Merge pull request #8235 from mestew/inado-14996522-rbac

Publish 8/25 around 8 AM - [hold 8/23ish] Inado 14996522 rbac

Author: mestew

memdocs/configmgr/cloud-attach/enable.md

@@ -2,7 +2,7 @@
 title: Enable cloud attach
 titleSuffix: Configuration Manager
 description: Enable cloud attach for Configuration Manager
-ms.date: 12/01/2021
+ms.date: 08/15/2022
 ms.prod: configuration-manager
 ms.technology: configmgr-core
 ms.topic: overview
@@ -75,11 +75,16 @@ Use the following steps to cloud attach your environment with custom settings:
    **Select which devices to upload to Microsoft Endpoint Manager** has the following two options:
    - **All devices managed my Microsoft Endpoint Configuration Manager (recommended)**: Upload all devices
    - **Specific Collection**: Upload a specific collection, including any subcollections.
-
-1. The **Endpoint Analytics** section of the **Configure Upload** page, enables Enables [Endpoint analytics](../../analytics/scores.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json) for devices uploaded to Microsoft Endpoint Manager. Endpoint analytics reports focus on the quality of the experience you're delivering to your users and helps you identify issues to proactively make improvements.
+1. The **Endpoint Analytics** section of the **Configure Upload** page, enables [Endpoint analytics](../../analytics/scores.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json) for devices uploaded to Microsoft Endpoint Manager. Endpoint analytics reports focus on the quality of the experience you're delivering to your users and helps you identify issues to proactively make improvements.
 
    Ensure the **Enable Endpoint Analytics for devices uploaded to Microsoft Endpoint Manager** option is selected to enable Endpoint Analytics.
 
+1. In the **Role-based access control** section of the **Configure Upload** page, determine if you need to clear the checkbox for the **Enforce Configuration Manager RBAC for cloud console requests that interact with Configuration Manager** option. (*Introduced in version 2207*)
+   - This option is used for setting Intune as the role-based access control authority for tenant-attached clients. For more information about configuring this option, see [Intune role-based access control for tenant-attached clients](use-intune-rbac.md).
+
+     > [!IMPORTANT]
+     > When this checkbox is cleared, [settings in Intune need to be configured](use-intune-rbac.md) too.
+
 1. Select **Next** to get to the **Enablement** page for [co-management](../comanage/tutorial-co-manage-clients.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json). Co-management simplifies management by enrolling devices into Intune and allowing you to lift selected [workloads](../comanage/workloads.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json) to the cloud. For instance, you can choose to enable workloads for [Conditional Access](../comanage/quickstart-conditional-access.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json) so only trusted users can access organizational resources on trusted devices using trusted apps.
 
    Choose your co-management setting from the following options under **Automatic enrollment in Intune**:

memdocs/configmgr/cloud-attach/media/14996522-configure-upload.png

@@ -3,14 +3,16 @@ items:
   href: index.yml
 - name: What is cloud attach?
   href: overview.md
-- name: Enable cloud attach
+- name: Enable cloud attach, versions 2111 and later
   href: enable.md 
 - name: Tenant attach
   items:
   - name: Tenant attach prerequisites
     href: ../tenant-attach/prerequisites.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json
-  - name: Enable tenant attach
+  - name: Enable tenant attach, versions 2103 and earlier
     href: ../tenant-attach/device-sync-actions.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json  
+  - name: Use Intune RBAC for tenant attach
+    href: use-intune-rbac.md
   - name: Use tenant attach
     items:
     - name: Client details
@@ -71,7 +73,7 @@ items:
         href: ../tenant-attach/troubleshoot-applications.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json
       - name: Common error codes for application installation
         href: ../tenant-attach/app-install-error-reference.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json
-      - name: ../tenant-attach/Timeline
+      - name: Timeline
         href: ../tenant-attach/troubleshoot-timeline.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json
       - name: Resource explorer
         href: ../tenant-attach/troubleshoot-resource-explorer.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json

