Tag: scope tags

  • Intune Scope tags – What is it and what can we use it for?

    Intune Scope tags – What is it and what can we use it for?

    Okay, something that has been around in Microsoft Intune for quite some time is Scope tags. You know that step before assignment when creating a policy or profile?

    In this post, I was thinking we would talk through what it is and what you can use it for since it’s a quite power full tool and very useful if you are working in larger environments and want to delegate rights since you can combine it with the Intune roles to really have a granular setup when it comes to who can do what. If you want to read more about the Intune RBAC setup, have a look at this post I wrote a few years ago called RBAC in Intune- Who does what at the zoo.

    What is even scope tags?

    Scope tags is not something you use by itself, it is connected to the Intune RBAC setup, since you can control what you different administrators can see and do.

    If I have a scope tag called Sweden which I use on my policies, I can create an Intune role granting only permission to see and administrate things related to that scope.

    This means that I can grant access to only certain parts of Intune for my administrators, delegating the responsibility to the Swedish organisation to manage Sweden while Norway and Iceland only can manage their things.

    How ever, this only applies to Intune roles, so if you use an EntraID role granting more access, like the Intune Administrator role, scopetags are not part of the solution.

    In general, it’s a good idea NOT to use the Intune administrator for all your administrators since this is a very powerfull administrator role also outside Intune. It is the Global Admin of Intune almost (but not as power full).

    Setting up Scope tags

    To use scope tags, you need to define them which you do by navigating to Tenant Admin – Roles and select Scope tags. You will see that you have one default scope tag, but you can add more in here.

    To create a Scope tag, you simply press “+ Create” and we will give our scope tag name, which will be the one used in the portal. We can also add a comment explaining what this scope tag is used for which can be a good idea. When done, click Next.

    In the assignment step, we will add a group which contains all out Swedish devices. There are a lot of different ways you could set this group up given that you want to not only catch the Windows devices, you would also probably like to see their mobile devices. In this example, I have a dynamic group looking for all Windows devices tagged with the Autopilot group tag “SE” using this dynamic membership rule.

    (device.devicePhysicalIds -any _ -eq "[OrderID]:SE")

    When I’ve added my group I will click Next to get to the last step in the scopetag creation.

    On the last step you can review your settings before creating it. If everything looks like you want it to, click Create and your scope tag will be created.

    Repeat this step for all the scope tags you need, as you can see in my lab I currently have 3 scope tags and the default one.

    Using scope tags for roles in Intune

    Now that we have create our scope tags, we can add them to a role in Intune as a first step.

    Head into Tenant Admin – Roles and select “All roles“. Then find the role that you want to configure, we will use the “Help Desk Operator” as an example.

    Click on the name of the role to configure it and you want to head into “Assignments” which is where we define who has this role.

    In here, we will click on “+ Assign” to add a new assignment. Since we are setting this up for the Swedish help desk, we will call this “Sweden“. Click Next.

    On the next step we will add the group of Swedish help desk operators by clicking on “Add group” and selecting our Help desk Sweden user group. Click Next.

    Next step is to add the scope groups, which devices and user we want to be able to manage. This means that we can limit this even further. For now, we will select all users and all devices and click Next.

    In the next and last configuration step we will select what scope tag this Help Desk Operator is allowed operate with, meaning what devices and other object can it interact with. In this step we will select our Sweden scope tag and click Next.

    As usual, before creating the role assignment you can review you options. Then click Create.

    How does it look for my Help Desk Operator in Sweden?

    So, what does things now look like for my Swedish help desk operator which we can call Moltas? Well, Moltas can only see things which has the scope tag Sweden. He can see all user and all groups, but he can only see two devices in the environment, since these are part of the scope tag Sweden.

    If we compare this to a user with the Intune administrator role, you can see that the view is limited in the amount of devices.

    If we take a look at one of the devices Moltas can see, we can actually see that it automatciallu got the scope tag Sweden since it’s a part of the “All Sweden device” group mentioned further up in the post.

    We can also add scope tags to profiles that we create, making it possible to grant permission to e.g. one business area to manage their on profiles, applications and so on.

    Since I’ve added the scope tag to this profile, Moltas will be able to see this one but not the rest of my profiles, but given his role he will not be able to do any modifications to this profile (Help Desk Oprator does not allow that).

    Worth mentioning is also that if this administrator would have the rights to create objects, all their objects would have the scope tag Sweden.

    Key take aways

    Using scope tags and combinding it with the Intune roles makes it really easy and power full to delegate access to local administrator or different business units to operate their own settings in a bigger tenant. You can e.g. make sure that the local IT support in Sweden cannot see or touch the Norweigan devices.

    I really like this feature, and it’s really convinient in larger environments. You can off course limit the access even further by not granting access to all users and all devices, limiting it even further.