search
Ctrlk

User Access Control & PIM Integration

hashtag
User Access Control & PIM Integration

Configure secure multi-user access with role-based permissions and Privileged Identity Management

hashtag
User Access Control & PIM Integration

Intune Assistant supports secure multi-user environments through proper access control and integration with Microsoft Entra Privileged Identity Management (PIM).

hashtag
Access Control Overview

hashtag
Default Behavior

  • Only the user who completes onboarding can initially access Intune Assistant, except when a user consents the app registrations for the whole organization.

  • The service principal is created with restricted access by default

  • Additional users must be explicitly granted access

triangle-exclamation

However, Intune Assistant has delegated permissions and acts like the current logged in user, it is HIGHLY recommended to NOT consent the app registrations for the whole organisation. By default it is only consented for the user that runs the onboarding process. The builder is NOT responsible for any security related misconfiguration.

hashtag
Security Principles

  • Least Privilege: Grant minimum required access

  • Explicit Assignment: Never rely on organization-wide consent

  • Role-Based Access: Use PIM for time-limited administrative access

hashtag
User Assignment Methods

hashtag
Method 1: Direct User Assignment

1

hashtag
Navigate to Microsoft Entra ID

2

hashtag
Locate Intune Assistant Service Principals

  • Search for "Intune Assistant"

  • You'll find two applications:

    • Intune Assistant (Main Application)

    • Intune Assistant API (Backend Service)

3

hashtag
Assign Users to Both Applications

  • Assign users to both the Intune Assistant and Intune Assistant API applications as needed.

Managing Admin Consent\ \ Handle consent requirements when new permissions are added to IntuneAssistant

Data & Privacy\ \ Our commitment to data privacy and security with minimal data storage and no data leaving your tenant

Last updated