demystifying Scope tags in Intune – Part 1

Scope tags was for a long time a mystery for me, I’ve heard about it and I thought I understood what it was until I actually started looking in to what it is.

I keep seeing comments and posts online on different forums where people have the wrong perception (just like I did) on what Scope tags in Intune is and its expected behaviour. And to understand Scope (Tags) you also need to understand RBAC so what I i want to do is try to make a simple explenation of what Scope Tags is and how it intergrates with RBAC, I will also link to other useful resources out there.

RBAC – Role Based Access Control

Before we even start talking about scope tags we need to mention RBAC, which stands for Role Based Access Control. This is because scope tags is one of the components in RBAC. I won’t cover RBAC In detail in this post but it’s important to know its there.

Microsofts Documentation on RBAC
https://docs.microsoft.com/en-us/intune/role-based-access-control

Scope (Tags)

Scope (Tags) can be applied to different resource objects (For example a Win10 device) within Intune. The tag is used as an identifier which you then can associate with Scopes. A resource can have multiple Scope (Tags) and a Scope can have multiple Scope (Tags) associated with it.

Microsofts Documentation on Scope tags
https://docs.microsoft.com/en-us/intune/scope-tags

A common miss-conception is that you can use Scope (Tags) to target users or devices with different policies. For example if you have a user who has 2 iOS devices, one iPad and one iPhone.

You then have 2 different policies that you need to set for either iPads or Iphones.

  • iPad-ConfigPolicy
  • iPhone-ConfigPolicy

Both of them are assigned to either a User group or Device group where both devices are members of and you want to make sure that the iPad only gets the iPad-ConfigPolicy or vice versa. This is not what Scope (Tags) are for and it won’t help you out in this situation.

Scope tags is not

  • A way to filter which end-user or device gets a policy, profile or app through assignments.

Scope tag is

  • A way to tag a resource object. Once taged you can define which admin can see that object in Intune. This is done by assigning the Scope tag to a Scope. Add that Scope to a Role and assign that Role to a specific Azure AD group or user.
  • Optional – Not required when using RBAC.

Thats it for part 1, in Part 2 I’ll cover how to use Scope (Tags) and also point to some great resources out there if you are interested in using RBAC.

Leave a Reply