Anoop is Microsoft MVP! He is a Solution Architect on enterprise client management with more than 17 years of experience (calculation done in the year 2018) in IT. He is Blogger, Speaker, and Local User Group Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, Intune. He writes about technologies like SCCM, SCOM, Windows 10, Azure AD, Microsoft Intune, RMS, Hyper-V etc...
How to Remove Work Profile from Intune Managed Android Devices | Endpoint Manager Intune? This post is a quick one that will help you understand the process of removing a work profile from an Android device. So, if you are wondering how the work profiles have been created, you should read my previous post here.
The work profile is created when the Android for Work (A4W) supported device is enrolled in Intune environment, which is enabled to support A4W. There are more than two ways to remove the Work profile from Android devices. We will cover three of them in this post.
Video – Android for Work Un-enrollment
Android for Work Un-enrollment process experience has explained in the video here
How to Remove Work Profile from Intune Managed Android Devices
As per Google documentation following is the method to remove the work profile, but I won’t recommend this approach if your device has enrolled to Intune. On Android 5.0+ devices, you can delete your work profile in Settings > Accounts > Remove work profile. Touch Delete to confirm the removal of all apps and data within the work profile.
The first proper way to remove a work profile or unenroll a device is to go to Intune portal -> Devices and groups -> All devices – select the device that you want to remove or unenroll, then click on the “Remove Company Data” button that will initiate the un-enrollment process from Intune.
How to Remove Work Profile from Intune Managed Android Devices | Endpoint Manager Intune
How to Remove Work Profile from Intune Managed Android Devices
Following is another option to remove the work profile or unenroll the Android device. You can also go to your user profile and choose the device you want to delete/remove from the following blade path from the Azure portal “Users and Groups – All users – Anoop Nair (username) – Devices – Device.”
As you can see in the following picture, click on the delete button to remove the device from Intune or to remove the work profile.
How to Remove Work Profile from Intune Managed Android Devices | Endpoint Manager Intune
The second option to remove the work profile has to be initiated from the end-user device. The user has to initiate this process from Intune company portal application (more details about the company portal – read my previous post here).
Launch the company portal app from your Android device and tap on the tab called “My Devices” and select the user’s device. In the following picture, tap on the recycle bin button to remove the device’s work profile.
How to Remove Work Profile from Intune Managed Android Devices | Endpoint Manager Intune
The Android device un-enrollment process will remove company data from your mobile; it will also remove the work profile created during A4W enrollment. It will also remove all the applications deployed through the work profile.
However, the company portal application will stay there on the device, as you can see in the above picture (#5). It won’t allow you to enroll the device again with the same instance of the company portal. If you want to re-enroll the Android device for Intune management, you need to uninstall the existing company portal and install it again.
Author
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…
Why Available Action is Disabled from Android for Work App Deployment in Intune Endpoint Manager? Android for Work configuration for Intune is not very difficult. I have published a post about “How to set up Android for Work management in Intune” here.
There are some restrictions when you deploy a volume purchased an application to Android for Work devices.
We can deploy Android for Work Volume Licensed apps only to user groups. The ONLY deployment actions/options enabled in the drop-down list are Not Applicable, Required, and Uninstall actions. The “available” deployment Action/option is DISABLE for Android for Work applications.
Android for Work Application Deployment experience
Android for Work Application Deployment experience as explained in the video here
Why Available Action is Disabled from Android for Work App Deployment in Intune Endpoint Manager
Recently, it came to my notice that the Android for Work Volume-Purchased App deployment action called “Available” has been enabled for some of the tenants. These “Google play for Work” applications can be deployed to user/device groups in those tenants where the available action is enabled.
I have a more detailed explanation in the above video, and you can watch it here. So what does that mean?
Details Why Available Action is Disabled from Android for Work App Deployment in Intune Endpoint Manager
Android for Work Volume-Purchased application deployment option called “Available” and volume purchased app deployment to device groups are ONLY available with new grouping experience in the Azure portal. Hence, this feature is tied to Azure AD group targeting, requiring migration from Intune silver light portal to Azure.
