Endpoint Insights

Adding the Intune Service Administrator Directory Role

Topics: Endpoint Insights

I’m sure you are wondering why I created a blog post on how to assign the Intune Service Administrator directory role. Wouldn’t it be straight forward? Yes, normally it would be straight forward, but what happens when you don’t see the role listed?

Before I tell you more about this directory role I’ll talk a bit about security. The importance of security is no different from one application to another when it comes to Microsoft Intune. If you are following best practices and providing the least amount of permissions needed to perform a task to a user, then the person who is the Intune Administrator should only have rights to manage Intune. They should not have permissions for everything within Microsoft Azure or the Azure Active Directory (AAD).

Many Intune Administrators, however, are generally assigned the directory role of Global Administrator. This means that they have far too many permissions to do things outside of the scope of their job. Luckily, there is a directory role called the Intune Service Administrator, or is there? In this blog post I will explain why you won’t necessarily see this directory role, but when you know where to find it, you can assign it to a user.

What is the Intune Service Administrator?

There is a great blog post called, Using the New Role Based Access Controls in Intune, written by a friend of mine, Dave Randall. In this post Dave talks about the Intune Service Administrator directory role. When it came time for me to use it I couldn’t find this directory role, but more on that later.

Here is the relevant section of Dave’s blog post:
Intune Service Administrator: Users with this role can manage all of Intune. Additionally, this role can manage users and devices as well as create and manage groups. This role cannot manage Azure AD’s Conditional Access settings.

This directory role, therefore, allows the Intune Administrator to do what is needed to get the job done. It does not grant too many security rights which would otherwise be the case if they were given a Global Administrator directory role. The Intune Service Administrator directory role definitely helps when it comes to following best practices because it limits the scope of privileges by defining what is needed to be an Intune Administrator.

Where is the Intune Service Administrator Directory Role?

Why did I hint that the Intune Service Administrator directory role was missing? Here’s the short version of a long answer. There are multiple places within Azure where you can do things, so I do most of my user administration (including assigning directory roles) from the Office 365 portal, and all of my Intune management in the Azure portal.

When I looked at the Office 365 portal the directory role wasn’t there (see below).

Intune Service Administrator - Office365 Portal

After spending a considerable amount of time trying to figure out where the directory role was located and why it was not listed in the portal, I finally broke down and sent Dave an email. He pointed out that I needed to assign this directory role from the Azure portal and not the Office 365 portal. I looked in Azure, quickly found the role and added it to my test account.

How to Assign the Intune Service Administrator Directory Role

Intune Service Administrator - Users Blade

Start by signing into the Azure portal using your Global Administrator account. This is where you will find the Users blade. In my case, I pinned the Users blade as a favorite. If you haven’t done so, you will find it under the All services blade. Click on the Users blade.

Intune Service Administrator - User Names

By default, the All users node will be selected and all users will be listed. Locate the user to whom you wish to grant the Intune Service Administrator directory role. Then click the link on their name.

Intune Service Administrator - Directory Role Node

On the user’s profile page, click on the Directory role node.

Intune Service Administrator - Add Role Button

Click on the + Add role button.

Intune Service Administrator - Intune Administrator

In the pop-up window, select the Intune administrator check box and then click on the Select button.

Intune Service Administrator - Successful Note

The existing pop-up window will close and within a few seconds a new pop-up note will indicate that everything was successful.

Intune Service Administrator - Profile

Under the user’s profile, you will see that they now have the Intune administrator directory role (also known as Intune Service Administrator) assigned to them. And that, my friends, is how you assign a user the Intune Service Administrator directory role.

If you have any questions about how to assign the Intune Service Administrator directory role, please feel free to contact me @GarthMJ.

Back to Top