Intune – How to use scope tags and understanding RBAC

For a while now, Scope Tags have been an odd concept for me to understand: partly because I thought I understood them, and partly because I had not got my hands dirty and made myself learn how they actually work.

However, as with all things tech, there comes a time when you just have to get stuck in and learn by doing – the best way of learning.

So what did I have to accomplish? My scenario and requirements are below.

The entertainment department recently purchased 70 iPhones.

  • They wanted these iPhones to be managed by Intune.
  • Required custom device settings
    • e.g. hide all apps where possible, and move all others into a single folder except for the Settings app
    • Never Auto-Lock
    • Bluetooth always Off
  • Required some restrictions on the device
    • Safari disabled
    • Camera Disabled
    • Siri Disabled

Once the settings had been configured, they wanted to be given access to maintain and modify the device configuration profile for all future changes. This is where scope tags come into play. But first, I had to understand how RBAC worked in Azure and Intune.

Understanding RBAC

As per Microsoft documentation, you can use role-based access control (RBAC) and scope tags to make sure that the right admins have the right access and visibility to the right Intune objects.

Roles determine what access admins have to which objects.

Scope tags determine which objects admins can see.

Understanding Scope Tags

Scope Tags can be applied to different objects in Azure and Intune. The tag is essentially your unique identifier, which you then link with scopes. An object can have multiple Scope Tags, and a Scope can have multiple Scope Tags linked with it.

Things to keep in mind:

  • To be assigned an Intune role, the user must have an Intune license.
  • When an admin creates an object in Intune, all scope tags assigned to that admin are automatically assigned to the new object.
  • Intune RBAC doesn’t apply to Azure Active Directory roles, so the Intune Service Admin and Global Admin roles have full admin access to Intune no matter what scope tags they have.
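To make the rules above concrete, here is an added example (not code from the original post or from Microsoft) that models them offline in PowerShell: roles decide which actions an admin may perform, scope tags decide which objects the admin can see (at least one tag in common), Azure AD Global Admins and Intune Service Admins bypass Intune RBAC, and a newly created object inherits the creator's scope tags. The admins, objects and action names are constructed sample data, and the function is a teaching model of the rules, not Intune's own authorisation engine.

```powershell
# Added example: a simplified model of Intune RBAC + scope tags.
# All names, action strings and objects below are constructed sample data.

function Get-AdminScopeTags {
    param([hashtable]$Admin)
    # Union of the scope tags across all of the admin's role assignments.
    @($Admin.Assignments | ForEach-Object { $_.ScopeTags }) | Select-Object -Unique
}

function Test-IntuneAccess {
    param([hashtable]$Admin, [hashtable]$Object, [string]$Action)

    # Azure AD Global Admin / Intune Service Admin: Intune RBAC does not apply.
    if ($Admin.IsAadAdmin) { return $true }

    # Scope tags determine visibility: the object must share at least one tag
    # with the admin's role assignments, otherwise it is not even listed.
    $adminTags = @(Get-AdminScopeTags -Admin $Admin)
    $visible = @($Object.ScopeTags | Where-Object { $adminTags -contains $_ }).Count -gt 0
    if (-not $visible) { return $false }

    # Roles determine which actions are allowed on the objects that are visible.
    foreach ($a in $Admin.Assignments) {
        if ($a.Actions -contains $Action) { return $true }
    }
    return $false
}

function New-IntuneObject {
    param([string]$Name, [hashtable]$CreatedBy)
    # A new object picks up every scope tag the creating admin holds.
    @{ Name = $Name; ScopeTags = @(Get-AdminScopeTags -Admin $CreatedBy) }
}

# --- constructed sample data ---
$policyManagerActions = @('DeviceConfig.Read', 'DeviceConfig.Create', 'DeviceConfig.Update')

$entertainmentAdmin = @{
    Name        = 'ent-admin'
    IsAadAdmin  = $false
    Assignments = @(@{ Role = 'Policy and profile manager'; Actions = $policyManagerActions; ScopeTags = @('Entertainment') })
}
$helpdeskAdmin = @{
    Name        = 'helpdesk'
    IsAadAdmin  = $false
    Assignments = @(@{ Role = 'Help Desk Operator'; Actions = @('DeviceConfig.Read'); ScopeTags = @('Default') })
}
$globalAdmin = @{ Name = 'ga'; IsAadAdmin = $true; Assignments = @() }

# Profile created by the entertainment admin inherits the 'Entertainment' tag.
$iphoneProfile  = New-IntuneObject -Name 'Entertainment iPhone restrictions' -CreatedBy $entertainmentAdmin
# Profile belonging to another team, tagged by someone else.
$financeProfile = @{ Name = 'Finance laptop baseline'; ScopeTags = @('Finance') }

"Tags on '$($iphoneProfile.Name)': $($iphoneProfile.ScopeTags -join ', ')"

# Entertainment admin editing their own team's profile (tag matches, role allows Update).
Test-IntuneAccess -Admin $entertainmentAdmin -Object $iphoneProfile  -Action 'DeviceConfig.Update'
# Entertainment admin editing the finance profile (no tag in common, so not visible).
Test-IntuneAccess -Admin $entertainmentAdmin -Object $financeProfile -Action 'DeviceConfig.Update'
# Helpdesk (Default tag only) reading the entertainment profile (no tag in common).
Test-IntuneAccess -Admin $helpdeskAdmin      -Object $iphoneProfile  -Action 'DeviceConfig.Read'
# Global Admin editing the finance profile (Azure AD role bypasses Intune RBAC).
Test-IntuneAccess -Admin $globalAdmin        -Object $financeProfile -Action 'DeviceConfig.Update'
```

The order of the checks in `Test-IntuneAccess` is the point: a role assignment with generous permissions still gives an admin nothing on objects whose tags they do not hold, which is why handing the entertainment team "Policy and profile manager" is safe once their assignment carries only their own tag.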

How to use Scope Tags

Here is the scenario: the Entertainment Team would like to be able to manage their own device configuration profile for their iPhones, and as such we want to separate them from an administrative perspective.

We will create three groups for the team:

  • Devices Group: All devices that they manage
  • Users Group: The users of those devices
  • Admins Group: All admins who will manage the profile

How to create a Scope Tag

  1. Navigate to portal.azure.com and open Intune.
  2. From here, go to Roles > Scope Tags and click on Create.
  3. Enter a name for your Scope Tag and assign the tag to a group containing your target devices.

How to assign a role to a Scope Tag

Now that we have our scope tag, the next step is to assign it to our desired role (permissions).

  1. Navigate to portal.azure.com and open Intune.
  2. From here, go to Roles and click on “All roles”.
  3. Click on the role you want to assign; in this case I am going with “Policy and profile manager”.
  4. Click on Assign, then:
    1. Enter a name for your assignment.
    2. If you wish, enter a description.
    3. Click on Members (Groups).
      • Member group users are the administrators assigned to this role; enter the group you created which contains all the administrators.
    4. Click on Scope (Groups).
      • The scope groups entered here are the policies, applications or remote tasks that administrators in this role assignment can target.
    5. Click on Scope (Tags).
      • Enter the Scope Tag; this is the tag that will apply to this role.

It is worth remembering that the administrators who you are applying these permissions to will require a “Microsoft Intune” license for RBAC to work.
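For admins who would rather script this than click through the portal, here is an added example (not from the original post, and not a Microsoft-supplied script) that performs the two procedures above with the Microsoft Graph PowerShell SDK: create the scope tag, auto-assign it to the devices group, then create a role assignment for “Policy and profile manager” with the admins group as members, the devices group as scope group and the new tag as scope tag. It assumes the `beta` Graph endpoint for the `roleScopeTags` and `roleAssignments` resources and the request shapes as I understand them from the Graph beta reference (verify them against the current documentation), an account that can consent to the real `DeviceManagementRBAC.ReadWrite.All` permission, and two Azure AD group object ids, which are placeholders here.

```powershell
# Added example: Intune scope tag + role assignment via Microsoft Graph.
# Assumptions: beta endpoint; placeholder group object ids; the role display
# name as it appears under Roles > All roles in your tenant.
# Prerequisite: Install-Module Microsoft.Graph

$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'DeviceManagementRBAC.ReadWrite.All'

$graph = 'https://graph.microsoft.com/beta'

# Placeholder Azure AD group object ids (replace with your own groups).
$deviceGroupId = '<object-id-of-Entertainment-Devices-group>'
$adminGroupId  = '<object-id-of-Entertainment-Admins-group>'

# --- Procedure 1: create the scope tag ---
$tag = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/roleScopeTags" -Body @{
    '@odata.type' = '#microsoft.graph.roleScopeTag'
    displayName   = 'Entertainment'
    description   = 'Objects managed by the entertainment team'
}
"Created scope tag '$($tag.displayName)' with id $($tag.id)"

# Assign the tag to the devices group, so enrolled devices in that group are tagged automatically.
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/roleScopeTags/$($tag.id)/assign" -Body @{
    assignments = @(
        @{
            '@odata.type' = '#microsoft.graph.roleScopeTagAutoAssignment'
            target        = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $deviceGroupId
            }
        }
    )
} | Out-Null

# --- Procedure 2: assign a role to the scope tag ---
# Look up the built-in role by display name (client-side filter, -eq is case-insensitive).
$roles = (Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleDefinitions").value
$role  = $roles | Where-Object { $_.displayName -eq 'Policy and profile manager' } | Select-Object -First 1
if (-not $role) { throw "Role 'Policy and profile manager' not found in this tenant." }

# Members = admins group; resourceScopes = groups the admins may target; roleScopeTagIds = the new tag.
$assignment = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/roleAssignments" -Body @{
    '@odata.type'               = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
    displayName                 = 'Entertainment - Policy and profile manager'
    description                 = 'Entertainment admins manage their own iPhone configuration profile'
    'roleDefinition@odata.bind' = "$graph/deviceManagement/roleDefinitions/$($role.id)"
    members                     = @($adminGroupId)
    resourceScopes              = @($deviceGroupId)
    roleScopeTagIds             = @($tag.id)
}
"Created role assignment '$($assignment.displayName)' with id $($assignment.id)"
```

Run it once as a Global Admin or Intune Service Admin; the account creating the assignment is not itself constrained by the tag, while the members of the admins group will only see objects carrying the Entertainment tag (plus anything else their other assignments cover), and they still need the Intune license mentioned above for the assignment to take effect.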

I hope that this blog post can help fellow admins.

If you have any questions, feedback, constructive criticism or anything else, please don’t hesitate to comment below.

Thank you for reading.

3 Replies to “Intune – How to use scope tags and understanding RBAC”

  1. Hi there,

    We need a method of assigning scope tags to devices automatically. We have User groups with scope tags assigned, but we won’t know the devices until enrollment.

    1. Hi Nigel,
      You can create a security group (Azure AD) with membership type = dynamic device, then you can select which queries you want to use to select the devices (ex: displayName starts with xyz). Then use this group as one of the groups in your scope tag assignments (in scope tag properties). This will automatically tag any devices matching the properties in the group query (and therefore automatically a member of that group) with your selected scope tag.

      1. Do you know of some sort of documentation about this? This is exactly what we need, but we are struggling because we want to have a device group into which a device gets moved upon enrollment. The information can be, for example, the user’s domain.

        But as far as I know, we cannot sort devices by the device user’s domain. Can we?
        -Dominic
