3.6 KiB
author, ms.author, manager, ms.technology, ms.prod, ms.topic, ms.date, ms.localizationpriority
| author | ms.author | manager | ms.technology | ms.prod | ms.topic | ms.date | ms.localizationpriority |
|---|---|---|---|---|---|---|---|
| mestew | mstewart | aaroncz | itpro-updates | windows-client | include | 04/26/2023 | medium |
Accessing Windows Update for Business reports typcially requires permissions from multiple sources including:
- Azure Active Directory (Azure AD) or Intune: Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports
- Azure: Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace
- Microsoft 365 admin center: Manages access to the Microsoft 365 admin center, which allows only users with certain Azure AD roles access to sign in
Roles that can enroll into Windows Update for Business reports
To enroll into Windows Update for Business reports from the Azure portal or the Microsoft 365 admin center requires one of the following roles:
- Global Administrator Azure AD role
- Intune Administrator Azure AD role
- Windows Update deployment administrator Azure AD role
- Policy and profile manager Microsoft Intune role
- Microsoft Intune RBAC roles don't allow access to the Microsoft 365 admin center
Azure roles that allow access to the Log Analytics workspace
The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query any of Windows Update for Business reports data, users must have the following roles, or the equivalent permissions for the workspace:
- Log Analytics Reader role can be used to read data
- Log Analytics Contributor role can be used if creating a new workspace or write access is needed
Examples of commonly assigned roles for Windows Update for Business reports users:
| Roles | Enroll though the workbook | Enroll through Microsoft 365 admin center | Display the workbook | Microsoft 365 admin center access | Create Log Analytics workspace |
|---|---|---|---|---|---|
| Intune Administrator + Log Analytics Contributor | Yes | Yes | Yes | Yes | Yes |
| Windows Update deployment administrator + Log Analytics reader | Yes | Yes | Yes | Yes | No |
| Policy and profile manager (Intune role)+ Log Analytics reader | Yes | No | Yes | No | No |
| Log Analytics reader | No | No | Yes | No | No |
| Global reader + Log Analytics reader | No | No | Yes | Yes | No |
Note
The Azure AD roles discussed in this article for the Microsoft 365 admin center access apply specifically to the Windows tab of the Software Updates page. For more information about the Microsoft 365 Apps tab, see Microsoft 365 Apps updates in the admin center.