Custom Role Permissions Category explanations
Admin tasks
Works as a centralized dashboard for operational tasks from multiple Intune features. It gives the ability to quickly view and act on task without having to navigate to multiple sections of the Intune portal.
Summary Table
|
Permission Category
|
What It Controls
|
Notes
|
|
Admin Tasks
|
Ability to view and act on tasks in the Admin Tasks node
|
Only shows tasks the admin already has underlying permissions for
|
|
Endpoint Privilege Management
|
Elevation request actions
|
Required for EPM tasks to appear
|
|
Defender Security Tasks
|
Security task visibility and actions
|
Required for Defender tasks to appear
|
|
Multi‑Admin Approval
|
Approval workflow actions
|
Required for MAA tasks to appear
|
Android Enterprise
Controls what an Intune admin can see or do specifically for Android Enterprise – managed devices and configurations. Allows access to enrollment modes, device management, configurations, Managed Google Play apps, etc.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Enrollment
|
AE enrollment settings, tokens, bindings
|
Often paired with Enrollment permissions
|
|
Device Management
|
View/manage Android Enterprise devices
|
Actions depend on Device permissions
|
|
Configuration
|
AE configuration profiles
|
Requires Device Configuration category
|
|
Compliance
|
AE compliance policies
|
Requires Compliance category
|
|
Apps
|
Managed Google Play apps
|
Requires Apps category
|
Android FOTA
Controls what an Intune admin can see or do specifically for Android FOTA – managed devices and configurations. Allows access to enrollment modes, device management, configurations, policies, etc.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View FOTA policies and device update status
|
Useful for helpdesk
|
|
Write
|
Create/edit FOTA policies
|
Requires Device Configuration permissions
|
|
Assign
|
Assign policies to groups
|
Requires Assign permissions
|
|
Execute
|
Trigger or schedule updates
|
OEM‑dependent; requires Device permissions
|
App Control for Business
Controls weather an admin can interact with ACfB policies that control which application are allowed to run on Windows devices (is Intune’s modern, cloud-managed evolution of Windows Defender Application Control (WDAC)).
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View ACfB policies and device status
|
Useful for helpdesk/security monitoring
|
|
Write
|
Create/edit ACfB policies
|
Requires Device Configuration permissions
|
|
Assign
|
Assign policies to groups
|
Needed for rollout and enforcement
|
|
Manage
|
Approve apps, review blocks, manage exceptions
|
Requires Device permissions
|
Attack Surface Reduction
ASR is part of Microsoft’s Defender’s security stack. Its policies reduce exposure to malware by blocking or auditing behaviors commonly use in attacks. Intune manages ASR through Endpoint Security policies, specifically Attack Surface Reduction profiles.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View ASR policies and device status
|
Useful for helpdesk/security monitoring
|
|
Write
|
Create/edit ASR policies
|
Requires Endpoint Security + Device Configuration
|
|
Assign
|
Assign policies to groups
|
Needed for rollout and enforcement
|
|
Monitor
|
Review ASR events and impact
|
Requires Defender integration
|
Audit data
Controls access to Intune’s audit logs. These logs are essential for compliance, security investigations, and change tracking.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View Intune audit logs
|
Sensitive; often restricted
|
|
Export
|
Download audit logs
|
Useful for SIEM or compliance
|
|
Search/Filter
|
Investigate changes
|
Helps with troubleshooting
|
|
No Write
|
Cannot modify anything
|
Purely observational
|
Certificate Connector
Controls who has access to the Intune Certificate Connectors that integrate Intune with your on-premises certificate infrastructure (SCEP, PKCS, etc.).
