# User Access Control & PIM Integration

Configure secure multi-user access with role-based permissions and Privileged Identity Management

Intune Assistant supports secure multi-user environments through proper access control and integration with Microsoft Entra Privileged Identity Management (PIM).

### [Access Control Overview](#access-control-overview)

#### [Default Behavior](#default-behavior)

* Only the user who completes onboarding can initially access Intune Assistant, except when a user consents to the app registrations for the whole organization.
* The service principal is created with restricted access by default
* Additional users must be explicitly granted access

{% hint style="danger" %}
Intune Assistant has delegated permissions and acts as the currently logged-in user, so it is HIGHLY recommended NOT to consent to the app registrations for the whole organisation. By default, consent is granted only for the user who runs the onboarding process. \
\
The builder is NOT responsible for any security-related misconfiguration.
{% endhint %}

#### [Security Principles](#security-principles)

* **Least Privilege**: Grant minimum required access
* **Explicit Assignment**: Never rely on organization-wide consent
* **Role-Based Access**: Use PIM for time-limited administrative access

### [User Assignment Methods](#user-assignment-methods)

#### [Method 1: Direct User Assignment](#method-1-direct-user-assignment)

{% stepper %}
{% step %}

### Navigate to Microsoft Entra ID

* Go to [Azure Portal](https://portal.azure.com/) or [Entra Admin Center](https://entra.microsoft.com/)
* Select **Enterprise Applications**

{% endstep %}

{% step %}

### Locate Intune Assistant Service Principals

* Search for "Intune Assistant"
* You'll find two applications:
  * **Intune Assistant** (Main Application)
  * **Intune Assistant API** (Backend Service)

{% endstep %}

{% step %}

### Assign Users to Both Applications

* Assign users to both the Intune Assistant and Intune Assistant API applications as needed.

{% endstep %}
{% endstepper %}
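
A read-only check of the state these steps should leave behind, as an added example that is not part of the Intune Assistant documentation or code: for both enterprise applications it reports whether assignment is required, whether organisation-wide consent exists, and which users or groups are assigned. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account may use the two read scopes, and that the display names match those listed above; treating the Entra "Assignment required?" setting as the control behind restricted access is also an assumption.

```powershell
# Added example (not Intune Assistant project code). Read-only audit.
# Assumes the Microsoft Graph PowerShell SDK is installed and that the display
# names below match the two enterprise applications listed in the steps above.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

$appNames = 'Intune Assistant', 'Intune Assistant API'

$report = foreach ($name in $appNames) {
    $sps = @(Get-MgServicePrincipal -Filter "displayName eq '$name'" -All)
    if ($sps.Count -eq 0) {
        Write-Warning "No service principal named '$name' found in this tenant."
        continue
    }
    foreach ($sp in $sps) {
        # Delegated permission grants held by this app. ConsentType 'AllPrincipals'
        # is organisation-wide consent; 'Principal' is consent for a single user.
        $grants  = @(Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All)
        $orgWide = @($grants | Where-Object { $_.ConsentType -eq 'AllPrincipals' })

        # Users and groups explicitly assigned to the enterprise application.
        $assigned = @(Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All)

        [pscustomobject]@{
            Application        = $sp.DisplayName
            ObjectId           = $sp.Id
            AssignmentRequired = [bool]$sp.AppRoleAssignmentRequired
            OrgWideConsent     = ($orgWide.Count -gt 0)
            OrgWideScopes      = ($orgWide | ForEach-Object { "$($_.Scope)".Trim() }) -join ' '
            UserOnlyConsents   = @($grants | Where-Object { $_.ConsentType -eq 'Principal' }).Count
            AssignedPrincipals = ($assigned | ForEach-Object {
                    "$($_.PrincipalDisplayName) [$($_.PrincipalType)]" }) -join '; '
        }
    }
}

$report | Format-List

# Flag the two conditions this page warns about.
foreach ($row in $report) {
    if ($row.OrgWideConsent) {
        Write-Warning "$($row.Application): organisation-wide consent is present ($($row.OrgWideScopes))."
    }
    if (-not $row.AssignmentRequired) {
        Write-Warning "$($row.Application): assignment is not required, so sign-in is not limited to assigned users."
    }
}
```

Running it after each onboarding or permission change gives a quick record of who can reach the tool and under which consent type.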


