In a dynamic and modern hybrid workplace, a one-size-fits-all scenario for device management simply does not exist. There are certainly templated designs that can help teams structure their Intune environment, but at a certain point every use case inevitably varies. After all, every business operates differently, has unique goals and priorities, and structures its departments distinctively.

Given the unique posture of each business, Intune environments and device management tactics can be created to cater to distinctive use cases with Role-Based Access Controls. But what exactly are Role Based Access Controls and how can your business use them to improve security and employee experience?

What are role-based access controls? 

Role-based access controls (RBAC) can be defined as the methodology used to restrict or grant unique permissions to groups or individuals within an Intune tenant. The idea is to limit access to highly sensitive areas of your Intune environment while giving certain employees just enough access to perform the duties of their job. RBAC restricts or grants access to your environment based on the role and scope that Global Administrators assign to a group or user.

Think of role-based access controls as giving just enough access to an environment without giving away the keys to the entire kingdom. These defined sets of privileges and access levels are imperative for small, medium, and large businesses. Groups that are thoughtfully leveraging RBAC strategies can dynamically lock down access to sensitive data and resources to a select privileged few – creating a safer environment for their business at large.

How to use role-based access controls

Usage of role-based access controls in Intune predominantly relies on two features: group tags and scope tags. These are used as filters that determine access within your Intune environment, device capabilities, or security privileges. Setting these filters properly will allow you to leverage the full capabilities of RBAC within your Intune environment.

What are group tags?

Group tags are the first tool necessary to deploy role-based access controls. These allow you to establish a target group of individuals who share similar roles, locations, or job functions and likely require the same set of permissions to effectively carry out the duties of their job.

To set group tags properly, you should audit each of your business’s departments. Look for groups of people who carry out similar job responsibilities and will require identical access to resources. For instance, you may have a department that only needs access to reporting; through the use of group tags you can confine their privileges to that specific scope.

What are scope tags?

Scope tags work in close association with group tags and provide the next level of filtering necessary to deploy RBAC in your Intune tenant. Scope tags are the feature that allows you to set the scope of privileges for a specific group. They allow global administrators to dictate what a group can see and access in the environment.
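The following is an added example, not code from the original post or from Mobile Mentor, showing how the pieces described above (a security group as the "group tag", a scope tag, a narrowly permissioned custom role, and the assignment that ties them together) are provisioned with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the signed-in account holds an Intune administrator role, and two security groups already exist in Entra ID. The group names, display names and the resource-action permission strings are illustrative placeholders: confirm the exact permission names against the output of GET /deviceManagement/roleDefinitions in your own tenant before using them.

```powershell
# Added example (not from the original post): provision an Intune RBAC assignment.
# Assumptions: Microsoft.Graph module installed, Intune administrator signed in,
# and the two security groups below already exist. Names and permission strings
# are placeholders to adapt to your tenant.

Connect-MgGraph -Scopes "DeviceManagementRBAC.ReadWrite.All", "Group.Read.All"
$graph = "https://graph.microsoft.com/beta"

# 1. Resolve the "group tags": who receives the role (members) and which
#    devices/users they are allowed to act on (resource scope).
$adminsGroup = Get-MgGroup -Filter "displayName eq 'SG-Intune-Reporting-Admins'"   # placeholder name
$scopeGroup  = Get-MgGroup -Filter "displayName eq 'SG-Devices-Finance'"           # placeholder name
if (-not $adminsGroup -or -not $scopeGroup) { throw "Required security groups not found" }

# 2. Create the scope tag that limits which objects this team sees in the console.
$scopeTagBody = @{ displayName = "Finance"; description = "Finance department devices" }
$scopeTag = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/roleScopeTags" `
    -Body ($scopeTagBody | ConvertTo-Json -Depth 5) -ContentType "application/json"

# 3. Create a custom role carrying only read-level permissions (least privilege).
$roleBody = @{
    "@odata.type"   = "#microsoft.graph.roleDefinition"
    displayName     = "Reporting Reader (custom)"
    description     = "Read-only visibility of managed devices"
    isBuiltIn       = $false
    rolePermissions = @(@{
        resourceActions = @(@{
            # Assumed resource-action names following Intune's Microsoft.Intune_<Area>_<Action> convention
            allowedResourceActions    = @("Microsoft.Intune_ManagedDevices_Read", "Microsoft.Intune_Organization_Read")
            notAllowedResourceActions = @()
        })
    })
}
$role = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/roleDefinitions" `
    -Body ($roleBody | ConvertTo-Json -Depth 10) -ContentType "application/json"

# 4. Bind role, member group, resource-scope group and scope tag into one assignment.
$assignmentBody = @{
    "@odata.type"               = "#microsoft.graph.deviceAndAppManagementRoleAssignment"
    displayName                 = "Finance reporting readers"
    members                     = @($adminsGroup.Id)        # who gets the role
    scopeType                   = "resourceScope"           # scoped to groups, not the whole tenant
    resourceScopes              = @($scopeGroup.Id)         # what they may act on
    roleScopeTagIds             = @($scopeTag.id)           # what they may see
    "roleDefinition@odata.bind" = "$graph/deviceManagement/roleDefinitions/$($role.id)"
}
$assignment = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/roleAssignments" `
    -Body ($assignmentBody | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created assignment $($assignment.id): role '$($role.displayName)' -> group '$($adminsGroup.DisplayName)'"
```

The design point is that the assignment carries three independent limits: the member group decides who holds the role, the resource-scope group decides which devices and users the role can touch, and the scope tag decides which console objects are even visible. Leaving scopeType at one of the tenant-wide values, or omitting the scope tag, silently widens the assignment far beyond what the role name suggests.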

What considerations should you take when using RBAC?

When defining your role-based access controls, group tags, and scope tags, you should not only consider an employee’s department and function in your business, but also the type of device they are using for productivity. For instance, the permissions of BYO devices should be different from those that are corporately owned. Machines such as kiosk devices and shared devices should have their own set of unique privileges as well.

You also may want to set distinctive configurations based on the type of the device. For instance, Mac devices will regularly require different patches and updates than Android devices and should be grouped as such to receive the correct upgrades.

What are the advantages of setting role-based access controls?

When configured properly, role-based access controls can strengthen your business’s security while helping to provide a better end-user experience. The principles of RBAC are consistent with many of those in the “least privilege” methodology. From an administrative perspective, role-based access controls only grant a user or group the permissions they need, while keeping them out of sensitive areas of your environment where the likelihood of making a costly mistake increases.
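Least privilege is only as good as the review that checks it. The script below is an added example, not part of the original post, that enumerates every Intune role assignment through Microsoft Graph and flags the ones whose scope type grants the role across all devices or all licensed users, or that claim a resource scope without naming any scope groups. It assumes the Microsoft.Graph module and a signed-in Intune administrator; the list of broad scope types is taken from the scopeType values Intune uses for tenant-wide assignments.

```powershell
# Added example (not from the original post): review Intune role assignments for over-broad scope.
# Assumes Microsoft.Graph module installed and an Intune administrator signed in.

Connect-MgGraph -Scopes "DeviceManagementRBAC.Read.All", "Group.Read.All"
$graph = "https://graph.microsoft.com/beta"

# scopeType values that hand a role the whole tenant rather than a scoped set of groups
$broadScopes = @("allDevices", "allLicensedUsers", "allDevicesAndLicensedUsers")

function Get-GroupNames([string[]]$ids) {
    # Resolve group object ids to display names; ids that cannot be resolved are reported as-is
    foreach ($id in $ids) {
        try { (Get-MgGroup -GroupId $id -Property displayName).DisplayName } catch { $id }
    }
}

$stubs = (Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleAssignments").value
$report = foreach ($stub in $stubs) {
    # Fetch each assignment with its role definition so permissions and scope are visible together
    $a = Invoke-MgGraphRequest -Method GET `
        -Uri "$graph/deviceManagement/roleAssignments/$($stub.id)?`$expand=roleDefinition"

    # Flatten rolePermissions -> resourceActions -> allowedResourceActions to count granted actions
    $allowed = @($a.roleDefinition.rolePermissions |
        ForEach-Object { $_.resourceActions } |
        ForEach-Object { $_.allowedResourceActions })

    $finding = ""
    if ($a.scopeType -in $broadScopes) {
        $finding = "BROAD SCOPE: role applies tenant-wide, review"
    } elseif ($a.scopeType -eq "resourceScope" -and -not $a.resourceScopes) {
        $finding = "No scope groups named"
    }

    [pscustomobject]@{
        Assignment  = $a.displayName
        Role        = $a.roleDefinition.displayName
        BuiltIn     = $a.roleDefinition.isBuiltIn
        Permissions = $allowed.Count
        Members     = (Get-GroupNames $a.members) -join ", "
        ScopeType   = $a.scopeType
        ScopeGroups = (Get-GroupNames $a.resourceScopes) -join ", "
        ScopeTags   = ($a.roleScopeTagIds -join ", ")
        Finding     = $finding
    }
}

$report | Sort-Object Finding -Descending | Format-Table -AutoSize
```

One caveat worth keeping in mind when reading the output: this list only covers Intune's own role assignments. Entra ID directory roles such as Global Administrator or Intune Administrator grant full Intune access without appearing here, so a complete least-privilege review also has to enumerate those directory role memberships.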

What are the benefits of deploying RBAC?

Better compliance and management

Most businesses adhere to a certain set of compliance best practices according to industry, job function, or region. RBAC will allow you to sufficiently monitor devices and manage access to resources to ensure compliance is met based on a user’s defined role.

Better Security

Keeping unwelcome users out of hyper-sensitive resources will limit the potential for error or data leaks. Role-based access controls drastically reduce accidental clicks or unintended assignments. Overall, RBAC can provide tighter security to your environment by limiting entry points for possible cyber-attack.

Lower IT costs

Limiting the number of users with permissions to sensitive data can save businesses big in terms of evading a breach, but it may also cut down on network bandwidth costs as fewer users will have access to locked resources.

Better end-user experience

Limiting employees’ access by role will reduce the demand for end-users to receive unnecessary updates while cutting out the noise of viewing unneeded data. With balanced role-based access controls in place, your employees will be able to focus solely on the resources necessary to get their job done right.

Scenarios where RBAC is advantageous

Help desk employees

Many help desk employees need to access your tenant in a limited capacity. Although we, at Mobile Mentor, recommend Passwordless Authentication, a common scenario we’ll often help with is when help desk employees need access to the tenant for password resets. The right RBAC configuration will allow these employees access to your Intune tenant specifically for password reset purposes while barring them from accessing unneeded areas of your environment.

Mergers and Acquisitions

This is a common situation as well, and a great example of how RBAC can benefit businesses. Suppose a business (we’ll call it Company A) acquires another (Company B) and they both have an Intune tenant up and running. Company A may want to continue leveraging its existing tenant while also utilizing Company B’s setup. An RBAC configuration using group tags and scope tags will allow the administrators of Company A to view and control both company tenants, while the admins in Company B will continue to only see their own, again allowing each team to focus on what is needed to perform their job.

Conclusion

Role-based access controls are extremely useful in a plethora of scenarios. When leveraged properly, you’ll find that your IT team can manage your tenant better while eliminating the unwanted clicks and access that create vulnerabilities.

Terrence Brown

Terrence is our Modern Work and Security Manager in the US and works with clients in the Microsoft O365 space helping to design and develop Endpoint Management solutions. Terrence is a Marine Corps veteran and graduate of Kaplan University. Prior to joining Mobile Mentor, Terrence spent over 5 years working for a Microsoft top 10 Consulting partner in the SCCM and O365 technology space where he implemented and designed solutions for different clients both large and small.