Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Microsoft Intune Cookbook

You're reading from   Microsoft Intune Cookbook Over 75 recipes for configuring, managing, and automating your identities, apps, and endpoint devices

Arrow left icon
Product type Paperback
Published in Jan 2024
Publisher Packt
ISBN-13 9781805126546
Length 574 pages
Edition 1st Edition
Languages
Tools
Arrow right icon
Author (1):
Arrow left icon
Andrew Taylor Andrew Taylor
Author Profile Icon Andrew Taylor
Andrew Taylor
Arrow right icon
View More author details
Toc

Table of Contents (17) Chapters Close

Preface 1. Chapter 1: Getting Started with Microsoft Intune FREE CHAPTER 2. Chapter 2: Configuring Your New Tenant for Windows Devices 3. Chapter 3: Securing Your Windows Devices with Security Policies 4. Chapter 4: Setting Up Enrollment and Updates for Windows 5. Chapter 5: Android Device Management 6. Chapter 6: iOS Device Management 7. Chapter 7: macOS Device Management 8. Chapter 8: Setting Up Your Compliance Policies 9. Chapter 9: Monitoring Your New Environment 10. Chapter 10: Looking at Reporting 11. Chapter 11: Packaging Your Windows Applications 12. Chapter 12: PowerShell Scripting across Intune 13. Chapter 13: Tenant Administration 14. Chapter 14: Looking at Intune Suite 15. Index 16. Other Books You May Enjoy

Assigning Entra ID roles

Before we proceed further, we need to understand what roles are within Entra ID. A role gives a user specific permissions to items within Entra ID/Microsoft 365/Intune. There are numerous built-in roles, and you can also create a custom role with specific permissions applied.

It is always worth working from the principle of the least required permissions. It is better to give an admin multiple roles with strict permissions rather than going for a global administrator with keys to the kingdom.

A list of the built-in roles can be found here: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference.

As this is an Intune book, the two main roles we are interested in initially are Intune Administrator and Entra Joined Device Local Administrator. As its name suggests, Intune Administrator gives full access to everything within Intune.

Entra Joined Device Local Administrator gives users full administrative access over all Entra joined devices. While this is useful for support teams, if licensed, it is worth considering using privileged identity management (PIM), which you can use for role access for a limited amount of time with full reporting.

You can find out more about PIM here: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

Intune also has specific role-based access control (RBAC) to restrict access within the Intune portal itself. We will cover this further in Chapter 13.

There are two ways to assign roles, so we will use one for each.

How to do it…

Follow these steps to assign a built-in role to your newly created user:

  1. Navigate to Entra admin center within your new tenant by going to https://entra.microsoft.com.
  2. Within Entra, click on Show more, then expand the Roles & admins dropdown and click on Roles & admins.
  3. You will be presented with this menu:
Figure 1.4 – Entra ID – Roles and administrators

Figure 1.4 – Entra ID – Roles and administrators

  1. You will now see this screen:
Figure 1.5 – Entra ID – Roles and administrators | All roles

Figure 1.5 – Entra ID – Roles and administrators | All roles

For this, we will use the in-built roles, but if you need something more granular, you can create a custom role based on the exact permissions you require.

  1. Select Intune Administrator.
  2. On the screen that appears, click + Add Assignments and find your new user:
Figure 1.6 – Assigned Intune Administrator role

Figure 1.6 – Assigned Intune Administrator role

  1. The other way we can do this is within the Users blade; navigate back to Entra ID and click on Users, then the user you created.
  2. Within the user details, click on Assigned roles.
  3. Then, click + Add assignments.
  4. This time, select Microsoft Entra Joined Device Local Administrator and click Add.

Following these steps has granted your user administrative rights on your cloud-joined devices.

Automating it

By automating the assignment of roles, we can add to our previous user creation to create an automated onboarding function for user management across job roles.

Adding roles via PowerShell is slightly more complex as we need to find the role ID to be able to assign it.

Create a new PowerShell script and follow these steps:

  1. For this, we will need to install and import an additional module:
    Install-Module Microsoft.Graph.DeviceManagement.Enrolment -Scope CurrentUser -Repository PSGallery -Force
    Import-Module Microsoft.Graph.DeviceManagement.Enrolment
  2. Set the variables, the role name, and the user we are assigning it to (at the time of writing, the role is still called Azure AD Joined Device Local Administrator, but it may change to Entra Joined Device Local Administrator in the future to match the UI):
    $rolename = "Azure AD Joined Device Local Administrator"
    $user = "test@test.onmicrosoft.com"
  3. We need to get the ID from the User Profile Name (UPN). We are querying the Users API to the user’s UPN, passing the output as PSObject, and then retrieving the ID from it. This can be done with two commands, one for grabbing the user details and the second for grabbing the ID from the first variable, but wrapping the query in brackets does the same job and runs quicker:
    $userid = (Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/users/$user" -Method Get -OutputType PSObject).id

    Note that we are passing OutputType and using a GET request with this first command. Setting OutputType allows us to use the output within PowerShell.

  4. The next stage is to find the details for the role we are looking for. We can do this by grabbing all the roles and then using where-object to grab the role we are looking for, after which we can pass the output to a PowerShell object. We grab the roles from roleDefinitions within the whole directory in Graph, in the roleManagement subsection of the API:
    $uri = "https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions"
    $roletoassign = (((Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).value) | where-object DisplayName -eq $rolename).id
  5. Now that we have the role ID and the user ID, we just need to put them together and assign the role. As we are using a PowerShell module instead of JSON, we must pass parameters instead of raw JSON. Here, we are setting ScopeID to "/" to cover the entire directory:
    $params = @{
        "@odata.type" = "#microsoft.graph.unifiedRoleAssignment"
        RoleDefinitionId = "$roletoassign"
        PrincipalId = "$userid"
        DirectoryScopeId = "/"
    }
    New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $params

By completing these steps, we have created our script to automate role assignment in Microsoft Entra using the Graph API.

You have been reading a chapter from
Microsoft Intune Cookbook
Published in: Jan 2024
Publisher: Packt
ISBN-13: 9781805126546
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime