# Intune Administrator Analyzer

## Intune Admin Analyzer <a href="#intune-admin-analyzer" id="intune-admin-analyzer"></a>

### Overview <a href="#overview" id="overview"></a>

The **Intune Admin Analyzer** is a security analysis tool that identifies over-privileged administrator accounts in your Microsoft Intune environment. It compares each user's actual activity in the Intune audit log against the administrative role assigned to them, so you can confirm that access levels match real usage rather than assumed need.

***

### Why Use the Intune Admin Analyzer? <a href="#why-use-the-intune-admin-analyzer" id="why-use-the-intune-admin-analyzer"></a>

Following the principle of **least privilege**, it's crucial to ensure that administrators only have the permissions they actually need. The Intune Admin Analyzer helps you:

* **Identify inactive administrators** - Users with admin roles but no activity
* **Detect over-privileged accounts** - Users with admin rights who only perform read operations
* **Understand role membership** - See direct, group, and nested group assignments
* **Make informed decisions** - Get data-driven recommendations for role optimization

***

### Getting Started <a href="#getting-started" id="getting-started"></a>

#### Accessing the Analyzer <a href="#accessing-the-analyzer" id="accessing-the-analyzer"></a>

1. Navigate to the **RBAC** section from the main sidebar
2. Click on the **Intune Admin Analyzer** card

<figure><img src="/files/3Z71m8bwRjauIqJvsrgt" alt=""><figcaption></figcaption></figure>

#### Running an Analysis <a href="#running-an-analysis" id="running-an-analysis"></a>

The analyzer scans your Intune environment to identify all users with Intune Administrator privileges and analyzes their activity.

**Step 1: Configure Analysis Period**

1. In the **Analysis Configuration** section, set the number of days to analyze
   * **Default**: 60 days
   * **Minimum**: 1 day
   * **Maximum**: 90 days
2. The tool will look back through Intune audit logs for the specified period

**💡 Tip**: For a comprehensive analysis, we recommend analyzing at least 30-60 days to capture typical usage patterns.

**Step 2: Run the Analysis**

Click the **Run Analysis** button to start the scan. The process includes:

1. Identifying all Intune Administrator role members
2. Analyzing audit events for the specified period
3. Categorizing user activities (read, write, delete operations)
4. Flagging over-privileged users

***

### Understanding the Results <a href="#understanding-the-results" id="understanding-the-results"></a>

#### Summary Dashboard <a href="#summary-dashboard" id="summary-dashboard"></a>

After the analysis completes, you'll see four key metrics at the top of the page:

<figure><img src="/files/hVyosLGUBfFHzBpbfKTf" alt=""><figcaption></figcaption></figure>

**1. Role Analyzed**

* **Displays**: The name of the role being analyzed (typically "Intune Administrator")
* **Shows**: Truncated Role ID for reference

**2. Total Users**

* **Displays**: Total number of users with the Intune Administrator role
* **Includes**: Direct members, group members, and nested group members

**3. Over-Privileged Users**

* **Displays**: Number of users flagged for review

**4. Analysis Period**

* **Displays**: Number of days analyzed
* **Shows**: Date range (e.g., "Mar 1 - Mar 27, 2026")

***

#### User Analysis Table <a href="#user-analysis-table" id="user-analysis-table"></a>

The main results table provides detailed information about each administrator:

<figure><img src="/files/xolMdzbMKrFRLSSK2ygm" alt=""><figcaption></figcaption></figure>

**Column Breakdown**

| Column             | Description                                                                  |
| ------------------ | ---------------------------------------------------------------------------- |
| **Status**         | <p>Green checkmark = Appropriate privileges<br>Warning = Over-privileged</p> |
| **User**           | Display name and User Principal Name (email)                                 |
| **Membership**     | How the user has admin access (see below)                                    |
| **Activity Level** | Overall activity classification (None/Low/Medium/High)                       |
| **Total Actions**  | Total number of Intune actions performed                                     |
| **Read**           | Number of read-only operations (🟢 Green)                                    |
| **Write**          | Number of write/modify operations (🟡 Yellow)                                |
| **Delete**         | Number of delete operations (🔴 Red)                                         |
| **Details**        | Click to see detailed information                                            |

**Membership Types**

The analyzer identifies three types of role membership:

**Direct**

* User is directly assigned to the Intune Administrator role
* Most transparent form of role assignment

**Group**

* User inherited admin rights through membership in a security group
* The source group name is displayed below the badge

**Nested**

* User inherited admin rights through nested group membership
* Member of a group that is itself a member of another group assigned the role
* The ultimate source group is displayed

> 📸 **Screenshot Placeholder**: *Table rows showing examples of each membership type with badges*
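To make the three membership types concrete, here is an added example (not IntuneAssistant's own code) that resolves Direct, Group and Nested membership from a role's member list and a group-membership graph. The directory data is constructed; in a real tenant the role members and group members would be read from Microsoft Graph. Besides the membership type and the ultimate source group the table shows, it keeps the full group path, which is the access path you would document when reviewing nested members. The walk visits each group once, so a cyclic group nesting (included in the sample on purpose) terminates.

```python
"""
Added example (not IntuneAssistant's own code): resolve how each user holds a
role assignment (Direct, Group, or Nested) from the role's member list and a
group -> members graph. All identifiers below are constructed sample data.
"""
from collections import deque

# Constructed sample: objects assigned directly to the role, as (object_id, object_type).
ROLE_MEMBERS = [
    ("u-alice", "user"),
    ("g-intune-admins", "group"),
]

# Constructed sample: group -> its direct members (users or groups).
GROUP_MEMBERS = {
    "g-intune-admins": [("u-bob", "user"), ("g-helpdesk-leads", "group")],
    "g-helpdesk-leads": [("u-carol", "user"), ("g-intune-admins", "group")],  # cycle on purpose
}

# Constructed sample: display names for the report.
GROUP_NAMES = {
    "g-intune-admins": "Intune Admins",
    "g-helpdesk-leads": "Helpdesk Leads",
}


def resolve_memberships(role_members, group_members):
    """Return {user_id: {"type": ..., "source_group": ..., "path": [...]}}.

    Direct beats Group, which beats Nested: a user who is both directly
    assigned and inherits the role via a group is reported as Direct.
    "source_group" is the group that is actually assigned the role (the
    ultimate source); "path" lists the groups from that source down to the
    group the user is a direct member of.
    """
    rank = {"Direct": 0, "Group": 1, "Nested": 2}
    result = {}

    def record(user_id, mtype, source_group, path):
        current = result.get(user_id)
        if current is None or rank[mtype] < rank[current["type"]]:
            result[user_id] = {"type": mtype, "source_group": source_group, "path": path}

    for obj_id, obj_type in role_members:
        if obj_type == "user":
            record(obj_id, "Direct", None, [])
            continue
        # obj is a group assigned the role: walk its members breadth-first,
        # remembering visited groups so cyclic nesting cannot loop forever.
        root = obj_id
        seen = {root}
        queue = deque([(root, [root])])
        while queue:
            group_id, path = queue.popleft()
            for member_id, member_type in group_members.get(group_id, []):
                if member_type == "user":
                    mtype = "Group" if len(path) == 1 else "Nested"
                    record(member_id, mtype, root, path)
                elif member_id not in seen:
                    seen.add(member_id)
                    queue.append((member_id, path + [member_id]))
    return result


def membership_report(memberships, group_names):
    """One line per user, in the shape of the table's Membership column."""
    lines = []
    for user_id in sorted(memberships):
        m = memberships[user_id]
        source = group_names.get(m["source_group"], m["source_group"]) if m["source_group"] else ""
        lines.append(f"{user_id:<10} {m['type']:<7} {source}")
    return lines


if __name__ == "__main__":
    for line in membership_report(resolve_memberships(ROLE_MEMBERS, GROUP_MEMBERS), GROUP_NAMES):
        print(line)
```

With the sample data, alice is Direct, bob is Group (source "Intune Admins") and carol is Nested with the same source group, because Helpdesk Leads is nested inside Intune Admins.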

**Activity Level Classification**

The analyzer automatically classifies users based on their activity:

* **High**: User has performed delete operations (highest risk actions)
* **Medium**: User has performed write/modification operations
* **Low**: User has only performed read operations
* **None**: User has performed no actions

***

#### User Details Panel <a href="#user-details-panel" id="user-details-panel"></a>

Click on any user row (or the **Info** button) to see detailed information:

> 📸 **Screenshot Placeholder**: *User Details panel expanded showing all sections*

**Sections in the Details Panel**

**1. Basic Information**

* User Principal Name (UPN)
* User ID (GUID)

***

### Table Features <a href="#table-features" id="table-features"></a>

#### Searching and Filtering <a href="#searching-and-filtering" id="searching-and-filtering"></a>

The User Analysis table includes a search box for filtering the results:

1. Use the **search box** at the top right to filter users
2. Search works across:
   * User display names
   * User Principal Names
   * Membership types

> 📸 **Screenshot Placeholder**: *Search box with example search query and filtered results*

#### Sorting <a href="#sorting" id="sorting"></a>

Click any column header to sort the results:

* **First click**: Sort ascending
* **Second click**: Sort descending
* **Third click**: Return to default order

Particularly useful columns to sort:

* **Status**: See all over-privileged users first
* **Total Actions**: Identify most/least active admins
* **Activity Level**: Group users by activity type

> 📸 **Screenshot Placeholder**: *Table with sorted column (showing sort indicator)*

#### Pagination <a href="#pagination" id="pagination"></a>

For organizations with many administrators:

* Results are paginated for better performance
* Navigate using page controls at the bottom
* Shows current page and total pages

***

### Interpreting Results & Taking Action <a href="#interpreting-results--taking-action" id="interpreting-results--taking-action"></a>

#### What is "Over-Privileged"? <a href="#what-is-over-privileged" id="what-is-over-privileged"></a>

A user is flagged as over-privileged when:

1. **No Activity**: They have an Intune Administrator role but haven't performed any Intune actions during the analysis period
2. **Read-Only Usage**: They only performed read operations, suggesting they don't need full administrative access
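The following added example (not IntuneAssistant's own code) implements the activity classification described under "Activity Level Classification" together with the two over-privileged rules above, over a constructed set of audit events and an analysis window clamped to the documented 1 to 90 days. The verb-to-category mapping and the sample events are assumptions; in a real run the events would come from the Intune audit log and the category from each event's operation type. Running the same data with a 60-day and a 90-day window shows why extending the period can clear a "No Activity" flag for an administrator who works in cycles.

```python
"""
Added example (not IntuneAssistant's own code): count read/write/delete actions
per role holder inside the analysis window, derive the activity level, and flag
users with no activity or read-only activity as over-privileged.
All events, users and the verb mapping below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Constructed mapping from the verb at the start of an activity to a category.
# An unknown verb counts as a write so it can never make a user look read-only.
CATEGORY_BY_VERB = {
    "get": "read", "list": "read", "export": "read",
    "create": "write", "update": "write", "patch": "write", "assign": "write",
    "delete": "delete", "wipe": "delete", "retire": "delete",
}

# Constructed sample audit events: (timestamp, user_upn, activity).
NOW = datetime(2026, 3, 27, tzinfo=timezone.utc)
AUDIT_EVENTS = [
    (NOW - timedelta(days=3),  "alice@contoso.example", "get DeviceConfiguration"),
    (NOW - timedelta(days=10), "alice@contoso.example", "update DeviceCompliancePolicy"),
    (NOW - timedelta(days=1),  "alice@contoso.example", "delete DeviceConfiguration"),
    (NOW - timedelta(days=20), "bob@contoso.example",   "list ManagedDevice"),
    (NOW - timedelta(days=45), "bob@contoso.example",   "export DeviceReport"),
    (NOW - timedelta(days=75), "carol@contoso.example", "update DeviceConfiguration"),  # outside 60 days
]

# Constructed sample: users holding the role (output of the membership step).
ROLE_HOLDERS = ["alice@contoso.example", "bob@contoso.example",
                "carol@contoso.example", "dave@contoso.example"]


def categorize(activity):
    """Map an activity string to read / write / delete by its leading verb."""
    verb = activity.split(" ", 1)[0].lower()
    return CATEGORY_BY_VERB.get(verb, "write")


def count_actions(events, role_holders, now, days):
    """Count read/write/delete per role holder within the last `days` days.

    `days` is clamped to the analyzer's documented 1..90 range. Events by
    users who do not hold the role are ignored.
    """
    days = max(1, min(90, days))
    start = now - timedelta(days=days)
    counts = {upn: {"read": 0, "write": 0, "delete": 0} for upn in role_holders}
    for ts, upn, activity in events:
        if ts < start or ts > now or upn not in counts:
            continue  # outside the window, or not a role holder
        counts[upn][categorize(activity)] += 1
    return counts


def activity_level(c):
    """High if any delete, Medium if any write, Low if only reads, else None."""
    if c["delete"]:
        return "High"
    if c["write"]:
        return "Medium"
    if c["read"]:
        return "Low"
    return "None"


def analyze(events, role_holders, now, days):
    """Return {upn: {read, write, delete, total, level, over_privileged, reason}}."""
    report = {}
    for upn, c in count_actions(events, role_holders, now, days).items():
        total = sum(c.values())
        level = activity_level(c)
        if total == 0:
            flag, reason = True, "No Activity"
        elif level == "Low":
            flag, reason = True, "Read-Only Usage"
        else:
            flag, reason = False, ""
        report[upn] = {**c, "total": total, "level": level,
                       "over_privileged": flag, "reason": reason}
    return report


if __name__ == "__main__":
    for upn, r in sorted(analyze(AUDIT_EVENTS, ROLE_HOLDERS, NOW, 60).items()):
        status = "WARN" if r["over_privileged"] else "OK  "
        print(f"{status} {upn:<22} {r['level']:<6} "
              f"R={r['read']} W={r['write']} D={r['delete']} {r['reason']}")
```

With a 60-day window alice is High and not flagged, bob is Low and flagged for read-only usage, and both carol and dave are flagged for no activity; with a 90-day window carol's update falls inside the period and she becomes Medium and unflagged.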

#### Recommended Actions <a href="#recommended-actions" id="recommended-actions"></a>

Based on the analysis results, consider these actions:

**For Users with No Activity**

* Verify if the user still needs Intune Administrator access
* Check if they've recently joined the team (extend analysis period)
* Consider removing the role assignment if no longer needed
* Contact the user to understand their requirements

**For Users with Read-Only Activity**

* Assign a read-only Intune role instead (e.g., "Intune Read Only Operator")
* Remove full Administrator access
* Follow principle of least privilege

**For Nested Group Members**

* Review group membership structure
* Document the access path for audit purposes
* Be cautious - changes may affect other members

#### Best Practices <a href="#best-practices" id="best-practices"></a>

* **Run regular analyses** - Schedule quarterly reviews of admin roles
* **Document decisions** - Keep records of why users need admin access
* **Use longer periods** - 60-90 days provide better insight than shorter periods
* **Cross-reference with HR** - Verify access aligns with job responsibilities
* **Implement JIT access** - Consider Just-In-Time admin access for occasional needs (PIM)

***

### Common Scenarios <a href="#common-scenarios" id="common-scenarios"></a>

#### Scenario 1: New Administrator <a href="#scenario-1-new-administrator" id="scenario-1-new-administrator"></a>

**Situation**: User shows zero activity but was just added last week.

**Action**: This is expected. Run the analysis again in 30-60 days to see their activity pattern.

***

#### Scenario 2: Seasonal Administrator <a href="#scenario-2-seasonal-administrator" id="scenario-2-seasonal-administrator"></a>

**Situation**: User has no activity for 60 days but performs annual cleanup tasks.

**Action**: Extend the analysis period to cover their active period, or implement Just-In-Time access for their annual tasks.

***

#### Scenario 3: Read-Only Auditor <a href="#scenario-3-read-only-auditor" id="scenario-3-read-only-auditor"></a>

**Situation**: User only performs read operations for compliance auditing.

**Action**: Perfect candidate for role optimization. Assign "Intune Read Only Operator" or similar read-only role.

***

#### Scenario 4: High Activity Administrator <a href="#scenario-4-high-activity-administrator" id="scenario-4-high-activity-administrator"></a>

**Situation**: User shows high activity with delete operations.

**Action**: This is appropriate for active admins. Ensure activity aligns with their job responsibilities. Consider enabling additional monitoring.

***

### Troubleshooting <a href="#troubleshooting" id="troubleshooting"></a>

#### No Data Returned <a href="#no-data-returned" id="no-data-returned"></a>

**Problem**: Analysis completes but shows 0 users.

**Solutions**:

* Verify you have permissions to read Intune roles
* Check that users are assigned to the "Intune Administrator" role
* Ensure your tenant has active Intune licensing

#### Analysis Takes Too Long <a href="#analysis-takes-too-long" id="analysis-takes-too-long"></a>

**Problem**: Analysis runs for more than 2-3 minutes.

**Solutions**:

* Reduce the analysis period (try 30 days instead of 90)
* Check if your tenant has a large audit log volume
* Try running during off-peak hours

#### Unexpected Over-Privileged Results <a href="#unexpected-over-privileged-results" id="unexpected-over-privileged-results"></a>

**Problem**: Active administrators are flagged as over-privileged.

**Solutions**:

* Extend the analysis period - they may work in cycles
* Verify their activities are logged in Intune audit logs
* Check if they use other admin portals (Azure AD, etc.)

***

### FAQ <a href="#faq" id="faq"></a>

**Q: How often should I run this analysis?**\
A: We recommend quarterly reviews (every 3 months) as part of your access review process.

**Q: Will this analysis remove any users or permissions?**\
A: No, this is a read-only analysis tool. It only provides recommendations - you must take action manually.

**Q: What's the difference between Direct and Group membership?**\
A: Direct = user is directly assigned the role. Group = user inherits the role through security group membership. Nested = user is in a group that's in another group.

**Q: Can I export the results?**\
A: Use the export functionality in the table header to download results as CSV or Excel for further analysis.

**Q: Does this analyze custom Intune roles?**\
A: Currently, the analyzer focuses on the built-in "Intune Administrator" role. Custom role analysis may be available in future updates.

**Q: What actions are considered "read", "write", or "delete"?**\
A:

* **Read**: Viewing configurations, policies, devices, reports
* **Write**: Creating or modifying policies, configurations, assignments
* **Delete**: Removing policies, wiping devices, deleting configurations

**Q: Are guest users included in the analysis?**\
A: Yes, any user with Intune Administrator role permissions is analyzed, including guest accounts.

***

### Security & Privacy Notes <a href="#security--privacy-notes" id="security--privacy-notes"></a>

**Data Handling**

* Analysis is performed in real time; results are not stored
* All data retrieved follows your organization's security policies
* Only audit logs within your specified timeframe are analyzed

**Permissions Required**

* You must have permissions to read Intune roles and audit logs
* You must have permissions to read Entra RBAC roles
* Results are limited to what your account can access

**Audit Compliance**

* All API calls are logged in Azure AD audit logs
* The analysis itself is auditable
* No changes are made to your environment

***

### Additional Resources <a href="#additional-resources" id="additional-resources"></a>

* [Microsoft Intune RBAC Documentation](https://docs.microsoft.com/en-us/mem/intune/fundamentals/role-based-access-control)
* [Principle of Least Privilege Best Practices](https://docs.microsoft.com/en-us/security/privileged-access-workstations/overview)
* [Intune Built-in Roles Reference](https://docs.microsoft.com/en-us/mem/intune/fundamentals/role-based-access-control#built-in-roles)

***

### Need Help? <a href="#need-help" id="need-help"></a>

If you encounter issues or have questions:

* Check the troubleshooting section above
* Review your Intune role permissions
* Contact your organization's Intune administrator
* Refer to the IntuneAssistant support documentation

***

*Last updated: March 2026*

