
MDM User Scope is greyed out

Martha Velazquez 0 Reputation points
2026-03-31T19:25:48.5066667+00:00

I can't change the MDM user scope even though I have the role of Intune Administrator. I've already double-checked and the MDM authority is set to Intune. Do I not have sufficient privilege to change the MDM user scope? I thought Intune Administrator was sufficient enough. Any help at all would be greatly appreciated, thank you in advance.

Screenshot 2026-03-31 141312

Screenshot 2026-03-31 141040

Microsoft Security | Intune | Configuration

2 answers

  1. Prathista Ilango 1,065 Reputation points Microsoft Employee
    2026-04-01T15:46:07.98+00:00

    Hello Martha Velazquez,

    As mentioned by @Rahul Jindal, the Microsoft documentation confirms that changing the MDM user scope requires Global Administrator permissions. Refer to: https://learn.microsoft.com/en-us/intune/intune-service/enrollment/windows-enroll#prerequisites

    Hope this helps!

    If you found the information above helpful, please click Yes. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.


  2. Q&A Assist
    2026-03-31T19:26:09.01+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Changing the MDM user scope is not controlled by the Intune Administrator role itself but by tenant‑level configuration and licensing.

    From the available information:

    • An MDM authority must be set before MDM user scope can be used. This tenant already has MDM authority = Microsoft Intune, so that prerequisite is satisfied.
    • Auto‑enrollment behavior is then controlled by the MDM user scope and MAM user scope settings. These determine which users can enroll devices and whether devices are MDM‑enrolled or only managed by MAM/Windows Information Protection.

    When the MDM user scope controls are greyed out even for an Intune Administrator, it indicates that the tenant‑wide enrollment configuration is locked at the directory level rather than by Intune RBAC. In this state, only higher‑privileged directory roles (for example, those that can change Microsoft Entra auto‑enrollment and tenant‑wide device settings) can modify the MDM user scope.

    To resolve the issue, have a directory admin with sufficient tenant permissions review and update the Windows automatic enrollment settings so that:

    1. The correct users have a valid Intune license assigned.
    2. The MDM user scope is set to All or Some (with the appropriate group) in the automatic enrollment configuration.
    3. The MAM user scope is set appropriately (for example, None for education/corporate scenarios where full MDM enrollment is required).

    Once a directory admin updates these tenant‑level enrollment settings, the MDM user scope options will no longer be greyed out for that configuration page, and an Intune Administrator can then manage enrollment behavior through policy.

