I hope this video helps you understand role-based access control and Scope Tags. Let's chat in the comments!! 💬 ⏱️ Timestamps: 0:00​​ Intro 1:52​​ Admin demo - Microsoft Intune Role-Based Access Control (RBAC) and Scope Tags 13:38​ End-user (Help Desk) demo - Microsoft Intune Role-Based Access Control (RBAC) and Scope Tags 17:26​ Outro

You're a good teacher. Studying for my md-101 and had a little trouble understanding just this concept and you cleared it up while I had a cup of coffe. Thanks.

Many thanks Harry!, greetings from South America!

Never needed scope tags until today. Could not figure out the difference with a scope tag and a device filter. This video made my misunderstanding super clear. In a nutshell, scope tags are the filters for the RBAC roles. Excellent video. thank you.

great video with clear explanation

Very nice explaination. Thank you for this. One thing i noticed in the video that though you have logged in as London admin, in when you go to devices in the overview it still shows count as 2 where as you could see only one device. So it means if there are 100 devices in the environment, Scop Tag of London are there only for 50 devices still in the overview you will see 100 devices which will confuse the London Administrator. This is a bit of concern. Do we have any solution for this?

thanks for you video, i have one question. is it possible to use the same custom role for differents scopes ?

Very nice and clear, as always 🙂

Great video, I will definitely use scope tags. If you create all your end user accounts and add them into security groups and add the scope tags, could you have their auto pilot devices be tagged aswell with whatever scope tag the user was in?

Thanks for the video Harry. I am testing following every step and I had to review it a couple of times. What I understand is that scope tags define what they can see and roles what they can do with those resources. I am trying to figure out why you assigned both London users and London devices group to role and only devices to scope tag. I guess it depens on how you set your organization since everything is contained in groups. But I have seen that scope tags also reflect the assigment of a group of users, right?

Hey! Maybe i didn´t really get it but why did you add the lodon devices to the scope group section? They´re already linked with the scope tag so only the london devices are visible.

Thanks for your video. But I am missing very important thing in the video. How do you create the London device group? In Azure there is not possible to create a dynamic device group that is related to a location. There is no location attribute existing for devices. You can only use the location attribute for user accounts. But if I am not wrong you have to use a device group for scope tags. The only possible way to create the London group is to creat a assignment group and add the device to the group manually. But this is not usable if you have more that 40000 devices. Maybe you can explain how you create the London device group?

Hi harry.. Thanks for the vidoe. But if the user select all groups and he can able to view all the other groups devices. But i wanted to control that and only assigned groups should be able to view. possible?

Is it possible to have two admin roles, each role assigned to differnet scope tags, with different permission levels on each role? The idea being that An admin who is given both of these roles wil have different levels of permissions on each scope tag? I have tried this, but it appears that permissions get messed up across the scope tags. So, on the one scope you should be able to edit, the other scope tag, view only. I have found that it gives full edit permissions across all scope tags.....

It was really Helpful

Nice vid m8. Good content and good flow. This about scope tags during custom role creation really confuses me. What is it for and why would you always leave it on default? If you leave it on default, does it then refer to the default scope tag, which all objects are a part of unless set for another scope tag?

Please correct me, we can not only add User Groups into SCope Tag but also we can add the Users Group, is that correct? so that the Admin can control both, users and as well as Devices of that location.

How do we manage users and application using the same method?

I have a question . I have some issues with intune . If I select some categories like apps or tenant administration I get the error code 403. Then it says no access. Do you know how I can fix this . In intune self or in azure?

Hi, I have use your video to setup intune roles but its not working for anyone other then admin. It just show no permission but I can see users in group and these users are assign to builtin groups e.g. Intune Helpdesk. Any advice as to why its not working