Intune role-based administration control and devices

This week a little bit about role-based administration control (RBAC) in combination with devices, in Microsoft Intune. I specifically want to look at that combination, as the RBAC-model in Microsoft Intune differs in that area from how the RBAC-model works in Configuration Manager. Within Configuration Manager a delegated administrator would be a combination between a security role (that defines the permissions and a security scope (that defines the objects). In that case the security scope is a combination between tagged objects and users and devices in specified collections. Specifically that last section, regarding the collections, is were the RBAC-model differentiates from Microsoft Intune. In this post I want to provide a short introduction to the different pieces of RBAC in Microsoft Intune, followed by how those pieces together impact the devices within Microsoft Intune.


Now let’s start by having a look at RBAC in Microsoft Intune. RBAC helps administrators to control who can perform various Intune tasks within the organization, and who those tasks apply to. Administrators can either use the built-in roles that cover some common Intune scenarios, or create their own roles. Below is an overview of the different components of an Intune role. The permissions and the assignment.


A summary of the overview would be that an Intune role is defined by:

  • Permissions: The permissions of the Intune role;
  • Assignments: The assignment of the Intune role is the combination of the members, the scope and the scope tags. Those components are used for the following:
    • Members: The user groups that are granted the permissions of the Intune role;
    • Scope: The user or device groups that the members can manage;
    • Scope tag:
      The objects that the members can see.

Bringing the pieces together

Previously an often heard comment was that an administrator could delegate permissions to a delegated administrator, but the delegated administrator would still see all the device objects. That has changed with the introduction (and recent modifications) of Scope tags! This is also the point were the RBAC-model differs from that of Configuration Manager. Main reason, within Microsoft Intune it’s required to specifically tag the objects that the delegated administrators can see. Including the devices. That means, using a Scope to determine which users and/or devices the delegated administrator can manage and using Scope tags to determine which devices the delegated administrator can see.

The Scope tag configuration is a little bit hidden and unknown on devices. The configuration can be found by going to the Properties of a device, as shown below.


As the configuration of a Scope tag is currently done per device, it might be smart to look at automating that process. To help with that automation, Microsoft recently provided a PowerShell example for assigning a Scope tag to a device.

More information

For more information regarding to RBAC in Microsoft Intune, please refer to the following articles:

11 thoughts on “Intune role-based administration control and devices”

  1. Hi, I just tested it, but it doesn’t work for me, I created an scope tag and assigned it to some user devices and to a Role, but the delegated admin can still see all the devices I have in Intune. Should I wait some time for kind of configurations to take effect.


  2. Hi Peter,

    You’re right! that was the problem! the delegated admin was seeing all the specifically tagged devices + all devices without a tag.

    Thank you very very much!


    Jean Chavez

  3. Hi Peter,
    In the MSIntune-RBAC infographic from above you mentioned that a user group can be used as scope. With that the admin can perform action to the devices of those users. I’m currently working on a case, where I’m trying to select all Android devices from a specific country. This can’t be achieved through a dynamic device group, as there are no searchable patterns for these mobiles. The only way to get these devices is a manual match via the device’s primary user setting.
    Do I understand you article right, that we can assign a scope (tag) to the country user group and this should also set this scope to the devices with the corresponding primary user? Currently this is not working for us.
    Thanks a lot for any reply!


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.