Microsoft Intune MVP, Tech Lead Modern Workplace & MCT

If you've ever tried to set up Role-Based Access Control (RBAC) in Microsoft Intune, you know it can quickly become messy.
Too many roles, too many scopes, and suddenly everyone is a full administrator “to make everything work.” I've been there.

Over the past few months, I've refined my own RBAC model, not only for my own tenants, but also for customers and MSP scenarios.
In doing so, I also created an Excel matrix with all available Intune RBAC roles and permissions.

You can download it for free from my GitHub:
👉 Download the Intune RBAC matrix (Excel)

In this post, I share my best practices for setting up RBAC in Intune so you can stay in control, stay secure, and truly trust your delegation settings.

Why RBAC matters

RBAC is one of those features you only start to appreciate when something goes wrong.
Giving someone full access “just to deploy an app” can quickly lead to accidental policy changes, deleted profiles, or worse, broken devices in production.

With proper RBAC you can:

  • Apply the least privilege principle
  • Separate duties between admins, helpdesk, and security
  • Keep your audit trails clean
  • Stay compliant and reduce risk

It’s not just about security; it’s about structure and peace of mind.

My RBAC best practices

This is what I've learned after many environments, mistakes, and late-night troubleshooting sessions 👇.

  1. Start small.
    Only grant access to what is necessary. You can always expand later.

  2. Use the built-in roles first.
    Microsoft already covers most use cases; custom roles are for the exceptions.

  3. Align with Entra ID groups.
    Keep naming consistent across your groups and roles. This will save you a lot of confusion.

  4. Separate functions.
    Think in terms of help desk, policy management, app management, and security management.

  5. Document your assignments.
    Record who has what access and why. Sounds boring, but it's worth its weight in gold during audits.

  6. Check regularly.
    Schedule a quarterly access review and clean up old assignments.

  7. Use PIM (Privileged Identity Management).
    Especially for global or security roles: time-bound access keeps everything secure.

  8. Check the audit logs.
    Intune audit logs tell you exactly who did what. Make use of them.
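To make practices 5 and 6 repeatable, here is an added example (my own illustration, not part of the original post or the Excel matrix) that pulls every Intune role assignment from Microsoft Graph, resolves the admin and scope groups to names, and writes a CSV you can attach to the quarterly review. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can read Intune RBAC and group objects; the Graph v1.0 endpoint shapes used (roleAssignments with members and resourceScopes, and the roleDefinition navigation) are assumed from the public API reference.

```powershell
# Added example: export Intune RBAC assignments for documentation and review.
# Assumes Microsoft.Graph SDK is installed; scopes below are the read-only ones needed.
Connect-MgGraph -Scopes "DeviceManagementRBAC.Read.All", "Group.Read.All"

$base = "https://graph.microsoft.com/v1.0"

# Follow @odata.nextLink so large tenants are read completely, not just page one.
function Get-AllPages {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri   = $page.'@odata.nextLink'
    }
    return $items
}

# Cache group id -> displayName; a deleted group still shows up in an assignment,
# which is exactly the stale entry a quarterly clean-up should catch.
$groupNames = @{}
function Resolve-GroupName {
    param([string]$Id)
    if (-not $groupNames.ContainsKey($Id)) {
        try {
            $g = Invoke-MgGraphRequest -Method GET -Uri "$base/groups/$Id`?`$select=displayName"
            $groupNames[$Id] = $g.displayName
        } catch {
            $groupNames[$Id] = "<missing group $Id>"
        }
    }
    return $groupNames[$Id]
}

$report = foreach ($a in Get-AllPages "$base/deviceManagement/roleAssignments") {
    # Each assignment points at exactly one role definition (built-in or custom).
    $role = Invoke-MgGraphRequest -Method GET -Uri "$base/deviceManagement/roleAssignments/$($a.id)/roleDefinition"
    [pscustomobject]@{
        Role        = $role.displayName
        RoleType    = if ($role.isBuiltIn) { "Built-in" } else { "Custom" }
        Assignment  = $a.displayName
        AdminGroups = ($a.members        | ForEach-Object { Resolve-GroupName $_ }) -join "; "
        ScopeGroups = ($a.resourceScopes | ForEach-Object { Resolve-GroupName $_ }) -join "; "
    }
}

# Sorted by role so broad assignments and custom roles stand out during review.
$report | Sort-Object Role, Assignment | Export-Csv -Path .\IntuneRbacAssignments.csv -NoTypeInformation
$report | Sort-Object Role, Assignment | Format-Table -AutoSize
```

Rows whose AdminGroups column names a very large group, or whose ScopeGroups is empty while the role is a full-access one, are the first candidates for trimming.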

The Excel RBAC Matrix

If you want to dive deeper into this, download the Excel file I created with all Intune RBAC roles, permissions, and scopes.
This is an easy way to filter and plan your access model before you get started with production.

👉 Download it on GitHub.

I regularly update this file when Microsoft adds or changes RBAC permissions in Intune.

Wrapping up

RBAC might not be the most exciting feature, but it’s one of the most important for long-term maintainability.
Once you set it up right, everything else, like policy management, app deployment and troubleshooting, just flows better.

If you’ve got questions, or if you use your own RBAC structure, I’d love to hear how you’re doing it.
Drop me a message or comment. I'm always happy to exchange ideas.

That is it for now. Until next time. 👋
