As a tenant admin, you can assign precise, workload-focused permissions to operators. This allows each operator to manage only the workloads relevant to their responsibilities in the tenant you are setting their permissions for.
For example, if you set permissions in the “Dev Tenant,” those permissions will only apply to that specific tenant. If you want the same permissions in other tenants, you’ll need to repeat the process for each one individually.
To configure this access:
- Go to the Permissions page
- For each operator, enable or disable specific workload checkbox to match their duties
The operator’s interface will only show the workloads they are authorized to manage.
Key restrictions and behaviors
Before assigning permissions, it’s important to understand the specific limitations and behaviors associated with workload-specific role delegation.
Configuration visibility
Operators can see only the configurations related to the specific workload. However, when deploying a change, if any of the configurations have one or more dependencies, they will also be able to modify those dependent configurations.
Required Sync warning
If an operator sees a “Required Sync” badge when trying to make a change, they will get a message: “Cannot perform this action, before the Global Admin runs a Sync”.
Workload-restricted operators can only perform Syncs that relate to their own changes, not for the whole environment.
Sync actions
Workload-restricted operators cannot perform actions on the Sync Page. Full Sync and Backup actions require all filters to be set and are not available to workload operators.
Sync Settings filters
- Only tenant admins can use Configuration filters.
- Workload operators are not allowed to use these filters.
App Builder visibility
The App Builder section is only visible if you one of the following roles:
- Tenant Admin,
- Configuration Admin,
- Configuration User
and only if you have access to Intune.
Link and apply configurations limitation
Workload-restricted operators cannot manage Link configurations nor the "Apply configurations" functionality, regardless of their granted workloads.
All workload permissions granted
If you assign all workload permissions to an operator they are no longer considered a “workload-restricted operator”:
- Having all workloads assigned is the same as having no restrictions: you’ll have full visibility and can run a Full Sync.
- A user who doesn’t have all workloads assigned can only sync specific changes for their assigned workloads.
- If a new workload is added in the future and you previously selected all workloads, the new workload won’t be included automatically.
To give a user full access: skip this permission step and do not assign all workloads.
| Role | Access Level | Sync actions | Limitations |
|---|---|---|---|
| Workload operator (specific) | Limited by assigned workloads | Can perform “Sync only these changes”. | |
| Operator (all workloads) | Unrestricted but limited to granted set of workloads. Workloads added in the future are not automatically included. | Can perform either “Full Sync” or “Sync only these changes”. | |
| No workload operator | Full | Can perform either “Full Sync” or “Sync only these changes”. |
|