Forum Discussion
Limit visibility of local IT support on Sites
Hi wienero,
It sounds like you're facing a challenge with limiting the visibility of local IT support across your websites, especially when it comes to users and groups in an Intune/MECM co-managed environment. Here are some ideas and solutions that might help you manage this:
1. **Using RBAC (Role-Based Access Control) in Intune:**
- **Create custom roles:** In Intune, you can create custom roles with specific permissions. For example, you can create a role that restricts access to certain users or groups, so that local IT support can only see and manage the devices and users relevant to their location.
- **Assign roles to groups:** Create groups in Azure AD that represent each local IT support team and then assign the custom roles to these groups. This limits their visibility and access to only the devices and users associated with their location.
2. **Using Azure AD Groups to Filter Visibility:**
- **Create dynamic groups:** Use dynamic groups in Azure AD based on attributes like location or department. These groups can then be used to filter which devices and users should be visible to each local IT support team.
- **Assign rights based on group membership:** By using these groups, you can assign rights and limit the visibility of local IT support to only the devices and users included in their specific group.
3. **Using Scope Tags in Intune:**
- **Create Scope Tags:** Scope Tags in Intune can be used to limit the visibility of various objects (such as devices, users, and groups) to certain users or groups. You can create Scope Tags for each local IT support team and assign these to relevant devices and users.
- **Assign Scope Tags to roles:** Once you've created Scope Tags, you can assign them to the custom roles you created earlier. This ensures that each local IT support team only sees the objects associated with their Scope Tag.
### Summary:
By combining RBAC, Azure AD groups, Scope Tags, and MECM Boundaries, you should be able to effectively limit the visibility of local IT support. It's also important to have clear policies and training to ensure these restrictions are followed correctly.
If you need further assistance or have more questions, feel free to ask!
Good luck!
Ankido
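
Added example, not part of the post above and not Microsoft code: a small Python model of the scope-tag approach from point 3, used to check a planned tagging scheme for gaps before it is rolled out. The site names, device names and admin groups are constructed, and the model assumes only the documented scope-tag behaviour (an admin sees an object when it shares a scope tag with the admin's role assignment, and objects with no other tag carry the built-in `Default` tag); it does not model the Scope (Groups) setting of a role assignment.

```python
# Simplified model of Intune scope-tag visibility (added example, constructed data).
DEFAULT_TAG = "Default"  # Intune puts this tag on objects that have no other scope tag

# Constructed inventory: device name -> scope tags on the device
DEVICES = {
    "BER-LT-001": {"Site-Berlin"},
    "BER-LT-002": {"Site-Berlin"},
    "OSL-LT-001": {"Site-Oslo"},
    "OSL-LT-002": {DEFAULT_TAG},                 # never tagged after enrollment
    "HQ-SRV-001": {"Site-Berlin", "Site-Oslo"},  # shared device, tagged twice
}

# Constructed role assignments: admin group -> scope tags on its role assignment
ASSIGNMENTS = {
    "IT-Support-Berlin": {"Site-Berlin"},
    "IT-Support-Oslo": {"Site-Oslo", DEFAULT_TAG},  # over-broad: includes Default
}


def visible_devices(admin_group, assignments=ASSIGNMENTS, devices=DEVICES):
    """Devices an admin group can see: any device sharing a tag with the assignment."""
    tags = assignments.get(admin_group, set())
    return sorted(name for name, dev_tags in devices.items() if dev_tags & tags)


def audit(assignments=ASSIGNMENTS, devices=DEVICES):
    """Return findings that break per-site isolation."""
    findings = []
    for group, tags in sorted(assignments.items()):
        if DEFAULT_TAG in tags:
            # This team sees every object that was never given a site tag.
            findings.append(("default-tag-on-assignment", group))
    for name, dev_tags in sorted(devices.items()):
        if dev_tags == {DEFAULT_TAG}:
            findings.append(("untagged-device", name))
        viewers = [g for g, t in sorted(assignments.items()) if t & dev_tags]
        if len(viewers) > 1:
            findings.append(("visible-to-multiple-teams", name))
    return findings


if __name__ == "__main__":
    for group in ASSIGNMENTS:
        print(group, "->", visible_devices(group))
    for finding in audit():
        print("FINDING:", *finding)
```

The same three checks can be run against a real export of devices and role assignments by replacing the two constructed dictionaries.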