Ensure Intune RBAC groups are protected by Restricted Management Administrative Units or Role Assignable groups

Why This Matters

Privileged Intune roles like Intune Administrator or Policy Manager should only be assigned to users in groups that are protected from accidental modification or deletion. Without using Restricted Management Administrative Units (RMAUs) or Role Assignable groups, an attacker or overprivileged user could alter group membership to gain unauthorized administrative access to your Intune environment.

What Aether365 Checks

This check verifies that all Intune RBAC groups are either in an Administrative Unit with restricted management enabled or configured as Role Assignable groups. The result appears in the Aether365 dashboard under the Intune security checks section.
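
The logic of such a check, as an added example that is not Aether365's own code: it classifies every group referenced by an Intune role assignment, using records shaped like Microsoft Graph responses. The property names `members`, `isAssignableToRole` and `isMemberManagementRestricted` are Microsoft Graph's and are not named on this page; all ids, names and sample records are constructed.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    group_id: str
    name: str
    roles: list
    protected_by: str  # "role-assignable", "restricted-au" or "" (unprotected)

def evaluate(assignments, groups, au_memberships):
    """Classify each group that is a member of an Intune role assignment."""
    roles_by_group = {}
    for ra in assignments:
        for gid in ra.get("members", []):
            roles_by_group.setdefault(gid, []).append(ra["displayName"])
    findings = []
    for gid, roles in sorted(roles_by_group.items()):
        group = groups.get(gid)
        if group is None:  # stale assignment: the group id no longer resolves
            findings.append(Finding(gid, "<not found>", roles, ""))
            continue
        # One restricted AU is enough; an ordinary AU gives no protection.
        in_rmau = any(au.get("isMemberManagementRestricted") is True
                      for au in au_memberships.get(gid, []))
        if group.get("isAssignableToRole") is True:
            how = "role-assignable"
        else:
            how = "restricted-au" if in_rmau else ""
        findings.append(Finding(gid, group["displayName"], roles, how))
    return findings

def unprotected(findings):
    return [f.group_id for f in findings if not f.protected_by]

# Constructed sample data; ids and display names are made up.
ASSIGNMENTS = [
    {"displayName": "Policy Manager - EMEA", "members": ["g1", "g2"]},
    {"displayName": "Help Desk Operator", "members": ["g2", "g3", "g4"]},
]
GROUPS = {
    "g1": {"displayName": "Intune-PolicyMgr", "isAssignableToRole": True},
    "g2": {"displayName": "Intune-EMEA-Ops", "isAssignableToRole": None},
    "g3": {"displayName": "Intune-HelpDesk", "isAssignableToRole": False},
}
AU_MEMBERSHIPS = {  # group id -> administrative units the group belongs to
    "g2": [{"isMemberManagementRestricted": False}, {"isMemberManagementRestricted": True}],
    "g3": [{"isMemberManagementRestricted": False}],
}
if __name__ == "__main__":
    print(unprotected(evaluate(ASSIGNMENTS, GROUPS, AU_MEMBERSHIPS)))
```

In the sample, `g3` fails because its only administrative unit is not restricted, and `g4` is reported because the assignment references a group that is absent from the directory data.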