Even when you go to the “Google Play for Work” app store from your “Android for work” supported devices, you can’t see all the Android for Work apps. It will only list the apps which are deployed from Intune console. Why Available Action is Disabled from Android for Work App Deployment in Intune Endpoint Manager
Why Available Action is Disabled from Android for Work App Deployment in Intune Endpoint Manager
App deployment action details are well documented in the TechNet article here. When the app is displayed in the Volume-Purchased Apps node of the Apps workspace, you can deploy it just like any other app.
You can deploy the app to groups of users only. Currently, you can only select the Required and Uninstall actions. From October 2016, we will begin adding the Available deployment action to new tenants.
Author
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…
Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work? Android for Work enrollment to Enterprise Mobility Management (EMM) solution or Intune is slightly different if you compare it with iOS and Windows device enrollment.
This difference is not because of your EMM solution rather. This is the process/framework Google implemented to complete Android for Work enrollment. We need to configure Intune to support Android for Work, and I have a post that explains the prerequisites. More details here.
Video Intune How to Enroll Android for Work Supported Devices?
Android for Work Enrollment process experience has explained in the video here
Details Google Play Store for Work
First, we need to make sure that the Android for Work (A4W) is enabled for your Intune tenant and then configure your Intune to support A4W. Do you want to allow only android for work-supported devices to enroll in Intune? This option is not available as out of the box in Intune.
I’m sure Microsoft will come up with a new option in the new Azure portal, as I noted here in the previous blog post about the enrollment restriction rule in Intune. Android for Work is currently supported on devices running Android 5.0 Lollipop and later that support a work profile.
The second step is to ensure that you have configured Android for Work configuration policies in Intune and Android configuration policies. There are different sets of policies in Intune that only support Android for Work.
Intune Compliance policies are the same for “Classic” Android management and Android for Work management. Suppose you plan to deploy VPN and Wi-Fi profiles to Android for Work supported devices. In that case, there are some custom configuration policies (OMA-URI) supported by Intune.
Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work
Android for Work?
As a third step, you need to confirm whether your device has support for “Android for Work” or not. Where is the list of Android for Work supported devices? OK, no worries, Google has already published the list here.
If your device has not been supported, Intune will automatically enroll the device for “classic” Android management. So you won’t be able to see any work profile being created on your phone. Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work?
Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work
More Details
Once you have identified that the device you are trying to enroll in is supported, the process is to open the “Google Play Store” and Install Intune company portal. Once the company portal is installed, you can log in to the portal with your corporate credentials, and it will start the first phase of the setup, creating a Work profile for Android.
Once the Work profile has been created then, the company portal application will ask you to go to the Work profile and launch the company portal from the work profile to continue setup. So you need to log in to the company portal twice as part of Android for work enrollment.
The work profile will be controlled by an organization you have enrolled in, and the Company Portal app will have access to Work profile-related data.
Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work
Half of the enrollment process has been completed in the above step. Intune company portal application initiated the creation of the work profile. Once the work profile has been created, you need to log in to another instance of the company portal app, which resides in the work profile.
The company portal app in the work profile does the 2nd half of the enrollment process. The company portal helps the device complete Work Place Join, Azure AD Join, and Intune enrollment, as you can see in the above video.
Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work
Google Play Store for Work
Once you complete the Company access setup, you can access company resources and apps depending on the Conditional access, compliance, and configuration policies. The android device must be in compliance with compliance policies, and it should also meet the conditions mentioned in the conditional access policies by the Intune Admin.
Once everything ok then, you can browse the applications from “Google Play Store for Work“. Browse and install applications from the Google play store for work. I will cover the Android application deployment scenarios in an upcoming blog here (coming soon).
Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work
Outlook is one of the applications you can directly deploy as “available” or “required” from Intune portal. Once the Outlook app has been installed, you can directly configure your official mail without any particular configuration. Email profile deployment via Intune has not required for automatic corporate mail configuration.
You need to put in the email ID. No other configuration is required; rather, everything is automatically configured. You can add applications to the google play store for work with the existing Gmail account, as I mentioned in the blog post here. Once these apps are synced with Intune, you can deploy these apps to groups.
Author
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…
How to Enable Bitlocker on HyperV and Handle Error Device Cannot Use a Trusted Platform Module? Do you use virtual Windows 10 machines to test the Intune and SCCM policies? Have you tried to enable BitLocker in a HyperV/VMware virtual machine?
Did you ever receive the following error while you tried to enable BitLocker on Windows 10 Virtual Machines?
