Applies to: Nerdio Manager for MSP (NMM) v2.5+
Nerdio Manager accounts can be provisioned in what's called Limited Access mode to restrict the permissions granted to the Nerdio Manager enterprise app in the customer's Azure tenant. Existing customer accounts that were not created in limited access mode can be switched to limited access mode as well. Note that accounts in limited access mode have reduced functionality. For example, User & Group management will not be available for limited access mode accounts.
Similarly, the Nerdio Manager install itself can be switched to Limited Access mode. This restricts the permissions granted to the Nerdio Manager enterprise app in the MSP's Azure tenant.
Enabling "Limited access" feature at MSP level
To enable this feature at the MSP level, navigate to "Settings->Environment" from the main menu:
Once you enable the limited access setting at the MSP level, we suggest you replace Directory.ReadWrite.All with Directory.Read.All and add the User.Invite.All permission. This keeps all existing functionality. You can also remove the Application.ReadWrite.All permission, in which case some functionality, such as enabling the REST API, enabling Azure runbooks, managing user roles, and assigning accounts to global images, may not work.
For example, if you previously enabled the REST API, then enabled limited access, and later disabled the REST API, you will be able to enable the REST API again because the necessary app registration already exists. However, if you enable the REST API for the first time after enabling limited access, NMM will not be able to create the REST API app registration in Azure AD. Also, NMM does not show warnings on its pages when limited access is enabled at the MSP level.
- If limited access mode is enabled, NMM doesn't restore permissions while updating NMM. However, NMM always restores permissions during update if limited access mode is not enabled.
- If limited access mode is disabled, you would need to re-deploy your installation to restore all required permissions automatically, as shown below:
Enabling "Limited access" feature at account level
Enabling "Limited access" feature for new accounts
You can enable limited access for a specific account during account provisioning. To enable the limited access feature for new accounts, navigate to the "Accounts" page and click the "Add account" button:
Click the "Settings" gear icon at the top right corner and enable the "Limited access" setting as shown below:
NMM creates an app registration for each account during provisioning. Here are a few points to note:
- If "Limited access" is disabled, the app has the "Global Admin" role and the following permissions:
  - AuditLog.Read.All, Group.ReadWrite.All
  - Intune specific - DeviceManagementApps.ReadWrite.All
  - Cloud PC specific - CloudPC.ReadWrite.All, DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All
  - For Intune and Cloud PC - DeviceManagementConfiguration.ReadWrite.All
- If "Limited access" is enabled, the app registration doesn't have the "Global Admin" role and has the following permissions:
  - AuditLog.Read.All, Directory.Read.All, Group.Read.All
  - Cloud PC specific (if Cloud PC is enabled) - CloudPC.ReadWrite.All, DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All
  - Intune permissions can be assigned on the "Settings -> Integrations" page after the account is created.
- NMM modifies the Azure AD applications during provisioning, so if limited access is enabled, NMM grants the following permissions at the first provisioning step and removes them at the second step: Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All.
- If limited access is enabled, NMM displays an icon next to the first step's name:
- And the same icon next to the account name on "Accounts" screen:
- If you hover over the "Limited access" icon, a tooltip is shown that says: "Account is in limited access mode. User and Group management functionality is limited."
- In limited access mode, NMM prompts you to assign necessary permissions manually when you enable Intune or Cloud PC from the "Settings -> Integrations" page:
- When you disable "Intune" features, NMM displays a list of permissions that can be removed:
- NMM displays warnings for all the functionality that is not available in limited access mode:
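The permission lists above, together with the MSP-level recommendation (swap Directory.ReadWrite.All for Directory.Read.All, add User.Invite.All, optionally drop Application.ReadWrite.All), give a concrete baseline to audit against. The script below is an added example, not code from Nerdio or from this page: it compares the application permissions actually granted to an NMM app registration with the sets stated here and flags extras, gaps, a leftover provisioning-only permission, and a Global Admin role mismatch. The granted permission names are constructed sample data; in a live tenant they would come from the enterprise app's app role assignments (Graph: GET /servicePrincipals/{id}/appRoleAssignments, resolved to names via the Microsoft Graph service principal's appRoles), which is assumed rather than shown.

```python
"""Audit an NMM app registration's Graph application permissions against the
permission sets this page lists for full and limited access mode.
Added example; the granted-permission inputs below are CONSTRUCTED samples."""
from __future__ import annotations

# Per-account app registration permission sets, as listed on the page.
BASE_FULL = {"AuditLog.Read.All", "Group.ReadWrite.All"}
BASE_LIMITED = {"AuditLog.Read.All", "Directory.Read.All", "Group.Read.All"}
INTUNE = {"DeviceManagementApps.ReadWrite.All"}
CLOUD_PC = {
    "CloudPC.ReadWrite.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
}
INTUNE_OR_CLOUD_PC = {"DeviceManagementConfiguration.ReadWrite.All"}
# Granted at the first provisioning step and removed at the second (page text);
# if still present afterwards, the clean-up step did not complete.
PROVISIONING_ONLY = {"Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"}


def expected_account_permissions(limited_access: bool, intune: bool, cloud_pc: bool) -> set[str]:
    """Permission set the page says a per-account app should hold."""
    expected = set(BASE_LIMITED if limited_access else BASE_FULL)
    if intune:
        expected |= INTUNE
    if cloud_pc:
        expected |= CLOUD_PC
    if intune or cloud_pc:
        expected |= INTUNE_OR_CLOUD_PC
    return expected


def audit_account_app(granted: set[str], has_global_admin: bool, limited_access: bool,
                      intune: bool = False, cloud_pc: bool = False) -> dict[str, list[str]]:
    """Return findings: unexpected/missing permissions, leftovers and role mismatches."""
    expected = expected_account_permissions(limited_access, intune, cloud_pc)
    findings: dict[str, list[str]] = {
        "unexpected": sorted(granted - expected),
        "missing": sorted(expected - granted),
        "leftover_provisioning": sorted(granted & PROVISIONING_ONLY),
        "role": [],
    }
    if limited_access and has_global_admin:
        findings["role"].append("Global Admin role present in limited access mode")
    if not limited_access and not has_global_admin:
        findings["role"].append("Global Admin role missing in full access mode")
    return findings


def audit_msp_app(granted: set[str]) -> list[str]:
    """Check the MSP-level app against the page's post-enablement recommendation:
    Directory.ReadWrite.All replaced by Directory.Read.All, User.Invite.All added,
    Application.ReadWrite.All optional (removing it disables some features)."""
    notes: list[str] = []
    if "Directory.ReadWrite.All" in granted:
        notes.append("replace Directory.ReadWrite.All with Directory.Read.All")
    elif "Directory.Read.All" not in granted:
        notes.append("Directory.Read.All missing")
    if "User.Invite.All" not in granted:
        notes.append("add User.Invite.All")
    if "Application.ReadWrite.All" in granted:
        notes.append("Application.ReadWrite.All present (optional; removal disables REST API/runbook/role features)")
    return notes


def is_clean(findings: dict[str, list[str]]) -> bool:
    """True when no finding category has entries."""
    return not any(findings.values())


# CONSTRUCTED sample: a limited-access account with Cloud PC enabled whose
# provisioning clean-up step left Application.ReadWrite.All behind.
SAMPLE_ACCOUNT_GRANTED = {
    "AuditLog.Read.All", "Directory.Read.All", "Group.Read.All",
    "CloudPC.ReadWrite.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementConfiguration.ReadWrite.All",
    "Application.ReadWrite.All",
}
# CONSTRUCTED sample: MSP-level app right after enabling limited access, before the swap.
SAMPLE_MSP_GRANTED = {"Directory.ReadWrite.All", "Application.ReadWrite.All"}

if __name__ == "__main__":
    import json
    print(json.dumps(audit_account_app(SAMPLE_ACCOUNT_GRANTED, has_global_admin=False,
                                       limited_access=True, cloud_pc=True), indent=2))
    print(audit_msp_app(SAMPLE_MSP_GRANTED))
```

Run it after provisioning a limited-access account or after an NMM update: a non-empty "leftover_provisioning" list means the second provisioning step did not remove its temporary permissions, and the "role" list catches an account that still carries Global Admin despite being marked limited access.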
Enabling "Limited access" feature for existing accounts
To enable the "limited access" feature on existing accounts, navigate to the "Accounts" tab from the main menu. Select an account and expand its "Action" menu. Click the "Enable limited access" option:
On the Confirm Action pop-up, type CONFIRM and click the "OK" button:
Note: This is an irreversible operation, and NMM will display warnings for all the functionality that is not available in limited access mode.