004: Scope Tags
Overview
You can use role-based access control and scope tags to make sure that the right admins have the correct access and visibility to the required Intune objects. Roles determine what access admins have to which objects. Scope tags determine which objects admins can see.
For example, let's say a Seattle regional office admin has the Policy and Profile Manager role. You want this admin to see and manage only the profiles and policies that only apply to Seattle devices. To set up this access, you would:
Create a scope tag called Seattle. Create a role assignment for the Policy and Profile Manager role with: Members (Groups) = A security group named Seattle IT admins. All admins in this group will have permission to manage policies and profiles for users/devices in the Scope (Groups). Scope (Groups) = A security group named Seattle users. All users/devices in this group can have their profiles and policies managed by the admins in the Members (Groups). Scope (Tags) = Seattle. Admins in the Member (Groups) can see Intune objects that also have the Seattle scope tag. Add the Seattle scope tag to policies and profiles that you want admins in Members (Groups) to have access to. Add the Seattle scope tag to devices that you want visible to admins in the Members (Groups).