This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 77%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Hi,
Please can someone advise which Intune role permission is required to allow visibility of the 'Default Device Compliance Policy' under the Device compliance page?
I have a RBAC role (assigned to a scope tag), with Read and View reports allowed for 'Device compliance policies':
However a user assigned this role can only see the policies scoped to the role and does not see the 'Default Device Compliance Policy':
Compared with a full admin:
It seems like the kind of thing I would expect to be possible, does anyone know how?
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 61%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXM%3C/text%3E%3C/svg%3E)
@Phil Hope the following suggestion can help. If the answer is helpful, please click "Accept Answer". Thanks!
Hello Phil
The Default Device Compliance Policy is not a policy that can be viewed by Intune users with a standard RBAC role, even if they have the necessary permissions. The Default Device Compliance Policy is a special policy that is automatically applied to devices when they are enrolled in Intune, and it's not intended to be managed or viewed directly by users.
The reason why full admins can see it is because they have the necessary permissions to view all device compliance policies, including the default one. The Device compliance policies permission only grants access to view policies created by users, not the default one.
To allow users to view the default device compliance policy, you would need to assign them the View all device compliance policies permission, which is only available on the built-in Intune Device Administrator role.
Alternatively, you could also consider creating a custom role with the necessary permissions and assigning it to your user. This way, you can grant them the specific permissions they need without having to assign them the full Intune Device Administrator role.
Keep in mind that the Default Device Compliance Policy is not meant to be modified or managed directly by users, so even if your user has the necessary permissions, they should not attempt to modify or delete it.
I hope this helps clarify things! Let me know if you have any further questions.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 26%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDB%3C/text%3E%3C/svg%3E)
For my tenant, there is no such permission as "View all device compliance policy" if you create a custom role. Also there is no built-in role named "Intune Device Administrator". Would you mind to further clarify?
I also got the problem that some of the admins can only view objects with certain scope tags (RBAC concept), but since I cannot edit the tag of the default compliance policy, there is no option to make it visible for these admins I suppose?