Contoso has a Seattle help desk team that should be able to reset passcodes and reboot devices for users in the Seattle office, but should not be able to see or modify configuration profiles created for the New York office. What's the most appropriate way to delegate this access in Microsoft Intune?
Assign the built-in Help Desk Operator role to a Seattle-IT security group, set Scope (Groups) to All Seattle Users, and set Scope (Tags) to a Seattle-Scope scope tag applied to Seattle-only objects.
Assign the Global Administrator role directly to each Seattle help desk user so they can perform any device action when needed.
Create a custom role that grants Read access to all configuration profiles, and assign it directly to each Seattle help desk user account.
An Intune administrator creates a new compliance policy and applies a custom scope tag named Executive-IT, but a regional admin without that tag can still see the policy. What's the most likely cause?
The Default scope tag was not removed from the policy, so admins whose role assignments include the Default tag can still see the object.
Custom scope tags only take effect after the regional admin signs out and back into the Intune admin center.
Compliance policies don't honor scope tags; only configuration profiles and apps do.
Your security team wants to be alerted whenever an Intune admin deletes a device compliance policy, and they need to retain that audit history for several years to meet compliance requirements. Which combination of Intune diagnostic settings should you configure?
Send AuditLogs to a Log Analytics workspace for KQL-based alerting on delete operations, and also archive AuditLogs to a storage account for long-term retention.
Manually export the audit logs to CSV from the Intune admin center each week, and store the files on a shared file server.
Stream AuditLogs to an event hub only, and rely on the third-party SIEM to handle both alerting and long-term retention.