Microsoft Intune: Allow basic device read permissions
Last week I was asked to give several users who have access to Intune read access to the enrolled devices. At first, I went with the easy approach of assigning those users the Azure Security Reader role.
The InfoSec team didn't like that at all: they said it grants far too many permissions. So, apparently, you can grant Intune-only permissions (in particular the device read option) via the following steps:
1. Log in to the MS Intune Admin Center
2. On the menu on the left, click on Tenant Administration > Roles
3. Click on Create > Intune Role
4. Name it > Next
5. In the permissions choose the following options:
   - Device Configuration > Read > Yes
   - Manage Devices > Read > Yes
6. Hit Next > Add tags if needed > Finish
7. Add permissions: create an Azure AD or on-prem AD security group (wait for it to sync). Click on the new custom role and, under Assignments, choose the relevant group or groups.
That's it: the users from those groups now have limited, read-only access to the enrolled devices' information.
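The same role can be created and assigned from Microsoft Graph PowerShell, which is handy when you want the definition in source control and a repeatable check that nothing beyond the two read actions slipped in. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, the caller is an Intune administrator, the resource action names match the Graph `deviceManagement/roleDefinitions` endpoint (verify against your tenant), and `$GroupId` is a placeholder for the security group's object ID.

```powershell
# Added example (not from the original post): build the read-only Intune role via Graph.
# Assumptions: Microsoft.Graph module installed; caller is an Intune admin;
# $GroupId is a placeholder object ID for the device-readers security group.
Connect-MgGraph -Scopes "DeviceManagementRBAC.ReadWrite.All"

$GroupId = "<object-id-of-device-readers-group>"   # placeholder, replace before running

# Only the two read actions the post selects: Device Configuration > Read, Manage Devices > Read
$roleBody = @{
    "@odata.type"   = "#microsoft.graph.roleDefinition"
    displayName     = "Intune Device Readers"
    description     = "Read-only view of enrolled devices and device configuration"
    isBuiltIn       = $false
    rolePermissions = @(
        @{
            resourceActions = @(
                @{
                    allowedResourceActions    = @(
                        "Microsoft.Intune_DeviceConfigurations_Read",
                        "Microsoft.Intune_ManagedDevices_Read"
                    )
                    notAllowedResourceActions = @()
                }
            )
        }
    )
}
$role = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions" `
    -Body ($roleBody | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Least-privilege check: read the role back from the tenant and fail loudly
# if anything other than a *_Read action was granted.
$created = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions/$($role.id)"
$granted = $created.rolePermissions.resourceActions.allowedResourceActions
$nonRead = $granted | Where-Object { $_ -notlike "*_Read" }
if ($nonRead) { throw "Role grants non-read actions: $($nonRead -join ', ')" }

# Step 7 of the post: assign the role to the security group.
# members = who receives the role; resourceScopes = which objects they may see.
$assignmentBody = @{
    "@odata.type"               = "#microsoft.graph.deviceAndAppManagementRoleAssignment"
    displayName                 = "Intune Device Readers - assignment"
    "roleDefinition@odata.bind" = "https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions/$($role.id)"
    members                     = @($GroupId)
    resourceScopes              = @($GroupId)   # widen to the device owners' groups as required
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/roleAssignments" `
    -Body ($assignmentBody | ConvertTo-Json -Depth 10) -ContentType "application/json"
```

Running the read-back check on an existing custom role (skip the POST and GET it by ID) is a quick way to audit roles that were built by hand in the admin center.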