Intune: Granular permissions

Starting with Nerdio Manager v6.0, the Intune integration supports granular permission assignment. When enabling Intune, you can assign only the permissions required for your desired management outcome.

Listed below are the management functions and the associated Microsoft Graph API permissions that are requested for the Nerdio Manager application.

Notes:

  • The scope of the permissions obtained by Nerdio Manager depends on the configured user operation mode. If Intune is configured to operate in application context, Nerdio Manager obtains application-level permissions to perform the functions you select. If Intune is configured to operate in user context, Nerdio Manager obtains the necessary delegated access permissions to perform the functions you select on behalf of the signed-in admin user.
  • For more detail on the access granted by each of the permissions listed below, navigate to the Microsoft Graph permissions reference and search for the specific permission string (e.g. CloudPC.Read.All) on the page. Depending on your chosen user operation mode, either the Application or the Delegated entry will apply to your tenant.
  • Group and GroupMember permissions can be scoped to specific Entra ID groups if required, rather than assigning the permission globally. To achieve this:

    • Grant the Nerdio Manager application ownership on the required groups.

    • Set the applicable management function listed below to either READ or DISABLED.

    For support in configuring group-specific management scenarios, please contact the Nerdio support team.

Management functions: Details and permissions

For each setting, the available configurations are:

  • Manage: Allow current functionality for all RBAC roles that support it (Nerdio Manager obtains READ/WRITE permissions).

  • Read: Limit all roles to only read this object type (Nerdio Manager obtains READ permissions only).

  • Disabled: Hide the policy tab and all policy details for this object type (Nerdio Manager obtains NO PERMISSION in relation to this function).

The specific individual functions and associated permissions are listed below.

Intune-managed devices

This function is used to list, read, and manage in-scope Intune devices within the console.

READ: Device.Read.All, DeviceManagementManagedDevices.Read.All, DeviceManagementServiceConfig.Read.All

MANAGE: Device.Read.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All

Group membership

This function is used to list, read, and manage in-scope Entra ID group membership within the console.

READ: GroupMember.Read.All

MANAGE: GroupMember.ReadWrite.All

Privileged operations

This function is used to list, read, and manage sensitive tasks within the console. This includes the ability to read BitLocker keys (Intune service account required) and to perform privileged operations, such as restarting Cloud PCs.

READ: BitlockerKey.Read.All

MANAGE: BitlockerKey.Read.All, DeviceManagementManagedDevices.PrivilegedOperations.All

Scripts

This function is used to read Intune script assignments within the console.

Note: This permission is applied automatically if you enable Cloud PC READ or MANAGE functionality.

READ: DeviceManagementScripts.Read.All / DeviceManagementScripts.ReadWrite.All

Cloud PC

This function is used to list, read, and manage in-scope Cloud PC devices within the console.

Note: Ensure that the Privileged Operations permission is also enabled to allow for Cloud PC restart tasks.

READ: CloudPC.Read.All, DeviceManagementConfiguration.Read.All

MANAGE: CloudPC.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All

Conditional Access policies

This function is used to list, read, and manage Conditional Access policies within the console.

READ: Policy.Read.All

MANAGE: Policy.Read.All, Policy.ReadWrite.ConditionalAccess, Application.Read.All

Intune applications and app policies

This function is used to list, read, and manage Application policies and deployments within the console.

Note: READ permissions allow native Intune applications to be discovered. MANAGE permissions are required to allow the deployment of UAM applications to Intune devices.

READ: DeviceManagementApps.Read.All

MANAGE: DeviceManagementApps.ReadWrite.All, Group.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All

Device policies

This function is used to list, read, and manage all other policy types, including Compliance, Configuration, Security Baselines, and Windows Updates policies.

READ: DeviceManagementConfiguration.Read.All

MANAGE: DeviceManagementConfiguration.ReadWrite.All

Audit logs

This function is used to display policy changes made outside of Nerdio Manager, including the UPN of the administrator who made the change, when comparing policy versions.

READ: DeviceManagementApps.Read.All
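The following Python helper is an added example, not part of this article or of Nerdio Manager. It transcribes the permission table above, computes the least-privilege set of Graph permissions for a chosen per-function configuration, flags consented permissions that no selected function needs (the `granted` set is assumed to be whatever you export from the app registration's consented permissions), and warns when Cloud PC is set to MANAGE without Privileged operations, which the Cloud PC note requires for restart tasks. The reading of the Scripts entry (Read.All with Cloud PC READ, ReadWrite.All with Cloud PC MANAGE) is an assumption.

```python
DISABLED, READ, MANAGE = "DISABLED", "READ", "MANAGE"
# Management function -> level -> Graph permissions, transcribed from the table above.
FUNCTION_PERMISSIONS: dict[str, dict[str, set[str]]] = {
    "Intune-managed devices": {
        READ: {"Device.Read.All", "DeviceManagementManagedDevices.Read.All",
               "DeviceManagementServiceConfig.Read.All"},
        MANAGE: {"Device.Read.All", "DeviceManagementManagedDevices.ReadWrite.All",
                 "DeviceManagementServiceConfig.ReadWrite.All"}},
    "Group membership": {READ: {"GroupMember.Read.All"}, MANAGE: {"GroupMember.ReadWrite.All"}},
    "Privileged operations": {READ: {"BitlockerKey.Read.All"},
                              MANAGE: {"BitlockerKey.Read.All",
                                       "DeviceManagementManagedDevices.PrivilegedOperations.All"}},
    "Cloud PC": {READ: {"CloudPC.Read.All", "DeviceManagementConfiguration.Read.All"},
                 MANAGE: {"CloudPC.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All"}},
    "Conditional Access policies": {READ: {"Policy.Read.All"},
                                    MANAGE: {"Policy.Read.All", "Policy.ReadWrite.ConditionalAccess",
                                             "Application.Read.All"}},
    "Intune applications and app policies": {READ: {"DeviceManagementApps.Read.All"},
                                             MANAGE: {"DeviceManagementApps.ReadWrite.All", "Group.ReadWrite.All",
                                                      "DeviceManagementConfiguration.ReadWrite.All"}},
    "Device policies": {READ: {"DeviceManagementConfiguration.Read.All"},
                        MANAGE: {"DeviceManagementConfiguration.ReadWrite.All"}},
    "Audit logs": {READ: {"DeviceManagementApps.Read.All"}},
}
# Assumption: the Scripts entry "Read/ReadWrite.All" is taken to follow the Cloud PC level.
SCRIPTS_BY_CLOUDPC = {READ: "DeviceManagementScripts.Read.All",
                      MANAGE: "DeviceManagementScripts.ReadWrite.All"}

def required_permissions(config: dict[str, str]) -> set[str]:
    """Union of permissions needed for the chosen per-function levels (DISABLED adds none)."""
    needed: set[str] = set()
    for function, level in config.items():
        if level == DISABLED:
            continue
        perms = FUNCTION_PERMISSIONS[function].get(level)
        if perms is None:  # e.g. Audit logs offers no MANAGE level
            raise ValueError(f"{function}: level {level} not offered")
        needed |= perms
    if config.get("Cloud PC", DISABLED) != DISABLED:  # Scripts is applied automatically
        needed.add(SCRIPTS_BY_CLOUDPC[config["Cloud PC"]])
    return needed

def excess_permissions(config: dict[str, str], granted: set[str]) -> set[str]:
    return set(granted) - required_permissions(config)  # consented but unneeded: remove these

def dependency_warnings(config: dict[str, str]) -> list[str]:
    # Cloud PC restart is a privileged operation (see the Cloud PC note above).
    needs_priv = config.get("Cloud PC") == MANAGE and config.get("Privileged operations") != MANAGE
    return ["Cloud PC restart tasks need Privileged operations = MANAGE"] if needs_priv else []
```

Run `excess_permissions` against the consented set periodically: any non-empty result means the app holds more than the selected functions require.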
