deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

reorg data

Browse Source
This commit is contained in:
Meghan Stewart 2023-04-07 13:54:43 -07:00
parent 907411b485
commit 4d15fe3a6e
1 changed files with 21 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
View File

@ -9,26 +9,35 @@ ms.date: 03/29/2023
ms.localizationpriority: medium ms.localizationpriority: medium
--- ---
<!--This file is shared by updates/wufb-reports-enable.md and the update/wufb-reports-admin-center.md articles. Headings may be driven by article context. --> <!--This file is shared by updates/wufb-reports-enable.md and the update/wufb-reports-admin-center.md articles. Headings may be driven by article context. -->
Accessing Windows Update for Business reports typcially requires permissions from multiple sources.
**Enrolling into Windows Update for Business reports** - [Azure Active Directory (Azure AD)](/azure/active-directory/roles/custom-overview) or [Intune](/mem/intune/fundamentals/role-based-access-control): Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports
- [Azure](/azure/role-based-access-control/overview): Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace
- [Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles): Manages access to the Microsoft 365 admin center, which allows only users with certain roles access to sign in
**Roles that allow enrollment into Windows Update for Business reports**
To enroll into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles: To enroll into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
- [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) - [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) Azure AD role
- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) Azure AD role
- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator) - [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator) Azure AD role
- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Intune role - [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Microsoft Intune role
- [Global reader](/azure/active-directory/roles/permissions-reference#global-reader) - Microsoft Intune RBAC roles don't allow access to the Microsoft 365 admin center
> [!IMPORTANT] **Azure roles that allow access to the Log Analytics workspace Windows Update for Business reports data**
> At minimum, the Log Analytics Reader role (or equivalent permissions) needs to be assigned to the user as well. All of the above roles don't have the permissions to actually read the Windows Update for Business reports data by default.
**Read Windows Update for Business reports data**:
The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query any of Windows Update for Business reports data, users must have the following roles, or the equivalent permissions: The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query any of Windows Update for Business reports data, users must have the following roles, or the equivalent permissions:
- [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data - [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data
- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used if creating a new workspace or write access is needed - [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used if creating a new workspace or write access is needed
> [!IMPORTANT] Examples of commonly assigned roles for Windows Update for Business reports users:
> Assigning either of the Log Analytics roles alone allows access to the [workbook](../wufb-reports-use.md), but doesn't allow access to the Microsoft 365 admin center. For more information, see [Admin roles in the Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles).
| Roles | Enroll though workbook | Enroll through admin center | Read data workbook | Display admin center | Create Log Analytics workspace |
| --- | --- | --- | --- | --- | --- |
| Intune Administrator + Log Analytics Contributor | Yes | Yes | Yes | Yes | Yes |
| Windows Update deployment administrator + Log Analytics reader | Yes | Yes | Yes | Yes| No |
| Policy and profile manager + Log Analytics reader | Yes | No | Yes | No | No |
| Log Analytics reader | No | No | Yes | No | No|
| [Global reader](/azure/active-directory/roles/permissions-reference#global-reader) + Log Analytics reader | No | No | Yes | Yes | No |