Intune Admin Analyzer
Overview
The Intune Admin Analyzer is a powerful security analysis tool that helps you identify over-privileged administrator accounts in your Microsoft Intune environment. By analyzing actual user activity patterns against assigned administrative roles, you can ensure that users have appropriate access levels based on their real usage.
Why Use the Intune Admin Analyzer?
Following the principle of least privilege, it's crucial to ensure that administrators only have the permissions they actually need. The Intune Admin Analyzer helps you:
Identify inactive administrators - Users with admin roles but no activity
Detect over-privileged accounts - Users with admin rights who only perform read operations
Understand role membership - See direct, group, and nested group assignments
Make informed decisions - Get data-driven recommendations for role optimization
Getting Started
Accessing the Analyzer
Navigate to the RBAC section from the main sidebar
Click on the Intune Admin Analyzer card

Running an Analysis
The analyzer scans your Intune environment to identify all users with Intune Administrator privileges and analyzes their activity.
Step 1: Configure Analysis Period
In the Analysis Configuration section, set the number of days to analyze
Default: 60 days
Minimum: 1 day
Maximum: 90 days
The tool will look back through Intune audit logs for the specified period
💡 Tip: For a comprehensive analysis, we recommend analyzing at least 30-60 days to capture typical usage patterns.
Step 2: Run the Analysis
Click the Run Analysis button to start the scan. The process includes:
Identifying all Intune Administrator role members
Analyzing audit events for the specified period
Categorizing user activities (read, write, delete operations)
Flagging over-privileged users
Understanding the Results
Summary Dashboard
After the analysis completes, you'll see four key metrics at the top of the page.

1. Role Analyzed
Displays: The name of the role being analyzed (typically "Intune Administrator")
Shows: Truncated Role ID for reference
2. Total Users
Displays: Total number of users with the Intune Administrator role
Includes: Direct members, group members, and nested group members
3. Over-Privileged Users
Displays: Number of users flagged for review
4. Analysis Period
Displays: Number of days analyzed
Shows: Date range (e.g., "Mar 1 - Mar 27, 2026")
User Analysis Table
The main results table provides detailed information about each administrator:

Column Breakdown
Status
Green checkmark = Appropriate privileges
Warning = Over-privileged
User
Display name and User Principal Name (email)
Membership
How the user has admin access (see below)
Activity Level
Overall activity classification (None/Low/Medium/High)
Total Actions
Total number of Intune actions performed
Read
Number of read-only operations (🟢 Green)
Write
Number of write/modify operations (🟡 Yellow)
Delete
Number of delete operations (🔴 Red)
Details
Click to see detailed information
Membership Types
The analyzer identifies three types of role membership:
🔵 Direct
User is directly assigned to the Intune Administrator role
Most transparent form of role assignment
🟣 Group
User inherited admin rights through membership in a security group
The source group name is displayed below the badge
🟪 Nested
User inherited admin rights through nested group membership
Member of a group that's member of another group assigned the role
The ultimate source group is displayed
📸 Screenshot Placeholder: Table rows showing examples of each membership type with badges
Activity Level Classification
The analyzer automatically classifies users based on their activity:
🔴 High: User has performed delete operations (highest risk actions)
🟡 Medium: User has performed write/modification operations
🟢 Low: User has only performed read operations
⚫ None: User has performed no actions
User Details Panel
Click on any user row (or the Info button) to see detailed information:
📸 Screenshot Placeholder: User Details panel expanded showing all sections
Sections in the Details Panel
1. Basic Information
User Principal Name (UPN)
User ID (GUID)
Table Features
Searching and Filtering
The User Analysis table includes powerful search functionality:
Use the search box at the top right to filter users
Search works across:
User display names
User Principal Names
Membership types
📸 Screenshot Placeholder: Search box with example search query and filtered results
Sorting
Click any column header to sort the results:
First click: Sort ascending
Second click: Sort descending
Third click: Return to default order
Particularly useful columns to sort:
Status: See all over-privileged users first
Total Actions: Identify most/least active admins
Activity Level: Group users by activity type
📸 Screenshot Placeholder: Table with sorted column (showing sort indicator)
Pagination
For organizations with many administrators:
Results are paginated for better performance
Navigate using page controls at the bottom
Shows current page and total pages
Interpreting Results & Taking Action
What is "Over-Privileged"?
A user is flagged as over-privileged when:
No Activity: They have an Intune Administrator role but haven't performed any Intune actions during the analysis period
Read-Only Usage: They only performed read operations, suggesting they don't need full administrative access
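To make the Membership Types, Activity Level Classification and over-privileged rules above concrete, here is an added Python reimplementation of that logic; it is not IntuneAssistant's own code. The group and role data, the audit events and the verb names ("Get", "Patch", ...) are constructed sample values, not real Intune audit activity types.

```python
from collections import Counter, deque
# Audit verb -> category per the page's FAQ. Verb names are assumed, not real Intune activityType values.
VERB_CATEGORY = {"Get": "read", "List": "read", "Create": "write", "Patch": "write",
                 "Assign": "write", "Delete": "delete", "Wipe": "delete"}

def resolve_members(role_assignees, groups):
    """Map user -> (membership type, source group); BFS from each assigned group so the shortest path wins."""
    members = {p: ("Direct", None) for p in role_assignees if p not in groups}
    for top in (p for p in role_assignees if p in groups):
        queue, seen = deque([(top, 1)]), {top}
        while queue:
            group, depth = queue.popleft()
            for m in groups[group]:
                if m not in groups:  # a user: depth 1 = Group, deeper = Nested
                    members.setdefault(m, ("Group" if depth == 1 else "Nested", top))
                elif m not in seen:  # an unvisited sub-group (cycles are safe)
                    seen.add(m)
                    queue.append((m, depth + 1))
    return members

def count_actions(events):
    """Per-user read/write/delete counts; unknown verbs count as write (conservative)."""
    counts = {}
    for upn, activity in events:
        counts.setdefault(upn, Counter())[VERB_CATEGORY.get(activity.split()[0], "write")] += 1
    return counts

def activity_level(c):
    """Highest-risk category present wins, as the page's classification does."""
    return "High" if c["delete"] else "Medium" if c["write"] else "Low" if c["read"] else "None"

def over_privileged_reason(c):
    """The page's two flag conditions; None when the user exercised write or delete rights."""
    return None if c["write"] or c["delete"] else ("No Activity" if not c["read"] else "Read-Only Usage")

def analyze(role_assignees, groups, events):
    """One row per role member, mirroring the User Analysis table."""
    counts, rows = count_actions(events), {}
    for upn, (kind, source) in resolve_members(role_assignees, groups).items():
        c = counts.get(upn, Counter())
        rows[upn] = {"membership": kind, "source_group": source, "read": c["read"],
                     "write": c["write"], "delete": c["delete"],
                     "level": activity_level(c), "flag": over_privileged_reason(c)}
    return rows
# Constructed sample tenant: one direct assignee plus a group that contains a nested group.
GROUPS = {"IT-Admins": ["alice@contoso.example", "Helpdesk"], "Helpdesk": ["bob@contoso.example"]}
ROLE_ASSIGNEES = ["carol@contoso.example", "IT-Admins"]
EVENTS = [("alice@contoso.example", "Delete DeviceConfiguration"), ("alice@contoso.example", "Patch DeviceConfiguration"),
          ("bob@contoso.example", "Get ManagedDevice"), ("bob@contoso.example", "List DeviceConfiguration")]
RESULTS = analyze(ROLE_ASSIGNEES, GROUPS, EVENTS)  # carol: No Activity, bob: Read-Only Usage, alice: unflagged
```

Note that the BFS records only the first path found per user, so an admin reachable both directly and through a group is reported as Direct, the most transparent assignment.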
Recommended Actions
Based on the analysis results, consider these actions:
For Users with No Activity
Verify if the user still needs Intune Administrator access
Check if they've recently joined the team (extend analysis period)
Consider removing the role assignment if no longer needed
Contact the user to understand their requirements
For Users with Read-Only Activity
Assign a read-only Intune role instead (e.g., "Intune Read Only Operator")
Remove full Administrator access
Follow principle of least privilege
For Nested Group Members
Review group membership structure
Document the access path for audit purposes
Be cautious - changes may affect other members
Best Practices
Run regular analyses - Schedule quarterly reviews of admin roles
Document decisions - Keep records of why users need admin access
Use longer periods - 60-90 days provide better insight than shorter periods
Cross-reference with HR - Verify access aligns with job responsibilities
Implement JIT access - Consider Just-In-Time admin access for occasional needs (PIM)
Common Scenarios
Scenario 1: New Administrator
Situation: User shows zero activity but was just added last week.
Action: This is expected. Run the analysis again in 30-60 days to see their activity pattern.
Scenario 2: Seasonal Administrator
Situation: User has no activity for 60 days but performs annual cleanup tasks.
Action: Extend the analysis period to cover their active period, or implement Just-In-Time access for their annual tasks.
Scenario 3: Read-Only Auditor
Situation: User only performs read operations for compliance auditing.
Action: Perfect candidate for role optimization. Assign "Intune Read Only Operator" or similar read-only role.
Scenario 4: High Activity Administrator
Situation: User shows high activity with delete operations.
Action: This is appropriate for active admins. Ensure activity aligns with their job responsibilities. Consider enabling additional monitoring.
Troubleshooting
No Data Returned
Problem: Analysis completes but shows 0 users.
Solutions:
Verify you have permissions to read Intune roles
Check that users are assigned to the "Intune Administrator" role
Ensure your tenant has active Intune licensing
Analysis Takes Too Long
Problem: Analysis runs for more than 2-3 minutes.
Solutions:
Reduce the analysis period (try 30 days instead of 90)
Check if your tenant has a large audit log volume
Try running during off-peak hours
Unexpected Over-Privileged Results
Problem: Active administrators are flagged as over-privileged.
Solutions:
Extend the analysis period - they may work in cycles
Verify their activities are logged in Intune audit logs
Check if they use other admin portals (Azure AD, etc.)
FAQ
Q: How often should I run this analysis?
A: We recommend quarterly reviews (every 3 months) as part of your access review process.
Q: Will this analysis remove any users or permissions?
A: No, this is a read-only analysis tool. It only provides recommendations - you must take action manually.
Q: What's the difference between Direct and Group membership?
A: Direct = user is directly assigned the role. Group = user inherits the role through security group membership. Nested = user is in a group that's in another group.
Q: Can I export the results?
A: Use the export functionality in the table header to download results as CSV or Excel for further analysis.
Q: Does this analyze custom Intune roles?
A: Currently, the analyzer focuses on the built-in "Intune Administrator" role. Custom role analysis may be available in future updates.
Q: What actions are considered "read", "write", or "delete"? A:
Read: Viewing configurations, policies, devices, reports
Write: Creating or modifying policies, configurations, assignments
Delete: Removing policies, wiping devices, deleting configurations
Q: Are guest users included in the analysis?
A: Yes, any user with Intune Administrator role permissions is analyzed, including guest accounts.
Security & Privacy Notes
Data Handling
Analysis is performed in real-time and not stored
All data retrieved follows your organization's security policies
Only audit logs within your specified timeframe are analyzed
Permissions Required
You must have permissions to read Intune roles and audit logs
You must have permissions to read Entra RBAC roles
Results are limited to what your account can access
Audit Compliance
All API calls are logged in Azure AD audit logs
The analysis itself is auditable
No changes are made to your environment
Additional Resources
Need Help?
If you encounter issues or have questions:
Check the troubleshooting section above
Review your Intune role permissions
Contact your organization's Intune administrator
Refer to the IntuneAssistant support documentation
Last updated: March 2026