Tuesday 28 November 2023

Intune Scope Tags - In Detail

Scope tags determine which objects admins can see. Intune scope tags let you manage a large organization's IT infrastructure while giving each department, region, subsidiary, etc. the flexibility to configure its own settings. Scope tags in Microsoft Intune allow administrators to divide the devices in their organization into logical groups. These groups, also known as tags, can be used to make certain settings, applications, and policies available only to specific users or devices. By using Intune scope tags, you can streamline your IT infrastructure, improve security, and make your life easier.

Intune scope tags

What’s an Intune scope tag?

A scope tag assigns an Intune configuration (e.g. a device configuration, compliance policy, mobile app or managed device) to one or more specific management scopes.

Create Scope Tag

First of all, we have to create one or more scope tags. Go to Intune → Roles → Scope Tags. There you can create custom scope tags.

Use Roles

What is a role? A role is a set of permissions that allows administrators to perform very specific tasks in Intune. A role has two sections: Permissions and Assignments.

Within Permissions you define, obviously, which permissions you want to delegate.

Within the Assignment you’ll have three sections:

Members: Who will get the new permission

Scope (Groups): Which groups should be managed. This can be a device and/or user group

Scope (Tags): Which tags will apply.

You can have multiple assignments in one role, but let's keep it simple and use only one assignment.

Let's create a new role. Go to Intune → Roles → All Roles and add a new role.

You will first have to define which permissions you want to delegate. Select all the permissions you require and click Create. If you want, you can also scope that role here. Don't let the wizard confuse you: this scope is not relevant for the delegated admin at this point.
Now it's getting interesting. Go into your new role and create a new assignment.

Members: use a group containing the admins you want to delegate permissions to.
Scope (Groups): the list of target groups your delegated admin will have permissions over.
Scope (Tags): the list of tags this assignment applies to.

Things to keep in mind:

To be assigned an Intune role, the user must have an Intune license.
When an admin creates an object in Intune, all scope tags assigned to that admin are automatically assigned to the new object.
Intune RBAC doesn't apply to Azure Active Directory roles. So the Intune Service Administrator and Global Administrator roles have full admin access to Intune no matter which scope tags they have.
Admins with scope tags can see policies with NO scope tag and policies with scope tags assigned to them.
Newly created items always inherit all of the creating admin's scope tags.
Changing an item that has no scope tag will then require a scope tag.
Admins can only target groups that are listed in the Scope (Groups) of their assignment.
Items created or changed by an admin need at least one scope tag.
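To make the assignment structure and the visibility, inheritance and targeting rules above concrete, here is a small Python model of them. This is an added example written for this post; it is not Intune's own code or API. The assignment fields (Members, Scope (Groups), Scope (Tags)) mirror the role assignment described above, the rules are the ones listed in "Things to keep in mind", and the tag, group and policy names are constructed sample values.

```python
"""Model of the Intune scope-tag rules described above (added example, not Intune code)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class RoleAssignment:
    """One assignment inside an Intune role: who, which target groups, which tags."""
    members: set[str]        # admin groups that receive the permissions
    scope_groups: set[str]   # groups the delegated admin may target
    scope_tags: set[str]     # tags this assignment applies to


@dataclass
class IntuneObject:
    """Any Intune configuration: policy, profile, app or managed device."""
    name: str
    scope_tags: set[str] = field(default_factory=set)
    assigned_to: set[str] = field(default_factory=set)


@dataclass
class Admin:
    """An administrator identified by the groups they are a member of."""
    groups: set[str]
    is_global_admin: bool = False   # AAD role: Intune RBAC does not apply


def admin_tags(admin: Admin, assignments: list[RoleAssignment]) -> set[str]:
    """All scope tags from every assignment whose Members include the admin."""
    tags: set[str] = set()
    for a in assignments:
        if admin.groups & a.members:
            tags |= a.scope_tags
    return tags


def admin_scope_groups(admin: Admin, assignments: list[RoleAssignment]) -> set[str]:
    """All Scope (Groups) the admin may target, across their assignments."""
    groups: set[str] = set()
    for a in assignments:
        if admin.groups & a.members:
            groups |= a.scope_groups
    return groups


def can_see(admin: Admin, assignments: list[RoleAssignment], obj: IntuneObject) -> bool:
    """Rule: untagged objects are visible to every admin; tagged objects only when
    at least one of the object's tags is also assigned to the admin."""
    if admin.is_global_admin or not obj.scope_tags:
        return True
    return bool(obj.scope_tags & admin_tags(admin, assignments))


def create_object(admin: Admin, assignments: list[RoleAssignment], name: str) -> IntuneObject:
    """Rule: a new object inherits all of the creating admin's scope tags, and a
    scoped admin cannot create an item that would end up with no tag at all."""
    tags = admin_tags(admin, assignments)
    if not tags and not admin.is_global_admin:
        raise PermissionError("items created by a scoped admin need at least one scope tag")
    return IntuneObject(name, scope_tags=set(tags))


def assign_object(admin: Admin, assignments: list[RoleAssignment],
                  obj: IntuneObject, target_group: str) -> IntuneObject:
    """Rule: an admin may only target groups listed in their Scope (Groups); and
    changing an item that had no scope tag requires one, so the admin's tags are applied."""
    if not can_see(admin, assignments, obj):
        raise PermissionError(f"{obj.name} is outside the admin's scope tags")
    if not admin.is_global_admin and target_group not in admin_scope_groups(admin, assignments):
        raise PermissionError(f"{target_group} is not in the admin's Scope (Groups)")
    if not obj.scope_tags and not admin.is_global_admin:
        obj.scope_tags |= admin_tags(admin, assignments)
    obj.assigned_to.add(target_group)
    return obj


# Constructed sample tenant: one delegated role assignment for a regional admin team.
ASSIGNMENTS = [
    RoleAssignment(members={"EMEA-Admins"},
                   scope_groups={"EMEA-Users", "EMEA-Devices"},
                   scope_tags={"EMEA"}),
]
EMEA_ADMIN = Admin(groups={"EMEA-Admins"})
BASELINE = IntuneObject("Baseline-Compliance")                   # no scope tag
APAC_WIFI = IntuneObject("APAC-WiFi", scope_tags={"APAC"})       # another region's tag
EMEA_VPN = IntuneObject("EMEA-VPN", scope_tags={"EMEA"})

if __name__ == "__main__":
    for policy in (BASELINE, APAC_WIFI, EMEA_VPN):
        print(f"{policy.name:20} visible to EMEA admin: {can_see(EMEA_ADMIN, ASSIGNMENTS, policy)}")
    new = create_object(EMEA_ADMIN, ASSIGNMENTS, "EMEA-BitLocker")
    print("new object inherited tags:", new.scope_tags)
```

The model only encodes the rules listed in this post; real Intune evaluates them per permission and per object type, so use it to reason about a delegation design, not as a substitute for testing the assignment in a tenant.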





Monday 13 November 2023

Migrate SCCM to Intune Using Co-Management

Cloud attach allows organizations to use MECM to manage devices that are enrolled in Microsoft Intune, without the need to install the MECM client on the device. This allows organizations to take advantage of the advanced management capabilities of MECM while still using Intune for device enrollment and basic management tasks.

Co-management, on the other hand, allows organizations to use both MECM and Intune to manage the same set of devices. With co-management, organizations can use MECM for traditional device management tasks, such as deploying software and updates, while using Intune for modern management tasks, such as mobile device management and conditional access.




Pre-requisites

Azure Active Directory Premium

An Azure account that is a Global Administrator and has a Microsoft Intune subscription.

Configure a hybrid Azure AD join using Azure AD Connect

Configure Client Settings to direct clients to register with Azure AD

Configure auto-enrollment of devices to Intune.

Setting up Co-management in MECM


Configure a hybrid Azure AD join using Azure AD Connect

• Use Client Settings to configure Configuration Manager clients to automatically register with Azure AD.

• Open the Configuration Manager console and go to: \Administration\Overview\Client Settings.

• Edit the default Client Settings, select Cloud Services, and set Automatically register new Windows 10 domain joined devices with Azure Active Directory to Yes. Select OK.

Configure auto-enrollment of devices to Intune.

With automatic enrollment, devices you manage with Configuration Manager automatically enroll with Intune.

Automatic enrollment also lets users enroll their Windows 10 devices in Intune. Devices enroll when a user adds their work account to their personally owned device, or when a corporate-owned device is joined to Azure Active Directory.

Sign in to the Azure portal and select Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune.

Configure MDM user scope. Select one of the following to configure which users' devices are managed by Microsoft Intune, and accept the defaults for the URL values.

     • Some: Select the groups that can automatically enroll their Windows 10 devices

     • All: All users can automatically enroll their Windows 10 devices

     • None: Disable MDM automatic enrollment

We can select All, or Some with the group that contains the devices in the cloud attach or co-management collection.

Setting up Co-management in MECM

Open your MECM console and go to: \Administration\Overview\Cloud Services\Co-management and click on Configure co-management.

Click Sign In.

Sign in with the Intune organizational account. This account must have an Enterprise Mobility + Security (EMS) subscription and Global Administrator rights in the Azure AD tenant.

Click Yes to accept the Create AAD Application notification.

Select All my devices managed by MECM or select a specific collection, and check Enable Endpoint Analytics for devices uploaded to MECM. Click Next >.

Now select how you want to automatically enroll your devices in Intune:

1. None of your devices.

2. Pilot: a collection of devices. If you choose Pilot, you select which collections to add from your list.

3. All of the devices that are managed by MECM.

Now let's select which workloads we want Intune to manage instead of MECM. Slide all of the workloads to Pilot Intune, so we can assign each workload to a different collection.

Once the workload is applied, you can verify it in the Microsoft Endpoint Manager admin center: navigate to Devices > Windows > Windows devices, click the device, and the information is shown under Co-management.


SCCM SQL Query to get BitLocker Recovery Key

  SELECT cm.Name, ck.RecoveryKeyId, cv.VolumeGuid, cvt.TypeName AS 'Volume Type', RecoveryAndHardwareCore.DecryptString(ck...