Scope Tags and Role-based permissions in Intune

When setting up permissions in Microsoft Endpoint Manager (Intune) you can add users to the built-in directory roles such as “Intune Administrator” and “Cloud Device Administrator”. These roles grant rights across the whole tenant; they cannot be limited to a subset of devices or policies.

If you have different types of devices or policies that need to be managed by different support teams, this is where scope tags and role-based access control (RBAC) come in.

Please note that if a user also holds the Intune Administrator role (or another tenant-wide directory role such as Global Administrator), that role takes precedence: the user can see and manage every object regardless of the scope tags on their custom role assignment. Keep the members of the scoped groups out of those directory roles, or the scoping is ineffective.

In the example below I will concentrate on Android and Windows devices that are managed by different teams.

First, create four groups: two assigned security groups for the support staff, “Windows Management” and “Android Management”, and two dynamic device groups, “Windows devices” with a membership rule where the device operating system type contains “Windows”, and “Android devices” where the operating system type contains “Android”.

Then create two scope tags, “Windows Management” and “Android Management”. Assign the first to the “Windows devices” dynamic group and the second to the “Android devices” dynamic group. Assigning a tag to a group stamps every device in that group with the tag automatically, so new devices are covered as they enrol.

Then create the two custom roles. The permissions depend on your requirements, but do not grant any of the Roles permissions (create, update, delete or assign roles): a user who holds those can edit their own role or assignment and widen their own access. Restrict the roles to the device, configuration and app permissions the teams actually need.

Once a custom role is created, add an assignment for it. Set Members to the matching management group (the admins), set Scope (Groups) to the matching dynamic device group (the devices they are allowed to act on), and set Scope (Tags) to the tag created earlier (the tag that limits which objects they see and that is stamped on any object they create).
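The same four steps can be scripted against Microsoft Graph. The block below is an added example and not part of the original post; it uses the Microsoft Graph PowerShell SDK (Invoke-MgGraphRequest) against the beta Intune RBAC endpoints. The group, tag and role display names and the permission list are assumptions for illustration, and the request-body property names follow the beta API reference and should be checked against the current documentation before running this in a production tenant.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example, not from the original post. Builds the two-team Intune RBAC model:
# assigned admin groups, dynamic device groups, scope tags, custom roles, assignments.
# Display names and the permission list are assumptions; property names follow the
# Graph beta reference for roleScopeTags / roleDefinitions / roleAssignments.

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'DeviceManagementRBAC.ReadWrite.All'
$v1   = 'https://graph.microsoft.com/v1.0'
$beta = 'https://graph.microsoft.com/beta'

function New-AssignedGroup {
    # Static security group that holds the support staff for one platform
    param([string]$Name)
    Invoke-MgGraphRequest -Method POST -Uri "$v1/groups" -Body @{
        displayName = $Name; mailEnabled = $false; securityEnabled = $true
        mailNickname = ($Name -replace '\W', '')
    }
}

function New-DynamicDeviceGroup {
    # Dynamic device group keyed on the OS type the device reports to Azure AD
    param([string]$Name, [string]$OsContains)
    Invoke-MgGraphRequest -Method POST -Uri "$v1/groups" -Body @{
        displayName = $Name; mailEnabled = $false; securityEnabled = $true
        mailNickname = ($Name -replace '\W', '')
        groupTypes = @('DynamicMembership')
        membershipRule = "(device.deviceOSType -contains `"$OsContains`")"
        membershipRuleProcessingState = 'On'
    }
}

function New-ScopeTag {
    # Create the tag, then assign it to the device group so its members are tagged automatically
    param([string]$Name, [string]$DeviceGroupId)
    $tag = Invoke-MgGraphRequest -Method POST -Uri "$beta/deviceManagement/roleScopeTags" -Body @{
        displayName = $Name; description = "Devices managed by the $Name team"
    }
    Invoke-MgGraphRequest -Method POST -Uri "$beta/deviceManagement/roleScopeTags/$($tag.id)/assign" -Body @{
        assignments = @(@{
            target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $DeviceGroupId }
        })
    } | Out-Null
    $tag
}

# Permissions the scoped admins receive (assumed set). No Microsoft.Intune_Roles_* action
# is included, so a scoped admin cannot widen their own access by editing or assigning roles.
$devicePermissions = @(
    'Microsoft.Intune_ManagedDevices_Read'
    'Microsoft.Intune_ManagedDevices_Update'
    'Microsoft.Intune_ManagedDevices_RemoteLock'
    'Microsoft.Intune_DeviceConfigurations_Read'
    'Microsoft.Intune_DeviceConfigurations_Create'
    'Microsoft.Intune_DeviceConfigurations_Update'
    'Microsoft.Intune_DeviceConfigurations_Assign'
)

function New-CustomRole {
    param([string]$Name, [string[]]$Allowed)
    # Guard rail: refuse to create a role that carries any role-management action
    if (@($Allowed -like 'Microsoft.Intune_Roles_*').Count -gt 0) {
        throw "Refusing to create '$Name': it grants role-management actions"
    }
    Invoke-MgGraphRequest -Method POST -Uri "$beta/deviceManagement/roleDefinitions" -Body @{
        '@odata.type' = '#microsoft.graph.roleDefinition'
        displayName = $Name; description = "Scoped device management for $Name"; isBuiltIn = $false
        rolePermissions = @(@{ resourceActions = @(@{ allowedResourceActions = $Allowed; notAllowedResourceActions = @() }) })
    }
}

function New-ScopedRoleAssignment {
    # members = who; resourceScopes = the device group they may act on;
    # roleScopeTagIds = the tag that limits what they see and is stamped on what they create
    param([string]$Name, [string]$RoleId, [string]$AdminGroupId, [string]$DeviceGroupId, [string]$TagId)
    Invoke-MgGraphRequest -Method POST -Uri "$beta/deviceManagement/roleAssignments" -Body @{
        '@odata.type' = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
        displayName = $Name
        'roleDefinition@odata.bind' = "$beta/deviceManagement/roleDefinitions/$RoleId"
        members = @($AdminGroupId)
        resourceScopes = @($DeviceGroupId)
        roleScopeTagIds = @($TagId)
    }
}

foreach ($platform in 'Windows', 'Android') {
    $admins  = New-AssignedGroup      -Name "$platform Management"
    $devices = New-DynamicDeviceGroup -Name "$platform devices" -OsContains $platform
    $tag     = New-ScopeTag           -Name "$platform Management" -DeviceGroupId $devices.id
    $role    = New-CustomRole         -Name "$platform Device Admin" -Allowed $devicePermissions
    New-ScopedRoleAssignment -Name "$platform Management" -RoleId $role.id `
        -AdminGroupId $admins.id -DeviceGroupId $devices.id -TagId $tag.id | Out-Null
}
```

Dynamic group membership is evaluated asynchronously, so devices appear in the groups, and therefore pick up the tag, some minutes after the groups are created. The guard in New-CustomRole encodes the advice above: any attempt to hand a scoped team a Roles permission fails before the role is created.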

Now only members of the “Android Management” group can manage Android devices, and only members of the “Windows Management” group can manage Windows devices.
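That statement only holds if the two caveats above are respected: no custom role carries Roles permissions, and none of the scoped admins also hold a tenant-wide directory role. The block below is an added audit script, not part of the original post, that checks both with the Microsoft Graph PowerShell SDK. The group names it looks up are assumptions matching the example above.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example, not from the original post. Audits the two ways scoped RBAC is bypassed:
#  1. a custom role that grants Microsoft.Intune_Roles_* actions (self-escalation);
#  2. a scoped admin who also holds Intune Administrator or Global Administrator.
Connect-MgGraph -Scopes 'DeviceManagementRBAC.Read.All', 'RoleManagement.Read.Directory', 'Group.Read.All'
$v1   = 'https://graph.microsoft.com/v1.0'
$beta = 'https://graph.microsoft.com/beta'

function Get-RiskyCustomRoles {
    # Custom (non-built-in) roles whose allowed actions include any role-management action
    $roles = (Invoke-MgGraphRequest -Method GET -Uri "$beta/deviceManagement/roleDefinitions").value
    foreach ($role in ($roles | Where-Object { -not $_.isBuiltIn })) {
        $actions = $role.rolePermissions | ForEach-Object { $_.resourceActions } |
                   ForEach-Object { $_.allowedResourceActions }
        $risky = @($actions | Where-Object { $_ -like 'Microsoft.Intune_Roles_*' -and $_ -ne 'Microsoft.Intune_Roles_Read' })
        if ($risky.Count -gt 0) {
            [pscustomobject]@{ Role = $role.displayName; RoleActions = ($risky -join ', ') }
        }
    }
}

function Get-TenantWideIntuneAdmins {
    # Active members of the directory roles that override Intune scope tags.
    # Only activated directory roles are returned by /directoryRoles; display name
    # matching covers the older "Intune Service Administrator" name as well.
    $dirRoles = (Invoke-MgGraphRequest -Method GET -Uri "$v1/directoryRoles").value |
                Where-Object { $_.displayName -like 'Intune*Administrator' -or $_.displayName -eq 'Global Administrator' }
    foreach ($r in $dirRoles) {
        $members = (Invoke-MgGraphRequest -Method GET -Uri "$v1/directoryRoles/$($r.id)/members").value
        foreach ($m in $members) {
            [pscustomobject]@{ DirectoryRole = $r.displayName; Id = $m.id; Upn = $m.userPrincipalName }
        }
    }
}

function Get-ScopedAdminsWithTenantWideRights {
    # Intersect the scoped admin groups (transitive members) with tenant-wide role holders
    param([string[]]$AdminGroupNames)
    $tenantWide = @(Get-TenantWideIntuneAdmins)
    foreach ($name in $AdminGroupNames) {
        $g = (Invoke-MgGraphRequest -Method GET -Uri "$v1/groups?`$filter=displayName eq '$name'").value | Select-Object -First 1
        if (-not $g) { continue }
        $members = (Invoke-MgGraphRequest -Method GET -Uri "$v1/groups/$($g.id)/transitiveMembers").value
        foreach ($m in $members) {
            $hits = @($tenantWide | Where-Object { $_.Id -eq $m.id })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{ ScopedGroup = $name; Upn = $m.userPrincipalName; AlsoHolds = (($hits.DirectoryRole | Sort-Object -Unique) -join ', ') }
            }
        }
    }
}

Get-RiskyCustomRoles | Format-Table -AutoSize
Get-ScopedAdminsWithTenantWideRights -AdminGroupNames 'Windows Management', 'Android Management' | Format-Table -AutoSize
```

Two limits worth knowing: the directoryRoles members endpoint lists active assignments only, so an admin who is merely eligible for Intune Administrator through Privileged Identity Management is not reported until they activate, and the script reads a single page of results, which is adequate for role definitions and directory roles but would need @odata.nextLink handling for very large groups.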

The tags can also be applied to configuration profiles and other Intune objects. An admin only sees objects that carry at least one of the tags in their role assignment, and anything they create is stamped with their tags automatically.

The example below shows a Windows administrative template profile with a scope tag of “Windows Management”. Members of the “Android Management” group will not be able to view this profile, because their role assignment carries only the “Android Management” tag.
