Using intune scope tags – a hidden powerful tool

Intune has been using a RBAC model since a while now. Let’s have a deeper look at ‘Scope Tags’. What can we do with this, what is it used for and what are the limitations.

Scope Tags can be used for distributed IT Teams to ensure that the configuration gets only applied to devices and users they are responsible for.

An Admin can then only see / change / save items within his scope tag. He can also only make assignments to user and device groups within his scope


Let’s start with the following scenario:
We will have three different locations and we want to separate them from an administrative perspective.

  • Frankfurt
  • Nuremberg
  • Munich

We will have three groups per location

  • Devices: all devices related to the location
  • Users: all users related to this location
  • Admins: all admins related to this location


Create Scope Tag

First of all, we have to create one or more scope tag. Go to IntuneRolesScope Tags. There you can create custom Scope Tags.

Create Scope Tag
Create Scope Tag

Use Roles

What is a role? Roles are a bunch of settings to allow administrators very specific tasks to do in Intune. A role has two sections. Permissions and Assignments

Within the permissions you can – how obviously – define which permissions you want to delegate

Within the Assignment you’ll have three sections:

  • Members: Who will get the new permission
  • Scope (Groups): Which groups should be managed. This can be a device and/or user group
  • Scope (Tags): Which tag will apply.

You can have multiple assignments in one Role. But let’s keep it simple and use only one assignment

Let’s create a new Role. Go to Intune Roles All Roles and add a new role

Add new role

You will first have to define what permissions you want to delegate to them. Please select all your required permissions and click create. If you want to can also Scope that role. Don’t let the wizard upset you. This scope is not relevant for the delegated admin at this point.

Now it’s getting interesting. Go into your new role, and create a new assignment.

  • Members, please use a group where your admins are in who want to delegate permission to.
  • Scope (Group): This is a list of target groups where your delegated admin can have permissions to.
  • Scope (Tags): A list of Tags this assignment is relevant to

How does it look like

Now we want to see how it look like for admin Admin which has permission to Franfurt related stuff.

You’ll see, admin global admin can see all policies in this case. An admin which is limited to the scope ‘frankfurt’ can only see policies with no tag and policies with his tag(s), but not policies with other tags.

If an admin with scope tags create new items, they’ll automatically inherit his all of his scope tags.

new created policy will inherit scope tags from admin

An admin can only target groups listed in his scope (group) assignment. This is how it look like if an admin try to assign a policy to all users vs. to his users groups

Lessions learned

  • Admins with scope tags can see policies with NO scope tag and policies with scope tags assigned to him
  • Newly created items always inherit all of his scope tags
  • Change items with no scope tag will then require a scope tag
  • Admins can only target groups that are listed in the scope (Group) of his assignment
  • New created or changed items by an admin need at least one scope tag

Please let me know if you have any concerns or any other feedback to this guide

stay tuned

4 thoughts on “Using intune scope tags – a hidden powerful tool

Leave a Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.