This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 59%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI%3C/text%3E%3C/svg%3E)
I have the following requirement:
We have 2 admin departments in our organization - Windows and Mobile for MDM.
We would like to setup custom roles or use scope tags such that:
Windows admin users should not be able to manage Android aspect of the settings and vice-versa.
Is this scenario possible to be created ?
@Lu Dai-MSFT thanks for looking into the query.
I got a notification of your answer, however I am not able to view the same.
Could you please re-post it ?
@IntuneUser I have posted again. Did you see my answer? If not, please refresh this page again.
@Lu Dai-MSFT yes I can see it now.
Please allow me some time to review the same.
Thanks for your help.
@IntuneUser Thanks for posting in our Q&A.
Of course, you can. I have done the test in my lab. I will share you more details.
Step1: I create a device group that only includes windows devices.
Step2: I create a user group that I want the user in this group only can see windows devices.
Setp3: I create a scope tag called "windows scope tag" in Tenant administration > Roles > scope tags. In this "windows scope tag", I add the windows device group under "assignments".
Setp4: I create a custom role called "windows role" in Tenant administration > Roles and enable the feature what I want and add "windows scope tag".
Step5: I create a role assignment.
Stpe6: When I use the target user signing in intune portal, I can only manage windows devices and I can't see other platform devices.
Hope it will help.
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@IntuneUser This is the double post.
Thanks for posting in our Q&A.
Of course, you can. I have done the test in my lab. I will share you more details.
Step1: I create a device group that only includes windows devices.
Step2: I create a user group that I want the user in this group only can see windows devices.
Setp3: I create a scope tag called "windows scope tag" in Tenant administration > Roles > scope tags. In this "windows scope tag", I add the windows device group under "assignments".
Setp4: I create a custom role called "windows role" in Tenant administration > Roles and enable the feature what I want and add "windows scope tag".
Step5: I create a role assignment.
Stpe6: When I use the target user signing in intune portal, I can only manage windows devices and I can't see other platform devices.
Hope it will help.
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hello @Lu Dai-MSFT , the proposed solution works good.
But there's one concern, my Windows admin user is able to create Config and Compliance policies for Android platform as well. However, they are not able to assign the policies to Android group(or any group they are not scoped with).
Is there any solution to prevent creating the policies itself ?
@IntuneUser No, there is no method to prevent creating policies for other platforms.
@IntuneUser Is there any other assistance that we can provide? If you have any questions or concerns on the recent information I've provided you, please don't hesitate to let me know.
If my answer is helpful to create a custom role, please accept it. It will help someone else who has the similar issue easily find the direction.
Thanks for your kindness in advance. : )