Setting up regional-specific permissions with Intune scope tags

A common question when implementing Intune for multi-national organizations is: “How can I allow regional IT teams to manage devices that are in their own region, without access to the rest of the organization’s devices?” This is something that isn’t obvious for IT teams that aren’t unfamiliar with Intune. This article explains the details about how to set up the permissions within Microsoft Endpoint Manager (MEM) Admin Center for an IT team in Seattle where their manager can only manage devices enrolled into Intune via Autopilot in that region.

The Theory – Intune Scope Tags

The most important element to understand is something called scope tags. An Intune scope tag is a container that allows specific teams to manage the specific devices defined in a Dynamic Device Group t. It’s worth noting that Intune assigns a default scope tag automatically to all untagged devices. All objects within Intune must have at least one scope tag.

Role-Based Access Control (RBAC) with Intune

 Endpoint Manager includes nine RBAC roles for Intune management (Figure 1):

Intune RBAC Roles in Endpoint Manager
Figure 1: The default RBAC roles in Endpoint Manager

The roles range from Intune Role Administrator, giving full power over Intune, to the Read-Only Operator role which gives holders read-only rights to the Intune environment. To see more on the Built-In roles, please check the Microsoft documentation.

To determine the required permissions, we must create a custom Endpoint Manager role for the Seattle administrators to ensure that they can only manage devices in their region.

Check out the Top 10 Security Events to Monitor in Azure Active Directory and Office 365 in this eBook.

Dynamic Device Group

Autopilot uses Azure AD Dynamic Device Groups to control registered devices. A typical environment has a DDG which is automatically updated with a device when its Hardware Hash is uploaded to Intune. To identify Seattle-based devices, we the device a specific Group Tag when we upload the Hardware Hash to Intune.

Setting up permissions for the Seattle IT department

Create Azure AD Groups

The solution needs two Azure AD groups. First, a Security Group for The Seattle IT Team (called “Seattle IT”) populated by the members of the Seattle IT team. The second Security group is a Dynamic Device Group, used for Seattle-based devices enrolled via Autopilot. Create the group with the following dynamic membership rule:

(device.devicePhysicalIds -any (_ -eq "[OrderID]:SeattleDevice"))

If you have a “catch-all” Dynamic Device Group for Autopilot devices, the dynamic member rule should be changed to the following (thanks to Peter Egerton’s blog):

(device.devicePhysicalIDs -any (_ -contains "[ZTDId]")) -and -not (device.devicePhysicalIDs -any (_ -eq "[OrderID]:SeattleDevice"))

Create Scope Tag

Next, we create a scope tag in the Intune scope tag section. The following information is needed to create a scope tag:

  • Name The name of the scope tag should be easily identifiable i.e., “Seattle Office.”
  • Description A description of the scope tag which identifies its purpose.
  • Included Groups Here we add the group we created above. This will assign the scope tag to all the devices in this group.

Create Intune RBAC Roles

We now decide the administrative rights to assign to our administrators. Go to the RBAC landing page. We need the following details:

  • Name The Name of the role, such as “Seattle Admin”
  • Description A user-friendly description of the Intune RBAC role
  • Permissions for the scenario. In this case, we need some granular permissions, including permissions to manage Windows 10 devices: (Figure 2) & (Figure 3)
Intune RBAC Roles scope
Figure 2: Example of granular RBAC permissions
granular RBAC
Figure 3: Second example of granular RBAC permissions

Create Autopilot Profile

Last, we create an Autopilot profile for the Seattle devices. The important points are to ensure that devices are easily identifiable by giving them a SEATTLE prefix and that any device that uses this profile inherits the “Seattle Office” scope tag. I used the settings shown in Figure 4.

Intune Autopilot
Figure 4: AutoPilot Settings

Enrolling a device

After uploading the Hardware Hash with the Group Tag SeattleDevice, and enrolling the device via Autopilot. I can now see it in Intune alongside the other desktop that I previously enrolled: (Figure 5)

enrolled devices
Figure 5: Enrolled Devices

By examining the device properties, it’s obvious that Intune enrolled the device automatically with the Seattle Office group tag (Figure 6):

intune RBAC roles
Figure 6: Example of a “Seattle” device

The Result

If we now log in as a Seattle administrator, only the device based in Seattle is visible (Figure 7):

Intune scope tags
Figure 7: The view of a Seattle administrator

The administrator can perform all the administrative tasks on this device that we assigned permissions for earlier: (Figure 8)

Intune
Figure 8: A Seattle device, accessed by a Seattle admin with permissions to fully manage the device

Conclusion

Assigning the Intune Role Administrator permissions to all admins is never the right answer. It is important for organizations to create Intune RBAC roles to ensure administrators have the necessary permissions to do their work without the ability to interact with devices that do not concern them. In a multi-region or national company with multiple helpdesks that look after specific devices, using Intune scope tags is the right way to ensure that IT teams have permissions to the devices that they need to look after.

Check out the Top 10 Security Events to Monitor in Azure Active Directory and Office 365 in this eBook.

About the Author

Jon Jarvis

Jon Jarvis is a Microsoft 365 Principal Consultant at CDW. Jon has been working within Office 365 for over a decade having first learnt how to do an Exchange Online migration using articles from Practical 365! Jon enjoys working on the whole of the Microsoft 365 product range and has a passion for learning new skills, which has led to him passing 19 Microsoft exams. Outside of work, Jon is a Brazilian Jiu Jitsu Black Belt who has trained for over 11 years!

Leave a Reply