Forum Discussion
Limit visibility of local IT support on Sites
Hello all experts,
Hope you will have a better way to achieve this than we have had. My company has many sites in the country, and every site has a local IT support team. We are in the central IT team that manages the whole Microsoft environment. Our problem is that we have an Intune/MECM co-managed environment and we want to limit the visibility of the local support. We achieved this for devices, but we are not finding a way to do the same for users and groups. We thought about doing this with Intune for Education, but now we see that it doesn't support Android devices (most of our devices). Any idea would be appreciated.
Thanks in advance
2 Replies
- wienero (Copper Contributor)
Thanks for the reply,
We have made a custom role for the locals and scope tags are in place, and AD groups are in place too for all, but the locals still have visibility of all sites (apart from devices). Devices, because of tags, have correctly limited visibility. That's why I asked here, because I'm sure we are overlooking something.
Thanks in advance for the help
- Ankido (Iron Contributor)
Hi wienero,
It sounds like you're facing a challenge with limiting the visibility of local IT support across your websites, especially when it comes to users and groups in an Intune/MECM co-managed environment. Here are some ideas and solutions that might help you manage this:
1. **Using RBAC (Role-Based Access Control) in Intune:**
- **Create custom roles:** In Intune, you can create custom roles with specific permissions. For example, you can create a role that restricts access to certain users or groups, so that local IT support can only see and manage the devices and users relevant to their location.
- **Assign roles to groups:** Create groups in Azure AD that represent each local IT support team and then assign the custom roles to these groups. This limits their visibility and access to only the devices and users associated with their location.
2. **Using Azure AD Groups to Filter Visibility:**
- **Create dynamic groups:** Use dynamic groups in Azure AD based on attributes like location or department. These groups can then be used to filter which devices and users should be visible to each local IT support team.
- **Assign rights based on group membership:** By using these groups, you can assign rights and limit the visibility of local IT support to only the devices and users included in their specific group.
3. **Using Scope Tags in Intune:**
- **Create Scope Tags:** Scope Tags in Intune can be used to limit the visibility of various objects (such as devices, users, and groups) to certain users or groups. You can create Scope Tags for each local IT support team and assign these to relevant devices and users.
- **Assign Scope Tags to roles:** Once you've created Scope Tags, you can assign them to the custom roles you created earlier. This ensures that each local IT support team only sees the objects associated with their Scope Tag.
### Summary:
By combining RBAC, Azure AD groups, Scope Tags, and MECM Boundaries, you should be able to effectively limit the visibility of local IT support. It's also important to have clear policies and training to ensure these restrictions are followed correctly.
If you need further assistance or have more questions, feel free to ask!
Good luck!
Ankido
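Added example (not part of either reply above, and not Microsoft's own sample): the three pieces the thread talks about, a scope tag, a custom role and a role assignment, created per site through Microsoft Graph from PowerShell. The site name, the two Entra group IDs and the permission list are assumptions for illustration; the beta `deviceManagement/roleScopeTags`, `roleDefinitions` and `roleAssignments` endpoints and the `Microsoft.Intune_*` resource action names are the real ones, but verify the action names against the output of the built-in roles in your tenant before relying on them. The check a practitioner wants is in the last step: an assignment's `scopeType` and `scopeMembers` are what bound which users and devices the local team can act on, while `roleScopeTagIds` only filters Intune-managed objects (devices, policies, apps); Entra users and groups carry no scope tag, so a tag by itself never narrows the user list.

```powershell
# Added example: site-scoped Intune RBAC via Microsoft Graph (beta endpoints).
# Requires the Microsoft.Graph.Authentication module (Install-Module Microsoft.Graph.Authentication).
# All IDs and names below are hypothetical placeholders for illustration.
Connect-MgGraph -Scopes "DeviceManagementRBAC.ReadWrite.All" | Out-Null

$graph            = "https://graph.microsoft.com/beta"
$siteName         = "Site-A"                                   # assumed site name
$siteAdminsGroup  = "00000000-0000-0000-0000-000000000001"     # assumed: Entra group of Site-A local IT staff
$siteScopeGroup   = "00000000-0000-0000-0000-000000000002"     # assumed: Entra group of Site-A users and devices

function Invoke-GraphPost {
    # Small helper: POST a hashtable as JSON and return the parsed response.
    param([string]$Path, [hashtable]$Body)
    Invoke-MgGraphRequest -Method POST -Uri "$graph/$Path" `
        -ContentType "application/json" -Body ($Body | ConvertTo-Json -Depth 10)
}

# 1. Scope tag: filters which Intune objects (devices, policies, apps) the role can see.
$tag = Invoke-GraphPost -Path "deviceManagement/roleScopeTags" -Body @{
    displayName = "$siteName-Tag"
    description = "Intune objects owned by $siteName"
}

# 2. Custom role: a deliberately small permission set (read devices, run a few remote actions).
#    Action names are assumed from the built-in Help Desk Operator role; confirm them with:
#    Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleDefinitions?`$filter=isBuiltIn eq true"
$role = Invoke-GraphPost -Path "deviceManagement/roleDefinitions" -Body @{
    "@odata.type" = "#microsoft.graph.deviceAndAppManagementRoleDefinition"
    displayName   = "Local IT - $siteName"
    description   = "Read and remote-action rights for $siteName local support"
    isBuiltIn     = $false
    rolePermissions = @(
        @{ resourceActions = @(
            @{ allowedResourceActions = @(
                "Microsoft.Intune_Organization_Read",
                "Microsoft.Intune_ManagedDevices_Read",
                "Microsoft.Intune_RemoteTasks_SyncDevice",
                "Microsoft.Intune_RemoteTasks_Retire"
            ); notAllowedResourceActions = @() }
        ) }
    )
}

# 3. Role assignment. This is where user/device visibility is actually bounded:
#    - members:      who gets the role (the site's local IT group)
#    - scopeMembers: which users and devices they may act on (resourceScope, not allLicensedUsers)
#    - roleScopeTagIds: which tagged Intune objects they see
$assignment = Invoke-GraphPost -Path "deviceManagement/roleAssignments" -Body @{
    "@odata.type"              = "#microsoft.graph.deviceAndAppManagementRoleAssignment"
    displayName                = "Local IT - $siteName"
    members                    = @($siteAdminsGroup)
    scopeMembers               = @($siteScopeGroup)
    scopeType                  = "resourceScope"
    roleScopeTagIds            = @($tag.id)
    "roleDefinition@odata.bind" = "$graph/deviceManagement/roleDefinitions('$($role.id)')"
}

# 4. Check: list every assignment whose scope is wider than a group. An assignment with
#    scopeType allDevices / allLicensedUsers / allDevicesAndLicensedUsers gives the members
#    reach over the whole tenant regardless of scope tags.
$all = Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleAssignments"
$all.value |
    Where-Object { $_.scopeType -ne "resourceScope" } |
    Select-Object displayName, scopeType, @{ n = "members"; e = { $_.members -join "," } } |
    Format-Table -AutoSize

"Created tag $($tag.id), role $($role.id), assignment $($assignment.id)"
```

If the local team still sees users from every site after this, check the assignment's scope rather than the tags: a second assignment (for example a built-in role assigned to the same group with `allLicensedUsers`, or an Entra directory role such as Helpdesk Administrator) will widen their reach, and Entra directory read permissions are not narrowed by Intune scope tags at all.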