Intune scope tags were introduced in the Azure portal a few months back. Azure AD Global Administrator rights are not required for the Intune admin roles, so it is better to minimize Azure AD admin roles in your organization. I would recommend watching the Ignite session BRK3026 by David Falkus & Dave Randall.
Intune RBAC Implementation – Tips
I don’t recommend assigning the Azure AD Intune Administrator role to every member of your Intune operations teams. Instead, create the operations team members as normal user IDs in Azure AD.
Then use those normal IDs to grant the relevant access through Intune roles, scope groups, and scope tags. You can still keep a few Intune Administrators in Azure AD who have full access to Intune. But remember: once an admin holds the Azure AD Intune Administrator role, you can’t reduce their permissions using Intune roles in the Intune blade.
Azure AD – Intune Administrator Role – Super Admin Role for Intune (you can’t reduce this admin’s permissions using Intune roles)
Note – The feature explained in this post is not working as expected during my testing, so I have not included the Intune admin experience. I will soon share a follow-up post and video guide.
Video Guide – How to Implement Intune RBAC
What Are Intune Scope Tags?
Intune scope tags give administrative users a filtered view of securable objects. Scope tags are a filtering option provided in Intune to make admin jobs easier. Not all Intune objects are securable at the time of writing. You can add scope tags to Intune objects such as applications (coming soon), policies, profiles, etc.
The following are the Intune securable objects. As you can see, some Intune managed object types are NOT securable yet, but they are becoming securable objects soon. An option to automate auto-assigning tags to Intune managed objects is also coming soon. All these details are explained in the Ignite session referenced above.
List of Intune Securable Objects
- Configuration Profiles
- Compliance Policies
- Update Rings
- Compliance Notifications
- Managed Device
- Client Apps (Coming Soon)
- VPP Tokens (Coming Soon)
- App Categories (Coming Soon)
- App Protection Profiles (Coming Soon)
- App Config (Coming Soon)
What Are Scope Groups and Member Group Users?
You can assign scope tags to an Intune admin only from the Role assignments blade, and you can only assign a scope tag that is present in your own role assignment(s). This is what was shared by David Falkus & Dave Randall in the above-mentioned Ignite session.
Intune Administrator Members are the admins that can perform Intune activities. Member Group users are the administrators assigned to this role.
Intune Scope Groups – Intune admins in this role assignment can target policies, remote tasks, or applications only to these scope groups. This is similar to the limiting collection in SCCM RBAC security scopes.
How to Create Intune Scope Tags?
- Log in to the Azure portal and navigate to the Intune blade
- Select Roles and then select Scope (tags)
- Select the + Create button
- Enter a Name and Description. I have used my branch office location names, such as Mumbai and Bangalore. You can choose the name and description as per your requirement.
How to Assign an Intune Scope Tag to an Admin Role
In this section, you will learn how to assign an Intune scope tag to an Intune admin role. As I mentioned in the second paragraph of this post, try to reduce the number of FULL Intune admins in your tenant by assigning segregated Intune admin roles. I also explained this in the previous post here.
You can assign a specific Intune admin role to an admin using the following method. You can also restrict that access to a particular group of users/devices using Intune scope tags.
- Make sure you have created the security scope tags as described in the section above.
- Log in to the Azure portal and navigate to the Intune blade
- Select Roles and then select a built-in or custom Intune admin role (for example – Policy and Profile Manager, School Administrator, Help Desk Operator, Application Manager, Read Only Operator, or Intune Role Administrator)
- Select Assignments, and then select the +Assign button to create a new assignment. In the new assignment you will define all the details about scope tags, scope groups, and member group users.
- Enter the Assignment name and Description. I have given the assignment name Mumbai Admins; you can give an appropriate name. The description – this is the role assignment for Mumbai Admins. These admins shall have access only to Mumbai location related objects and groups.
- Click the Members (Groups) option and select the Azure AD group of Intune admins who will be assigned to this Intune role, scope tags, and scope groups. In my scenario, I have selected the AAD group created for Mumbai Intune admins. These admins will manage all deployments related to the Mumbai location. Member Group users are the administrators assigned to this role.
- Click Scope (Groups) – administrators (the group you selected in STEP #6 above) in this role assignment can target policies, applications, or remote tasks only to these scope groups. You can select the scope as All Users & All Devices if you want the admin group to manage all devices and users in your organization. Click on Select Groups to Include to pick specific Azure AD groups of users or devices if these Intune admins belong to a particular location or business unit. Follow the steps shown in the picture below.
- Click on Scope (Tags) and click on +Add. Make sure that you have completed the section above named “How to Create Intune Scope Tags?”. Select the Intune security scope tag “Mumbai”. Click on the Select button, then click on OK.
- Click OK to complete the role assignment process and close the blade.
How to Change the Intune Scope Tags of Devices
In this section, you will learn how to change the scope tag of Intune objects. I would recommend reading the section above where I explain Intune objects and which of them are securable.
You can change the Intune scope tag of any securable Intune object; more details are available in the Intune Securable Objects section above. The following is one example of setting the scope tag on an Intune object, in this case a managed device, but you can use the same method to set scope tags on all supported Intune objects.
- Log in to the Azure portal and navigate to the Intune blade
- Click on Devices and then click on All Devices
- Select the device on which you want to set the scope tag and go to the Properties of that device
- Click on Scope (Tags) to set the scope tag of that device
- Click on +Add to search the scope tags. I have set the scope tag to Mumbai
- Click on OK, OK, and the Save button to close all the blades and complete the process
Automation of Intune Scope Tags for All Intune Objects
There is also an automated way to change the Intune scope tags of all the supported objects. This has been explained in the Ignite session I referred to in the post. The Intune PowerShell module can be used to automate Intune scope tags for existing objects.
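The following is an added example, not code from the original post or from Microsoft, of what such automation looks like: it resolves the “Mumbai” scope tag to its ID and merges that tag into the scope tags of every managed device whose name starts with a chosen prefix, instead of setting the tag one device at a time in the portal. It assumes the Intune PowerShell module (Microsoft.Graph.Intune) is installed, that the signed-in account holds a role allowed to edit scope tags, that the beta Graph endpoints deviceManagement/roleScopeTags and deviceManagement/managedDevices expose roleScopeTagIds, and that a device-name prefix such as MUM- identifies the branch’s devices (a hypothetical mapping; yours may be an Azure AD group or a CSV).

```powershell
# Added example (not from the original post): bulk-tag branch devices with a scope tag.
# Assumed: Microsoft.Graph.Intune module, beta Graph schema, and that a device-name
# prefix identifies the branch's devices (placeholder convention, adjust to your tenant).
param(
    [string]$ScopeTagName = 'Mumbai',
    [string]$DevicePrefix = 'MUM-',
    [switch]$DryRun               # report the changes without writing them
)

Import-Module Microsoft.Graph.Intune
Connect-MSGraph | Out-Null
Update-MSGraphEnvironment -SchemaVersion 'beta' | Out-Null   # roleScopeTags lives in beta

# Resolve the scope tag display name to its ID (scope tags are created in the portal first).
$tags = (Invoke-MSGraphRequest -HttpMethod GET -Url 'deviceManagement/roleScopeTags').value
$tag  = $tags | Where-Object { $_.displayName -eq $ScopeTagName }
if (-not $tag) { throw "Scope tag '$ScopeTagName' not found; create it before running this." }

# Page through all managed devices; Graph returns @odata.nextLink for large tenants.
$url = 'deviceManagement/managedDevices?$select=id,deviceName,roleScopeTagIds'
$devices = @()
do {
    $page     = Invoke-MSGraphRequest -HttpMethod GET -Url $url
    $devices += $page.value
    $url      = $page.'@odata.nextLink'
} while ($url)

foreach ($d in $devices | Where-Object { $_.deviceName -like "$DevicePrefix*" }) {
    # Merge rather than overwrite, so tags already on the device (including the
    # default tag, ID "0") are preserved and the device stays visible to those admins.
    $current = @($d.roleScopeTagIds)
    if ($current -contains $tag.id) { continue }      # already tagged, nothing to do
    $new = @($current + $tag.id | Select-Object -Unique)

    Write-Host "$($d.deviceName): [$($current -join ',')] -> [$($new -join ',')]"
    if ($DryRun) { continue }

    $body = @{ roleScopeTagIds = $new } | ConvertTo-Json
    Invoke-MSGraphRequest -HttpMethod PATCH -Url "deviceManagement/managedDevices/$($d.id)" -Content $body
}
```

Run it once with -DryRun to review which devices would change; a tag applied to the wrong devices widens what a branch admin can see and manage.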