

Intune Scope Tags and RBAC: Complete Configuration Guide

Learn how to use scope tags and role-based access control (RBAC) in Intune for distributed IT environments, including creating scope tags and configuring role assignments.

By Ali Alame
Tags: intune, scope-tags, rbac, role-based-access-control, distributed-it, permissions

Scope tags and role-based access control (RBAC) in Microsoft Intune enable you to control which administrators can see and manage specific Intune objects. This is essential for distributed IT environments where different admins manage different locations, departments, or business units.

Understanding Scope Tags and RBAC

Scope tags and RBAC in Intune work together to control admin access. Roles determine what actions admins can perform, while scope tags determine which objects admins can see. This combination enables distributed IT management where admins only see and manage resources within their scope.

Key Benefits

  • Distributed IT: Enable regional or departmental admins
  • Access Control: Limit admin visibility to specific resources
  • Security: Prevent unauthorized access to resources
  • Organization: Organize resources by scope
  • Flexibility: Support multiple admin models

For an overview, see Use role-based access control (RBAC) and scope tags for distributed IT.

Understanding Scope Tags

What Are Scope Tags?

Scope tags are freeform text values that:

  • Control visibility of Intune objects
  • Limit admin access to specific resources
  • Organize resources by location, department, etc.
  • Work with RBAC role assignments

Default Scope Tag

  • Automatically added to all untagged objects
  • Similar to Configuration Manager security scopes
  • Ensures all objects have at least one tag

Creating Scope Tags

Step 1: Access Scope Tags

  1. Sign in to the Microsoft Intune admin center
  2. Navigate to Tenant administration > Roles > Scope (Tags)
  3. Select Create

Step 2: Configure Basics

  1. Name: Enter a descriptive name (e.g., "Seattle", "HR Department")
  2. Description: Enter an optional description
  3. Select Next

Step 3: Assign to Groups

  1. Select the groups containing the devices or users that should receive the tag
  2. Select Next

Step 4: Review and Create

  1. Review settings
  2. Select Create

Important: Scope tags assigned automatically through group membership overwrite tags that were assigned to an object manually. If a device belongs to groups that carry different scope tags, it receives all of those tags.

For step-by-step guidance, see To create a scope tag.
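The resolution rules in the note above are easy to get wrong when a device sits in several groups, so here is a small offline model of them. This is an added example, not Intune code and not a Graph API client; the tag-to-group assignments and the device inventory are constructed, and the rules it encodes are the ones this guide states: group-based (automatic) assignment overwrites manually assigned tags, a device in several tagged groups gets all of those tags, and an object with no tag at all receives the Default tag.

```python
"""Constructed model of how a device's scope tags are resolved (not Intune code).

Rules encoded, as stated in the guide: tags assigned automatically through
group membership overwrite tags assigned by hand; a device in several tagged
groups receives all of those tags; an object with no tag at all gets Default.
"""

DEFAULT_TAG = "Default"

# Constructed: scope tag -> groups selected in Step 3 (Assign to Groups)
TAG_GROUP_ASSIGNMENTS = {
    "Seattle": {"SEA-Devices"},
    "HR Department": {"HR-Users", "HR-Devices"},
    "New York": {"NYC-Devices"},
}

# Constructed inventory: device -> (manually assigned tags, group memberships)
DEVICES = {
    "LAPTOP-01": ({"Pilot"}, {"SEA-Devices"}),            # manual tag overwritten
    "LAPTOP-02": (set(), {"SEA-Devices", "HR-Devices"}),  # two groups -> two tags
    "LAPTOP-03": ({"Pilot"}, {"Finance-Devices"}),        # no tagged group -> manual kept
    "LAPTOP-04": (set(), set()),                          # nothing at all -> Default
}


def auto_tags(device_groups, tag_assignments=TAG_GROUP_ASSIGNMENTS):
    """Tags the device picks up from its group memberships."""
    return {tag for tag, groups in tag_assignments.items() if groups & device_groups}


def resolve_device_tags(manual_tags, device_groups, tag_assignments=TAG_GROUP_ASSIGNMENTS):
    """Effective scope tags of one device."""
    auto = auto_tags(device_groups, tag_assignments)
    if auto:
        return auto                     # automatic assignment overwrites manual tags
    return set(manual_tags) or {DEFAULT_TAG}


def resolve_all(devices=DEVICES, tag_assignments=TAG_GROUP_ASSIGNMENTS):
    """Effective tags for every device, sorted for stable comparison."""
    return {name: sorted(resolve_device_tags(m, g, tag_assignments))
            for name, (m, g) in devices.items()}


def overwritten_manual_tags(devices=DEVICES, tag_assignments=TAG_GROUP_ASSIGNMENTS):
    """Pre-change check: manual tags that a group assignment will silently replace."""
    lost = {}
    for name, (manual, groups) in devices.items():
        auto = auto_tags(groups, tag_assignments)
        dropped = set(manual) - auto
        if auto and dropped:
            lost[name] = sorted(dropped)
    return lost


if __name__ == "__main__":
    for device, tags in resolve_all().items():
        print(f"{device}: {tags}")
    print("manual tags lost to group assignment:", overwritten_manual_tags())
```

Running `overwritten_manual_tags()` before you add a group to a scope tag tells you which hand-applied tags (here the constructed "Pilot" tag on LAPTOP-01) will disappear, which is the practical consequence of the note above.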

Assigning Scope Tags to Objects

Assigning to Policies and Profiles

  1. Navigate to the object (e.g., a Configuration profile)
  2. Select Properties > Scope (Tags) > Edit
  3. Select Select scope tags
  4. Choose tags to add (maximum 100)
  5. Select Select > Review + save

Automatic Assignment

When an admin creates an object:

  • All scope tags assigned to that admin are automatically assigned to the new object
  • Ensures objects inherit admin's scope tags

Role-Based Access Control

About Role Assignments

Role assignments include:

  1. Members (Groups): Admin groups with permissions
  2. Scope (Groups): User/device groups that can be managed
  3. Scope (Tags): Tags that control object visibility

Creating Role Assignments

  1. Navigate to Tenant administration > Roles > All roles
  2. Select role > Assignments > Assign
  3. Configure:
    • Assignment name and Description
    • Admin Groups: Groups with admin permissions
    • Scope Groups: Groups that can be managed
    • Scope Tags: Tags for object visibility
  4. Review and create

For details, see To assign a scope tag to a role.

Scope Tag Details

Important Considerations

  1. Object Support: Not all objects support scope tags

    • Exceptions: Corp Device Identifiers, Windows Autopilot Devices, Device compliance locations, Jamf devices
  2. VPP Apps: Volume Purchase Program apps inherit tags from VPP token

  3. Automatic Assignment: Admin's scope tags automatically assigned to new objects

  4. Intune Service Admins: Have full access regardless of scope tags

  5. No Scope Tags: Admins with no scope tags see all objects

  6. Tag Assignment: Can only assign tags you have in your role assignments

  7. Group Targeting: Can only target groups in your Scope (Groups)

  8. Minimum Tags: If your role assignments include scope tags, you cannot remove all tags from an object
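The considerations above, together with the role assignment components and the automatic assignment rule described earlier, can be modelled as a small rule engine so that a planned set of role assignments can be checked before it goes live. This is an added example, not Intune code and not a Graph API client: the role assignments, admins, groups and objects are constructed, the role names are only sample strings, and the one rule not stated on this page is labelled in the code (an admin in no role assignment at all is treated as having no Intune access). The same functions produce the access matrix and the visibility tests that the Best Practices section asks for, and `why_hidden` gives the first answer for the "Admin Can't See Objects" troubleshooting case.

```python
"""Offline model of how scope tags and role assignments decide what an admin can
see and do (constructed example, not Intune code). Rules from the guide: an
admin's tags are the union of Scope (Tags) across their role assignments;
Intune Service Administrators see everything; an admin whose assignments carry
no scope tags sees everything; otherwise an object is visible only if it shares
at least one tag; new objects inherit the creator's tags (or Default); only tags
from your own assignments can be applied; an object cannot be left untagged."""
from dataclasses import dataclass, field

DEFAULT_TAG = "Default"


@dataclass
class RoleAssignment:
    name: str
    role: str                # sample role name; actions it grants are out of scope here
    admin_group: str         # Members (Groups): who receives the role
    scope_groups: set[str]   # Scope (Groups): users/devices the admin may target
    scope_tags: set[str]     # Scope (Tags): objects the admin may see


@dataclass
class Admin:
    name: str
    groups: set[str]
    service_admin: bool = False   # Intune Service Administrator: full access


@dataclass
class IntuneObject:
    name: str
    tags: set[str] = field(default_factory=lambda: {DEFAULT_TAG})


def assignments_for(admin, assignments):
    """Role assignments whose Members group contains the admin."""
    return [a for a in assignments if a.admin_group in admin.groups]


def effective_tags(admin, assignments):
    """Union of Scope (Tags) across all of the admin's role assignments."""
    return set().union(*(a.scope_tags for a in assignments_for(admin, assignments)))


def can_see(admin, obj, assignments):
    if admin.service_admin:
        return True
    if not assignments_for(admin, assignments):
        return False                 # assumption: no role assignment means no access
    tags = effective_tags(admin, assignments)
    if not tags:
        return True                  # assignments without scope tags: sees all objects
    return bool(tags & obj.tags)     # otherwise at least one tag must overlap


def why_hidden(admin, obj, assignments):
    """Troubleshooting aid: explain why an object is not visible to an admin."""
    if can_see(admin, obj, assignments):
        return "visible"
    if not assignments_for(admin, assignments):
        return f"{admin.name} is not a member of any role assignment's admin group"
    return (f"no overlap: {admin.name} has {sorted(effective_tags(admin, assignments))}, "
            f"object {obj.name!r} has {sorted(obj.tags)}")


def create_object(admin, name, assignments):
    """Automatic assignment: a new object gets every tag the creating admin has."""
    return IntuneObject(name, effective_tags(admin, assignments) or {DEFAULT_TAG})


def set_tags(admin, obj, new_tags, assignments):
    """Edit an object's tags under the guide's constraints (considerations 6 and 8)."""
    mine = effective_tags(admin, assignments)
    if not admin.service_admin and mine:
        unknown = set(new_tags) - mine
        if unknown:
            raise PermissionError(f"{admin.name} cannot assign tags {sorted(unknown)}")
        if not new_tags:
            raise ValueError("an admin with scope tags cannot remove all tags from an object")
    obj.tags = set(new_tags) or {DEFAULT_TAG}   # Default backfills an untagged object
    return obj


def can_target(admin, group, assignments):
    """Group targeting: only groups listed in the admin's Scope (Groups)."""
    if admin.service_admin:
        return True
    return any(group in a.scope_groups for a in assignments_for(admin, assignments))


def access_matrix(admins, objects, assignments):
    """Best practice 'maintain access matrix': who can see which objects."""
    return {a.name: sorted(o.name for o in objects if can_see(a, o, assignments))
            for a in admins}


# Constructed tenant: two regional admin teams with an oversight team above them
ASSIGNMENTS = [
    RoleAssignment("Seattle policy", "Policy and Profile manager", "G-Seattle-Admins",
                   {"SEA-Devices"}, {"Seattle"}),
    RoleAssignment("New York policy", "Policy and Profile manager", "G-NewYork-Admins",
                   {"NYC-Devices"}, {"New York"}),
    RoleAssignment("Regional oversight", "Read Only Operator", "G-Regional-Leads",
                   {"SEA-Devices", "NYC-Devices"}, {"Seattle", "New York"}),
    RoleAssignment("Help desk", "Help Desk Operator", "G-Helpdesk", {"All-Devices"}, set()),
]
ALICE = Admin("alice", {"G-Seattle-Admins"})
BOB = Admin("bob", {"G-NewYork-Admins"})
CAROL = Admin("carol", {"G-Regional-Leads"})
DAVE = Admin("dave", set(), service_admin=True)
ERIN = Admin("erin", {"G-Helpdesk"})
OBJECTS = [
    IntuneObject("Seattle Wi-Fi profile", {"Seattle"}),
    IntuneObject("New York VPN profile", {"New York"}),
    IntuneObject("Baseline compliance policy"),   # untagged -> Default
]

if __name__ == "__main__":
    for admin, rows in access_matrix([ALICE, BOB, CAROL, DAVE, ERIN], OBJECTS, ASSIGNMENTS).items():
        print(f"{admin:6} -> {rows}")
    print(why_hidden(ALICE, OBJECTS[1], ASSIGNMENTS))
```

Two results of the model are worth noticing when planning assignments. First, `erin`, whose only assignment carries no scope tags, sees every object including the regional ones, which is consideration 5 in practice. Second, an object that `carol` creates inherits both "Seattle" and "New York", so it is visible to both regional teams; that follows directly from the automatic assignment rule and is the reason the Devolved Model later in this guide keeps a separate intermediate tag for the oversight team's own policies.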

Best Practices

1. Plan Scope Structure

  • Define scope hierarchy
  • Use consistent naming
  • Consider organizational structure
  • Document scope purposes

2. Use Descriptive Names

  • Use location names (e.g., "Seattle", "New York")
  • Use department names (e.g., "HR", "Finance")
  • Use business unit names
  • Keep names clear and consistent

3. Assign Tags Consistently

  • Assign tags to all relevant objects
  • Use automatic assignment when possible
  • Review tag assignments regularly
  • Maintain tag consistency

4. Test Access Control

  • Test admin access
  • Verify scope limitations
  • Test object visibility
  • Validate permissions

5. Document Configuration

  • Document scope tag purposes
  • Record role assignments
  • Maintain access matrix
  • Update documentation regularly

Distributed IT Models

Full Delegation Model

  • Each local admin has own scope tag
  • Local admins fully manage their scope
  • Use read or assign permissions when full control is not needed
  • Create shared groups for common policies

Central Model

  • Single scope tag for all managed orgs
  • Standardize assignments across orgs
  • Use single Microsoft Entra group when possible
  • Update scope tags when orgs move

Devolved Model

  • Multiple local admins with parent oversight
  • Intermediate admin team manages children
  • Assign children's scope tags to intermediate team
  • Add intermediate tag to new policies

For details, see Distributed IT environment with many admins in the same Microsoft Intune tenant.

Troubleshooting

Common Issues

  1. Admin Can't See Objects

    • Verify scope tag assignment
    • Check role assignment scope tags
    • Review object scope tags
    • Verify group membership
  2. Objects Not Inheriting Tags

    • Check admin's scope tags
    • Verify automatic assignment
    • Review tag configuration
    • Test object creation
  3. Access Too Broad

    • Review scope tag assignments
    • Check role assignments
    • Verify scope groups
    • Adjust tag assignments

Conclusion

Scope tags and RBAC provide essential capabilities for distributed IT management in Intune. By following these best practices:

✅ Plan scope structure carefully
✅ Use descriptive and consistent names
✅ Assign tags consistently
✅ Test access control thoroughly
✅ Document configuration properly

You can enable distributed IT management while maintaining security and control over who can see and manage which resources.

Remember: Scope tags control visibility, while roles control permissions. Both work together to enable distributed IT management. Always test access control after configuration to ensure admins have appropriate access.