How To Create A Custom Role In Intune

In large organizations, multiple IT teams often work on different projects that require specific levels of access. Granting Global Administrator or Intune Service Administrator rights to everyone is unnecessary and a significant security risk: every holder of those roles can change any setting in the tenant, not just the tasks they actually perform.

Microsoft Intune provides Role-Based Access Control (RBAC), allowing us to create custom roles with granular permissions. In this tutorial, we will create a custom Intune role specifically for the Help Desk, enabling them to Wipe and Sync devices without granting full administrative control.

Step 1: Accessing Intune Roles

1. Log in to the Microsoft Endpoint Manager admin center at endpoint.microsoft.com.

2. Navigate to Tenant administration > Roles.

[Screenshot: Tenant administration navigation]

Step 2: Create a New Custom Role

1. Select All roles and click on + Create.

[Screenshot: Create Intune custom role]

2. On the Basics page, enter a Name (e.g., Help Desk - Wipe and Sync) and an optional description.

[Screenshot: Role Basics]

Step 3: Configure Permissions

Now select the specific permissions for this role. Pick only the actions the Help Desk actually needs; for this scenario we will assign:

  • Remote tasks: Wipe
  • Remote tasks: Sync devices

[Screenshot: Custom permissions]

Click Next. You can assign Scope Tags if your organization uses them to limit which objects this role can see.

Step 4: Role Assignment

Creating the role is only half the work. A role definition grants nothing until it is assigned, so you must now assign it to the IT Staff group:

1. Select the newly created role and click on Assignments > + Assign.

[Screenshot: Intune role assignment]

2. Enter an assignment name and select the Admin Group (the group containing your Help Desk members).

3. Select the Scope Group: you can select a specific group of devices they are allowed to manage, or select "All Users/All Devices" to grant the rights across the entire tenant. A narrower scope group keeps the Wipe permission away from devices the Help Desk has no business touching.

[Screenshot: Intune scope group]

Success! Review the settings and click Create. Your Help Desk team now has a dedicated custom role to manage basic device tasks securely.
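The same role definition and assignment can be expressed as Microsoft Graph request bodies, which is useful for keeping the role under version control and for auditing it later. The following is an added example written for this tutorial, not code from the original page or from Microsoft; the resource action names, the Graph endpoint and scopeType values, and the group IDs are assumptions (placeholders) and should be checked against an exported built-in role in your tenant.

```python
"""Graph request bodies mirroring the portal steps, plus a least-privilege check.

Assumptions (not from the tutorial): the Intune RBAC action names below, the
beta deviceManagement endpoints, and the scopeType enum values.
"""
import json

GRAPH = "https://graph.microsoft.com/beta/deviceManagement"  # assumed endpoint

# Resource actions matching "Remote tasks: Wipe" and "Remote tasks: Sync devices"
# in the portal (names assumed from Intune RBAC role exports).
HELP_DESK_ACTIONS = [
    "Microsoft.Intune_RemoteTasks_Wipe",
    "Microsoft.Intune_RemoteTasks_SyncDevice",
]


def role_definition_body(name, description, actions):
    """Body for POST {GRAPH}/roleDefinitions: a custom role granting only `actions`."""
    return {
        "@odata.type": "#microsoft.graph.roleDefinition",
        "displayName": name,
        "description": description,
        "isBuiltIn": False,
        "rolePermissions": [{"resourceActions": [
            {"allowedResourceActions": list(actions), "notAllowedResourceActions": []}
        ]}],
    }


def role_assignment_body(name, role_definition_id, admin_group_ids, scope_group_ids=None):
    """Body for POST {GRAPH}/roleAssignments (Step 4).

    `admin_group_ids` is the Admin Group (who gets the role); `scope_group_ids`
    is the Scope Group (which devices/users they may act on). Omitting the scope
    group is the tutorial's "All Users/All Devices" choice (scopeType assumed).
    """
    body = {
        "@odata.type": "#microsoft.graph.deviceAndAppManagementRoleAssignment",
        "displayName": name,
        "roleDefinition@odata.bind": f"{GRAPH}/roleDefinitions/{role_definition_id}",
        "members": list(admin_group_ids),
    }
    if scope_group_ids:
        body["scopeType"], body["scopeMembers"] = "resourceScope", list(scope_group_ids)
    else:
        body["scopeType"] = "allDevicesAndLicensedUsers"
    return body


def excess_permissions(role_definition, allowed):
    """Audit helper: actions in a (possibly exported) role definition beyond `allowed`."""
    granted = set()
    for perm in role_definition.get("rolePermissions", []):
        for ra in perm.get("resourceActions", []):
            granted.update(ra.get("allowedResourceActions", []))
    return sorted(granted - set(allowed))


if __name__ == "__main__":
    role = role_definition_body("Help Desk - Wipe and Sync", "Wipe and sync only", HELP_DESK_ACTIONS)
    print(json.dumps(role, indent=2))
    # Placeholder IDs; replace with your Admin Group and Scope Group object IDs.
    print(json.dumps(role_assignment_body("Help Desk assignment", "<ROLE_DEFINITION_ID>",
                                          ["<ADMIN_GROUP_ID>"], ["<SCOPE_GROUP_ID>"]), indent=2))
```

Re-running excess_permissions against a role definition exported from Graph is a quick way to detect if someone later widened the Help Desk role beyond wipe and sync.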