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View connector status, health, version
|
Safe for monitoring roles
|
|
Write/Manage
|
Configure, refresh, remove connectors
|
Sensitive; usually PKI/Intune engineers
|
|
Monitor
|
View alerts, troubleshoot failures
|
Useful for security and support teams
|
Chrome Enterprise
Controls who can interact with ChromeOS devices and the Chrom Enterprise connector that links Google Admin Console with Microsoft Intune.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View ChromeOS devices and connector status
|
Safe for monitoring roles
|
|
Write/Manage
|
Configure or delete the Chrome Enterprise connector
|
Sensitive; usually infra teams
|
|
Device Actions
|
Restart, wipe, lost mode, deprovision
|
Requires Device permissions
|
|
Sync
|
Trigger ChromeOS device sync
|
Requires connector to be configured
|
Cloud PKI
Controls the Microsoft Cloud PKI Certificate Authorities (CAs), certificate profiles, and certificate lifecycle operations within Intune. Microsoft Cloud PKI is a fully cloud-based PKI service that issues certificates for Intune managed devices without requiring on-premises servers or connectors
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View Cloud PKI CAs, profiles, logs
|
Safe for monitoring roles
|
|
Write/Manage
|
Create/manage Cloud PKI CAs
|
Sensitive; usually PKI/Intune engineers
|
|
Profile Management
|
Create/assign certificate profiles
|
Requires Device Configuration permissions
|
|
Monitoring
|
Track certificate lifecycle & CA health
|
Useful for security & Zero Trust teams
|
Cloud attached devices
Controls what an Intune admin can see and do with tenant-attached Configuration Manager devices inside the Intune admin center. Tenant attach brings ConfigMgr devices into Intune so admins can perform actions on them.
Summary table
|
Read
|
View tenant‑attached devices, collections, inventory
|
Safe for helpdesk roles
|
|
CMPivot
|
Run real‑time queries
|
Sensitive; Tier‑2/3 or SOC
|
|
Scripts
|
Run PowerShell scripts on devices
|
Highly sensitive
|
|
Client Actions
|
Trigger ConfigMgr client operations
|
Useful for troubleshooting
|
|
Collections
|
View collections
|
Read‑only from Intune
|
Corporate device identifiers
Controls who can interact with hardware identifiers that Intune uses to automatically mark devices as corporate during enrollment (IMEI, Serial #s, Android Enterprise enrollment identifiers, Windows Autopilot-style identifiers, etc.). Is essential to knowing if a device is corporate-owned or personally-owned.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View identifiers and match status
|
Safe for helpdesk roles
|
|
Write
|
Add identifiers (CSV or manual)
|
Used for pre‑registration
|
|
Manage
|
Edit or delete identifiers
|
Sensitive; affects enrollment classification
|
|
Classification
|
Determines corporate vs. personal
|
Impacts compliance, CA, and app policies
|
Customization
Controls access to the Tenant Administration – Customization area in Intune. Configuration of branding, support information, and end-user experience settings live here (Company Portal, Intune web portal, Intune admin center branding, Device enrollment experience branding, etc.).
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Branding
|
Logos, colors, themes
|
Affects Company Portal & enrollment
|
|
Support Info
|
IT contact details
|
Useful for helpdesk teams
|
|
Enrollment UX
|
Instructions, privacy messages
|
Impacts onboarding
|
|
Company Portal
|
App visibility, categories
|
Influences user experience
|
|
Terms & Conditions
|
Create/assign T&Cs
|
Often used for compliance
|
|
Device Categories
|
Create/edit/delete categories
|
Used for targeting and reporting
|
|
Deployment Plans
Controls interactions with Windows Autopatch deployment plans in the Intune admin center (Windows quality updates, Windows feature updates, Microsoft 365 Apps updates, Driver and firmware updates, Rollout waves, Update cadence and scheduling, etc.).
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View deployment plans and rollout status
|
Safe for monitoring roles
|
|
Write/Manage
|
Create/edit deployment plans
|
Sensitive; affects update rollout
|
|
Assign
|
Target device groups with plans
|
Controls who gets updates
|
|
Rollout Control
|
Pause/resume/advance waves
|
High‑impact; usually senior engineers
|
Derived Credentials
Controls settings that allow Intune to issue derived credentials – certificates generated from a user’s smart card (PIV/CAC) for mobile device authentication. These are used when organizations require smart-card level authentication on mobile devices but cannot physically insert a smart card.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View issuer configuration and settings
|
Safe for monitoring roles
|
|
Write/Manage
|
Configure issuer, renewal, notifications
|
Sensitive; affects authentication
|
|
Lifecycle
|
Monitor/renew derived credentials
|
Important for PIV/CAC environments
|
|
Integration
|
Works with Wi‑Fi/VPN/email profiles
|
Requires Device Configuration permissions
|
|
Device compliance policies
Controls administrative access to all compliance=related objects in Intune. They define the minimum security posture a device must meet, such as OS version, encryption, password requirements, jailbreak/rood detections, etc.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View compliance policies & results
|
Safe for helpdesk roles
|
|
Write/Manage
|
Create/edit compliance policies
|
Sensitive; affects Conditional Access
|
|
Assign
|
Target groups with compliance policies
|
Controls who must meet requirements
|
|
Monitor
|
View compliance reports
|
Useful for security & support teams
|
Device configurations
Controls all configuration profiles in Intune, defining the settings, restrictions and capabilities applied to devices across all OS platforms.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View configuration profiles & settings
|
Safe for helpdesk roles
|
|
Write/Manage
|
Create/edit profiles
|
Highly sensitive; affects device behavior
|
|
Assign
|
Target groups with profiles
|
Controls rollout and scope
|
|
Monitor
|
View deployment status & conflicts
|
Essential for troubleshooting
|
Device enrollment messages
Controls custom messages that appear to users during the device enrollment process. Can be used to provide guidance, warnings, or compliance expectations during onboarding.
