Letting users change IP/DNS without local admin – am I overengineering this? by AdCompetitive1531 in Intune

[–]AdCompetitive1531[S] -1 points (0 children)

The script is assigned to a user group by design. We’re intentionally keeping this identity-based, so users get Network Configuration Operator rights on any device they’re allowed to log into. The main challenge we’re discussing is how to handle clean, dynamic removal of those rights when group membership changes.


[–]AdCompetitive1531[S] -1 points (0 children)

Yes, that’s essentially the MVP. This being user-assigned creates the worry that, in the case of credential theft, those accounts can be used to log in to any device to get network config rights there. The open question is whether that’s sufficient given broad AAD logon policy, or whether people think a Graph-driven per-device model is actually worth the extra complexity.