Configure scoped administration for regional or business unit separation

As an Intune administrator, you often need to delegate authority without granting full global access. By configuring Scope Tags and Role Assignments, you can ensure that regional or departmental admins can only view and manage the specific objects (policies, apps, devices) relevant to their role.

This guide details the specific configuration steps required to partition administrative access.

Step 1: Create Scope Tags

Scope tags are the labels you use to define visibility. Before you can partition access, you must define the tags (e.g., "Seattle-IT," "HR-Department"). This requires the Intune Administrator role.

  1. Sign in to the Microsoft Intune admin center.
  2. Go to Tenant administration > Roles > Scope (Tags).
  3. Select Create.
  4. Name: Enter a clear, descriptive name (e.g., Seattle-Scope or Project-Alpha).
  5. Description: Optional, but recommended for identifying the tag's purpose.
  6. Select Next. On the Assignments page you can optionally assign the tag to device groups (devices in those groups receive the tag automatically); otherwise select Next > Create to finish creating the tag.

Step 2: Assign Scope Tags to Objects

Once the tags exist, you must apply them to the specific items (policies, profiles, apps) you want to categorize.

To tag a Configuration Profile or Compliance Policy:

  1. Navigate to Devices > Windows (or relevant platform) > Configuration profiles.
  2. Select the configuration profile you want to assign the tag to.
  3. Go to Properties.
  4. Scroll down to Scope tags and select Edit.
  5. Select scope tags: Choose Seattle-Scope.
  6. Important: If you want to hide this object from general admins, remove the Default scope tag.
  7. Select Review + save.

To tag an Application:

  1. Navigate to Apps > All apps.
  2. Select the application (e.g., HR Benefits App).
  3. Go to Properties > Scope tags > Edit.
  4. Add the custom tag (e.g., HR-Scope) and save.

Step 3: Configure the Role Assignment

The Role Assignment is where you bind the user, their permissions, and their scope together.

  1. Go to Tenant administration > Roles > All roles.
  2. Choose a built-in role (e.g., Policy and Profile Manager) or a custom role you created.
  3. Select Assignments > Assign.
  4. Basics: Enter a name for the assignment (e.g., Seattle IT Policy Manager).
  5. Admin Groups: Select the user group containing the admins you're delegating to (e.g., Seattle IT Staff).
  6. Scope (Groups):
    • Select Add groups.
    • Choose the user/device group that these admins are allowed to target (e.g., All Seattle Users).

      Note

      This prevents the Seattle admin from deploying policies to New York users.

  7. Scope (Tags):
    • Select Add scope tags.
    • Choose the tag you created in Step 1 (e.g., Seattle-Scope).

      Note

      This ensures the admin can only see objects with this tag.

  8. Select Review + create.

Verification

To verify the configuration is working:

  1. Ask a member of the Seattle IT Staff to sign in to the Intune admin center.
  2. Have them navigate to Devices > Configuration profiles.
  3. Confirm Visibility: They should only see the profiles tagged with Seattle-Scope. Profiles tagged only with Default, or tagged with New York-Scope, should not appear.
  4. Confirm Targeting: Have them attempt to assign a profile. They should only be able to select the All Seattle Users group (or groups within that scope).
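The same configuration as Steps 1 to 3, followed by the visibility check from the Verification section, can be scripted against Microsoft Graph. The script below is an added example and is not part of the Intune documentation or Microsoft's own samples. It uses the Graph PowerShell SDK (Connect-MgGraph and Invoke-MgGraphRequest from the Microsoft.Graph.Authentication module) against the beta endpoint. The group IDs and the profile name are placeholders you replace with your own; the built-in Default scope tag has the ID 0. The property names used for binding the role definition and scope tags to a role assignment (roleDefinition@odata.bind, roleScopeTags@odata.bind) are assumptions to confirm against the current Graph beta reference before use.

```powershell
# Added example (not from the Intune documentation): scripts Steps 1-3 and the
# visibility check from the Verification section through Microsoft Graph (beta).
# ASSUMPTIONS: the @odata.bind property names on the role assignment should be
# confirmed against the current Graph beta reference; group IDs and the profile
# name below are placeholders.

$Graph = 'https://graph.microsoft.com/beta'
Connect-MgGraph -Scopes @('DeviceManagementRBAC.ReadWrite.All',
                          'DeviceManagementConfiguration.ReadWrite.All') | Out-Null

# --- Step 1: create the scope tag ---------------------------------------------
$tag = Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceManagement/roleScopeTags" -Body @{
    displayName = 'Seattle-Scope'
    description = 'Objects managed by Seattle IT only'
}
$tagId = $tag.id

# --- Step 2: tag a configuration profile and remove the Default tag (id 0) ------
$profileName = 'Seattle Wi-Fi Profile'    # placeholder: an existing profile's display name
$cfg = (Invoke-MgGraphRequest -Method GET -Uri "$Graph/deviceManagement/deviceConfigurations").value |
    Where-Object { $_.displayName -eq $profileName }
if (-not $cfg) { throw "Profile '$profileName' not found" }

# Keep any existing custom tags, add Seattle-Scope, and drop Default ('0') so
# admins whose assignment only carries Default no longer see the object.
$newTags = @($cfg.roleScopeTagIds | Where-Object { $_ -ne '0' }) + $tagId | Select-Object -Unique
Invoke-MgGraphRequest -Method PATCH `
    -Uri "$Graph/deviceManagement/deviceConfigurations/$($cfg.id)" `
    -Body @{ '@odata.type' = $cfg.'@odata.type'; roleScopeTagIds = $newTags } | Out-Null

# --- Step 3: bind admins, target groups and the tag in one role assignment ------
$adminGroupId  = '00000000-0000-0000-0000-000000000001'   # placeholder: Seattle IT Staff
$targetGroupId = '00000000-0000-0000-0000-000000000002'   # placeholder: All Seattle Users

$role = (Invoke-MgGraphRequest -Method GET -Uri "$Graph/deviceManagement/roleDefinitions").value |
    Where-Object { $_.displayName -eq 'Policy and Profile manager' }
if (-not $role) { throw 'Built-in role not found' }

Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceManagement/roleAssignments" -Body @{
    '@odata.type'               = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
    displayName                 = 'Seattle IT Policy Manager'
    members                     = @($adminGroupId)    # Admin Groups: who receives the role
    resourceScopes              = @($targetGroupId)   # Scope (Groups): who they may target
    'roleDefinition@odata.bind' = "$Graph/deviceManagement/roleDefinitions/$($role.id)"
    'roleScopeTags@odata.bind'  = @("$Graph/deviceManagement/roleScopeTags/$tagId")  # Scope (Tags); assumption
} | Out-Null

# --- Verification: what does an admin holding only Seattle-Scope see? ----------
# Visibility rule: an object is visible when at least one of its tags is also on
# the role assignment. A profile that still carries Default next to Seattle-Scope
# remains visible to every assignment that includes Default, so flag those.
$assignmentTags = @($tagId)
$all = (Invoke-MgGraphRequest -Method GET -Uri "$Graph/deviceManagement/deviceConfigurations").value
foreach ($p in $all) {
    $visible    = [bool]($p.roleScopeTagIds | Where-Object { $assignmentTags -contains $_ })
    $hasDefault = $p.roleScopeTagIds -contains '0'
    if ($visible) {
        $flag = if ($hasDefault) { '  <- still carries Default; also visible to Default-scoped admins' } else { '' }
        "VISIBLE : $($p.displayName)$flag"
    }
}
```

Run the script once as an Intune Administrator, then have a Seattle IT Staff member sign in to confirm the admin center shows the same set of profiles the VISIBLE lines list. Any line flagged for still carrying Default is a candidate for the cleanup described under Best Practices.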

Best Practices

  • Remove the 'Default' Tag: Every new object gets the Default tag automatically. To restrict who can see an object (for example an executive's device policy), you must explicitly remove Default and add a restricted tag (e.g., Executive-IT); an object that keeps Default alongside a custom tag stays visible to every admin whose role assignment includes Default.
  • Naming Conventions: Use a consistent prefix for your tags (e.g., Loc-Seattle, Dept-HR) to keep them organized in the selection list.
  • Distributed IT: If you have many regions, create a "Global" role assignment for your Central IT team that includes all scope tags, ensuring they retain full visibility while local admins are restricted.
  • Multi Admin Approval (MAA): Enable Multi Admin Approval to require a second administrator to approve RBAC changes, protecting against unauthorized or accidental role assignment modifications. Covered changes include updates to role permissions, admin group memberships, and member group assignments. This dual-authorization model prevents a single compromised or careless admin from escalating privileges across the tenant. See the Multi Admin Approval documentation for setup steps.