Summary table
|
Area
|
What it controls
|
Notes
|
|
Read
|
View enrollment messages
|
Safe for helpdesk roles
|
|
Write/Manage
|
Create/edit messages
|
Affects onboarding UX
|
|
Assign
|
Target messages to groups
|
Controls who sees what
|
|
Lifecycle
|
Enable/disable/retire messages
|
Useful for evolving onboarding processes
|
Endpoint Analytics
Controls all analytics-related data and features under Reports – Endpoint Analytics in the Intune admin center.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View analytics dashboards & device scores
|
Safe for helpdesk/reporting
|
|
Write/Manage
|
Configure analytics settings
|
Impacts data collection
|
|
Proactive Remediations
|
Create/assign remediation scripts
|
Powerful; Tier‑2/3 only
|
|
Monitoring
|
Track trends & export data
|
Useful for operations & leadership
|
Endpoint Detection and Response
Controls the EDR onboarding and integration settings that Intune uses to connect Windows, macOS, iOS, Android, and Linux devices to Microsoft Defender for Endpoint. Used to deploy Defender for Endpoint onboarding packages and manage EDR-related security postures.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View EDR policies & onboarding status
|
Safe for monitoring roles
|
|
Write/Manage
|
Create/edit onboarding policies
|
Sensitive; affects security posture
|
|
Assign
|
Target groups with EDR policies
|
Controls onboarding scope
|
|
Lifecycle
|
Offboard/update/monitor devices
|
Critical for SOC & security teams
|
Endpoint Privilege Management Elevation Requests
Controls elevation requests submitted by end users when they attempt to run an application with elevated privileges under Endpoint Privilege Management (EPM). EPM allows organizations to remove local admin rights while still enabling users to elevate approved apps on demand. When a user requests elevation for an app that requires approval, the request appears in Intune under Endpoint Security – Endpoint Privilege Management – Elevation Requests. The permissions in this category determine who can interact with those requests.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View elevation requests & details
|
Safe for audit/helpdesk
|
|
Approve/Deny
|
Act on elevation requests
|
High‑impact; least‑privilege critical
|
|
Lifecycle
|
Track, comment, revoke, export
|
Useful for SOC & engineering
|
|
Integration
|
Works with EPM policies
|
Needed for full least‑privilege workflows
|
Endpoint Privilege Management Policy Authoring
Controls the policies that define how Endpoint Privilege Management handles application elevation on Windows devices. Elevation Requests permissions govern approvals, Policy Authoring governs the rules themselves – the logic that determines which apps can elevate, under what conditions, and whether approval is required.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View EPM policies & rule sets
|
Safe for audit or oversight roles
|
|
Write/Manage
|
Create/edit elevation rules
|
Highly sensitive; defines least‑privilege model
|
|
Assign
|
Target groups with EPM policies
|
Controls rollout and scope
|
|
Lifecycle
|
Publish, retire, version policies
|
Critical for secure operations
|
Endpoint protection reports
Controls security related reporting data under Reports for the following – Microsoft Defender Antivirus, Endpoint security, Device protection, and Threats, detections, and protection status. These reports provide visibility into malware detections, antivirus status, protection configuration, and device security posture across the fleet. It is essential for security teams, SOC analysts, and administrators responsible for monitoring endpoint protection health.
