Aim: To understand the benefits of using role-based access control (RBAC) and scope tags to assign delegated admins appropriate permissions to manage subsets of all Intune objects on the tenant.
You can use role-based access control (RBAC) and scope tags to ensure the right admins have the right access to the right Intune objects.
- Roles are used to assign access to an admin user who has objects to manage.
- Scope tags are assigned to objects those admins can see (devices, apps, etc.).
By assigning privileged roles to your Intune administrators, you can limit what they can see and change by adding scope tags to the appropriate Intune objects you want them to manage. Intune objects that support tagging are policies, profiles, and apps.
You may have noticed that the default scope tag is automatically added to all untagged objects that support scope tags. When an admin creates an object in Intune, all scope tags assigned to that admin will be automatically assigned to the new object.
Intune RBAC doesn’t apply to Azure Active Directory roles, so the AAD Intune Service Admins and Global Admins roles have full admin access to administer all Intune objects, regardless of the scope tags those objects have been assigned.
Note that to be able to administer Intune, you must have an Intune license assigned. Alternatively, as a one-off, you can allow non-licensed users to administer Intune by setting Allow access to unlicensed admins to Yes (and once enabled, this cannot be revoked).
Related:
- https://learn.microsoft.com/en-us/mem/intune/fundamentals/scope-tags
- https://learn.microsoft.com/en-us/mem/intune/fundamentals/role-based-access-control