Hi again. If you have read my previous post about Intune Custom Roles, you’re already familiar with this setup/architecture.
In this post I’m covering the following:
- Catch-all device, cloud-based security group
- Azure AD administrative units (AUs)
- Intune Scope Tags
- Endpoint management role
Diagram
Step 1 – create the Global-Intune-Admins and all LocationID-Intune-Admins sec. groups.
Name: Global-Intune-Admins
Type: security
Membership type: Assigned (add members)
Name: AUS-Intune-Admins
Type: security
Membership type: Assigned (add members)
Step 2 – create the catch-all device cloud-based security group
- go to Intune Admin Center, click on Groups on the left menu
- group type: security
- group name: Intune-all-devices
- group description: give it a description
- membership type: dynamic device
- add dynamic query (Edit dynamic query), in this case all Autopilot devices:
- (device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))
- repeat the same for the other LocationIDs
- group name:
- BRL-all-devices
- CAN-all-devices
- USA-all-devices
- AUS-all-devices
- group description: give it a description
- membership type: dynamic device
- add dynamic query:
- (device.displayName -startsWith "BRL-")
- (device.displayName -startsWith "CAN-")
- (device.displayName -startsWith "USA-")
- (device.displayName -startsWith "AUS-")
Step 3 – create all Azure AD administrative units
- go to https://entra.microsoft.com/
- expand Azure Active Directory on the left
- Expand Roles & admins
- select Admin units
- click on “+ add”
- under properties
- give it a name:
- give it a description:
- click next: assign roles
- click next: Review + create
- click create
- when creation is finished, the AAD AU (Azure AD administrative unit) will be shown
- click on it to explore it
- you should see:
- properties
- users
- groups
- devices
- roles and administrators, and bulk operation results
Step 4 – create all Intune scope tags
- go to Microsoft Intune admin center
- click on Tenant administration on the left
- click on Roles
- click on Scope tags
- click “+ Create”
- give it a name: GLOBAL
- give it a description:
- click next
- under assignments, click on Add groups
- select the Intune-all-devices (catch-all device group)
- click next
- click Create
- when the creation is finished you should see two (2) scope tags
- Default: if a device is enrolled to Intune it already has a Default scope tag
- GLOBAL
- now create one tag for each LocationID (assigned to its own catch-all device sec. group)
- BRL => BRL-all-devices
- CAN => CAN-all-devices
- AUS => AUS-all-devices
- USA => USA-all-devices
- when you’re finished it will take a couple of hours for each device to have 2 (two) scope tags: GLOBAL and its own LocationID (BRL, CAN, AUS or USA respectively)
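Because the dynamic rules from Step 2 take hours to process, it helps to know in advance which catch-all groups, and therefore which Step 4 scope tags, a device will end up with. The script below is an added example, not code from the original post: it re-implements the two membership rules locally in PowerShell and runs them over a constructed device inventory. The device names and ZTDIDs are made up; the `-like` comparison is PowerShell's case-insensitive matching, so treat exact case behaviour of the Entra rule engine as an assumption to confirm in your tenant.

```powershell
# Added example: local simulation of the Step 2 dynamic membership rules
# and the Step 4 scope-tag mapping. Not the original post's code.

$LocationIds = 'BRL', 'CAN', 'USA', 'AUS'

function Test-AutopilotDevice {
    # Equivalent of: (device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))
    param([object]$Device)
    foreach ($id in @($Device.devicePhysicalIds)) {
        # .Contains() rather than -like: "[ZTDID]" would be parsed by -like as a wildcard character class
        if ("$id".Contains('[ZTDID]')) { return $true }
    }
    return $false
}

function Get-CatchAllGroups {
    # Returns every Step 2 catch-all group the device qualifies for
    param([object]$Device)
    $groups = @()
    if (Test-AutopilotDevice -Device $Device) { $groups += 'Intune-all-devices' }
    foreach ($loc in $LocationIds) {
        # Equivalent of: (device.displayName -startsWith "<LocationID>-")
        if ("$($Device.displayName)" -like "${loc}-*") { $groups += "${loc}-all-devices" }
    }
    return $groups
}

function Get-ExpectedScopeTags {
    # Maps groups to the scope tags assigned in Step 4; Default is always present on an enrolled device
    param([object]$Device)
    $tags = @('Default')
    foreach ($g in @(Get-CatchAllGroups -Device $Device)) {
        if ($g -eq 'Intune-all-devices') { $tags += 'GLOBAL' }
        else { $tags += ($g -split '-')[0] }
    }
    return $tags
}

# Constructed sample inventory (not real devices or hardware IDs)
$devices = @(
    [pscustomobject]@{ displayName = 'AUS-LT-0001';   devicePhysicalIds = @('[ZTDID]:00000000-0000-0000-0000-000000000001', '[OrderId]:demo') }
    [pscustomobject]@{ displayName = 'BRL-DT-0042';   devicePhysicalIds = @('[ZTDID]:00000000-0000-0000-0000-000000000002') }
    [pscustomobject]@{ displayName = 'DESKTOP-7H3K2'; devicePhysicalIds = @('[ZTDID]:00000000-0000-0000-0000-000000000003') }  # Autopilot, but renamed outside the naming standard
    [pscustomobject]@{ displayName = 'CAN-LT-0007';   devicePhysicalIds = @() }                                                 # manually enrolled, never registered in Autopilot
)

foreach ($d in $devices) {
    [pscustomobject]@{
        Device    = $d.displayName
        Groups    = (Get-CatchAllGroups -Device $d) -join ', '
        ScopeTags = (Get-ExpectedScopeTags -Device $d) -join ', '
    }
} | Format-Table -AutoSize
```

The two last rows are the ones worth checking in a real tenant: a renamed Autopilot device only gets GLOBAL, so no LocationID role can see it, and a manually enrolled device only gets its LocationID tag, so it falls outside the GLOBAL scope. Running the simulation against an export of your device names catches both gaps before the delegation goes live.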
Step 5 – create the Endpoint management roles for IT and Global Service Desk
- go to Microsoft Intune admin center
- click on Tenant administration on the left
- click on Roles
- click on All roles
- click “+ create”
- give it a name: Global Service Desk
- give it a description:
- click next
- under permissions: configure all relevant settings for each category
- click next when you’re finished (you can refine the permissions later, but you have to select at least one permission set under a category)
- under scope tags: leave Default
- click next
- click create
- when creation is finished you’re redirected to the Endpoint Manager roles | All roles screen
- you should see your Custom Intune role there.
- click on the role: Global Service Desk
- go to Assignments tab
- click “+ assign”
- give it a name: Global-Intune-Admins
- give it a description: (not required)
- click next
- under Admins groups \ Included groups
- click “add groups”
- add the Global-Intune-Admins sec. group (it must already exist – see Step 1 above)
- add all the service desk personnel to the Global-Intune-Admins sec. group
Step 6 – create the Endpoint management roles for each locationID
AUS => AUS-Intune-Admins (sec. group) => AUS-all-devices, and so on for BRL, CAN and USA.
That’s all, now you can have delegated access to your Intune environment.
You can use automation such as Puppet, Azure DevOps or Jenkins to automate:
- the Azure AD administrative units (AUS, BRL, USA, and CAN)
- the Intune Scope Tags (AUS, BRL, USA, and CAN)
- the catch-all device cloud-based security groups, and keep their membership based on whatever criteria you have in your business (ExtensionAttribute, DeviceName, LocationId)
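As an added example of that automation (not code from the original post or from any of the tools named above), the following script creates the Step 2 dynamic catch-all groups, the Step 3 administrative units and the Step 4 scope tags with the Microsoft Graph PowerShell SDK, reusing any object that already exists so it can run repeatedly from a pipeline. Assumptions: the Microsoft.Graph modules are installed; the cmdlet names are those of the Graph PowerShell SDK against the v1.0 endpoint; the `roleScopeTags/{id}/assignments` request and its `groupAssignmentTarget` body shape are taken from the Graph v1.0 reference as I read it, so confirm them in Graph Explorer before the first production run; the group, AU and tag names are the ones used in this post.

```powershell
# Added example: Graph PowerShell automation of Steps 2-4. Not the original post's code.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.DeviceManagement.Administration

$LocationIds = 'BRL', 'CAN', 'USA', 'AUS'
$GraphBase   = 'https://graph.microsoft.com/v1.0'

# Request only the permissions these three object types need
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'AdministrativeUnit.ReadWrite.All', 'DeviceManagementRBAC.ReadWrite.All' | Out-Null

function Get-OrCreateDynamicDeviceGroup {
    # Dynamic device security group; returns the existing group if the name is already taken
    param([string]$Name, [string]$Rule)
    $existing = Get-MgGroup -Filter "displayName eq '$Name'"
    if ($existing) { return $existing }
    New-MgGroup -DisplayName $Name -Description "Catch-all device group $Name" -MailNickname $Name `
        -MailEnabled:$false -SecurityEnabled -GroupTypes 'DynamicMembership' `
        -MembershipRule $Rule -MembershipRuleProcessingState 'On'
}

function Get-OrCreateAdministrativeUnit {
    param([string]$Name)
    $existing = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$Name'"
    if ($existing) { return $existing }
    New-MgDirectoryAdministrativeUnit -DisplayName $Name -Description "Intune delegation AU for $Name"
}

function Get-OrCreateScopeTag {
    # Scope tag plus its auto-assignment to the catch-all group (assumed endpoint and body shape, see lead-in)
    param([string]$Name, [string]$GroupId)
    $tag = Get-MgDeviceManagementRoleScopeTag -All | Where-Object { $_.DisplayName -eq $Name }
    if (-not $tag) {
        $tag = New-MgDeviceManagementRoleScopeTag -DisplayName $Name -Description "Scope tag $Name"
    }
    $uri = "$GraphBase/deviceManagement/roleScopeTags/$($tag.Id)/assignments"
    $current = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
    if (-not ($current | Where-Object { $_.target.groupId -eq $GroupId })) {
        $body = @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
        Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body | Out-Null
    }
    return $tag
}

# GLOBAL: all Autopilot devices (Step 2 catch-all) -> GLOBAL scope tag (Step 4)
$allDevices = Get-OrCreateDynamicDeviceGroup -Name 'Intune-all-devices' `
    -Rule '(device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))'
Get-OrCreateScopeTag -Name 'GLOBAL' -GroupId $allDevices.Id | Out-Null

# One group, one AU and one scope tag per LocationID
foreach ($loc in $LocationIds) {
    $group = Get-OrCreateDynamicDeviceGroup -Name "$loc-all-devices" -Rule "(device.displayName -startsWith `"$loc-`")"
    Get-OrCreateAdministrativeUnit -Name $loc | Out-Null
    Get-OrCreateScopeTag -Name $loc -GroupId $group.Id | Out-Null
    Write-Host "Provisioned $loc-all-devices, AU $loc and scope tag $loc"
}
```

Run it under a service principal that holds only the three scopes above; the role assignments from Steps 5 and 6 are deliberately left to the portal (or a separate, more tightly reviewed job), since they are the step that actually grants people access.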
That’s all.
I hope you liked it.
Thiago Beier
Toronto, Canada