Summary Table
|
Area
|
What it controls
|
Notes
|
|
Read
|
View antivirus & protection reports
|
Safe for SOC/helpdesk/audit
|
|
Export
|
Export CSVs for analysis
|
Useful for investigations
|
|
Monitoring
|
Track protection health & trends
|
Helps identify risky devices
|
|
Integration
|
Works with EDR, AV, compliance
|
Full picture of endpoint security
|
Enrollment programs
Controls the integrations between Intune and external device enrollment services – Apple Automated Device Enrollment (ADE, formerly DEP), Android Zero-Touch Enrollment, and Windows Autopilot. These integrations allow devices to be pre-registered so that when users turn them on, they automatically enroll into Intune with the correct configuration. This category is highly sensitive because it governs the supply-chain entry point for corporate devices.
Summary Table
|
Area
|
What it controls
|
Notes
|
|
Read
|
View ADE, Zero‑Touch, Autopilot data
|
Safe for audit/helpdesk
|
|
Manage tokens
|
Renew/upload ADE tokens, configure ZT
|
High‑impact; supply‑chain sensitive
|
|
Assign profiles
|
Autopilot/ADE/Zero‑Touch profiles
|
Controls OOBE and enrollment flow
|
|
Lifecycle
|
Sync, delete, reassign devices
|
Critical for provisioning teams
|
Filters
Is a powerful targeting mechanism that lets you include or exclude devices or apps based on properties like OS version, device type, manufacturer, enrollment type, and more. They refine policy and app targeting without needing extra Azure AD groups.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View filters & rules
|
Safe for audit/helpdesk
|
|
Write/Manage
|
Create/edit/delete filters
|
High‑impact; affects targeting
|
|
Assign
|
Attach filters to policies/apps
|
Controls scope of deployments
|
|
Advanced Rules
|
Complex logic (AND/OR)
|
Useful for engineering teams
|
|
Intune data warehouse
Exposes historical Intune data for reporting, analytics, and BI tools like Power BI. It is a small but important category because it governs access to tenant-wide historical data, not just what appears in the Intune admin center.
Summary Table
|
Capability
|
Description
|
Notes
|
|
Read Data Warehouse
|
Query historical Intune data via OData
|
Core permission
|
|
Authenticate to API
|
Allows user/app to connect to the endpoint
|
Required for Power BI, scripts
|
|
Export/Analyze Data
|
Build dashboards, reports, automation
|
Read-only
|
|
No Write Access
|
Cannot modify Intune data
|
Safe for auditors
|
Managed Device Cleanup Rules
Controls the automatic cleanup settings that determine when Intune removes devices that haven’t checked in for a specified number of days. These rules help keep your Intune tenant clean, reduce clutter, and prevent stale devices from affecting compliance, reporting and licensing.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View cleanup rule settings
|
Safe for audit/reporting
|
|
Write/Manage
|
Enable/disable rules, set inactivity days
|
High‑impact; affects device lifecycle
|
|
Lifecycle
|
Automatic removal of stale devices
|
Helps maintain clean inventory
|
Managed Device Cleanup Settings
Controls the tenant-wide settings that determine how Intune automatically removes inactive or stale devices. They define when Intune should automatically delete devices that haven’t checked in for a specified number of days. It is important for maintaining a clean, accurate device inventory and preventing stale devices from affecting compliance, reporting and licensing.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View cleanup settings
|
Safe for audit/reporting
|
|
Write/Manage
|
Enable/disable cleanup, set inactivity days
|
High‑impact; affects device lifecycle
|
|
Lifecycle
|
Automatic removal of stale devices
|
Helps maintain clean inventory
|
Managed Google Play
Controls apps and configurations that come from Managed Google Play, the enterprise version of the Google Play Store used by Android Enterprise. This governs the administrative bridge between Intune and Google’s enterprise app ecosystem.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View Managed Google Play apps & sync status
|
Safe for audit/helpdesk
|
|
Approve/Sync
|
Approve apps, sync metadata
|
Core for Android Enterprise
|
|
Private Apps
|
Publish internal Android apps
|
Sensitive; developer workflows
|
|
Web Apps
|
Create/publish web apps
|
Useful for SaaS/internal portals
|
|
Availability
|
Control what users see in the Play Store
