At my current businsees we have Azure AD but we are not paying for intune. I have noticied that some users are able to install programs and others are not.
I have checked to see what roles some of the users are assigned and for some of them there is no role assigned but they can install programs regardless.
Additionally, we are using a 'default admin' user with global administrator priveldges when a user asks us for credentials to install a program.
What would be the lowest level role we could assign instead of a global admin so that users can install programs, or would it be sensible to just provide them temporarily with device admin rights. I am not sure how you would do that on azure ad.
