Utilize dedicated Intune admin accounts rather than Global Admin accounts


This step-by-step tutorial will show you how to utilize dedicated Intune admin accounts rather than Global Admin accounts.

This is Part 5 of a 5 part series

=======================================================================

Welcome to part 5 of my five-part series of tutorials taking you step by step through configuring Microsoft Endpoint Manager / Intune, focusing on the essential security configurations.

Security Essentials - Five part series
1. Configure and apply the Security Baseline - Link 
2. Configure Windows Hello for Business - Link 
3. Configure Windows 10 Compliance Policy - Link  
4. Enabling and Configuring BitLocker - Link 
5. Utilize dedicated Intune admin accounts rather than Global Admin accounts - Link - This Tutorial

If you don't have a test environment for Intune / Endpoint Manager, just follow this guide on 
How to get a Free Developer Tenant with 25 x E5 licenses and a free Top Level domain name - Link

=========================================================================

5. Utilize dedicated Intune admin accounts rather than Global Admin accounts 

A common challenge for MSPs is that they usually utilise the Microsoft Partner Portal as a way to restrict and monitor access to the client tenant. This is a great solution, until the MSP technician needs to run PowerShell cmdlets against the client tenant. The client tenant has no record of the Partner Portal account, and therefore cannot resolve the MSP technician's credentials when the tech connects via PowerShell.

The solution is to create a dedicated account for each MSP technician within the client's tenant, and then to restrict the technician's access via roles; in this example, the Intune Administrator role.
This allows MSP technicians to perform remote Intune administration via PowerShell without Global Admin rights.

This method can also be utilised for granting other common administration roles, for example:
- Exchange Online Administrator
- SharePoint Online Administrator
- Teams Administrator

======================================================================

Creating a dedicated account with the Intune Administrator role.

Users - New user


I am creating a new user with the login - 
intune.admin01@intuneadmin.tk


As I am granting this user an Azure AD role, I select - 
Roles - and click - User


This opens up - Directory Roles

Search for and select - Intune Administrator
Select
Add


Groups and Roles will update


Make sure you enter the initial password, or the Create option will not appear.

Create

====================================================================

The user will be created.


Select the user to show the properties.

Select - Assigned roles to confirm the user has been assigned the role of Intune Administrator.


Confirm that a license has been assigned.
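The portal steps above can also be scripted. The following is an added example (not from the original tutorial) using the AzureAD PowerShell module; it assumes that module is installed, that the caller can create users and assign directory roles, and that the UPN, display name and temporary password are placeholders you replace. License assignment is left to the portal step above.

```powershell
# Added example: create a dedicated account and grant only the Intune Administrator role.
# Assumes the AzureAD module is installed and the caller has rights to create users
# and assign directory roles. UPN/display name below are placeholders from the tutorial.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$upn = 'intune.admin01@intuneadmin.tk'   # change to suit your tenant

# Temporary initial password, forced to change at first sign-in.
$pwProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$pwProfile.Password = Read-Host -Prompt 'Temporary initial password'
$pwProfile.ForceChangePasswordNextLogin = $true

$user = New-AzureADUser -DisplayName 'Intune Admin 01' `
    -UserPrincipalName $upn -MailNickName 'intune.admin01' `
    -AccountEnabled $true -PasswordProfile $pwProfile

# A directory role is only listed once it has been activated in the tenant; if it is
# missing, activate it from its template. Older tenants may still show the legacy
# display name 'Intune Service Administrator' for the same role.
$rolePattern = '^Intune (Service )?Administrator$'
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -match $rolePattern }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate |
        Where-Object { $_.DisplayName -match $rolePattern }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId

# Verify: list every directory role the new account holds, and flag it if it is a
# Global Administrator (legacy display name 'Company Administrator'), which would
# defeat the purpose of a least-privilege admin account.
$assigned = Get-AzureADDirectoryRole | Where-Object {
    (Get-AzureADDirectoryRoleMember -ObjectId $_.ObjectId).ObjectId -contains $user.ObjectId
}
$assigned | Select-Object DisplayName
if ($assigned.DisplayName -match '^(Global|Company) Administrator$') {
    Write-Warning "$upn holds the Global Administrator role; remove it to keep least privilege."
}
```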


===================================================================

PowerShell Administration of Intune - 


Pre-requisites for PowerShell administration of Intune -

1. Install the Microsoft.Graph.Intune PowerShell module (run PowerShell as Admin):
   Install-Module -Name Microsoft.Graph.Intune

2. Import the Microsoft.Graph.Intune module:
   Import-Module Microsoft.Graph.Intune

3. Connect to Microsoft Graph:
   Connect-MSGraph



Enter your Admin credentials and MFA when prompted.



Note - if this is the first time logging in, you may need to update the password and configure MFA for the user.


PowerShell will now be connected.



Now to test our connection and admin access, let's run a cmdlet to get the Intune Device Categories - 
As the user - intune.admin01@intuneadmin.tk - is an Intune Administrator, they will have Admin access via PowerShell. 

Get-IntuneDeviceCategory



So, what happens when we try the same Get query when logged in as a standard user - user01@intuneadmin.tk?
As you can see below, the standard user can connect to Intune via Microsoft Graph, but receives a 401 Unauthorized error when running the Get query.
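To turn the two manual tests above (Intune admin succeeds, standard user gets a 401) into a repeatable check, here is an added example function (not from the original tutorial). It assumes the Microsoft.Graph.Intune module is installed and that, as observed above, a 401 surfaces as an exception whose message contains "401" or "Unauthorized".

```powershell
# Added example: run the tutorial's access test and return a result object instead of
# a raw error, so the check can be repeated for each account. Assumes the
# Microsoft.Graph.Intune module is installed; Connect-MSGraph prompts for credentials
# and MFA interactively, exactly as in the tutorial.
Import-Module Microsoft.Graph.Intune

function Test-IntuneAdminAccess {
    [CmdletBinding()]
    param()

    # Interactive sign-in; the returned object describes the session.
    $conn = Connect-MSGraph

    try {
        # Same read-only query the tutorial uses to prove Intune admin access.
        $categories = Get-IntuneDeviceCategory
        [pscustomobject]@{
            Connection           = $conn
            HasIntuneAdminAccess = $true
            DeviceCategoryCount  = @($categories).Count
            Detail               = 'Get-IntuneDeviceCategory succeeded'
        }
    }
    catch {
        $msg = $_.Exception.Message
        # Assumption: an account without an Intune role fails with HTTP 401, as seen
        # above for user01; anything else is reported as an unexpected error.
        $detail = if ($msg -match '401|Unauthorized') {
            'Signed in, but the account lacks an Intune role (401 Unauthorized)'
        } else {
            "Unexpected error: $msg"
        }
        [pscustomobject]@{
            Connection           = $conn
            HasIntuneAdminAccess = $false
            DeviceCategoryCount  = 0
            Detail               = $detail
        }
    }
}

# Run once signed in as intune.admin01@... (expect HasIntuneAdminAccess = True) and
# once as user01@... (expect False with the 401 detail).
Test-IntuneAdminAccess | Format-List
```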




======================================================================

Check out all my tutorials - Link 



Highlights include - 
13 part series on how to perform the initial Tenant and Intune Configuration - Link 

1. Configure DNS and CNAME
2. Company Branding - Self Service Password Reset (SSPR) - Enable Enterprise State Roaming
3. Enable Conditional Access and MFA (Multi factor authentication)
4. Configure Conditional Access Terms of Use
5. Company Terms and Conditions
6. User and Device Groups, and Device Categories
7. Set-up Autopilot profile and configure MAM and MDM scope for automatic enrollment
7a. More information regarding options for configuring the MDM and MAM user scopes
8. Enrollment Status Page
9. Enrollment Restrictions

10. Deploying Microsoft 365 apps (Office apps)
11. Enable Microsoft Store for Business and publish the Company Portal app
12. Assign Company Portal app
13. Test autopilot via register online

===============================================================


About the author -
Terry Munro is an IT specialist based in Brisbane, Australia.
He draws upon over 20 years' experience designing and delivering technical solutions to a variety of enterprise clients in the private, Government and Education sectors, to revolutionise client businesses through collaboration and getting the most value from a variety of cloud solutions.
He is passionate about learning new technologies and is a firm believer in sharing knowledge to provide a better experience for all.

You can connect with Terry
LinkedIn - https://www.linkedin.com/in/terry-munro/
Facebook - @IntuneAdmin - https://www.facebook.com/IntuneAdmin/
Facebook Community Group - https://www.facebook.com/groups/intuneadmin/ 
GitHub Repository - https://github.com/TeamTerry