This Device Can’t Use a Trusted Platform module. Your administrator must set the “Allow Bitlocker without a compatible TPM” option in the “Required additional authentication at startup” policy for OS volumes. More detailed demonstration in the above video, or you can click here
How to Enable Bitlocker on HyperV and Handle Error Device Cannot Use a Trusted Platform Module
How to Enable Bitlocker on HyperV
BitLocker will get automatically enabled on modern instant go devices like Surface Pro 3, Surface Pro 4, etc. But for other Windows 10 devices, each user needs to enable BitLocker via another method. BitLocker can be enabled using Windows 10 MDM policies, Group Policies, SCCM Policies, etc.
All the above BitLocker enablement process is more or less straightforward. But to enable BitLocker on Windows 10 virtual machines are not straightforward. When we try to enable BitLocker from “This PC” or “Control Panel.”
The user needs to enable the following group policy (GPEDIT.MSC) on Windows 10 VM to get rid of the TPM error while enabling the BitLocker.
Local Computer Policy –> Computer Configuration –> Administrative Template –> Windows Components –> Bitlocker Drive Encryption –> Operating System Drives –> Require additional authentication at startup –> ENABLE
How to Enable Bitlocker on HyperV and Handle Error Device Cannot Use a Trusted Platform Module
Another important option in the BitLocker enablement process is to save the recovery key. We have four options to save the BitLocker key. Save to your Microsoft accounts have to a USB flash drive save to a file, print the recovery key. How to Enable Bitlocker on HyperV and Handle Error Device Cannot Use a Trusted Platform Module.
How to Enable Bitlocker on HyperV and Handle Error Device Cannot Use a Trusted Platform Module
Author
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…
Intune Application Policy Manager RBA Controls In MEM Portal | Endpoint Manager Role-Based Access? We will discuss the access rights of the build-in Intune RBA role called Intune Application Manager.
Ideally, this role should have access to administrate Managed apps, Mobile apps and read device information depending upon the scope of users/devices assigned to this role.
Do you know what the scope is? “The users or devices that a specified person (the member) can manage.” If you are an SCCM admin, the SCOPE option is already there in SCCM 2012 and CB console. I’ve another post that talks about Configuration manager RBAC detail here.
Intune Application Policy Manager
In this post, we will see the permissions associated with Intune application manager build-in role. As per the Microsoft documentation, this role is to “Manage and deploy applications and profiles”.
We will do a deep dive into this topic and explain the exact actions an Intune app admin can perform from the MEM portal. Following are the access permissions given to Intune APP Manager RBAC role.
Assign managed apps to a security group Create managed apps Delete managed apps Read managed apps Update managed apps Wipe Managed apps Managed Devices No Access to delete devices Access to read device information No Access to update device properties Mobile Apps Assign mobile apps to a security group Create mobile apps Delete mobile apps Read mobile apps Update mobile apps Overall Access Rights of Intune tiles
It is allowed to administrate some actions in managing apps and configuring devices tiles.
Access is denied to perform any activities in Conditional Access, Device Enrollment, Access control, and Set device compliance tiles.
Allowed to set up certificate authority in Configure devices tile. However, no access to view profiles.
Allowed to view the device information in the Device and Groups tile.
Access is denied to create/delete new/existing groups or users profiles. It doesn’t matter whether the Intune policy manager is editing the groups in SCOPE or not. In a lot of places, save and add buttons are enabled, but when we try to save, it will give an error.
Access is denied to change device and user settings in the Manage user tile.
Access is denied to access Intune Silverlight console.
Access is denied to Intune App Protection section. Intune mobile application management is not allowed for Intune App Managers. All these app protection options are probably already part of Intune – Manage Apps tab in the Azure portal.
Access rights – Manage Apps (Manage Apps and Mobile apps) – Intune Application Policy Manager RBA Controls
Allowed to edit mobile apps which are uploaded by admins. Access is Denied to edit the managed apps, which are automatically uploaded.
Access is denied to remove assignments/deployments to a group out of scope for Intune application manager.
Access is denied to remove assignments/deployments to a group in scope for Intune application manager. This SHOULD be allowed!
Allowed to add an assignment to mobile/manage app if the user group is in the scope of Intune application manager.