memdocs/configmgr/cloud-attach/media/14996522-connectors-flyout.png

@@ -0,0 +1,118 @@
+---
+title: Intune role-based access control for tenant-attached devices
+titleSuffix: Configuration Manager
+description: Enable Intune role-based access control for Configuration Manager tenant-attached clients
+ms.date: 08/24/2022
+ms.prod: configuration-manager
+ms.technology: configmgr-core
+ms.topic: overview
+author: mestew
+ms.author: mstewart
+manager: dougeby
+ms.localizationpriority: high
+ms.collection: highpri
+---
+
+# Intune role-based access control for tenant-attached clients
+<!--8126836, 6415648, 8348644, IN14996522, 13058986-->
+*Applies to: Configuration Manager (current branch)*
+
+Starting in Configuration Manager version 2207, you can use Intune role-based access control (RBAC) when interacting with [tenant attached devices](../tenant-attach/client-details.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json) from the Microsoft Endpoint Manager admin center. For example, when using Intune as the role-based access control authority, a user with the [Help Desk Operator role](../../intune/fundamentals/role-based-access-control.md#built-in-roles) doesn't need an assigned security role or additional permissions from Configuration Manager. [Intune role-based access control](../../intune/fundamentals/create-custom-role.md) manages the permissions to all cloud-attached device pages in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com), such as [device timeline](../tenant-attach/timeline.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json), [CMPivot](../tenant-attach/cmpivot-start.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json), and [scripts](../tenant-attach/scripts.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json).  
+
+> [!IMPORTANT]
+> Currently, any enforcement of Intune role-based access control for displaying and taking actions on tenant-attached devices from the Microsoft Endpoint Manager admin center is optional. We recommend all admins with cloud-connected Configuration Manager environments begin [verifying the role-based access control permissions from Intune](#bkmk_verify-intune-rbac).
+
+The three high-level steps to configure Intune as the role-based access control authority for tenant-attached devices are:
+<!--To enable Intune role-based access control as the authority, the following high-level steps -->
+
+- From the Configuration Manager console, [disable enforcement of Configuration Manager role-based access control](#bkmk_disable-configmgr) for cloud-attached clients
+- From Intune, [enable managing the user permissions](#bkmk_enable-intune) for cloud-attached devices
+- From Intune, [verify role-based access control permissions](#bkmk_verify-intune-rbac) for cloud-attached devices
+
+## Prerequisites
+
+- Configuration Manager version 2207 or later
+- [Tenant attached devices](../tenant-attach/client-details.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json)
+
+## Limitations
+
+- Currently [scoping](../../intune/fundamentals/scope-tags.md) isn't supported when using only Intune role-based access control for for displaying and taking actions on tenant-attached devices from the Microsoft Endpoint Manager admin center.
+- Currently, the [**Software updates** page](../tenant-attach/software-updates.md) isn't available for cloud-only users when using the early update ring of Configuration Manager version 2207.  <!--15287859-->
+
+## <a name="bkmk_disable-configmgr"></a> Disable enforcement of Configuration Manager role-based access control for cloud-attached clients
+
+To use Intune role-based access control for tenant attach rather than Configuration Manager role-based access control, use the instructions below:
+
+1. From the Configuration Manager console, go to, **Administration** > **Cloud Services** > **Cloud Attach**.
+1. The location of the role-based access control option varies depending on if your environment is already cloud-attached or not.
+   - If your environment is already cloud-attached, open the properties for **CoMgmtSettingsProd**. If you don't have devices uploaded to the admin center, configure that option first. For more information, see [Enable cloud attach](enable.md).
+   - If your environment isn't cloud-attached, select **Configure Cloud Attach** to open the **Cloud Attach Configuration wizard**. 
+1. On the **Configure upload** tab, or page in the wizard, clear the checkbox for the following option under the **Role-based Access Control** heading:
+
+   **Enforce Configuration Manager RBAC for cloud console requests that interact with Configuration Manager**
+
+1. Choose **OK** to save the change to the **CoMgmtSettingsProd** properties, or continue on to complete the [cloud attach wizard](enable.md).
+
+:::image type="content" source="media/14996522-configure-upload.png" alt-text="Screenshot of the CoMgmtSettingsProd properties in Configuration Manager. In the screenshot, the configure upload tab is displayed with a red box outlining the role-based access control section." lightbox="media/14996522-configure-upload.png":::
+
+## <a name="bkmk_enable-intune"></a> Enable role-based access control from Intune
+
+To enable Intune to manage user permissions for cloud-attached devices, use the following steps:  
+
+1. Open the [Microsoft Endpoint admin center](https://endpoint.microsoft.com) and sign in.
+1. Select **Tenant administration** > **Connectors and tokens** > **Microsoft Endpoint Configuration Manager**.
+1. In the banner, select **You can also manage user permissions from Intune. Click here to learn more about this option.**
+1. The **Use Intune RBAC** flyout appears.
+1. Select **On** for the **Use Intune RBAC** option, then choose **Apply**.
+1. The change may take about 10 minutes to take effect.
+
+:::image type="content" source="media/14996522-connectors-flyout.png" alt-text="Screenshot of the Microsoft Endpoint Configuration Manager connectors and tokens page in Microsoft Endpoint Manager admin center. The Use Intune RBAC flyout is displayed in the screenshot." lightbox="media/14996522-connectors-flyout.png":::
