You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: memdocs/intune/fundamentals/assign-role.md
+10-7Lines changed: 10 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -40,17 +40,20 @@ To create, edit, or assign roles, your account must have one of the following pe
40
40
41
41
2. On the **Endpoint Manager roles - All roles** blade, choose the built-in role you want to assign > **Assignments** > **+ Assign**.
42
42
43
-
5. On the **Basics** page, enter an **Assignment name** and optional **Assignment description**, and then choose **Next**.
44
-
For step #5 in this doc, we need to call out the following with a note:
45
-
The All users and All devices are Intune virtual groups and not AAD security groups. As a result, for Scope group assignment purposes you cannot use them as parents of AAD security groups. If you need both All users/All devices and specific AAD security groups for scope group assignments, you must add them separately with separate assignments. Otherwise, even if you have All users for the role's scope group assignment the admin in this role won't have access to specific AAD user groups. For AAD security groups, nesting is supported.
43
+
3. On the **Basics** page, enter an **Assignment name** and optional **Assignment description**, and then choose **Next**.
46
44
47
-
6. On the **Admin Groups** page, select the group that contains the user you want to give the permissions to. Choose **Next**
45
+
4. On the **Admin Groups** page, select the group that contains the user you want to give the permissions to. Choose **Next**
48
46
49
-
7. On the **Scope (Groups)** page, choose a group containing the users/devices that the member above will be allowed to manage. You also have the option to choose all users and/or all devices. Choose **Next**.
47
+
5. On the **Scope (Groups)** page, choose a group containing the users/devices that the member above will be allowed to manage. You also have the option to choose all users and/or all devices. Choose **Next**.
48
+
49
+
> [!NOTE]
50
+
> The **All users** and **All devices** are [Intune virtual groups](groups-add.md) and not Azure Active Directory (Azure AD) security groups. As a result, for **Scope (Groups)** assignment purposes you cannot use them as parents of Azure AD security groups. If you need both **All users** and **All devices** and specific Azure AD security groups for **Scope (Groups)** assignments, you must add them separately with separate assignments. Otherwise, even if the **Scope (Groups)** assignment for a role is set to **All Users** the admin in this role won't have access to specific Azure AD user groups.
51
+
>
52
+
> For Azure AD security groups, nesting is supported.
50
53
51
-
8. On the **Scope (Tags)** page, choose tags where this role assignment will be applied. Choose **Next**.
54
+
7. On the **Scope (Tags)** page, choose tags where this role assignment will be applied. Choose **Next**.
52
55
53
-
9. On the **Review + Create** page, when you're done, choose **Create**. The new assignment is displayed in the list of assignments.
56
+
8. On the **Review + Create** page, when you're done, choose **Create**. The new assignment is displayed in the list of assignments.
54
57
55
58
## Next steps
56
59
-[Learn more about role-based access control in Intune](role-based-access-control.md)
0 commit comments