Zehadi Alam
Introduction
The University of Georgia has a distributed IT environment in which technicians from many colleges operate within a single Intune tenant. To manage this shared environment effectively, UGA has implemented a role-based access control structure known as the full delegation model. This model, based on Microsoft's RBAC framework, defines the relationship between the global administrators of the Microsoft 365 tenant (i.e., EITS) and the local Intune administrators (i.e., the college IT units). In the full delegation model, each IT unit at UGA acts as an independent administrator within Intune, with control over its own resources such as devices, policies, and applications. This autonomy over a unit's own resources is achieved through scope tags (created by EITS) and scope groups. Scope tags define what an administrator can see. Scope groups define what an administrator can manage. Both are incorporated into Intune role assignments. Intune roles define what an administrator can do.
Group Assignment - Insufficient Permissions
When assigning an Intune resource to an Azure security group, an administrator may receive the following error message (the message shown here is specific to assigning an app).

To resolve this issue, it is important to understand what assigning a resource to a group means. Assigning a resource to a group is an act of management over the members of that group. As explained above, scope groups define what an administrator can manage. If any of the Azure security groups chosen for the assignment is not in the administrator's list of scope groups, an error message indicating insufficient permissions is displayed when the administrator attempts to save the settings.
Solution
To resolve the error message above, add every Azure security group you have selected under Assignments to the Scope (Groups) list of your role assignment if it is not already there. When the message says to "contact your administrator", the administrator in this context is yourself.
Navigate to Tenant administration → Roles.

Click on the name of the custom Intune role created for your IT unit.

Click on Assignments and then the name of your role assignment.

Edit the Scope (Groups) list and add every Azure security group that you have created for Intune.

Save the changes. Wait at least 1 minute before attempting to assign an Intune resource to the Azure security group.
Note: The above procedure must be repeated for every new Azure security group you create in the future.
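The same check and fix can be scripted against Microsoft Graph, where the portal's Scope (Groups) list is the role assignment's resourceScopes property. The following is an added example and is not part of this article or of any UGA-provided tooling; it assumes the Microsoft.Graph PowerShell SDK is installed and that you may read and update your own unit's role assignment. The role assignment ID and group IDs are placeholders.

```powershell
# Added example (not part of the UGA article). Assumes the Microsoft.Graph PowerShell SDK
# and permission to update your own unit's Intune role assignment. All IDs are placeholders.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement.Administration

function Get-MissingScopeGroups {
    param(
        [Parameter(Mandatory)] [string]   $RoleAssignmentId,   # your IT unit's role assignment
        [Parameter(Mandatory)] [string[]] $TargetGroupIds      # groups chosen under Assignments
    )
    # ResourceScopes is the Graph name for the portal's "Scope (Groups)" list
    $assignment  = Get-MgDeviceManagementRoleAssignment -DeviceAndAppManagementRoleAssignmentId $RoleAssignmentId
    $scopeGroups = @($assignment.ResourceScopes | Where-Object { $_ })
    # Any target group not already in scope is what triggers the insufficient-permissions error
    return @($TargetGroupIds | Where-Object { $scopeGroups -notcontains $_ })
}

function Add-ScopeGroups {
    param(
        [Parameter(Mandatory)] [string]   $RoleAssignmentId,
        [Parameter(Mandatory)] [string[]] $GroupIds
    )
    $assignment = Get-MgDeviceManagementRoleAssignment -DeviceAndAppManagementRoleAssignmentId $RoleAssignmentId
    # Merge with the existing scope groups and de-duplicate so nothing already in scope is dropped
    $merged = @(@($assignment.ResourceScopes | Where-Object { $_ }) + $GroupIds | Sort-Object -Unique)
    Update-MgDeviceManagementRoleAssignment -DeviceAndAppManagementRoleAssignmentId $RoleAssignmentId -ResourceScopes $merged
}

# --- Usage with placeholder IDs ---
Connect-MgGraph -Scopes 'DeviceManagementRBAC.ReadWrite.All'

$roleAssignmentId = '00000000-0000-0000-0000-000000000000'   # placeholder: your role assignment ID
$appTargets = @(                                              # placeholder: groups selected under Assignments
    '11111111-1111-1111-1111-111111111111',
    '22222222-2222-2222-2222-222222222222'
)

$missing = Get-MissingScopeGroups -RoleAssignmentId $roleAssignmentId -TargetGroupIds $appTargets
if ($missing.Count -eq 0) {
    Write-Host 'All target groups are already in Scope (Groups); the assignment will save.'
} else {
    Write-Host "Adding $($missing.Count) group(s) to Scope (Groups): $($missing -join ', ')"
    Add-ScopeGroups -RoleAssignmentId $roleAssignmentId -GroupIds $missing
    # The article advises waiting at least 1 minute before retrying the resource assignment
    Start-Sleep -Seconds 60
}
```

Running Get-MissingScopeGroups before you click Save tells you in advance which groups would produce the error, so the fix can be applied once for a batch of new groups rather than on each failed assignment.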