Access Denied adding an assignment to mobile/manage app if the user group is out of scope of Intune application manager.
App Protection Policies are getting hung while trying to edit (or create) existing (or new) app protection policies from Intune App manager account.
Allowed to perform App Selective wipe option from Intune app manager account. Allowed to perform app selective wipe only on “in scope users/devices”.
Access is denied to edit Company portal Branding from Intune app manager account.
Author
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…
Beginners Guide Intune Android for Work Google Play for Work Setup Endpoint Manager | MEM? Android for work is always an exciting topic for me. I’m a fanboy of android devices 🙂 I started testing Intune + SCCM MDM management with Android devices back in 2014, you can refer to that post here. I was eagerly waiting for “Android for Work” support with Intune.
A few months back, Microsoft announced Intune’s supportability for Android for Work (A4W). Since then I was waiting for an A4W supported device 😉 Yes, that means all the android devices are not supported by A4W. Here is the list of A4W supported devices from Google.
A more detailed explanation is in the above video or you can click here
Beginners Guide Intune Android for Work Google Play for Work Setup
In this post, I will try to cover the prerequisites of Android for Work, Intune portal admin configurations, Add Google play apps to Google for Work, Android for Work Device enrollment, Work profile creation, and Removal of Android for thework profile.
First of all, you need to create a baseline of Android devices which you want to support in your environment. Following are some of the points which we need to take care of as part of the Android for Work implementation:-
Beginners Guide Intune Android for Work Google Play for Work Setup Endpoint Manager | MEM
Preparation Work – Android for Work Admin configurations:
Devices with Android 5.0 Lollipop and later will only have work profile and Android for work support as per Google. This is nothing to do with Microsoft and Intune.
Some of the Android for Work settings are available only for Android 6.0 and later.
It’s important to understand Android for Work does NOT support all android devices in the market- a list of supported devices -is here.
Bind your Intune and Google for Work account from the Silverlight Intune portal. Because Azure Intune blade is not enlightened with this feature yet.
Create a Google account or use an existing account to sign up for Android for Work with the EMM provider. More details here
Add applications from Google Play to Google for Work store and then sync these apps to Intune. You can click on the Sync button in Intune console to initiate a new sync between Intune and Google store for work.
Sync the apps from Intune console – Admin > Mobile Device Management > Android for Work. After Sync the apps will be visible under – Intune console – Apps – Volume Purchased app
Beginners Guide Intune Android for Work Google Play for Work Setup Endpoint Manager | MEM
I recommend using the following option after the pilot testing in your production environment. Enable the option “Manage supported devices as Android for Work – (Enabled) All devices that support Android for Work are enrolled as Android for Work devices. Any Android device that does not support Android for Work is enrolled as a conventional Android device”.
The only caveat is that we don’t have the option to restrict the devices which are NOT supported by Android for Work from enrolling into Intune. Beginners Guide Intune Android for Work Google Play for Work Setup Endpoint Manager | MEM?
Notes from the Field – Android for Work security policies:-
As an initial release Intune out of the box “Security and Work profile policies are very limited for A4W”. I suppose you have to use the combination of A4W and Android policies together to support Android devices in your organization.
OMA URI custom policies are supported with A4W. However, only a few options are supported by custom policies along with Intune. I know only 2 policies that are supported by this feature and those are WiFi and VPN profiles. More details here.
Beginners Guide Intune Android for Work Google Play for Work Setup Endpoint Manager | MEM?
Beginners Guide Intune Android for Work Google Play for Work Setup Endpoint Manager | MEM
End-User Experience – Android for Work:-
Enrollment of Android for work devices is straightforward as the normal Android device enrollment for the first part of it. The second part is more towards, logging into Intune company portal from the Android for Work context and continuing the process of enrollment.
Work profile on Android devices will get created via Intune company portal enrollment. This will happen only for Android for Work supported devices. If you have a device that is not supported for Android for Work by Google then the enrollment won’t create a work profile etc… it will be normal enrollment.
How to enroll devices to Android for Work How to sync Google play for Work app store with Intune How to create a work profile for Android devices How to complete configuration task to support Android for Work with Intune
Beginners Guide Intune Android for Work Google Play for Work Setup Endpoint Manager | MEM?
