Microsoft Intune - Scoping Tags

Please note: The video is in German.

This blog is about how to use the scoping feature in Microsoft Intune. It lets you separate administrative tasks for specific roles, groups, or teams. For example, imagine a group of people managing Microsoft Teams Rooms devices. You might want to give them some capabilities to manage those devices without giving them access to all devices. With scoping, you can divide your Intune environment into different scopes, which is where the "scope tag" name comes from.

So here is how you do it.

First, go to Roles under Tenant Administration in Intune. On the left side of the menu you will find the Scope Tags configuration.

Before creating a scoping tag you need to do two things!

  1. Create a group containing the administrators or other people who will perform the actions.
  2. Create a dynamically assigned group for the devices, based on a specific naming convention, a category, or a similar attribute.

With these in place, you are set up for the scoping tags.

So, moving forward, you create the scoping tag and name it, then select the device group where you want the tag to be applied.

Next, choose the role you want to grant to the admin group. Then, under Assignments, assign the scoping tag, the user group of the admins, and the devices group.

Now you are set.
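The two prerequisite groups and the scope tag can also be created through Microsoft Graph. The following is an added example, not part of the original post: it assumes the Microsoft.Graph PowerShell module, uses constructed names (`MTR-Admins`, `MTR-Devices`, the `MTR-` device prefix, the `MTR` tag), and calls the Graph beta `roleScopeTags` endpoints, which can change. The role assignment itself is left to the portal steps above.

```powershell
# Added example. All names and the "MTR-" prefix are constructed sample values.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'DeviceManagementRBAC.ReadWrite.All'

# Prerequisite 1: assigned security group that will hold the scoped administrators.
$adminGroup = New-MgGroup -DisplayName 'MTR-Admins' -MailNickname 'mtr-admins' `
    -MailEnabled:$false -SecurityEnabled

# Prerequisite 2: dynamic device group driven by the naming convention.
# Membership is evaluated asynchronously, so new devices appear with a delay.
$deviceGroup = New-MgGroup -DisplayName 'MTR-Devices' -MailNickname 'mtr-devices' `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule '(device.displayName -startsWith "MTR-")' `
    -MembershipRuleProcessingState 'On'

# Create the scope tag.
$base = 'https://graph.microsoft.com/beta/deviceManagement/roleScopeTags'
$tagBody = @{ displayName = 'MTR'; description = 'Teams Rooms devices' } | ConvertTo-Json
$tag = Invoke-MgGraphRequest -Method POST -Uri $base -Body $tagBody `
    -ContentType 'application/json'

# Apply the tag to the device group, so its members are tagged automatically.
$assignBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $deviceGroup.Id
            }
        }
    )
} | ConvertTo-Json -Depth 5
Invoke-MgGraphRequest -Method POST -Uri "$base/$($tag.id)/assign" -Body $assignBody `
    -ContentType 'application/json' | Out-Null

# Read the assignment back and fail loudly if the tag is not bound to the group.
$current  = Invoke-MgGraphRequest -Method GET -Uri "$base/$($tag.id)/assignments"
$groupIds = @($current.value | ForEach-Object { $_.target.groupId })
if ($groupIds -notcontains $deviceGroup.Id) {
    throw "Scope tag '$($tag.displayName)' is not assigned to group $($deviceGroup.Id)"
}
"Scope tag $($tag.id) -> device group $($deviceGroup.Id); admin group $($adminGroup.Id)"
```

The read-back at the end is worth keeping in any automation: a tag that exists but is not bound to the device group leaves the scoped admins with nothing in view.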

Don't be confused by the messages shown in the Members and Scope Groups selection screens. They should be read like this:

Admin group users are the administrators assigned to this role (this is the role assignment mentioned above). Administrators in this role assignment can target policies, applications and remote tasks to devices that are members of the groups listed below.

That's all there is to it. You can assign multiple scope tags to devices if you have people managing different aspects whose device areas overlap.