Direct Group Ownership Permissions for Nerdio Manager
Note: This article does not cover the use of permissions in Nerdio Manager outside of the Unified Endpoint Management (UEM) feature.
Customers making use of Nerdio Manager's UEM feature may need the ability to restrict the groups to which Nerdio Manager has access. By default, group management activities in UEM make use of the permissions discussed below.
Manage/Edit Functions
These permissions are used to:
Create and manage groups for Intune deployment of Unified Application Management (UAM) applications.
View and edit the group membership of users and devices in UEM.
Assign AVD hosts to specific Entra ID groups as part of host creation.
Group.ReadWrite.All
GroupMember.ReadWrite.All
The above permissions are assigned by selecting Manage for the selectors shown below.
Note: See Unified Endpoint Management: Intune Integration - Granular Permissions for additional details.
To assign Manage/Edit function permissions:
Navigate to Settings > Azure environment.
In the Intune (Unified Endpoint Management) tile, select the current status, either Disabled or Enabled, to manage the Intune settings.
In the Configurable Features section, set the following to Manage:
Group membership
Intune Applications and App policies
Once you have set the proper permissions, select Save.
Read Functions
These permissions are used to:
View the group membership of users and devices in UEM.
GroupMember.Read.All
The above permissions are assigned by selecting Read-only for the selectors shown below.
Note: See Unified Endpoint Management: Intune Integration - Granular Permissions for additional details.
To assign Read function permissions:
Navigate to Settings > Azure environment.
In the Intune (Unified Endpoint Management) tile, select the current status, either Disabled or Enabled, to manage the Intune settings.
In the Configurable Features section, set the following to Read-only:
Group membership
Once you have set the proper permissions, select Save.
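The selectors above change which Microsoft Graph application permissions the Nerdio Manager service principal holds, and those grants are tenant-wide. The following is an added example (not Nerdio's code) that reads the app role assignments on the Nerdio Manager enterprise application with the Microsoft Graph PowerShell SDK and reports whether the group-related grant corresponds to Manage, Read-only, or neither. It assumes the enterprise application is named "Nerdio Manager" (adjust to your tenant) and that the signed-in administrator can consent to Application.Read.All.

```powershell
# Added example, not part of the original article or the Nerdio Manager product.
# Audits which Microsoft Graph application permissions the Nerdio Manager
# service principal actually holds, so the Configurable Features selector can be
# checked against the real grant. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$appName    = "Nerdio Manager"                         # assumption: your enterprise application's display name
$graphAppId = "00000003-0000-0000-c000-000000000000"   # well-known appId of the Microsoft Graph API

$nerdioSp = @(Get-MgServicePrincipal -Filter "displayName eq '$appName'")
if ($nerdioSp.Count -ne 1) {
    throw "Expected exactly one service principal named '$appName', found $($nerdioSp.Count)."
}
$nerdioSp = $nerdioSp[0]

# Microsoft Graph's own service principal defines the app roles. An assignment's
# AppRoleId points at one of them; the role's .Value is the permission string.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $nerdioSp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($graphSp.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
    }

# Permissions named in this article, grouped by the selector that grants them.
$manageSet = @("Group.ReadWrite.All", "GroupMember.ReadWrite.All")
$readSet   = @("GroupMember.Read.All")

"Group-related Graph application permissions held by '$appName':"
$granted | Where-Object { $_ -like "Group*" } | Sort-Object -Unique

$hasManage = @($manageSet | Where-Object { $granted -contains $_ }).Count -gt 0
$hasRead   = @($readSet   | Where-Object { $granted -contains $_ }).Count -gt 0

if ($hasManage)   { "Effective level: Manage (write access to every group in the tenant)." }
elseif ($hasRead) { "Effective level: Read-only (membership of every group is readable)." }
else              { "No tenant-wide group permission: only groups the application owns can be managed." }
```

Run this after saving the Intune settings and again after removing a grant; a leftover Group.ReadWrite.All assignment means the application can still write to every group regardless of what the selector shows.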
Restricting Entra ID Group Management Permissions - Overview
Customers who do not wish to grant the tenant-wide permissions listed above can still perform management activities against a specified set of groups by making the Nerdio Manager application an owner of the target groups. Nerdio Manager is then able to perform the activities shown below for any group for which ownership has been assigned, and for no others.
View and edit the group membership of users and devices in UEM.
Assign AVD hosts to specific Entra ID groups as part of host creation.
The following feature is not supported in this configuration:
Create and manage groups for Intune deployment of UAM applications.
How to Restrict Entra ID Group Management Permissions
The following steps allow you to restrict Entra ID group management permissions.
To assign ownership to the required Entra ID groups:
From the Intune Admin center, select Groups and then select the desired group.
In the Manage section, select Owners.
In the central section, select Add Owners.
In the pop-up, select Enterprise applications and then choose your Nerdio Manager application as the owner.
Repeat this process for any groups for which Nerdio Manager should be assigned ownership.
Notes:
This process may also be performed directly in the Entra ID portal. Nerdio Manager can also be added as an owner during the Entra ID group creation process.
Enterprise applications can only be made owner of Entra ID security groups.
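For more than a handful of groups, the portal steps above are tedious and easy to get wrong. The following is an added example (not Nerdio's code) that performs the same ownership assignment with the Microsoft Graph PowerShell SDK: it looks up the Nerdio Manager service principal, skips any target that is not a plain security group (the only group type an enterprise application can own), skips groups where the application is already an owner, and adds it elsewhere. The application name and the group names are assumptions; replace them with your tenant's values.

```powershell
# Added example, not part of the original article or the Nerdio Manager product.
# Assigns the Nerdio Manager enterprise application as owner of a list of
# Entra ID security groups. Requires the Microsoft.Graph PowerShell SDK and an
# administrator who can consent to the delegated scopes below.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Application.Read.All" -NoWelcome

$appName    = "Nerdio Manager"                          # assumption: your enterprise application's display name
$groupNames = @("AVD-Hosts-Prod", "AVD-Users-Finance")  # assumption: constructed sample group names

$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$appName'")
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal named '$appName', found $($sp.Count)."
}
$sp = $sp[0]

foreach ($name in $groupNames) {
    $group = @(Get-MgGroup -Filter "displayName eq '$name'" `
                 -Property Id, DisplayName, SecurityEnabled, GroupTypes)
    if ($group.Count -ne 1) {
        Write-Warning "Skipping '$name': expected one group, found $($group.Count)."
        continue
    }
    $group = $group[0]

    # Service principals can only own security groups. Microsoft 365 groups carry
    # the 'Unified' group type and are rejected by Graph, so skip them up front.
    if (-not $group.SecurityEnabled -or ($group.GroupTypes -contains "Unified")) {
        Write-Warning "Skipping '$name': not a security group."
        continue
    }

    # Idempotent: adding an existing owner is an error, so check first.
    $ownerIds = @(Get-MgGroupOwner -GroupId $group.Id -All | ForEach-Object { $_.Id })
    if ($ownerIds -contains $sp.Id) {
        "'$name': '$appName' is already an owner."
        continue
    }

    New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/servicePrincipals/$($sp.Id)"
    }
    "'$name': added '$appName' as owner."
}
```

Because ownership, unlike Group.ReadWrite.All, is scoped per group, the list in $groupNames is the complete set of groups Nerdio Manager will be able to modify; review it the same way you would review any other privilege grant.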