Applies to:
- iOS
- Windows
Important
On October 14, 2025, Windows 10 reached end of support and no longer receives quality and feature updates. Windows 10 is an allowed version in Intune. Devices running this version can still enroll in Intune and use eligible features, but functionality isn't guaranteed and can vary.
Give these permissions only to qualified individuals to reduce the risk of unauthorized or accidental changes in Intune for Education. Users with admin permissions can only see and make changes to the groups you assign them.
Group admins can:
- ✅ View information about devices, users, and apps.
- ✅ Assign, create, delete, view, and update device and user settings.
- ✅ Assign, create, delete, view, and update apps.
- ✅ View reports.
- ✅ Take remote actions on devices, including resetting to factory settings, rebooting, and forcing a sync.
- ✅ Create, delete, view, and update the iOS MDM Push Certificate, iOS MDM server tokens, and iOS VPP tokens.
- ✅ Assign and delete an Apple user-initiated enrollment profile.
- ✅ Assign and delete Windows Autopilot deployment profiles.
- ✅ Initiate a sync on devices registered with the Windows Autopilot service.
- ✅ Assign users to devices registered with the Windows Autopilot service.
- ✅ Delete devices registered with the Windows Autopilot service.
Building custom roles
The built-in School Admin role includes all the permissions you need to use Intune for Education. If you want to create a custom role that grants access to Intune for Education, duplicate the built-in School Admin role, and then add or remove permissions to create the role you want.
To build a custom set of admin permissions, switch to the full management experience in Microsoft Intune and go to Tenant administration > Roles. For more information about role-based access, see Role-based access control (RBAC) with Microsoft Intune.
Assign group admins
You can assign group admins in Intune for Education in two ways:
- Select a device or user group, and then add new group members as admins.
- Select an admin group, and then add a device or user group for the admins to manage.
Add group members as admins
Follow these steps to add admins to a device or user group.
- Sign in to Intune for Education and go to Groups.
- Select a group.
- Go to Admins > Admins of this group.
- Select Add admins.
- Select a group.
- Select Add groups.
Add a group to manage
Follow these steps to assign a device or user group to a group of admins.
- Sign in to Intune for Education and go to Groups.
- Select a group.
- Go to Admins > Managed by this group.
- Select Add groups to manage.
- Select a group.
- Select Add groups.
Remove admin permissions
To remove admin permissions from people in your school, you can either:
- Select a device or user group and remove the associated admins.
- Select an admin group and remove an associated device or user group.
Remove admins
Follow these steps to remove a group of admins from a device or user group.
- In Groups, select a group.
- Go to Admins > Admins of this group.
- Select one or more groups.
- Select Remove admins.
- Select Remove to confirm removal.
Remove device or user group
Follow these steps to remove a device or user group from a group of admins.
- In Groups, select a group.
- Go to Admins > Managed by this group.
- Select one or more groups.
- Select Remove groups.
- Select Remove to confirm removal.
Restrict iOS VPP token access
If you're in a school district that has iOS devices at multiple locations, restrict VPP token access to select admins. Admins can access these tokens only if you add the token to their group's restricted token list.
- In Groups, select a group.
- To view admins of the current group, select Admins of this group. To view groups that this group can manage, select Managed by this group.
- Select the admin group, and then select the More ellipses icon (...).
- Select Restrict admin access. Two lists appear:
  - The top list shows all restricted VPP tokens. These tokens and their associated apps can only be accessed by the selected group.
  - The bottom list shows all unrestricted VPP tokens. These tokens and their associated apps can be accessed by anyone with admin permissions.
- To add a token to the group's restricted list, use one of these options:
  - Use the search bar to find a token, and then select it from the search results.
  - Find a token in the unrestricted list and select Restrict to these admins.
- Select Save.
Only the selected admins can now see and manage the token and its associated apps. To restrict all VPP tokens to their respective admins, repeat these steps for each group.