10 changes: 7 additions & 3 deletions intune/intune-service/fundamentals/multi-admin-approval.md
Expand Up @@ -3,7 +3,7 @@ title: Use Multi Admin Approval in Intune
description: Configure Multi Admin Approval to protect your tenant against the use of compromised administrative accounts in Intune.
author: brenduns
ms.author: brenduns
ms.date: 02/23/2026
ms.date: 03/12/2026
ms.topic: how-to
ms.reviewer: davidra
ms.collection:
Expand Down Expand Up @@ -35,9 +35,13 @@ Access policies are supported for the following resources:

To use multi administrative approval, your tenant must have at least two administrator accounts. One account is used to perform a change in the tenant, the second account is used to approve the change.

To create an access policy, your account must be assigned the [*Intune Service Administrator*](../fundamentals/role-based-access-control.md) role, or be assigned the appropriate Multi Admin Approval permissions for an Intune role. Administrators who manage the access policies specifically for multi-admin approval require the *Approval for Multi Admin Approval* permission.
**To create and manage access policies**, use an account with one of the following:

To be an approver for access policies, an account must be in the approver group that's assigned to the access policy for a specific type of resource.
- **Custom Intune role** (recommended): Use a [custom role](create-custom-role.md) that includes the required [Multi Admin Approval permissions](create-custom-role.md#multi-admin-approval). To create and manage access policies, the custom role needs *Create access policy*, *Read access policy*, *Update access policy*, and *Delete access policy* permissions.

- **Intune Administrator** [:::image type="icon" source="../../media/icons/16/privileged-label.svg" border="false":::](/entra/identity/role-based-access-control/privileged-roles-permissions?tabs=admin-center) (also known as **Intune Service Administrator**): This Microsoft Entra role provides full read/write access to Intune. Because it's a [privileged role](/entra/identity/role-based-access-control/privileged-roles-permissions?tabs=admin-center), Microsoft recommends using a least-privileged custom Intune role for routine access policy management instead of this role. To learn more, see [Microsoft Entra built-in roles - Intune Administrator](/entra/identity/role-based-access-control/permissions-reference#intune-administrator).

**To approve or reject requests**, an account must be in the approver group that's assigned to the access policy for a specific type of resource. Approver accounts require the *Approval for Multi Admin Approval* permission in their Intune role.

All approver groups must also be a member group of one or more Intune role assignments. There's no specific requirement for which role assignment the approver group must be added to. If the approver group isn't added to a role assignment, approver group members are removed from the group periodically.

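Review bot: the new approver sentence and the unchanged paragraph after it now pull in different directions. "Approver accounts require the *Approval for Multi Admin Approval* permission in their Intune role" establishes a concrete requirement on the role assignment the approver group sits in, while the next paragraph still says "There's no specific requirement for which role assignment the approver group must be added to." If the intent is that any role assignment works as long as its role carries that permission, say so in the unchanged paragraph (for example, "The approver group can be added to any role assignment, as long as that role includes the *Approval for Multi Admin Approval* permission") so the two statements agree. Minor: the Intune Administrator bullet links to the privileged-roles page twice, once through the icon and once on "privileged role"; one link is enough.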
Expand Up @@ -3,7 +3,7 @@ title: Role-based access control (RBAC) with Microsoft Intune
description: Learn how RBAC lets you control who can perform actions and make changes in Microsoft Intune.
author: brenduns
ms.author: brenduns
ms.date: 08/20/2025
ms.date: 03/12/2026
ms.topic: article
ms.reviewer: davidra
ms.collection:
Expand Down Expand Up @@ -68,7 +68,7 @@ The following table identifies the Microsoft Entra roles that have access to Int
| Microsoft Entra role | All Intune data | Intune audit data |
| --- | :---: | :---: |
| Global Administrator [:::image type="icon" source="../../media/icons/16/privileged-label.svg" border="false":::](/entra/identity/role-based-access-control/privileged-roles-permissions?tabs=admin-center) | Read/write | Read/write |
| Intune Service Administrator [:::image type="icon" source="../../media/icons/16/privileged-label.svg" border="false":::](/entra/identity/role-based-access-control/privileged-roles-permissions?tabs=admin-center) | Read/write | Read/write |
| Intune Administrator [:::image type="icon" source="../../media/icons/16/privileged-label.svg" border="false":::](/entra/identity/role-based-access-control/privileged-roles-permissions?tabs=admin-center) | Read/write | Read/write |
| Conditional Access Administrator [:::image type="icon" source="../../media/icons/16/privileged-label.svg" border="false":::](/entra/identity/role-based-access-control/privileged-roles-permissions?tabs=admin-center) | None | None |
| Security Administrator [:::image type="icon" source="../../media/icons/16/privileged-label.svg" border="false":::](/entra/identity/role-based-access-control/privileged-roles-permissions?tabs=admin-center) | Read only (full administrative permissions for Endpoint Security node) | Read only |
| Security Operator [:::image type="icon" source="../../media/icons/16/privileged-label.svg" border="false":::](/entra/identity/role-based-access-control/privileged-roles-permissions?tabs=admin-center) | Read only | Read only |
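Review bot: renaming the row to "Intune Administrator" matches the rest of the PR, but the note added further down says the role still surfaces as "Intune Service Administrator" in Microsoft Graph and PowerShell, and this table is where readers scanning for that name will look. Suggest appending "(Intune Service Administrator in Microsoft Graph and PowerShell)" to the row, or a footnote under the table, so the old name stays searchable.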
Expand Down Expand Up @@ -96,12 +96,16 @@ The **Global Administrator** role is a built-in role in Microsoft Entra, and has

To learn more about the Microsoft Entra Global Administrator role, see [Microsoft Entra built-in roles - Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator).

The **Intune Administrator** role is a built-in role in Microsoft Entra, and is also known as the **Intune Service Administrator** role. It has a limited scope of permissions to administer and manage Intune, and manage related features, like user and group management. This role is suitable for admins who only need to administer Intune.
The **Intune Administrator** role is a built-in role in Microsoft Entra. It grants global read/write permissions across Microsoft Intune and is classified as a [privileged role](/entra/identity/role-based-access-control/privileged-roles-permissions?tabs=admin-center). While its scope is narrower than the Global Administrator role, it still exceeds what is needed for almost all day-to-day Intune management tasks. Don't use this role for routine administration. Use a least-privileged [built-in Intune role](#rbac-roles) or a [custom role](create-custom-role.md) instead.

> [!NOTE]
> In Microsoft Graph API and Microsoft PowerShell, this role appears as **Intune Service Administrator**.

**To reduce risk**:

- Assign the Intune Administrator role only as needed. If there's a [built-in Intune role](#rbac-roles) that meets the needs of the admin, then assign that role instead of the Intune Administrator role. Always assign the least privileged Intune role necessary for the admin to do their tasks.
- Create [custom roles](create-custom-role.md) to further limit the scope of permissions for your admins.
- Don't use the Intune Administrator role for day-to-day Intune administration.
- Assign a [built-in Intune role](#rbac-roles) or a [custom role](create-custom-role.md) instead. These roles limit permissions to only what each task requires.
- When the Intune Administrator role is required, assign it only for the duration needed, and then remove it. Optionally, if you have Microsoft Entra ID with a P2 or Microsoft Entra ID Governance license, you can use [Privileged Identity Management](/entra/id-governance/privileged-identity-management/pim-getting-started) (PIM) to provide time bound elevation for this role.

**Enhanced Security Controls**:

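Review bot: the rewritten paragraph and the first new bullet say the same thing ("Don't use this role for routine administration." and "Don't use the Intune Administrator role for day-to-day Intune administration."), and the paragraph's last sentence already makes the second bullet's point; keep the guidance in one place and trim the other, leaving the PIM bullet as the one that adds new information. Two smaller points in the last bullet: "time bound" should be hyphenated as "time-bound", and "Microsoft Entra ID with a P2 or Microsoft Entra ID Governance license" reads awkwardly; "a Microsoft Entra ID P2 or Microsoft Entra ID Governance license" is cleaner. Also, "These roles limit permissions to only what each task requires" overstates what a built-in Intune role does: built-in roles are narrower than Intune Administrator, but it is the custom role that lets you scope to exactly what a task needs, so "These roles scope permissions more narrowly" or similar would be more accurate.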