|
High‑impact for user experience
|
Managed apps
Controls all App Protection Policies (APP) and Mobile Application Management (MAM) settings in Intune. They apply at the appl level, not the device level, and are used to protect corporate data on BYOD devices (iOS/Android), Unmanaged devices, Managed devices (when using MAM-WE) and Apps integrated with the Intune SDK or App Protection Framework. This is essential for organizations implementing data loss prevention (DLP) and Zero Trust for mobile apps.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View app protection policies
|
Safe for audit/helpdesk
|
|
Write/Manage
|
Create/edit MAM/APP policies
|
High‑impact; affects data security
|
|
Assign
|
Target policies to users/apps
|
Controls who gets protection
|
|
App Config (MAM)
|
Configure app‑level settings
|
Essential for BYOD
|
Managed devices
Controls who can interact with devices enrolled in Intune. They apply to Windows, macOS, iOS/iPadOS, Android (including Android Enterprise) and Linux. It is central to day-to-day device administration and is often used to define helpdesk, Tier-2 and endpoint engineering roles.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View device inventory & details
|
Safe for helpdesk
|
|
Manage
|
Wipe, retire, restart, lock, sync
|
High‑impact; affects user devices
|
|
Lifecycle
|
Delete, reassign, categorize devices
|
Important for operations
|
|
Troubleshooting
|
View policy status, conflicts
|
Essential for engineering teams
|
Microsoft Defender ATP
Controls integration between Intune and Defender for Endpoint, including onboarding devices, enforcing threat-based compliance, and monitoring device risk. It is essential for organizations using Intune + MDE as part of their endpoint security and Zero Trust posture.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View MDE integration, risk levels, onboarding status
|
Safe for SOC/helpdesk
|
|
Write/Manage
|
Create/edit onboarding/offboarding policies
|
High‑impact; affects EDR onboarding
|
|
Assign
|
Target MDE policies to device groups
|
Controls onboarding scope
|
|
Threat‑based Compliance
|
Enforce access based on device risk
|
Core to Zero Trust
|
|
Monitoring
|
View threats, risk, remediation
|
Essential for security teams
|
Microsoft Store for Business
Controls apps that come from the legacy Microsoft Store for Business integration. Historically, MSfB allowed organizations to acquire free or paid Windows apps, assign apps to users or devices, sync apps into Intune for deployment, and manage private line-of-business apps published through MSfB. MSfB is retired, but this category still applies to tenants that previously synced MSfB apps, legacy store apps still present in Intune, and admins who need to manage or clean up old store content.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View MSfB apps & sync status
|
Safe for audit/helpdesk
|
|
Sync
|
Trigger Store app sync
|
Legacy but still functional in some tenants
|
|
Manage Apps
|
Delete, update, assign Store apps
|
Important for cleanup
|
|
Connector Management
|
View/remove MSfB connector
|
Needed for retirement workflows
|
Microsoft Tunnel Gateway
Controls all components of the Microsoft Intune Tunnel infrastructure. Microsoft Tunnel provides a modern, secure VPN for iOS, Android and Linux clients; per-app VPN; conditional access-aware secure access; integration with Microsoft Entra ID and a self-hosted gateway running on Linux. This category governs the administrative interface for the Tunnel service inside Intune.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View Tunnel sites, servers, profiles
|
Safe for monitoring
|
|
Write/Manage
|
Create/edit Tunnel sites & servers
|
High‑impact; affects VPN access
|
|
VPN Profiles
|
Create/edit per‑app and device VPN configs
|
Core to Tunnel functionality
|
|
Assignments
|
Deploy VPN profiles to users/devices
|
Controls access scope
|
|
Monitoring
|
Logs, health, connection status
|
Essential for operations
|
Mobile Threat Defense
Controls mobile threat defense solutions connected to Intune. They provide real-time mobile threat detection (Malware, Network attacks, Phishing, Device compromise (root/jailbreak), suspicious apps, behavioral anomalies, etc.). MTD integrates with Intune (Microsoft Defender for Endpoint (iOS/Android), Lookout for Work, Zimperium zIPS, Pradeo, Symantec MTD, Check Point SandBlast Mobile, etc.).
