Intune Scope tags were introduced in the MEM portal. With scope tags, Intune roles and scope groups, day-to-day Intune administration no longer requires Azure AD Global Administrator (or Intune Administrator) rights, so it is better to minimize the number of Azure AD admin roles handed out in your organization.
I recommend watching the Ignite session BRK3026 by David Falkus & Dave Randall.
Intune RBAC Implementation – Tips
I don't recommend assigning the Azure AD Intune Administrator role to every member of the Intune operations team. Create the operations team members as normal user accounts in Azure AD.
Then grant those normal accounts only the access they need through Intune Roles, Scope Groups, and Scope Tags. You can keep a small number of Intune Administrators in Azure AD who have full access to Intune.
But remember: once an account holds the Azure AD Intune Administrator role, you can't reduce its permissions with Intune roles or scope tags in the Intune blade. Intune RBAC only restricts accounts that get their Intune access from Intune role assignments, not accounts that get it from an Azure AD directory role (Intune Administrator or Global Administrator).
Azure AD – Intune Administrator Role – Super Admin Role for Intune (you can't reduce this admin's permissions using Intune Roles)
Note – The feature explained in the post is not working as expected during my testing. So I have not included the Intune admin experience. I will soon share a follow-up post and video guide.
Video Guide – How to Implement Intune RBAC
What are Intune Scope Tags?
Use Intune scope tags to give administrative users a filtered view of securable objects. A scope tag is a label on an Intune object; an admin whose role assignment carries that tag can see and manage objects with the tag, and nothing else. Scope tags are filtering options provided in Intune to make delegated administration easier.
Not all Intune objects are securable at the time of writing. Scope tags can currently be applied to securable objects such as policies, profiles and managed devices; applications and the other app-related objects are coming soon.
The following are the Intune securable objects. As you can see, some Intune objects are NOT securable yet, but those objects are becoming securable objects soon.
Automation for auto-assigning tags is also coming soon for Intune managed objects. All these details are explained in the Ignite session mentioned above.
List of Intune Securable Objects
- Configuration Profiles
- Compliance Policies
- Update Rings
- Compliance Notifications
- Managed Device
- Client Apps (Coming Soon)
- VPP Tokens (Coming Soon)
- App Categories (Coming Soon)
- App Protection Profiles (Coming Soon)
- App Config (Coming Soon)
What are Scope Groups and Member Group Users?
You can assign scope tags to an Intune admin only from the role assignments blade. You can only assign a scope tag that you yourself have in your role assignment(s); an admin cannot hand out a tag that is outside their own scope.
This is what was shared by David Falkus & Dave Randall in the above-mentioned Ignite session.
Member Group users are the administrators assigned to a role: the Azure AD group(s) of admin accounts that receive the permissions in this role assignment.
Intune Scope Groups – Intune admins in this role assignment can target policies, tasks, or applications only to these Scope Groups (Azure AD groups of users or devices). This is similar to the limiting collection in SCCM RBAC security scopes. In short: Member groups define who gets the permissions, Scope groups define which users and devices they can target, and Scope tags define which Intune objects they can see.
How to Create Intune Scope Tags?
- Log in to the Azure portal and navigate to the Intune blade
- Select Roles and then select Scope (tags)
- Select the + Create button
- Enter a Name and Description. I have given my branch office location names like Mumbai and Bangalore. You can create the name and description as per your requirement.
How to Assign an Intune Scope Tag to an Admin Role
In this section you will learn how to assign an Intune scope tag to an Intune admin role. As I mentioned in the second paragraph of this post, try to reduce the number of FULL Intune admins in your tenant by assigning segregated Intune admin roles instead. I also explained this in the previous post.
You can assign a specific Intune admin role to an admin using the following method. You can also limit that access to a particular group of users/devices (Scope Groups) and a particular set of objects (Scope Tags).
- Make sure you have created the Scope Tags as mentioned in the above section.
- Log in to the Azure portal and navigate to the Intune blade
- Select Roles and then select a built-in or custom Intune admin role (for example Policy and Profile Manager, School Administrator, Help Desk Operator, Application Manager, Read-Only Operator, or Intune Role Administrator)
- Select Assignments, and select the +Assign button to create a new assignment. In the new assignment, you will define all the details about Scope Tags, Scope Groups, and Member Group users.
- Enter the Assignment name and Description. I have given the Assignment name Mumbai Admins. You can provide an appropriate name. The description – this is the role assignment for Mumbai Admins. These admins shall have access to Mumbai location-related objects and groups only.
- Click the Members (Groups) option and select the Azure AD group of Intune admins who will receive this Intune role, scope tags, and scope groups. In my scenario, I have selected the AAD group created for Mumbai Intune Admins.
- Click Scope (Groups). Administrators (the group you selected in step 6) in this role assignment can target policies, applications, or tasks only to these Scope Groups.
- You can set the Scope to All Users & All Devices if you want the admin group to manage all devices and users in your organization.
- Otherwise click Select Groups to Include and pick a specific Azure AD group of users or devices, if these Intune admins are responsible for a particular location or business unit.
- Click Scope (Tags) and click +Add. Make sure that you have completed the above section named "How to Create Intune Scope Tags?". Select the Intune scope tag "Mumbai" and click OK.
- Click OK to complete the Role Assignment process and close the blade.
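The same two procedures (creating the scope tag and creating the role assignment) can be scripted. The block below is an added example written for this post, not code from the original post or from Microsoft; it uses the Microsoft.Graph PowerShell module and the Intune beta Graph endpoints under deviceManagement. The group object IDs are placeholders, and the request body shape (members, scopeMembers, roleScopeTagIds, roleDefinition@odata.bind) is taken from the beta deviceAndAppManagementRoleAssignment resource, so verify it against the current Graph reference before running it in a tenant.

```powershell
# Added example (not from the original post): create the "Mumbai" scope tag and a
# "Mumbai Admins" role assignment through the Microsoft Graph beta API.
# Requires: Install-Module Microsoft.Graph  (provides Connect-MgGraph / Invoke-MgGraphRequest)
Connect-MgGraph -Scopes 'DeviceManagementRBAC.ReadWrite.All'

$base = 'https://graph.microsoft.com/beta/deviceManagement'

# Placeholder object IDs (assumption): Azure AD groups created beforehand.
$mumbaiAdminsGroupId  = '00000000-0000-0000-0000-000000000001'   # Member (Groups): the admins
$mumbaiDevicesGroupId = '00000000-0000-0000-0000-000000000002'   # Scope (Groups): what they may target

# 1. Create the scope tag, reusing it if a tag with the same name already exists
#    (the portal would otherwise reject a duplicate name).
$tag = (Invoke-MgGraphRequest -Method GET -Uri "$base/roleScopeTags").value |
       Where-Object displayName -eq 'Mumbai' | Select-Object -First 1
if (-not $tag) {
    $tag = Invoke-MgGraphRequest -Method POST -Uri "$base/roleScopeTags" -Body @{
        displayName = 'Mumbai'
        description = 'Objects managed by the Mumbai branch office admins'
    }
}
Write-Host "Scope tag 'Mumbai' id: $($tag.id)"

# 2. Look up the built-in role definition by display name (client-side filter,
#    because $filter support on roleDefinitions is not assumed here).
$roleDef = (Invoke-MgGraphRequest -Method GET -Uri "$base/roleDefinitions").value |
           Where-Object displayName -eq 'Policy and Profile Manager' | Select-Object -First 1
if (-not $roleDef) { throw "Role definition 'Policy and Profile Manager' not found" }

# 3. Create the role assignment:
#    members        = who gets the permissions (admin group)
#    scopeMembers   = which users/devices they may target (scope groups)
#    roleScopeTagIds = which Intune objects they can see (scope tags)
$assignment = Invoke-MgGraphRequest -Method POST -Uri "$base/roleAssignments" -Body @{
    '@odata.type'               = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
    displayName                 = 'Mumbai Admins'
    description                 = 'Role assignment for Mumbai admins: Mumbai objects and groups only'
    members                     = @($mumbaiAdminsGroupId)
    scopeMembers                = @($mumbaiDevicesGroupId)
    roleScopeTagIds             = @($tag.id)
    'roleDefinition@odata.bind' = "$base/roleDefinitions('$($roleDef.id)')"
}
Write-Host "Created role assignment '$($assignment.displayName)' ($($assignment.id))"
```

Run it as an account that itself holds the Mumbai scope tag (or as a full Intune administrator), because, as noted above, you can only assign scope tags that are in your own role assignments. The DeviceManagementRBAC.ReadWrite.All permission is enough for both the tag and the assignment; it does not grant any rights over devices or policies.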
How to Change the Intune Scope Tags of Devices
In this section, you will learn how to change the scope tag of an Intune object. I recommend reading the paragraph above where I explained Intune objects and which of them are securable.
You can change the Intune scope tag only for securable Intune objects. More details are available in the Intune Securable Objects section above.
The following is one example, setting the scope tag on a managed device. You can use the same method (open the object, go to Scope (Tags), add the tag, save) for all the supported Intune objects.
- Log in to the Azure portal and navigate to the Intune blade
- Click Devices and then click All Devices
- Select the device on which you want to set the scope tag and go to the Properties of that device
- Click Scope (Tags) to set the tag for that device.
- Click +Add and search for the scope tag. I have used the scope tag for Mumbai
- Click OK, OK, and Save to close all the blades and complete the process
Automation of Intune Scope Tags for All Intune Objects
There is also an automated way to change the Intune scope tags of all the supported objects. This has been explained in the Ignite session I referred to in this post. The Intune PowerShell module (Microsoft Graph) can be used to set scope tags on existing objects in bulk instead of editing each object in the portal.
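As an added example (not code from the original post or from the Ignite session), the block below automates the device tagging procedure from the previous section for every Intune managed device that is a member of an Azure AD device group: the single-device portal steps above become the Add-DeviceScopeTag function, and the loop at the bottom applies it in bulk. It uses the Microsoft.Graph PowerShell module against the beta endpoints; the group ID is a placeholder, and the mapping from the Azure AD device (deviceId) to the Intune managed device (azureADDeviceId) plus the roleScopeTagIds property on managedDevice are assumed from the beta Graph reference.

```powershell
# Added example (not from the original post): tag every Intune managed device in an
# Azure AD device group with the "Mumbai" scope tag, preserving tags already present.
Connect-MgGraph -Scopes 'DeviceManagementRBAC.Read.All',
                        'DeviceManagementManagedDevices.ReadWrite.All',
                        'GroupMember.Read.All'

$graph         = 'https://graph.microsoft.com/beta'
$scopeTagName  = 'Mumbai'
$deviceGroupId = '00000000-0000-0000-0000-000000000002'   # placeholder: Mumbai devices group

# Follow @odata.nextLink so large tenants are not silently truncated at one page.
function Get-GraphCollection([string]$Uri) {
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri   = $page.'@odata.nextLink'
    }
    return $items
}

# Add one scope tag to one managed device. PATCH replaces the whole roleScopeTagIds
# collection, so read the current tags first and merge instead of overwriting.
function Add-DeviceScopeTag([string]$ManagedDeviceId, [string]$TagId) {
    $device = Invoke-MgGraphRequest -Method GET `
        -Uri "$graph/deviceManagement/managedDevices/$($ManagedDeviceId)?`$select=id,deviceName,roleScopeTagIds"
    $tags = @($device.roleScopeTagIds)
    if ($tags -contains $TagId) {
        Write-Host "$($device.deviceName): already tagged"
        return
    }
    $tags += $TagId
    Invoke-MgGraphRequest -Method PATCH -Uri "$graph/deviceManagement/managedDevices/$ManagedDeviceId" `
        -Body @{ roleScopeTagIds = $tags } | Out-Null
    Write-Host "$($device.deviceName): tagged with $TagId"
}

# Resolve the tag name to its ID; fail loudly rather than tagging with an empty ID.
$tag = Get-GraphCollection "$graph/deviceManagement/roleScopeTags" |
       Where-Object displayName -eq $scopeTagName | Select-Object -First 1
if (-not $tag) { throw "Scope tag '$scopeTagName' does not exist; create it first" }

# Only device members of the group (OData cast), selecting the Azure AD deviceId
# that Intune stores on the managed device as azureADDeviceId.
$members = Get-GraphCollection "$graph/groups/$deviceGroupId/members/microsoft.graph.device?`$select=id,deviceId,displayName"
foreach ($m in $members) {
    if (-not $m.deviceId) { continue }
    $managed = Get-GraphCollection "$graph/deviceManagement/managedDevices?`$filter=azureADDeviceId eq '$($m.deviceId)'"
    if (-not $managed) {
        Write-Warning "$($m.displayName) is in the group but is not enrolled in Intune"
        continue
    }
    foreach ($d in $managed) { Add-DeviceScopeTag -ManagedDeviceId $d.id -TagId $tag.id }
}
```

Two caveats worth keeping in mind when you script this: the account running the script can only apply tags it holds itself (full Intune administrators hold all of them), and because a device that is in the group but not enrolled has no managed device record, the script warns rather than fails, so check the warnings before assuming the whole location is scoped.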