Author
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…
Intune RBAC roles and permissions in Intune Admin Center Portal are explained in this post. We will discuss the access rights of the built-in Intune RBAC role called Configuration policy manager.
Ideally, this role should have access to Manage and deploy configuration settings and profiles depending on the scope. Before going into details, let me explain, what is the scope.
Intune RBAC (Role-Based Access Controls) is the workflow that helps organizations segregate the roles and responsibilities of different support teams by providing them with limited access to specific resources. “The users or devices that a specified person (the member) can manage.” If you are an SCCM admin, then the SCOPE option is already there in SCCM 2012 and CB console.
Granular control to delegate the permissions to Level 1, 2, and 3 Intune teams from different operating groups (entities/opcos). Limit assigned permissions of Intune admins to specific user or device groups. Control/Manage the view permissions of Intune objects using RBAC.
In this video, we will explain Intune RBAC Strategic Options | Role-Based Access Controls | Scope Groups | Intune Objects | Roles.
Intune RBAC Strategic options – Intune RBAC Roles Permissions in the Intune Admin Center Portal
What is Intune RBAC?
RBAC helps Intune Admins to control who can perform various Intune tasks within your enterprise. There are nine (9) built-in Intune roles (RBAC roles). The list of Intune RBAC built-in roles is updated in the table.
In this post, I will try to explain the access right of Intune’s default role called Configuration Policy Manager. I have created a user name Kaith in Azure Active Directory. This user is assigned to Configuration policy manager access and the scope is set to the group “All Bangalore Users”.
Intune configuration policy manager can access Assign, Create, Delete, Read, and Update profiles. However, we will go into deep dive to understand more details about the access rights for this role.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 1
Intune RBAC – Tired Hierarchy
Azure AD is the primary identity repository for Intune! The Intune Full Admin permissions – Azure AD.
Global Admin Role (Tier 1)
Intune Service Admin Role (Tier 2)
Intune RBAC Permissions – Intune Portal
Tier 3 Roles – App Admin, Helpdesk Admin, etc…
Updated Built-In Inutune RBAC Roles
Let’s check the built-in Intune RABC roles (endpoint manager roles) available in the MEM admin center portal.
Application Manager
Built-in Role
Endpoint Security Manager
Built-in Role
Read-Only Operator
Built-in Role
School Administrator
Built-in Role
Policy and Profile manager
Built-in Role
Help Desk Operator
Built-in Role
Intune Role Administrator
Built-in Role
Cloud PC Administrator
Built-in Role
Cloud PC Reader
Built-in Role
Intune RBAC Roles Permissions in the Intune Admin Center Portal Table 1
Endpoint Manager Roles
Let’s understand what are the different types of roles available within Intune RBAC workflow. There are built-in roles and custom roles. I have given examples of custom roles in the previous posts.
Assign administrators to Endpoint Manager Roles. Create and configure custom Endpoint Manager Roles. Allowed to edit the Intune Policy and Profile Manager.
Even the profile is ONLY deployed to out-of-scope users/groups. Intune Role-Based Access (RBA) rules don’t respect the scope of the editing profile.
This should be NOT allowed. Editing should be allowed only to those profiles which are assigned ONLY to Intune policy manager’s scope of users or devices (Intune policy manager = Kaith). Intune RBAC roles are still in development.
Access is denied to remove and add assignments to a profile that is already deployed to users who are not in the scope. Addition and removal of Assignments should be allowed if the admin is trying to deploy profiles to users in scope.
Access is denied to remove assignments to profiles that are targeted to the users or groups in scope. This should be allowed!
Allowed to delete all the profiles even if those profiles are targeted to out-of-scope users. This should NOT be allowed! If the profile is assigned only to in-scope users, then the deletion of the profile should be allowed.
Allowed to enable/disable certificate authority connector for SCEP or PFX profile deployment. Intune RBAC roles are still in development.
Login to MEM Admin Center (Intune).
Navigate to tenant admin -> Roles -> Endpoint Manager Roles.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 2
Intune RBAC Access rights – Application Manager
Allowed to remove assignments of applications that are already targeted to the users NOT in the scope of an Intune Application Manager. This should NOT be allowed. If it’s deployed/assigned to the users who are in scope, then removal of the assignment should be allowed.
