Intune Custom Roles – part 2

Hi again, If you had checked my previous post about Intune Custom Roles you’re familiar with this setup/architecture.

In this post I’m covering the following:

Diagram

Step 1 – create the Global-Intune-Admins and all LocationID-Intune-Admins sec. groups.

Name: Global-Intune-Admins
Type: security
Membership type: Assigned (add members)

Name: AUS-Intune-Admins
Type: security
Membership type: Assigned (add members)

Step 2 – create the catch-all device cloud-based security group

go to Intune Admin Center, click on Groups on the left menu
group type: security
group name: Intune-all-devices
group description: give it a description
membership type: dynamic device
add dynamic query:
- edit dynamic query
  - all autopilot devices
    - (device.devicePhysicalIDs -any (_ -contains “[ZTDID]”))
repeat the same for other LocatoinID’s
- group name:
  - BRL-all-devices
  - CAN-all-devices
  - USA-all-devices
  - AUS-all-devices
- group description: give it a description
- membership type: dynamic device
- add dynamic query:
  - (device.displayName -startsWith “BRL-“)
  - (device.displayName -startsWith “CAN-“)
  - (device.displayName -startsWith “USA-“)
  - (device.displayName -startsWith “AUS-“)

Step 3 – create all Azure AD administrative units

Step 4 – create all Intune scope tags

go to Microsoft Intune admin center
click on Tenant administration on the left
click on Roles
click on Scope tags
click “+ Create”
give it a name: GLOBAL
give it a description:
click next
under assignments, click on Add groups
select the Intune-all-devices (catch-all device group)
click next
click Create
when the creation is finished you should see two (2) scope tags
- Default: if a device is enrolled to Intune it already has a Default scope tag
- GLOBAL
now create one tag for each LocatoinID (assign to their own cath-all device sec. group)
- BRL => BRL-all-devices
- CAN => CAN-all-devices
- AUS => AUS-all-devices
- USA => USA -all-devices
when you’re finished it will take a couple hours to each device to have 2 (two) scope tags GLOBAL and its own LocationID (BRL or CAN or AUS or USA respectively)

Step 5 – create the Endpoint management roles for IT and Global Service Desk

o to Microsoft Intune admin center
click on Tenant administration on the left
click on Roles
click on All roles
click “+ create”
give it a name: Global Service Desk
give it a description:
click next
under permissions: configure all relevant settings for each category
click next when you’re finished (you can finish that later – you have to select at least one set under a category)
under scope tags: leave Default
click next
click create
when creation if finished you’re redirected to Enpoint Manager roles | All roles screen
you should see your Custom Intune role there.
click on the role: Global Service Desk
go to Assignments tab
click “+ assign”
give it a name: Global-Intune-Admins
give it a description: (not required)
click next
under Admins groups \ Included groups
click “add groups”
add the Global-Intune-Admins sec. group (need to be created – see step 1 above)
add all the service desk personnel to the Global-Intune-Admins sec. group

Step 6 – create the Endpoint management roles for each locationID

AUS => AUS-Intune-Admins (sec. group) => AUS-all-devices and so on.

That’s all, now you can have delegated access to your Intune environment

You can use automation such as Puppet, Azure DevOps of Jenkins to automate:

the Azure AD administrative units (AUS, BRL, USA, and CAN)
the Intune Scope Tags (AUS, BRL, USA, and CAN)
the catch-all device cloud-based security group and keeps its membership based on whatever criteria you have in your business (ExtensionAttribute, DeviceName, LocationId)

That’s all.

I hope you liked it.

Thiago Beier
Toronto, Canada

Published by Thiago Beier