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View MTD connectors, risk levels, threat data
|
Safe for SOC/helpdesk
|
|
Write/Manage
|
Configure connectors, tokens, integration
|
High‑impact; affects threat detection
|
|
App Deployment
|
Deploy MTD apps to devices
|
Required for threat reporting
|
|
Threat‑based Compliance
|
Enforce access based on risk
|
Core to Zero Trust
|
|
Monitoring
|
View threats, risk, remediation
|
Essential for security teams
|
Mobile apps
Controls administrative access to all app objects in Intune (Win32 apps, Microsoft Store apps, iOS/iPadOS apps, Android/Android Enterprise apps, macOS apps, Web apps, Line-of-business (LOB) apps, Store-integrated apps (Managed Google Play, VPP, etc.)). This is essential for app deployment teams, platform administrators, and anyone responsible for application lifecycle management.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View all apps & deployment status
|
Safe for audit/helpdesk
|
|
Write/Manage
|
Add/edit/delete apps
|
High‑impact; affects app catalog
|
|
Assignments
|
Deploy apps to users/devices
|
Controls who gets what
|
|
Lifecycle
|
Retire, supersede, update apps
|
Essential for app hygiene
|
|
Monitoring
|
Track install success/failure
|
Critical for operations
|
Multi Admin Approval
MAA is Intune’s built-in safeguard for preventing unauthorized or risky changes, similar in spirit to ‘two-person integrity’ or four-eyes approval’ models used in high-security environments. This is essential for Zero Trust administration and protecting against insider threats or compromised admin accounts.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View workflows, approvals, history
|
Safe for audit/compliance
|
|
Manage
|
Create/edit approval workflows
|
High‑impact; defines governance
|
|
Approve/Deny
|
Act on pending admin requests
|
Core operational function
|
|
Audit
|
Review approval logs
|
Essential for compliance
|
Operating System Recovery Configurations
Controls Windows OS recovery settings in Intune. These settings define how devices can recover, reset or restore their operating system using cloud-based or local recovery options. Especially needed for organizations using Windows Autopatch, Windows Autopilot reset, Cloud Recover/Cloud Reset, Push-button reset (PBR) and Self-service recovery options for end users.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View OS recovery policies
|
Safe for audit/helpdesk
|
|
Write/Manage
|
Create/edit recovery configurations
|
High‑impact; affects device restore behavior
|
|
Assignments
|
Target recovery policies to devices
|
Controls recovery capability scope
|
|
Lifecycle
|
Retire, update, validate policies
|
Essential for resilience planning
|
Organization
Controls global Intune tenant settings (branding, contact information, support details and certain tenant-wide behaviors). They appear in Tenant administration – Customization, Intune roles – Tenant-wide settings and Terms and conditions (as well as other global configuration areas). This category affect the identity, branding, and user-facing experience across the entire tenant.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View organization branding & settings
|
Safe for audit/helpdesk
|
|
Write/Manage
|
Edit branding, support info, T&C
|
High‑impact; affects all users
|
|
Customization
|
Company Portal look & feel
|
Important for user experience
|
|
Tenant‑wide UX
|
Enrollment & portal messaging
|
Affects onboarding and support
|
Organizational Messages
Controls messages sent to users through the Windows Organizational Messages platform. These messages allow IT and communication teams to deliver native, secure, non-email notifications to Windows 11 devices (Taskbar messages, Notification center messages, Get Started app messages, Lock screen messages, etc.). These messages are ideal for communicating security reminders, policy changes, outage notifications, training prompts, organizational announcements, and onboarding guidance.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View messages, templates, schedules
|
Safe for audit/helpdesk
|
|
Write/Manage
|
Create/edit message content
|
High‑impact; user‑facing
|
|
Assignments
|
Target messages to users/devices
|
Controls who sees what
|
|
Lifecycle
|
Publish, pause, retire messages
|
Essential for communications governance
|
Partner Device Management
Controls partner integrations that extend Intune’s device-management capabilities (Mobile Device Management partners, Mobile Application Management partners, Unified Endpoint Management partners, Security or compliance partners, and Telecom or carrier-based device management solutions.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View partner integrations & device data
|
Safe for audit/helpdesk
|
|
Write/Manage
|
Configure partner connections
|
High‑impact; affects external access
|
|
Partner Devices
|
View/manage partner‑managed devices
|
Depends on partner capabilities
|
|
Compliance Mapping
|
Use partner signals for compliance
|
Core to Zero Trust
|
|
Monitoring
|
Logs, sync status, troubleshooting
|
