Patch My PC Feature and Application Request

A community where customers and the wider community can provide feedback to make a better product for everyone! For more details on how we prioritize requests, please see:

20 VOTE
Status SUBMITTED
Categories Patch My PC Cloud
Created by Justin Chalfant
Created on Mar 31, 2025

Granular Department Scoping: Restrict Patch My PC Cloud Portal Access to Specific Device Groups

Core Need
The customer wants fine-grained access control in the Patch My PC Cloud Portal. They have multiple departments (like separate school departments or agencies) in a single tenant. Each department has its own Entra ID device groups. Today, if they give someone permissions in the Patch My PC Cloud Portal, that person can see and manage all applications and device groups across the entire tenant. They only want each department’s admin to be able to:

  1. View and publish applications only to the Entra ID device groups that admin actually owns.

  2. Manage software update rings and settings only for devices in their scope.

  3. Avoid being able to deploy apps to Entra ID groups that are not assigned to them or that belong to other departments.

In other words, each department admin should see only the device groups that fall under their own Entra ID group. If possible, it would be great to derive those groups from the admin's scope tag groups. They should not see or modify apps or groups that belong to other departments.

Scenario Details

  1. Multiple Departments or Schools

    • The environment is an enterprise tenant that onboards various departments (or schools).

    • Every department has its own Entra ID device groups.

    • Department admins handle their own apps and update schedules.

  2. Why They Need This

    • Central IT does not want to manage every single department’s app approvals and updates.

    • They want to delegate that responsibility so each department can pick items from the Patch My PC app catalog and deploy them to only its own groups.

    • Right now, if they give department admins access to the Patch My PC Cloud Portal, they can see other departments’ deployments, apps, or group assignments. This raises concerns about accidental edits or even just confusion.

  3. Desired Behavior

    • When an admin for “Department A” logs into the Patch My PC Cloud Portal, that admin should only see Department A’s scope tags and groups. They should only be allowed to assign new deployments to the Entra ID groups belonging to Department A.

    • If an admin for “Department B” logs in, they see only the scope tags or groups for Department B.

    • No department admin should be able to edit or even view another department’s deployments.

    • They also want department admins to be able to create apps and software update rings on their own, yet remain locked to just their department’s devices and groups.


Specific Capabilities Requested

  1. Role-Based Permissions in Patch My PC Cloud Portal

    • A new admin role or permission set that allows a user to:

      • Choose apps from the Patch My PC catalog.

      • Create required or available deployments for their department.

      • Create update rings (pilot, production, etc.) for their department.

      • Use or create templates for recurring deployments.

    • But only within the scope tags and Entra ID device groups assigned to them.

  2. Granular Scope Tag or Group Assignments

    • The customer wants a method to link an admin to certain scope tags and device groups so they can’t see or deploy to anything else.

    • Each department admin would inherit these scope tags automatically when creating new applications or updates.

  3. Isolation of Other Departments’ Objects

    • The ability to hide or restrict changes to global or enterprise-wide apps if one department tries to open them.

    • Department-level admins should not have visibility or control over universal apps or other departments’ custom apps.

  4. Straightforward Onboarding

    • When a new department is onboarded to Intune, they get a dedicated Patch My PC Cloud Portal role.

    • That role grants them the ability to pick from the Patch My PC app catalog, decide on schedules, and manage updates only for their devices.

    • There is no risk of them affecting or seeing other departments in the tenant.


Conclusion

The customer’s main request is for departmental or school-level isolation within the Patch My PC Cloud Portal. They want each team or admin to manage only their own Entra ID groups, apps, and update rings. They do not want broad oversight of the entire enterprise. This would enable each department to operate autonomously in a single Patch My PC Cloud environment without exposing other groups’ settings or device deployments.

Added by Justin Chalfant based on a customer conversation on March 31, 2025
