Unified Endpoint Management: Intune Integration - Granular Permissions
Starting with Nerdio Manager v6.0, Unified Endpoint Management (UEM) supports granular permission assignment for the Intune integration. When enabling Intune integration, customers can now assign only the permissions they require to achieve their desired management outcome.
Listed below are the management functions and the associated Azure API permissions that are requested for the Nerdio Manager application.
Note: Group and GroupMember permissions can be scoped to specific Entra ID groups if required, rather than assigning the permission globally. To achieve this, the Nerdio Manager application must be granted ownership of the required groups, and the management function listed below should be set to either READ or DISABLED.
For support in configuring group-specific management scenarios, please contact the Nerdio support team.
Management Functions - Details & Permissions
For each setting, the available configurations are:
Manage: Allow current functionality for all RBAC roles that support it (READ/WRITE).
Read: Limit all roles to only read this object type (READ).
Disabled: Hide the policy tab and all policy details for this object type (NO PERMISSION).
The specific individual functions and associated permissions are listed below.
Intune-Managed Devices
This function is used to list, read, and manage in-scope Intune devices within the console.
READ: Device.Read.All, DeviceManagementManagedDevices.Read.All, DeviceManagementServiceConfig.Read.All
MANAGE: Device.Read.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All
Group Membership
This function is used to list, read, and manage in-scope Entra ID group membership within the console.
READ: GroupMember.Read.All
MANAGE: GroupMember.ReadWrite.All
Privileged Operations
This function is used to list, read, and manage sensitive tasks within the console. This includes the ability to read BitLocker keys (Intune service account required) and to perform privileged operations, including Cloud PC restarts.
READ: BitlockerKey.Read.All
MANAGE: BitlockerKey.Read.All, DeviceManagementManagedDevices.PrivilegedOperations.All
Scripts
This function is used to read Intune script assignments within the console.
Note: This permission is automatically applied if you enable Cloud PC READ or MANAGE functionality.
READ: DeviceManagementConfiguration.Read.All
Cloud PC
This function is used to list, read, and manage in-scope Cloud PC devices within the console.
Note: Ensure that the Privileged Operations permission is also enabled to allow for Cloud PC restart tasks.
READ: CloudPC.Read.All, DeviceManagementConfiguration.Read.All
MANAGE: CloudPC.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All
Conditional Access Policies
This function is used to list, read, and manage Conditional Access policies within the console.
READ: Policy.Read.All
MANAGE: Policy.Read.All, Policy.ReadWrite.ConditionalAccess, Application.Read.All
Intune Applications and App Policies
This function is used to list, read, and manage Application policies and deployments within the console.
Note: Read permissions allow native Intune applications to be discovered. MANAGE permissions are required to allow for the deployment of UAM applications to Intune devices.
READ: DeviceManagementApps.Read.All
MANAGE: DeviceManagementApps.ReadWrite.All, Group.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All
Device Policies
This function is used to list, read, and manage all other policy types, including Compliance, Configuration, Security Baselines, and Windows Updates policies.
READ: DeviceManagementConfiguration.Read.All
MANAGE: DeviceManagementConfiguration.ReadWrite.All
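As an added example (not Nerdio's code), the mapping above transcribed into a small Python script that computes the least-privilege set of Graph application permissions for a chosen combination of function settings and diffs it against the permissions actually granted to the app registration. The function names and READ/MANAGE/DISABLED values come from this page; the `granted` input is assumed to be a list of permission names you exported from the app registration yourself.

```python
# Function -> level -> Graph application permissions, transcribed from this page.
PERMS = {
    "Intune-Managed Devices": {
        "READ": ["Device.Read.All", "DeviceManagementManagedDevices.Read.All",
                 "DeviceManagementServiceConfig.Read.All"],
        "MANAGE": ["Device.Read.All", "DeviceManagementManagedDevices.ReadWrite.All",
                   "DeviceManagementServiceConfig.ReadWrite.All"]},
    "Group Membership": {"READ": ["GroupMember.Read.All"],
                         "MANAGE": ["GroupMember.ReadWrite.All"]},
    "Privileged Operations": {
        "READ": ["BitlockerKey.Read.All"],
        "MANAGE": ["BitlockerKey.Read.All",
                   "DeviceManagementManagedDevices.PrivilegedOperations.All"]},
    "Scripts": {"READ": ["DeviceManagementConfiguration.Read.All"]},
    "Cloud PC": {"READ": ["CloudPC.Read.All", "DeviceManagementConfiguration.Read.All"],
                 "MANAGE": ["CloudPC.ReadWrite.All",
                            "DeviceManagementConfiguration.ReadWrite.All"]},
    "Conditional Access Policies": {
        "READ": ["Policy.Read.All"],
        "MANAGE": ["Policy.Read.All", "Policy.ReadWrite.ConditionalAccess",
                   "Application.Read.All"]},
    "Intune Applications and App Policies": {
        "READ": ["DeviceManagementApps.Read.All"],
        "MANAGE": ["DeviceManagementApps.ReadWrite.All", "Group.ReadWrite.All",
                   "DeviceManagementConfiguration.ReadWrite.All"]},
    "Device Policies": {"READ": ["DeviceManagementConfiguration.Read.All"],
                        "MANAGE": ["DeviceManagementConfiguration.ReadWrite.All"]},
}

def required_permissions(settings):
    """settings maps each function to DISABLED, READ or MANAGE. Per the page,
    enabling Cloud PC (READ or MANAGE) implicitly turns on Scripts READ."""
    cfg = dict(settings)
    if cfg.get("Cloud PC", "DISABLED") != "DISABLED":
        cfg["Scripts"] = "READ"
    needed = set()
    for func, level in cfg.items():
        if level != "DISABLED":
            needed.update(PERMS[func][level])  # KeyError if the level is not offered
    return needed

def audit(settings, granted):
    """Diff the application permissions actually granted (assumed exported from
    the app registration) against the least-privilege set; excess is the finding."""
    needed = required_permissions(settings)
    return sorted(set(granted) - needed), sorted(needed - set(granted))
```

Anything reported as excess is a permission the integration does not need for the chosen settings and can be removed from the app registration; anything reported as missing explains why a function shows as unavailable in the console.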