+
+## <a name="bkmk_verify-intune-rbac"></a> Verify role-based access control permissions from Intune
+
+Once Intune is set to the role-based access control authority, verify the permissions for your roles. If needed, you can add these permissions to [custom roles](../../intune/fundamentals/create-custom-role.md) you created in Intune.  
+
+1. Open the [Microsoft Endpoint admin center](https://endpoint.microsoft.com) and sign in.
+1. Select **Tenant administration** > **Roles**.
+1. Select a role, such as **Application Manager**, and review the permissions listed for **Cloud attached devices**. If needed, edit permissions for any [custom roles](../../intune/fundamentals/create-custom-role.md) you created in Intune.  
+
+The following Intune permissions control access to the Configuration Manager cloud-attached devices:
+
+| Permission | Description | Intune built-in roles with the permission |
+|---|---|---|
+| Cloud attached devices\View collections | Displays the **Collections** page for Configuration Manager cloud attached devices | Application Manager, Endpoint Security Manager, Read Only Operator, School Administrator, Policy Profile Manager, Help Desk Operator |
+| Cloud attached devices\View resource explorer | Displays the **Resource explorer** page for Configuration Manager cloud attached devices |  Application Manager, Endpoint Security Manager, Read Only Operator, School Administrator, Policy Profile Manager, Help Desk Operator |
+| Cloud attached devices\View timeline | Displays the **Timeline** page for Configuration Manager cloud attached devices |  Application Manager, Endpoint Security Manager, Read Only Operator, School Administrator, Policy Profile Manager, Help Desk Operator |
+| Cloud attached devices\View software updates | Displays the **Software updates** page for Configuration Manager cloud attached devices |  Application Manager, Endpoint Security Manager, Read Only Operator, School Administrator, Help Desk Operator |
+| Cloud attached devices\View scripts | Displays the **Scripts** page for Configuration Manager cloud attached devices |  Endpoint Security Manager, Read Only Operator, School Administrator, Policy Profile Manager, Help Desk Operator |
+| Cloud attached devices\Run script | Displays the **Run script** action and allows the user to run scripts on Configuration Manager cloud attached devices |  School Administrator, Help Desk Operator |
+| Cloud attached devices\Run CMPivot query | Displays the **CMPivot** page for Configuration Manager cloud attached devices |  Endpoint Security Manager, School Administrator, Help Desk Operator |
+| Cloud attached devices\View client details | Displays the **Client details** page for Configuration Manager cloud attached devices |  Application Manager, Endpoint Security Manager, Read Only Operator,School Administrator, Policy Profile Manager, Help Desk Operator |
+| Cloud attached devices\View applications | Displays the **Applications** page for Configuration Manager cloud attached devices |  Application Manager, Read Only Operator, School Administrator, Policy Profile Manager, Help Desk Operator |
+| Cloud attached devices\Take application actions | Displays application actions in the **Applications** page and allows the user to take application actions on Configuration Manager cloud attached devices |  Application Manager, School Administrator, Help Desk Operator |
+| Remote tasks/Rotate BitLockerKeys (preview) | Initiates a key rotation for BitLocker Recovery Passwords on the device. Displays the *Recovery keys* page for Configuration Manager cloud attached devices. |  Endpoint Security Manager, Help Desk Operator |
+
+## <a name="bkmk_faq"></a> Frequently asked questions
+
+### I have cloud-only users that need access to tenant-attached devices in Intune, will this give them access?
+
+Yes. When a user is cloud only, in this scenario meaning they are in Azure Active Directory (Azure AD) and can access Intune, using Intune RBAC will give them access to tenant-attached devices.
+
+### What if I have multiple Configuration Manager hierarchies connected to my tenant?
+
+The **Use Intune RBAC** setting in the Microsoft Endpoint Manager admin center applies to all of the Configuration Manager hierarchies listed in the tenant.
+
+### What happens if the Configuration Manager and Intune settings are mismatched?
+
+If the **Use Intune RBAC** toggle in Intune is set to **Off**, then Configuration Manager role-based access will be enforced, even if the **Enforce Configuration Manager RBAC for cloud console requests that interact with Configuration Manager** checkbox is cleared. Disabling the **Enforce Configuration Manager RBAC for cloud console requests that interact with Configuration Manager** option doesn't have any effect until the **Use Intune RBAC** toggle in Intune is set to **On**.
+
+### What happens if my test hierarchy is configured to use Intune RBAC, but my production hierarchy isn't and they are in the same tenant?
+
+The **Use Intune RBAC** setting applies to all of the Configuration Manager hierarchies listed in the tenant. Cloud-only users can access tenant-attached devices that are uploaded from the test hierarchy because you've also cleared the checkbox to enforce Configuration Manager RBAC. If a cloud-only user tries to access a tenant-attached device uploaded from the production environment, they'll receive an error since production devices are enforcing Configuration Manager RBAC. The cloud-only user will receive an error similar to the following message: 
+`Unable to get device information. Make sure Azure AD and AD user discovery are configured and the user is discovered by both. Verify that the user has proper permissions in Configuration Manager.`
+
+
+## Next steps
+
+- Review the [timeline](../tenant-attach/timeline.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json) for a cloud-attached device
+- Run a [CMPivot](../tenant-attach/cmpivot-start.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json) query on a cloud attached device