Essential for operations
|
Policy Sets
Controls can interact with Policy sets, a feature in Intune that lets you bundle multiple resources into a single, reusable deployment package (apps, app configuration policies, app protection (MAM) policies, device configuration profile, compliance policies, enrollment profiles, scripts, filters, terms and conditions, organizational messages, etc.). They are often used for role-based provisioning, device onboarding bundles, app + policy + configuration groupings, and standardized deployments for departments or personas.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View Policy Sets & contents
|
Safe for audit/helpdesk
|
|
Write/Manage
|
Create/edit Policy Sets
|
High‑impact; bundles many resources
|
|
Assignments
|
Deploy Policy Sets to groups
|
Controls who gets the bundle
|
|
Lifecycle
|
Publish, retire, duplicate
|
Essential for provisioning workflows
|
Quite Time policies
These policies allow organizations to silence work-related notifications from Microsoft apps during non-working hours on – iOS/iPadOS, Android, Microsoft Teams mobile, Outlook mobile, Other Microsoft 365 mobile apps that support Quiet Time. These policies help reduce after-hours interruptions, support work-life balance, and meet labor-law requirements in some regions.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View Quiet Time policies
|
Safe for HR/compliance/helpdesk
|
|
Write/Manage
|
Create/edit Quiet Time settings
|
High‑impact; affects notifications
|
|
Assignments
|
Target policies to users
|
Controls who gets Quiet Time
|
|
Lifecycle
|
Retire, duplicate, monitor
|
Important for wellbeing governance
|
Remote Help app
Remote help is used by support teams to remotely assist users, view or control a user’s screen, elevate to admin privileges (with user consent), troubleshoot devices securely, log and audit support sessions, etc. This category governs the administrative side of Remote Help – not the act of providing help itself.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View Remote Help settings & logs
|
Safe for audit/helpdesk
|
|
Write/Manage
|
Configure Remote Help behavior
|
High‑impact; affects remote access
|
|
Assignments
|
Define who can help or receive help
|
Core to support workflows
|
|
Monitoring
|
Audit sessions, elevation, activity
|
Essential for compliance
|
Remote assistance connectors
Controls integrations between Intune and external remote support solutions. They allow Intune to work with partner remote-assistance platforms (TeamViewer and other vendors that integrate through Intune’s connector model). This category governs the administrative interface for enabling, configuring, and monitoring these integrations.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View connector status & settings
|
Safe for audit/helpdesk
|
|
Write/Manage
|
Configure connectors & authentication
|
High‑impact; affects remote access
|
|
Assignments
|
Define who can use remote assistance
|
Core to support workflows
|
|
Monitoring
|
Logs, health, troubleshooting
|
Essential for operations
|
Remote tasks
Controls management of remote device actions from the Intune admin center. They allow administrators to remotely interact with devices for troubleshooting, security, and lifecycle management. They can apply across multiple platforms – Windows, macOS, iOS/iPadOS, and Android/Android Enterprise. This category is essential for helpdesk, Tier-2 support, and endpoint operations teams.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View remote actions & history
|
Safe for audit/helpdesk
|
|
Manage
|
Perform remote actions (wipe, lock, restart, sync)
|
High‑impact; affects user devices
|
|
Security
|
Key rotation, malware scan
|
Requires careful delegation
|
|
Lifecycle
|
Retire, delete, reset devices
|
Core to device operations
|
|
Roles
Controls Intune custom roles and role assignments. This governs administrative power within Intune. Foundational for delegated administration, least-privilege role design, scoped administration, governance and compliance, and separation of duties. It is one of the highest-impact permission categories in Intune.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View roles, permissions, assignments
|
Safe for audit/compliance
|
|
Write/Manage
|
Create/edit roles & permissions
|
High‑impact; defines admin power
|
|
Assignments
|
Assign roles to groups
|
Controls who can administer Intune
|
|
Scope Tags
|
Define admin boundaries
|
Essential for segmentation
|
|
Governance
|
Enforce least‑privilege RBAC
|
Critical for security
|
Security baselines
Controls Microsoft-provided security baselines in Intune. Examples of curated collections of recommended security settings create by Microsoft are – Windows 10/11, Microsoft Edge, Microsoft Defender for Endpoint, and Microsoft 365 Apps for Enterprise. These provide secure, opinionated starting points for hardening devices without manually configuring hundreds of settings.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View baselines, versions, compliance
|
Safe for audit/helpdesk
|
|
Write/Manage
|
