Security Copilot - Intune RBAC Roles
Plot twist nobody asked for: every built-in and custom Intune RBAC role now automatically gets Security Copilot contributor access the moment Intune becomes a Copilot data source. No extra role assignment, no "are you sure?" prompt — it just... happens.
More Information for Copilot Security
If you've been religious about least-privilege (and you should be), this is your cue to go audit who's holding what. That help desk tech with a scoped custom role? They might suddenly have Copilot reach they were never supposed to have.
Go check Entra > Roles and admins, cross-reference against your custom Intune roles, and decide if Microsoft's definition of "convenient" matches yours.
How to check (or roll it back)
See who actually has the keys. If you want full visibility into your own access, the role to look for is Intune Service Administrator (aka Intune Administrator) — this Microsoft Entra ID role gives an admin access to all Intune data through Security Copilot. Anyone with this role can see everything; everyone else is scoped to their existing Intune RBAC role and scope tags. (Source: Microsoft Learn)
Don't want the auto-grant at all? If you want to remove this default access, go remove the relevant Intune role groups from the Security Copilot contributor role in the Security Copilot portal. It's an opt-out, not a setting buried three menus deep — but you do have to go find it. (Source: Microsoft Learn)
Audit your custom roles. Go through Intune's RBAC console and list out every custom role with any Copilot-adjacent permission, especially ones built for narrow, temporary, or contractor-style access. Remember that Intune RBAC roles are built around least-privilege scoping by design — admins should only be able to act on the users and devices their assignment actually targets. This update doesn't break that model, but it's a good excuse to re-validate it. (Source: Microsoft Learn)
Track the elevation pattern. If your org uses PIM for just-in-time access, Intune supports elevating into the Intune Administrator role through Microsoft Entra Privileged Identity Management, either via a JIT policy on the built-in role or PIM for Groups tied to an RBAC role assignment. Worth checking that your Copilot-capable roles aren't sitting as standing assignments when they could be JIT instead. (Source: Microsoft Learn)
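The cross-reference described in the steps above, as an added example that is not from the original post: it takes Intune role assignments (constructed sample data, shaped like a Graph /deviceManagement/roleAssignments export with roleDefinition expanded) and reports every member group that picks up Copilot access through an Intune role but is not on your approved list. The group names and the APPROVED_FOR_COPILOT allow-list are hypothetical.

```python
from collections import defaultdict

# Constructed sample, shaped like Graph /deviceManagement/roleAssignments
# with roleDefinition expanded. Group names and assignments are made up.
ASSIGNMENTS = [
    {"displayName": "Help desk - EMEA",
     "roleDefinition": {"displayName": "Help Desk Operator", "isBuiltIn": True},
     "members": ["grp-helpdesk-emea"]},
    {"displayName": "Contractor app deploy",
     "roleDefinition": {"displayName": "Contractor App Publisher", "isBuiltIn": False},
     "members": ["grp-contractors", "grp-helpdesk-emea"]},
    {"displayName": "Endpoint security",
     "roleDefinition": {"displayName": "Endpoint Security Manager", "isBuiltIn": True},
     "members": ["grp-secops"]},
]

# Hypothetical allow-list: groups you have decided should reach Copilot.
APPROVED_FOR_COPILOT = {"grp-secops"}


def copilot_reach(assignments):
    """Map each member group to the Intune roles it holds (any role grants reach)."""
    reach = defaultdict(list)
    for a in assignments:
        role = a["roleDefinition"]
        for group in a["members"]:
            reach[group].append({"role": role["displayName"], "custom": not role["isBuiltIn"]})
    return dict(reach)


def unapproved(assignments, approved):
    """Groups that gain Copilot access via an Intune role but are not approved."""
    findings = []
    for group, roles in sorted(copilot_reach(assignments).items()):
        if group not in approved:
            findings.append({"group": group,
                             "roles": sorted(r["role"] for r in roles),
                             "via_custom_role": any(r["custom"] for r in roles)})
    return findings


if __name__ == "__main__":
    for f in unapproved(ASSIGNMENTS, APPROVED_FOR_COPILOT):
        flag = "CUSTOM" if f["via_custom_role"] else "built-in"
        print(f"{f['group']}: {', '.join(f['roles'])} [{flag}]")
```

Groups flagged through a custom role are the ones to review first, since those are the narrow, temporary, or contractor-style assignments called out above.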
That’s all for now!

