Tuesday 28 November 2023

Intune Scope Tags - In Detail

Scope tags determine which objects admins can see. Intune scope tags let you manage a large organization's IT infrastructure while giving each department, region, subsidiary, etc. the flexibility to configure its own settings. Scope tags in Microsoft Intune allow administrators to divide devices in their organization into logical groups. These groups, also known as tags, can be used to make certain settings, applications, and policies available only to specific users or devices. By using Intune scope tags, you can streamline your IT infrastructure, improve security, and make your life easier.

Intune scope tags

What’s an Intune scope tag?

A scope tag assigns an Intune configuration (e.g. a device configuration, compliance policy, mobile app or managed device) to one or more specific management scopes.

Create Scope Tag

First of all, we have to create one or more scope tags. Go to Intune → Roles → Scope Tags. There you can create custom scope tags.

Use Roles

What is a role? A role is a set of permissions that allows administrators to perform very specific tasks in Intune. A role has two sections: Permissions and Assignments.

Within Permissions you define, as the name suggests, which permissions you want to delegate.

Within the Assignment you’ll have three sections:

Members: who will get the new permissions.

Scope (Groups): which groups should be managed. This can be a device and/or user group.

Scope (Tags): which tags will apply.

You can have multiple assignments in one role, but let's keep it simple and use only one assignment.

Let's create a new role. Go to Intune → Roles → All Roles and add a new role.

You will first have to define what permissions you want to delegate. Select all the required permissions and click Create. If you want, you can also scope that role. Don't let the wizard confuse you: this scope is not relevant for the delegated admin at this point.
Now it's getting interesting. Go into your new role and create a new assignment.

Members: use a group containing the admins you want to delegate permissions to.
Scope (Groups): a list of target groups your delegated admin will have permissions on.
Scope (Tags): a list of tags this assignment is relevant to.
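The same three steps (scope tag, role, assignment with Members / Scope (Groups) / Scope (Tags)) can be scripted against Microsoft Graph instead of clicked through the portal. The script below is an added example and is not part of the original post or any Microsoft sample; it uses the Microsoft.Graph PowerShell SDK and the Graph beta endpoints the Intune portal itself relies on. The group object IDs, the tag and role names, and the resource action names are placeholders I chose for the example; the role assignment body shape (members, resourceScopes, roleScopeTags@odata.bind) follows my reading of the Graph beta roleAssignment documentation and should be checked against your tenant before use.

```powershell
# Added example, not from the original post: Scope Tag -> Role -> Assignment via Graph beta.
# Assumptions: Microsoft.Graph.Authentication is installed, the signed-in account may manage
# Intune RBAC, and the two group IDs below are replaced with real Entra ID group object IDs.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementRBAC.ReadWrite.All'

$base = 'https://graph.microsoft.com/beta/deviceManagement'

# Placeholder group IDs (constructed for this example)
$adminsGroupId  = '00000000-0000-0000-0000-000000000001'   # Members: the delegated admins
$devicesGroupId = '00000000-0000-0000-0000-000000000002'   # Scope (Groups): what they may target

# 1. Create the scope tag (portal: Intune -> Roles -> Scope Tags)
$tag = Invoke-MgGraphRequest -Method POST -Uri "$base/roleScopeTags" -Body @{
    displayName = 'Region-EMEA'
    description = 'Objects owned by the EMEA helpdesk'
}

# 2. Create the role with only the permissions to delegate (portal: Intune -> Roles -> All Roles).
#    The action names are assumed; list the valid ones with GET $base/resourceOperations.
$role = Invoke-MgGraphRequest -Method POST -Uri "$base/roleDefinitions" -Body @{
    '@odata.type'   = '#microsoft.graph.roleDefinition'
    displayName     = 'EMEA Device Configuration Admin'
    description     = 'Read, create, update and assign device configuration profiles'
    isBuiltIn       = $false
    rolePermissions = @(@{
        resourceActions = @(@{
            allowedResourceActions = @(
                'Microsoft.Intune_DeviceConfigurations_Read',
                'Microsoft.Intune_DeviceConfigurations_Create',
                'Microsoft.Intune_DeviceConfigurations_Update',
                'Microsoft.Intune_DeviceConfigurations_Assign'
            )
            notAllowedResourceActions = @()
        })
    })
}

# 3. Create the assignment: Members, Scope (Groups) and Scope (Tags) in a single object.
#    Property names assumed from the Graph beta roleAssignment documentation.
$assignment = Invoke-MgGraphRequest -Method POST -Uri "$base/roleAssignments" -Body @{
    '@odata.type'               = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
    displayName                 = 'EMEA helpdesk - device configuration'
    'roleDefinition@odata.bind' = "$base/roleDefinitions/$($role.id)"
    members                     = @($adminsGroupId)                       # Members
    resourceScopes              = @($devicesGroupId)                      # Scope (Groups)
    'roleScopeTags@odata.bind'  = @("$base/roleScopeTags/$($tag.id)")    # Scope (Tags)
}

"Created scope tag $($tag.id), role $($role.id), assignment $($assignment.id)"
```

Because the admins in the Members group now carry the Region-EMEA tag, every profile they create from this point on is stamped with that tag automatically, which is exactly the behaviour the post describes below; if you leave Scope (Tags) empty on the assignment, their new objects end up untagged and therefore visible to every scoped admin.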

Things to keep in mind:

To be assigned an Intune role, the user must have an Intune license.
When an admin creates an object in Intune, all scope tags assigned to that admin are automatically assigned to the new object.
Intune RBAC doesn't apply to Azure Active Directory roles, so the Intune Service Administrator and Global Administrator roles have full admin access to Intune no matter what scope tags they have.
Admins with scope tags can see policies with no scope tag and policies with scope tags assigned to them.
Newly created items always inherit all of the admin's scope tags.
Changing an item with no scope tag will then require a scope tag.
Admins can only target groups that are listed in the Scope (Groups) of their assignment.
Items created or changed by an admin need at least one scope tag.
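Two of these rules are worth auditing regularly: untagged policies are visible to every scoped admin, and members of the Entra ID Global Administrator and Intune Administrator roles bypass scope tags entirely. The script below is an added example, not part of the original post or a Microsoft sample. It assumes the Microsoft.Graph PowerShell SDK, that device configuration profiles expose roleScopeTagIds on the beta endpoint with the built-in Default tag having ID "0", and that the two directory role template IDs are the published well-known values.

```powershell
# Added example, not from the original post: audit untagged profiles and RBAC-bypassing roles.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All', 'RoleManagement.Read.Directory'

function Get-GraphCollection([string]$Uri) {
    # Follow @odata.nextLink so large tenants are enumerated completely
    $items = @()
    while ($Uri) {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += @($page.value)
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# Rule: profiles carrying only the Default tag (ID "0", assumption) are visible to every scoped admin.
$profiles = Get-GraphCollection 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations?$select=id,displayName,roleScopeTagIds'
$untagged = @($profiles | Where-Object { @($_.roleScopeTagIds | Where-Object { $_ -ne '0' }).Count -eq 0 })
"{0} of {1} device configuration profiles carry only the Default scope tag:" -f $untagged.Count, $profiles.Count
$untagged | ForEach-Object { "  $($_.displayName)  ($($_.id))" }

# Rule: Intune RBAC does not apply to these Entra ID roles; their members see everything regardless of tags.
# Template IDs are the well-known values for the two built-in directory roles (assumption: unchanged in your tenant).
$bypassRoles = @{
    'Global Administrator' = '62e90394-69f5-4237-9190-012177145e10'
    'Intune Administrator' = '3a2c62db-5318-420d-8d74-23affee5d9d5'
}
foreach ($name in $bypassRoles.Keys) {
    $uri = "https://graph.microsoft.com/v1.0/directoryRoles(roleTemplateId='$($bypassRoles[$name])')/members?`$select=displayName,userPrincipalName"
    try {
        $members = @(Get-GraphCollection $uri)
        "$name - $($members.Count) member(s) bypass scope tags:"
        $members | ForEach-Object { "  $($_.displayName) <$($_.userPrincipalName)>" }
    } catch {
        # A directory role that has never been activated in the tenant returns an error rather than an empty list
        Write-Warning "$name could not be read (role not activated or insufficient permission): $($_.Exception.Message)"
    }
}
```

The profile scan only covers the classic deviceConfigurations collection; Settings Catalog profiles live under deviceManagement/configurationPolicies and carry the same roleScopeTagIds property, so extend the first query if you use them. Run the script before handing out scoped roles so you know which existing objects every delegated admin will be able to see and who sits outside the scope model altogether.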
