Intune Custom Roles – part 1

Hi everyone.

In this post, I’d like to cover a little bit about Intune custom roles. 🧠

If you’ve followed my posts, there’s always a part of them that’s somehow linked to architecture, as you know I’m an IT Solutions Architect, acting as Intune Product Owner in my current role. I’m really amazed by what the tools we have are able to give us as part of a whole solution, from its draft to its deployment and validation, from both the IT personnel and the end-user perspective.

This Part 1 covers a simple scenario where:

  • Different LocationIDs (Australia, Brazil, USA, and Canada) each have their own Local IT team
  • Each Local IT team requires a different, or a standardized, level of delegated access to Intune to manage its own location
  • Each LocationID has its own users, devices, and groups (synced for HAADJ, hybrid Azure AD joined, or cloud-based for AADJ, Azure AD joined) – I’m covering the AADJ scenario, for lack of lab resources at this moment
  • The Central IT team or Global Service Desk team requires access to all users, devices, and groups regardless of location. If you need more info about the different types of IT teams, check this article or this one here.

The following diagram shows a simple structure for kicking this off.

With the diagram in hand, let’s check what we need to give the Central IT team or Global Service Desk full access to all users, groups, and devices.

  1. Make sure each LocationID has its own catch-all, cloud-based device security group
    1. AUS-all-devices
    2. BRL-all-devices
    3. CAN-all-devices
    4. USA-all-devices
  2. Make sure all AADJ (Azure AD joined) devices have two scope tags.
    1. scope tag #1: for Central IT / Global Service Desk management
    2. scope tag #2: for the device’s own LocationID management
      1. AUS
      2. BRL
      3. CAN
      4. USA
  3. Make sure all AADJ (Azure AD joined) devices are assigned to their own Azure AD administrative unit – why this?
    1. AUS
    2. BRL
    3. CAN
    4. USA
  4. Make sure all AADJ (Azure AD joined) devices have an Azure AD extension attribute – why this?
    1. For the HAADJ scenario, extension attribute sync is not supported
    2. For the AADJ scenario, extension attributes are supported. However, their management is done 100% in the cloud (Azure AD)
  5. Make sure there’s an Endpoint management role (with least-privileged access, limited to what they really need to access)
    1. An Endpoint management role gives the Central IT / Global Service Desk team the access they require to their users, devices, and groups when they access Intune (for user, group, and device management) or Azure AD (for administrative unit management)
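To show how steps 1 to 4 fit together before Part 2 walks through the portal, here is an added example (not the author’s code, and not from Part 2) that builds the Microsoft Graph request bodies for each LocationID. It assumes the catch-all group and the administrative unit are dynamic and keyed on the same device extension attribute (`extensionAttribute1` is an assumed choice), that `roleScopeTags` lives under the `/beta` endpoint, and it only plans the requests; sending them needs an authenticated client with the matching Graph permissions.

```python
"""Plan the per-LocationID objects from Part 1 as Microsoft Graph requests (constructed example)."""
import json

GRAPH = "https://graph.microsoft.com"
LOCATIONS = ["AUS", "BRL", "CAN", "USA"]
ATTR = "extensionAttribute1"  # assumption: which extension attribute carries the LocationID


def membership_rule(location):
    # One rule drives both the dynamic device group and the dynamic administrative
    # unit, so a device's LocationID is defined once (step 4) and both containers follow it.
    return f'(device.{ATTR} -eq "{location}")'


def catch_all_group(location):
    # Step 1: cloud-only security group, dynamic device membership
    return {
        "displayName": f"{location}-all-devices",
        "mailEnabled": False,
        "mailNickname": f"{location.lower()}-all-devices",
        "securityEnabled": True,
        "groupTypes": ["DynamicMembership"],
        "membershipRule": membership_rule(location),
        "membershipRuleProcessingState": "On",
    }


def administrative_unit(location):
    # Step 3: dynamic administrative unit scoped to the location's devices
    return {
        "displayName": location,
        "membershipType": "Dynamic",
        "membershipRule": membership_rule(location),
        "membershipRuleProcessingState": "On",
    }


def scope_tag(location):
    # Step 2, tag #2: the location's own scope tag (tag #1, CENTRAL, is created once in plan())
    return {"displayName": location, "description": f"Local IT scope for {location}"}


def plan(locations=LOCATIONS):
    """Return the ordered (method, url, body) requests for the whole design."""
    reqs = [("POST", f"{GRAPH}/beta/deviceManagement/roleScopeTags",
             {"displayName": "CENTRAL", "description": "Central IT / Global Service Desk"})]
    for loc in locations:
        reqs += [("POST", f"{GRAPH}/v1.0/groups", catch_all_group(loc)),
                 ("POST", f"{GRAPH}/v1.0/directory/administrativeUnits", administrative_unit(loc)),
                 ("POST", f"{GRAPH}/beta/deviceManagement/roleScopeTags", scope_tag(loc))]
    return reqs


def tag_device(device_id, location):
    """Step 4: PATCH body that stamps a device's LocationID so the dynamic rules pick it up."""
    return ("PATCH", f"{GRAPH}/v1.0/devices/{device_id}", {"extensionAttributes": {ATTR: location}})


if __name__ == "__main__":
    for method, url, body in plan():
        print(method, url, json.dumps(body))
```

Reviewing the printed plan is the point: each location should end up with exactly one group, one administrative unit and one scope tag, all agreeing on the same membership rule, before anything is created in the tenant.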

Now that you know everything you need for Part 1, let’s check the screenshots.

In Part 2, I’ll share full details on how to create each of these:

  • Catch-all device, cloud-based security group
  • Azure AD administrative units (AUs)
  • Scope Tags
  • Endpoint management role


Thiago Beier
Toronto, CA
