I know I am not the first one to think about this, but I am kind of old school. I like having service accounts that each serve one specific purpose and have very limited access. One item that has bugged me is the need for an account that can enroll a device and upload the hardware hash for Autopilot. I have typically just used my Global Admin account and moved on. But what if you do not want to hand that out, and you have a team of techs who just need to be able to enroll devices into Intune? A little background first: from my research, there are three built-in roles, or a custom role, that can upload the hardware hash.
- Intune Administrator
  This role has full permissions to manage devices and can upload hardware hashes via the Intune portal or PowerShell.
- Policy and Profile Manager
  This role can also perform device enrollment tasks, including uploading hardware hashes.
- Custom Role with Enrollment Program Permissions
  You can create a custom role in Intune with all permissions under "Enrollment programs" enabled (except for the four token management options). This allows for more granular control.
- Global Administrator
  This role has unrestricted access across Azure and Microsoft 365, including Autopilot tasks, but it is generally not recommended for day-to-day operations due to its broad scope.
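As an added example (not part of this post or its GitHub write-up), here is a small Python check that audits a Graph roleDefinition object for exactly that least-privilege shape: every Enrollment programs action present, the four token options absent, and nothing outside that scope, plus a trimmed copy of an over-provisioned role. The resource-action names and the sample role are assumptions constructed for the example; verify the names against your own tenant's role definitions.

```python
import json

# Assumed resource-action names for the "Enrollment programs" category
# (constructed to match the portal labels; verify against your tenant).
ENROLLMENT_PROGRAM_ACTIONS = {
    "Microsoft.Intune_EnrollmentProgram_" + op
    for op in ("Assign", "Create", "Delete", "Read", "Sync", "Update")
}
# The four token-management options the post leaves disabled (assumed names).
TOKEN_ACTIONS = {
    "Microsoft.Intune_EnrollmentProgram_Token" + op
    for op in ("Create", "Delete", "Read", "Update")
}

def allowed_actions(role_definition: dict) -> set:
    """Flatten allowedResourceActions out of a Graph roleDefinition object."""
    actions = set()
    for perm in role_definition.get("rolePermissions", []):
        for ra in perm.get("resourceActions", []):
            actions.update(ra.get("allowedResourceActions", []))
    return actions

def audit_autopilot_role(role_definition: dict) -> dict:
    """Report missing enrollment actions, granted token rights, and anything
    outside the Enrollment programs scope (lists sorted for stable output)."""
    actions = allowed_actions(role_definition)
    return {
        "missing": sorted(ENROLLMENT_PROGRAM_ACTIONS - actions),
        "token_rights": sorted(actions & TOKEN_ACTIONS),
        "out_of_scope": sorted(actions - ENROLLMENT_PROGRAM_ACTIONS - TOKEN_ACTIONS),
    }

def is_least_privilege(role_definition: dict) -> bool:
    """True only when the role grants exactly the hash-upload permission set."""
    return not any(audit_autopilot_role(role_definition).values())

def hardened_copy(role_definition: dict) -> dict:
    """Return a new roleDefinition trimmed to the hash-upload permission set."""
    keep = sorted(allowed_actions(role_definition) & ENROLLMENT_PROGRAM_ACTIONS)
    return {"displayName": role_definition.get("displayName", "Autopilot Hash Upload"),
            "rolePermissions": [{"resourceActions": [{"allowedResourceActions": keep}]}]}

# Constructed sample: a tech role over-provisioned with a token right and a
# device-deletion right on top of the six enrollment actions.
SAMPLE_ROLE = json.loads("""{"displayName": "Autopilot Techs", "rolePermissions": [
  {"resourceActions": [{"allowedResourceActions": [
    "Microsoft.Intune_EnrollmentProgram_Assign", "Microsoft.Intune_EnrollmentProgram_Create",
    "Microsoft.Intune_EnrollmentProgram_Delete", "Microsoft.Intune_EnrollmentProgram_Read",
    "Microsoft.Intune_EnrollmentProgram_Sync", "Microsoft.Intune_EnrollmentProgram_Update",
    "Microsoft.Intune_EnrollmentProgram_TokenRead", "Microsoft.Intune_ManagedDevices_Delete"]}]}]}""")
```

Feed it the JSON you get back from `GET /deviceManagement/roleDefinitions/{id}` for the custom role, and the audit tells you exactly which grants to remove before assigning it to the techs.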
So, as the title says, we are going to focus on a custom role. Here is a link to my full GitHub write-up. I hope this helps. Have a great day and learn something new. Till next time.