Allowed to add assignments to the application, even if the user’s Intune application manager is targeting is out of scope for him/her. This should NOT be allowed. Assign administrators to Endpoint Manager Roles and Create and configure custom Endpoint Manager Roles.
The addition of assignment to the Application policy should be allowed only when the targeted users are within the scope of an Intune application manager.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 3
Intune RBAC – Endpoint Security Manager
Let’s discuss, Intune RBAC – Endpoint Security Manager. You can assign administrators to Endpoint Manager Roles. Create and configure custom Endpoint Manager Roles.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 4
Intune Read-Only Operator
Name – Read-Only Operator. Description – Read-Only Operators view user, device, enrollment, configuration, and application information and cannot make changes to Intune.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 5
Intune School Administrator
Name – School Administrator. Description – School Administrators can manage apps and settings for their groups. They can take remote actions on devices, including remotely locking them, restarting them, and retiring them from management.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 6
Intune RBAC – Help Desk Operator
Name – Help Desk Operator. Description – Help Desk Operators perform remote tasks on users and devices and can assign applications or policies to users or devices.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 7
Intune Role Administrator
Name – Intune Role Administrator. Description – Intune Role Administrators manage custom Intune roles and add assignments for built-in Intune roles. It is the only Intune role that can assign permissions to Administrators.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 8
Cloud PC Administrator
Name – Cloud PC Administrator. Description – Cloud PC Administrator has read and write access to all Cloud PC features located within the Cloud PC blade.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 9
Intune RBAC – Cloud PC Reader
Name – Cloud PC Reader. Description – Cloud PC Reader has read access to all Cloud PC features located within the Cloud PC blade.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 10
Video Tutorial – Intune RBAC Roles
A more detailed explanation is in the above Youtube video or you can click here.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Video
Overall Access Rights of Intune tiles
Allowed to perform some administrative activities in configuring devices, and Setting device compliance tiles. Allowed to view details about users and groups in managing users’ tile.
Access is denied to perform any activities in Manage Apps, Conditional Access, Device Enrollment, Device and Groups, and Access control tiles.
Allowed to view objects in the Manage Users tile – Users and Groups.
Access is denied to create/delete new/existing groups. It doesn’t matter Intune policy manager is editing the groups which are in SCOPE or not.
Access is denied to change device and user settings in the Manage user tile.
Access is denied to Intune Silverlight console.
Intune administrator Role permissions
Let’s check Intune administrator Role permissions from the following table.
Read basic properties on all resources in the Microsoft 365 admin center
Table 2 – Intune RBAC Intune RBAC Roles Permissions in the Intune Admin Center Portal Table 2
Read, Delete, Wipe, Assign, Create, and Update are Inutne permissions can be assigned for each Intune objects.
Admin Groups – Admin group users are the administrators assigned to this role Scope Groups – Administrators in this role assignment can target policies, applications, and remote tasks to Azure AD Device/User Groups Scope tags – Who all can view this RBAC Role
41 Intune Objects List
Let’s check the list of 41 Intune Objects from Intune RBAC perspective.
Android FOTA Android for work Audit data Certificate Connector Chrome Enterprise (preview) Cloud attached devices Corporate device identifiers Customization Derived Credentials Device compliance policies Device configurations Device enrollment managers Endpoint Analytics Endpoint protection reports Enrollment programs Filters Intune data warehouse Managed Device Cleanup Settings Managed Google Play Managed apps Managed devices Microsoft Defender ATP Microsoft Store For Business Microsoft Tunnel Gateway Mobile Threat Defense Mobile apps Multi Admin Approval Organization Organizational Messages Partner Device Management Policy Sets Quiet Time policies Remote Help app Remote assistance connectors Remote tasks Roles Security baselines Security tasks Telecom expenses Terms and conditions Windows Enterprise Certificate
References:-
Assigning administrator roles in Azure Active Directory – here
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…
Now, Microsoft Graph API is the buzzword. How to use Microsoft Graph API to fetch the details from Azure Active Directory (Azure AD/AAD) and Microsoft Intune? And a list of Intune PowerShell Scripts samples. I’m not going to provide any Graph API scripts to fetch details in this post.
APIs have always been an alien term for me. Rest API was everywhere and now it’s Graph API. Have you ever tried Facebook Graph API? So the entire industry is taking the path of Graph API!