Create/edit baseline profiles
|
High‑impact; affects device security
|
|
Assignments
|
Deploy baselines to groups
|
Controls security posture
|
|
Lifecycle
|
Upgrade, retire, compare versions
|
Essential for secure operations
|
Security tasks
Controls security-related tasks that surface in Intune from Microsoft Defender for Endpoint (MDE). They represent recommended remediation actions generated by Defender when it detects vulnerabilities, misconfigurations, or threats on devices. Tasks appear in Intune when Defender for Endpoint is integrated with Intune, Defender identifies a threat, vulnerability, or required remediation, Defender creates a ‘security task’ for Intune to act on, or Intune administrators need to approve, assign or complete a task.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View security tasks & details
|
Safe for SOC visibility
|
|
Approve/Reject
|
Decide whether remediation proceeds
|
High‑impact; affects security posture
|
|
Manage
|
Assign, complete, track tasks
|
Core to remediation workflows
|
|
Audit
|
Review historical tasks & trends
|
Important for compliance
|
ServiceNow
Controls the integration between Intune and ServiceNow Change Management. Integration allows Intune to require ServiceNow change requests for sensitive actions, validate approval status before executing actions, log Intune actions into ServiceNow for audit and compliance, and Enforce ITIL-aligned change control processes. Essential for organizations with strict governance, compliance or ITSM requirements.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View ServiceNow integration & logs
|
Safe for audit/compliance
|
|
Write/Manage
|
Configure connector & approval rules
|
High‑impact; affects governance
|
|
Workflow Mapping
|
Map Intune actions to change requests
|
Core to ITSM alignment
|
|
Monitoring
|
Health, logs, troubleshooting
|
Essential for operations
|
Telecom expenses
Controls telecom-related data for mobile devices enrolled in Intune (Voice minutes, SMS usage, Mobile data consumption, Roaming usage, Cost or billing-related data (when provided by carriers or imported)). This is especially relevant for organizations that manage corporate mobile plans, need to track roaming or overage costs, monitor data usage for compliance, or use Intune’s telecom expense management (TEM) capabilities.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View telecom usage & cost data
|
Safe for finance/helpdesk
|
|
Write/Manage
|
Configure telecom policies & thresholds
|
High‑impact; affects cost control
|
|
Assignments
|
Apply policies to groups
|
Controls who is monitored or restricted
|
|
Reporting
|
Analyze usage & trends
|
Essential for cost optimization
|
Tenant attached recommendations
Controls recommendations that appear in Intune when Configuration Manager (ConfigMgr) is tenant=attached. These recommendations come from – Endpoint analytics, ConfigMgr insights, Cloud-based device health signals, Security and configuration posture assessments. These help administrators identify issues, optimize performance, and improve device health across hybrid-managed environments.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View recommendations & insights
|
Safe for audit/helpdesk
|
|
Manage
|
Apply or dismiss recommendations
|
High‑impact; affects device posture
|
|
Remediation
|
Trigger fixes or scripts
|
Core to hybrid management
|
|
Monitoring
|
Track remediation progress
|
Essential for operations
|
Terms and conditions
Controls Terms and Conditions (T&C) documents in Microsoft Intune. They are presented to users during – Device enrollment, Company Portal sign-in, and in App access. Users must accept the T&C before proceeding, making this a key compliance and governance feature.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View T&C content, versions, assignments
|
Safe for audit/compliance
|
|
Write/Manage
|
Create/edit T&C documents
|
High‑impact; legal implications
|
|
Assignments
|
Deploy T&C to user groups
|
Controls who must accept terms
|
|
Lifecycle
|
Versioning, retirement, acceptance tracking
|
Essential for governance
|
Windows Enterprise Certificate
Controls certificate profiles used by Windows devices for certificate-based authentication (CBA), Wi-Fi and VPN authentication, S/MIME email signing and encryption, client authentication for on-premises or cloud resources, and PKI-based identity scenarios. This also governs Intune’s ability to deliver enterprise certificates to Windows devices using – SCEP (Simple Certificate Enrollment Protocol), PKCS (Public Key Cryptography Standards), PKCS imported certificates, and Cloud PKI (if used in combination). This is essential for secure access, Zero Trust, and identity-drive device management.
Summary Table
|
Area
|
What It Controls
|
Notes
|
|
Read
|
View certificate profiles & status
|
Safe for audit/helpdesk
|
|
Write/Manage
|
Create/edit SCEP/PKCS profiles
|
High‑impact; affects authentication
|
|
Assignments
|
Deploy certificates to groups
|
Controls device identity
|
|
Lifecycle
|
Renewal, retirement, troubleshooting
|
Essential for secure operations
|