Intune Scope Tags and Role-Based Access Control Explained

Aug 8, 2023 | Tech Blog


In today’s interconnected era, it has become increasingly common for large organizations to have multiple IT departments and workers spread across the globe. Take myself as an example: I am based in Toronto, working for a company headquartered in Colorado. My colleagues span from Australia to Belgium to the West Coast and everywhere in between, creating a truly international work environment. To effectively manage and support these teams in various regions, many orgs choose to have IT departments spread across the globe. But when you have all these different IT departments spread across the globe, how do you restrict access so that admins only have access to the devices and users in their region? We can leverage Intune scope tags in combination with role-based access control (RBAC) to restrict both what objects admins can see and what control they have over those objects.

RBAC defines roles and their associated permissions, while Intune scope tags further restrict access to resources based on their assigned tags. By adding Intune scope tags in your role assignment, administrators can ensure that these admins can only view and manage resources that match the assigned tags.

Let’s cover some basic terminology.

What is RBAC (Role-Based Access Control)?

RBAC in Intune allows organizations to define roles that grant specific permissions and privileges to the users or groups assigned to them. There are two types of roles in Intune: built-in roles and custom roles.

Intune ships with built-in roles; see the list of roles here. You can assign a built-in role to more than one group. Note: you cannot edit the permissions of a built-in role.

You can also choose to create a custom role and set custom permissions. See more here. Creating a custom role is a great way to get even more granular with the permissions you set for your admins.

What are Intune Scope tags?

Intune scope tags can be applied to Intune objects, such as devices, policies, and profiles. By applying a scope tag to an Intune object, you can easily filter which objects admins have access to.

All objects in Intune must have at least one scope tag, so by default any untagged object already has the “Default” scope tag assigned to it.

What are Scope Groups?

Very simply, scope groups let you group users or devices together so you can assign policies and settings to them collectively. When we assign an RBAC role, we select the scope group(s) we want our admins to manage.

Check out this Intune training video to learn more about scope groups

Now, let’s go ahead and see how we can combine RBAC and Intune scope tags to grant specialized permissions for our Toronto IT team.

Picture this: You have offices spread across the globe. We want to grant specialized permissions to allow IT admins in our Toronto Office to manage the apps for our Toronto Devices.

To do this, it will require a few steps:

Note: This is just one example of how to do it; there are many variations of how you can go about it.

  1. Create a scope tag called “Toronto Office”. I will be applying this scope tag to my dynamic device group called “Toronto Devices” so any newly enrolled devices are automatically assigned this scope tag.
  2. Duplicate and configure the built-in Application Manager role to give our Toronto admins the ability to manage applications for our Toronto device group. We will also be adding the “Toronto Office” scope tag in our assignment here.

Step 1: Create a new scope tag.

The scope tag that we create can be applied to any objects in Intune. The admins that we assign in our RBAC role will have access to any objects that are tagged with this scope tag.

In this example, I’ll create a scope tag called “Toronto Office” and assign it to my dynamic group containing my Toronto devices.

Note: I have already pre-created this dynamic device group. This group contains my Toronto devices enrolled in Autopilot. To read more about dynamic device groups, check out this blog.

Now, let’s go ahead and create our new scope tag:

  1. Sign in to the Microsoft Intune admin center with your admin credentials.
  2. Navigate to “Tenant Administration” from the left-hand menu.
  3. Choose Roles > Scope tags > + Create.
    Create a new scope tag by hitting Create+
  4. Provide a name and an optional description. In my example, I am calling it “Toronto Office”.
    Add a name for your new scope tag
  5. In Assignments, choose the Azure AD group(s) (AAD groups for short) you want this scope tag to apply to. In my example, I am adding my dynamic group containing the Toronto devices.
    Add the Azure AD groups you want to assign this scope tag to
  6. In Review + Create, check that everything looks good before hitting Create.
  7. Woohoo! We created our scope tag.
  8. After hitting Create, you’ll see your scope tag show up in the main dashboard.
    After hitting Create, you'll see your scope tag show up in the main dashboard

Step 2: Configure the RBAC role

Here you’ll choose what role you want to assign to your admins. As mentioned previously, you can create a custom RBAC role, or you can assign any of the roles built into Intune already. You can even duplicate an existing built-in role and configure it that way, which is what I’ll be doing.

In our example, I’ll be duplicating and configuring the built-in Application Manager role. This specific role will allow admins to “Manage mobile and managed applications, read device information and view device configuration profiles.” See more about roles here.

Now, let’s go ahead and duplicate and assign our Application Manager role:

  1. Sign in to the Microsoft Intune admin center with your admin credentials.
  2. Navigate to “Tenant Administration” from the left-hand menu.
  3. Go to Roles > All Roles.
  4. Check the “Application Manager” role and then hit Duplicate in the top panel.
  5. In Basics, add a name for this role. Make the role name clear and distinct. In this example, I’ll be naming this role “Toronto Application manager”.
  6. In Permissions, all the permissions of the default Application Manager role are already enabled. You can enable or disable any of those permissions here, and enable any additional permissions as well.
  7. In Scope Tags, we can leave the default scope tag as is (we will be adding our Toronto scope tag in the next section).
  8. In Review + Create, look over all your settings before hitting the Create button.
  9. All done! We’ve successfully duplicated our Application Manager role.
    See your new RBAC role in the Endpoint Manager roles list

Step 3: Assign the RBAC role

Now that we have our RBAC role created, let’s go ahead and assign the role to our Toronto admin group.

  1. Open the role you want to assign. In this example, it is our Toronto Application Manager role.
  2. On the left-hand side, go to Assignments, then hit Assign+.
    Assign your RBAC role
  3. In Basics, add a name and an optional description. Make the assignment name clear and distinct. In this example, my assignment name is “Toronto Admins”.
    Name this role assignment
  4. In Admin Groups, select the group of admins you want to assign this role to. In my example, I have a group named “Toronto IT Admins” containing my Toronto admin members.
    Add the Azure AD group of admins you want to assign this role to
  5. In Scope Groups, under Included Groups, add any Azure AD groups you want the Admin Group (the members selected in the previous step) to manage. In our example, I added my dynamic group “Toronto Devices”. This means the members of that group can have their profiles and policies managed by the Toronto admin group.
    Add the Azure AD groups you want the admin members to manage
  6. In Scope Tags, choose the Intune scope tag you want to apply. This admin group will then also have access to any Intune objects that have this scope tag assigned. In this example, I added the Toronto Office scope tag I created earlier.
    The admins of this group will see any objects tagged with the scope tag you add here
    If you want to learn more about how to manage and assign scope tags to policies and profiles, watch this video.
  7. In Review + Create, review everything before hitting Create.
    Review your configurations
  8. Woohoo! We successfully assigned our Toronto Application Manager role to our Toronto admin group.
    You should see your new assignment here
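As an added example that is not part of the original post, here are the same three steps driven through Microsoft Graph with the Microsoft.Graph PowerShell SDK instead of the admin center. It assumes the “Toronto Devices” and “Toronto IT Admins” groups already exist, uses the beta endpoint, and assumes a built-in role’s rolePermissions can be copied as-is into a custom role.

```powershell
# Added example, not from the original post: the three portal steps above driven
# through Microsoft Graph with the Microsoft.Graph PowerShell SDK. Assumes the
# groups "Toronto Devices" and "Toronto IT Admins" already exist, uses the beta
# endpoint, and assumes a built-in role's rolePermissions can be copied as-is.
Connect-MgGraph -Scopes 'DeviceManagementRBAC.ReadWrite.All', 'Group.Read.All'
$graph = 'https://graph.microsoft.com/beta/deviceManagement'

$deviceGroup = Get-MgGroup -Filter "displayName eq 'Toronto Devices'"
$adminGroup  = Get-MgGroup -Filter "displayName eq 'Toronto IT Admins'"

# Step 1: create the "Toronto Office" scope tag and auto-assign it to the dynamic device group
$tag = Invoke-MgGraphRequest -Method POST -Uri "$graph/roleScopeTags" -Body @{
    displayName = 'Toronto Office'
    description = 'Objects managed by the Toronto IT team'
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/roleScopeTags/$($tag.id)/assign" -Body @{
    assignments = @(@{
        '@odata.type' = '#microsoft.graph.roleScopeTagAutoAssignment'
        target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $deviceGroup.Id }
    })
}

# Step 2: duplicate the built-in Application Manager role as a custom role
$roles  = (Invoke-MgGraphRequest -Method GET -Uri "$graph/roleDefinitions").value
$source = $roles | Where-Object { $_.displayName -eq 'Application Manager' -and $_.isBuiltIn }
$custom = Invoke-MgGraphRequest -Method POST -Uri "$graph/roleDefinitions" -Body @{
    '@odata.type'   = '#microsoft.graph.deviceAndAppManagementRoleDefinition'
    displayName     = 'Toronto Application manager'
    description     = 'Copy of Application Manager for the Toronto office'
    rolePermissions = $source.rolePermissions   # same permission set as the built-in role
}

# Step 3: assign the custom role: admin group as members, device group as scope group,
# and the new tag as the assignment's scope tag
$assignment = Invoke-MgGraphRequest -Method POST -Uri "$graph/roleAssignments" -Body @{
    '@odata.type'   = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
    displayName     = 'Toronto Admins'
    members         = @($adminGroup.Id)
    scopeType       = 'resourceScope'
    scopeMembers    = @($deviceGroup.Id)
    roleScopeTagIds = @($tag.id)
    'roleDefinition@odata.bind' = "$graph/roleDefinitions/$($custom.id)"
}

# Read the assignment back: these tag ids are what limit which tagged objects the admins can see
(Invoke-MgGraphRequest -Method GET -Uri "$graph/roleAssignments/$($assignment.id)").roleScopeTagIds
```

Scripting it this way also makes the configuration reviewable: the read-back at the end is a quick check that the assignment carries only the tag you intended.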

Well… What does this all mean?

We duplicated the Application Manager role to create the Toronto Application manager role and assigned it to our Toronto admin group. Then, to ensure they could only manage their Toronto device group, we added the “Toronto Devices” group as a scope group. Remember: we assigned our scope tag to the Toronto device group when we created it. Lastly, we added the “Toronto Office” scope tag so the admins can view and manage any Intune objects that get tagged with the Toronto Office scope tag.

Let’s recap RBAC Roles and Intune scope tags

Hopefully by now you can see the value of combining Intune’s role-based access control with Intune scope tags. Scope tags can be assigned to the policies and profiles you want your admins to have access to; without scope tags, we won’t be able to filter which objects our admins can see. Intune’s role-based access control lets you manage and limit what your admins can do. By combining RBAC and scope tags, you can control which objects specific admins have access to, as well as what control they have over them. We chose to assign our Application Manager role, but you can assign any role you want, or create an entirely new role with your own permissions. How you do it is entirely up to you, but hopefully you now understand the general concepts to get you started.