In this post, I would like to help by providing basic details of the Microsoft Graph API. How to start using Graph API graphically (Not programmatically) and how Graph API would be helpful for IT Pros in their day-to-day life. Microsoft Intune admins can analyze the details of a device or user from Graph API.
We can get only limited details of objects from the Azure AD portal, however, loads of details can be fetched from Graph API via Web browsers. You can perform all the GET and other supported operations from the following URL. Remember to sign in to thetenant.
Latest video on Intune Graph
Launch Microsoft Graph – URL –-> https://graph.microsoft.io/en-us/graph-explorer
When you sign in for the first time you need to agree to provide the following permissions to Graph explorer. Click on Agree button to proceed further.
Intune PowerShell Scripts sample
There are two versions of Graph explorer available at the moment. Version 1.0 and Beta. I was having a hard time connecting to Graph API. It was ok when I wanted to retrieve my user information. But when I tried to fetch the details for the entire tenant, it was asked to agree or accept new Admin consent as you can see in the following paragraph.
This query requires additional permissions. If you are an administrator, you can click here to grant them on behalf of your entire organization. Or, you can try the same request against your own tenant by creating a free Office 365 developer account.
When I tried to click on the “HERE” button to accept the consent, it was giving me an odd error as follows:- “AADSTS90002: No service namespace named ‘organizations’ was found in the data store.” Ryan and Panu helped me to get rid of this error mentioned above. To accept this admin consent, you don’t have to create any manual applications or run any PowerShell scripts! It’s out of the box set now in your enterprise applications blade in the Azure console.
Intune PowerShell Scripts sample
Following are some of the samples of graph API GET queries to retrieve details from Intune and Azure Active Directory (AAD). The other 3 types of actions are possible with Graph API and those are POST, PATCH, and DELETE.
https://graph.microsoft.com/beta/users/[email protected]/ownedDeviceshttps://graph.microsoft.com/beta/deviceAppManagement/mobileAppshttps://graph.microsoft.com/beta/users/https://graph.microsoft.com/beta/applications Following is some of the extracts of device management mobile app.
WhatsApp is one of the applications “https://graph.microsoft.com/beta/deviceAppManagement/mobileApps“. Similarly, we can retrieve the owned devices of a user and the status of a device through Graph API GET commands. Some of these details are only available ONLY through Graph API. This will great help for Intune admins at the time of troubleshooting issues.
Intune PowerShell Scripts sample
cache-control: private content-type: application/json;odata.metadata=minimal;odata.streaming=true; request-id: 604557b1-409b-4749-8w32d-d754844b2181 client-request-id: 6se357b1-409b-4349-864d-d754844b2181 Status Code: 200 { “@odata.context”: “https://graph.microsoft.com/beta/$metadata#deviceAppManagement/mobileApps”, “value”: [ { “@odata.type”: “#microsoft.graph.iosStoreApp”, “id”: “ab8a5364-887d-44e7-a6cd-9684d2f279c3”, “displayName”: “WhatsApp Messenger”, “description”: “WhatsApp Messenger is a FREE messaging app available for iPhone and other smartphones. WhatsApp uses your phone’s Internet connection (4G/3G/2G/EDGE or Wi-Fi, as available) to let you message and call friends and family. Switch from SMS to WhatsApp to send and receive messages, calls, photos, videos, and Voice Messages. \n\nWHY USE WHATSAPP: \n\n• NO FEES: WhatsApp uses your phone’s “publisher”: “WhatsApp Inc.”, “largeIcon”: null, “createdDateTime”: “2017-01-22T06:40:24.696692Z”, “lastModifiedDateTime”: “2017-01-22T06:40:24.696692Z”, “isFeatured”: false, “privacyInformationUrl”: null, “informationUrl”: null, “owner”: “”, “developer”: “”, “notes”: “”, “uploadState”: 1, “installSummary”: null, “bundleId”: “net.whatsapp.WhatsApp”, “appStoreUrl”: “https://itunes.apple.com/us/app/whatsapp-messenger/id310633997?mt=8&uo=4”, “applicableDeviceType”: { “iPad”: false, “iPhoneAndIPod”: true }, “minimumSupportedOperatingSystem”: { “v8_0”: true, “v9_0”: false, “v10_0”: false } },
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…
How to Organize Endpoint Manager Portal Neat Clean for Intune Activities? MEM portal is a one-stop-shop for all the services in the Microsoft cloud. When a user logins to a MEM portal for the first time, he/she can see all these services which are already selected as favorite services by default.
