---
title: Intune Administrator
description: Intune Administrator
ms.topic: include
ms.date: 01/26/2026
ms.custom: include file
---

This is a privileged role. Users with this role have global permissions within Microsoft Intune Online, when the service is present. Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as create and manage groups. For more information, see Role-based administration control (RBAC) with Microsoft Intune.

This role can create and manage all security groups. However, Intune Administrator does not have admin rights over Microsoft 365 groups. That means the admin cannot update owners or memberships of all Microsoft 365 groups in the organization. The admin can, however, manage any Microsoft 365 group that they create, which is part of their end-user privileges. So, any Microsoft 365 group (not security group) that they create counts against their quota of 250.

> [!NOTE]
> In the Microsoft Graph API and Microsoft Graph PowerShell, this role is named Intune Service Administrator. In the Azure portal, it is named Intune Administrator.

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
> | microsoft.cloudPC/allEntities/allProperties/allTasks | Manage all aspects of Windows 365 |
> | microsoft.directory/bitlockerKeys/key/read | Read BitLocker metadata and key on devices (privileged) |
> | microsoft.directory/contacts/basic/update | Update basic properties on contacts |
> | microsoft.directory/contacts/create | Create contacts |
> | microsoft.directory/contacts/delete | Delete contacts |
> | microsoft.directory/deletedItems.devices/delete | Permanently delete devices, which can no longer be restored |
> | microsoft.directory/deletedItems.devices/restore | Restore soft deleted devices to original state |
> | microsoft.directory/deviceLocalCredentials/password/read | Read all properties of the backed up local administrator account credentials for Microsoft Entra joined devices, including the password |
> | microsoft.directory/deviceManagementPolicies/standard/read | Read standard properties on mobile device management and mobile app management policies |
> | microsoft.directory/deviceRegistrationPolicy/standard/read | Read standard properties on device registration policies |
> | microsoft.directory/devices/basic/update | Update basic properties on devices |
> | microsoft.directory/devices/create | Create devices (enroll in Microsoft Entra ID) |
> | microsoft.directory/devices/delete | Delete devices from Microsoft Entra ID |
> | microsoft.directory/devices/disable | Disable devices in Microsoft Entra ID |
> | microsoft.directory/devices/enable | Enable devices in Microsoft Entra ID |
> | microsoft.directory/devices/extensionAttributeSet1/update | Update the extensionAttribute1 to extensionAttribute5 properties on devices |
> | microsoft.directory/devices/extensionAttributeSet2/update | Update the extensionAttribute6 to extensionAttribute10 properties on devices |
> | microsoft.directory/devices/extensionAttributeSet3/update | Update the extensionAttribute11 to extensionAttribute15 properties on devices |
> | microsoft.directory/devices/registeredOwners/update | Update registered owners of devices |
> | microsoft.directory/devices/registeredUsers/update | Update registered users of devices |
> | microsoft.directory/groups.security/assignedLabels/update | Update the assigned labels property on Security groups of assigned membership type, excluding role-assignable groups |
> | microsoft.directory/groups.security/basic/update | Update basic properties on Security groups, excluding role-assignable groups |
> | microsoft.directory/groups.security/classification/update | Update the classification property on Security groups, excluding role-assignable groups |
> | microsoft.directory/groups.security/create | Create Security groups, excluding role-assignable groups |
> | microsoft.directory/groups.security/delete | Delete Security groups, excluding role-assignable groups |
> | microsoft.directory/groups.security/dynamicMembershipRule/update | Update the dynamic membership rule on Security groups, excluding role-assignable groups |
> | microsoft.directory/groups.security/members/update | Update members of Security groups, excluding role-assignable groups |
> | microsoft.directory/groups.security/owners/update | Update owners of Security groups, excluding role-assignable groups |
> | microsoft.directory/groups.security/visibility/update | Update the visibility property on Security groups, excluding role-assignable groups |
> | microsoft.directory/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups |
> | microsoft.directory/users/basic/update | Update basic properties on users |
> | microsoft.directory/users/manager/update | Update manager for users |
> | microsoft.directory/users/photo/update | Update photo of users |
> | microsoft.intune/allEntities/allTasks | Manage all aspects of Microsoft Intune |
> | microsoft.office365.organizationalMessages/allEntities/allProperties/read | Read all aspects of Microsoft 365 Organizational Messages |
> | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
> | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |