Quest ARS Active Roles for EntraID?

My Endpoint Infrastructure and Engineering group has questions about using Quest ARS Active Roles to control device groups and user groups in Entra ID for use with MS Intune.

Our problem:

Delegation within Intune & Entra ID is necessary for widespread Intune adoption. We have generally handled what delegation is possible with Intune, and need Entra ID delegation to continue.

Anyone who has permissions in Intune (what we envision giving Technical Support Providers, and what the Cloud Team has) can create and deploy applications, configurations, scripts, etc. Deployment with Intune utilizes Entra ID groups. Currently anyone can create groups in Entra ID and add users and devices. If a person also can deploy items in Intune, then they can utilize any Entra ID group for deployment, which means they can deploy items to any device within Intune. This means if multiple groups have Intune permissions, they could potentially deploy items to each other.

In short, we need a delegation model that restricts who can make groups in Entra ID, and limits what can be added to those groups. Otherwise, without a custom solution, we cannot move forward with Intune.

We have heard other places use Grouper to restrict what can be added to groups within Entra. Since Entra groups are what is used for scoping in Intune, we can only do so much with scope tags and restrictions in Intune, but if someone adds a device or user to a group in Entra, even if they can't see the device/user in Intune, they can create and deploy items to them. MS confirmed this was the case in the meeting the other week. We need a way in Entra to restrict what items a person can add to a group.

We want to know if Quest ARS Active Roles for EntraID can meet this need or if there is another Quest related solution.

Thank you for your thoughts and feedback in advance.
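Added example, not part of the original post: a read-only PowerShell audit of the exposure described above. It reports the two tenant-wide Entra ID switches that decide whether ordinary users may create groups, then lists security groups (the kind Intune assignments target) whose owners, who can add members, fall outside an allow-list, skipping dynamic groups because their membership comes only from the rule. It assumes the Microsoft.Graph PowerShell SDK and a signed-in account with the listed read scopes; the allow-list UPNs are constructed placeholders.

```powershell
# Added example: audit who can create Entra ID groups and who owns the
# security groups that Intune assignments can target. Read-only.
# Assumes Microsoft.Graph PowerShell SDK; allow-list UPNs are placeholders.
$AllowedOwners = @('cloud-admin1@contoso.example', 'cloud-admin2@contoso.example')

Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All', 'Group.Read.All' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0'

# 1. Tenant-wide switch: may ordinary users create security groups?
#    Intune assignments target security groups, so this switch matters most.
$authz = Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/authorizationPolicy"
"Users may create security groups : $($authz.defaultUserRolePermissions.allowedToCreateSecurityGroups)"

# 2. Tenant-wide switch for Microsoft 365 groups (Group.Unified setting object, if present).
$settings = (Invoke-MgGraphRequest -Method GET -Uri "$graph/groupSettings").value
$unified  = $settings | Where-Object { $_.displayName -eq 'Group.Unified' }
if ($unified) {
    $enable  = ($unified.values | Where-Object { $_.name -eq 'EnableGroupCreation' }).value
    $allowed = ($unified.values | Where-Object { $_.name -eq 'GroupCreationAllowedGroupId' }).value
    "Users may create M365 groups     : $enable (creation limited to group id: '$allowed')"
} else {
    "Users may create M365 groups     : True (no Group.Unified setting object; tenant default applies)"
}

# 3. Per-group check: owners can add members unless the group is dynamic,
#    in which case the membership rule is the only way in.
function Get-GroupOwnerExceptions {
    param([string[]]$AllowList)
    $uri = "$graph/groups?`$filter=securityEnabled%20eq%20true&`$select=id,displayName,membershipRule&`$top=999"
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($g in $page.value) {
            # OData cast to user: service-principal owners are out of scope for this check.
            $owners  = (Invoke-MgGraphRequest -Method GET -Uri "$graph/groups/$($g.id)/owners/microsoft.graph.user?`$select=userPrincipalName").value
            $upns    = $owners | ForEach-Object { $_.userPrincipalName }
            $outside = @($upns | Where-Object { $_ -and ($_ -notin $AllowList) })
            [pscustomobject]@{
                Group             = $g.displayName
                DynamicMembership = [bool]$g.membershipRule
                OwnersOutsideList = ($outside -join ', ')
            }
        }
        $uri = $page.'@odata.nextLink'   # follow paging until exhausted
    } while ($uri)
}

Get-GroupOwnerExceptions -AllowList $AllowedOwners |
    Where-Object { -not $_.DynamicMembership -and $_.OwnersOutsideList } |
    Format-Table -AutoSize
```

Any row in the final table is a group that a person outside the allow-list can populate, and therefore a group that anyone with Intune deployment rights could target; converting such groups to dynamic membership or changing their owners closes that path within Entra itself.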