The selection of favorite services in the MEM portal for individual users is not based on the user’s profile or access rights of the user. This is not really good for new users in Intune portal. They will struggle to find out their role-related services.
Video
A more detailed explanation is in the above video or you can click here
How to Organize Endpoint Manager Portal Neat Clean for Intune Activities
For example, you are an Intune admin and you have only access to Intune and Azure AD users and groups. But if you log into the MEM portal you will see all loads of services that make no sense to you at all. You will also find it really messy and I’m sure you will get lost in the portal until you find the search button or Intune services.
How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune
Don’t worry there is a very friendly search option available in the Azure portal. If you are Intune admin then you can just click on more services and type “Intune” in the search menu. You can see 2 Intune services one is for Intune (MDM) and the second one is for Intune App Protection (MAM without enrollment).
How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune
To keep your Azure portal well organized, you need to spend only 2-3 minutes when you log in to the portal for the first time. What do we need to do to get neatly organized Azure portal? You log in to the Azure portal and click on the more services button, then remove the services which are not relevant to you.
For example, Intune admins don’t have anything to do with “Virtual Machines” hence you can remove Virtual machine service from your favorite menu. So this will help you to get rid of the Virtual machine shortcut from the left side menu of the MEM portal.
How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune
END Result:- Clean and Tidy Azure portal for Intune Admins. Remove all the services from the Azure portal except Azure Active Directory, Users and Groups, Intune, and Intune protection services.
How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune
Author
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune? In the previous posthere, you might have seen the basic process to create Azure AD dynamic user and device groups along with the explanations about the syntax of the queries/rules.
I have a feeling that we will also get some performance issues with Azure AD dynamic groups when we don’t design our queries properly. This is similar to performance issues with dynamic collections with bad WQL queries and SCCM admins are very familiar with this kind of performance issue.
In this post, we will see how can we create dynamic device groups for Windows devices with the “Device Ownership” attribute in the Azure AD. This attribute is populated only when the devices are enrolled through MDM and if I understand correctly “Device Ownership” attribute is populated by Intune in this case.
So if this attribute is not getting populated then you need to make sure that the device is correctly enrolled to Intune or not. Because some of these types of attributes are available only when the Intune portal is migrated to Azure. If you are still using Intune Silverlight portal, you may need to wait for your Intune migration to complete.
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune
Following are the Advanced membership rules which you can use to create Azure AD, and dynamic Device groups, to segregate BYOD and CYOD devices!All Windows CYOD Devices Query for Azure Active Directory (device.deviceOwnership -contains “company”) -and (device.deviceOSType -contains “Windows”)
All Windows BYOD Devices Query for Azure Active Directory
All BYOD Devices Query for Azure Active Directory (device.deviceOwnership -contains “Personal”) All CYOD Devices Query for Azure Active Directory (device.deviceOwnership -contains “Company”)
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune
Auditing of Azure Active Directory Dynamic groups is very important from ops teams’ perspective. These auditing options are available in the new Azure portal and it’s very useful to track the changes of a particular Azure AD dynamic group. As you can see in the below table ACTOR is the one who performed the activity on that group. For example, when I created this group “Microsoft Approval Management” (probably an AAD automated process in the background) added 2 devices to the device group.
Date
Actor
Activity
Target(s)
3/2/2017, 1:42:18 PM
Microsoft Approval Management
Add member to group
Device : DESKTOP-FOSD7L3, Group : All Windows CYOD Devices
3/2/2017, 1:42:18 PM
Microsoft Approval Management
Add member to group
Device : DESKTOP-IIRCSUV, Group : All Windows CYOD Devices
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune
So, it’s recommended to look at the best practices when we create dynamic device or user groups in Azure Active Directory. You may not see the performance issues with AAD dynamic groups at the time of testing or POC but when you migrate all the users into Azure AD then this could surely impact.
Personally, I always try to use -eq rather than using -contains in the AAD dynamic rules but it’s not always possible to use -eq! How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune?
Reference:-
Using attributes to create advanced rules for group membership in Azure AD – here
Author
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…