memdocs/configmgr/cloud-attach/toc.yml

@@ -2,7 +2,7 @@
 title: What's new in version 2207
 titleSuffix: Configuration Manager
 description: Get details about changes and new capabilities introduced in version 2207 of Configuration Manager current branch.
-ms.date: 08/12/2022
+ms.date: 08/24/2022
 ms.prod: configuration-manager
 ms.technology: configmgr-core
 ms.topic: conceptual
@@ -25,6 +25,11 @@ To take full advantage of new Configuration Manager features, after you update t
 
 ## Cloud-attached management
 
+### Use Intune role-based access control (RBAC) for tenant attached devices 
+<!--8126836, 6415648, 8348644, IN14996522, 13058986-->
+
+You can now use Intune role-based access control (RBAC) when interacting with tenant attached devices from the Microsoft Endpoint Manager admin center. For example, when using Intune as the role-based access control authority, a user with Intune's [Help Desk Operator role](../../../../intune/fundamentals/role-based-access-control.md#built-in-roles) doesn't need an assigned security role or additional permissions from Configuration Manager. For more information, see [Intune role-based access control for tenant attached clients](../../../cloud-attach/use-intune-rbac.md).
+
 ### Enhanced security for Configuration Manager administration service
 <!--12952905-->
 We're introducing a new cloud application with limited access to the administration service. This feature allows cloud management gateway (CMG) to segment the admin privileges between a management point, and the administration service. This enables CMG to restrict access to the administration service. This feature gives admins granular access controls through which users can have access to the administration service and to enforce MFA if necessary.