%3CLINGO-SUB%20id%3D%22lingo-sub-1444725%22%20slang%3D%22en-US%22%3ERe%3A%20Role-based%20Access%20Control%20in%20Intune%20%E2%80%93%20Identifying%20Tenant-wide%20and%20Delegated%20Configurations%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1444725%22%20slang%3D%22en-US%22%3E%3CP%3EYes%2C%20it%20nice%20feature.%20Because%20we%20dont%20have%20option%20to%20customize%20the%20roles%20in%20PIM.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1453387%22%20slang%3D%22en-US%22%3ERe%3A%20Role-based%20Access%20Control%20in%20Intune%20%E2%80%93%20Identifying%20Tenant-wide%20and%20Delegated%20Configurations%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1453387%22%20slang%3D%22en-US%22%3E%3CP%3EI%20can%20really%20see%20big%20improvements%20in%20regards%20of%20RBAC.%20However%20I%20unfortunately%20still%20miss%20the%20ability%20to%20separate%20OS%20management%20with%20RBAC%20roles.%3C%2FP%3E%3CP%3EiOS%20Admin%20only%20manages%20iOS%20devices.%20Windows%2010%20Admin%20only%20Windows%2010%20devices.%3C%2FP%3E%3CP%3EToday%2C%20even%20I%20use%20regional%20administration%20and%20maybe%20try%20to%20separate%20OS%20management%20by%20groups%2C%20scope%20tags%20and%20RBAC%20role%20assignments%2C%20it's%20still%20possible%20to%20create%20profile%20I'm%20not%20in%20charge%20of%20and%20assign%20it%20to%20my%20scoped%20groups.%3C%2FP%3E%3CP%3EE.g.%3C%2FP%3E%3CP%3EA%20Win10%20Admin%20can%20create%20an%20iOS%20Profile%20and%20assign%20it%20to%20one%20of%20his%2Fher%20scoped%20user%20groups.%20This%20may%20influence%20users%20in%20case%20they%20have%20both%20device%20types%20enrolled%20-%20Win10%20and%20iOS...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20time%20line%20also%20to%20provide%20also%20this%20functionality%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1460074%22%20slang%3D%22en-US%22%3ERe%3A%20Role-based%20Access%20Control%20in%20Intune%20%E2%80%93%20Identifying%20Tenant-wide%20and%20Delegated%20Configurations%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1460074%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F272138%22%20target%3D%22_blank%22%3E%40ThomasW%3C%2FA%3E%2C%20thanks%20for%20your%20feedback!%20If%20the%20users%20want%20to%20segregate%20roles%20based%20on%20platform%2FOS%2C%20they%20can%20scope%20the%20role%20assignments%20based%20on%20Azure%20Active%20Directory%20device%20groups%20(based%20on%20OS).%20This%20would%20enable%20the%20regional%20admins%20to%20target%20profiles%20only%20to%20device%20groups%20scoped%20to%20a%20specific%20platform.%20Also%2C%20we%20keep%20working%20on%20features%20and%20improvements%20to%20enable%20various%20scenarios%20that%20customers%20are%20looking%20for.%20Keep%20an%20eye%20out%20on%20our%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fintune%2Ffundamentals%2Fin-development%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EIn%20Development%3C%2FA%3E%20and%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fintune%2Ffundamentals%2Fwhats-new%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EWhat's%20new%3C%2FA%3E%20docs%20for%20new%20features%20coming%20to%20Intune.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1441249%22%20slang%3D%22en-US%22%3ERole-based%20Access%20Control%20in%20Intune%20%E2%80%93%20Identifying%20Tenant-wide%20and%20Delegated%20Configurations%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1441249%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EBy%3A%20Pallavi%20Joshi%20%7C%20Program%20Manager%20%7C%20Microsoft%20Endpoint%20Manager%20-%20Intune%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EAn%20increasing%20number%20of%20global%20organizations%20rely%20on%20a%20delegated%20model%20to%20manage%20their%20mobile%20devices%2C%20tablets%20and%20laptops.%20These%20global%20orgs%20have%20multiple%20regions%20and%20a%20single%20global%20tenant%20to%20manage.%20The%20central%20IT%20and%20regional%20admins%20are%20organized%20as%20shown%20in%20the%20figure%20below.%20These%20regional%20admins%20have%20a%20detailed%20understanding%20of%20their%20region%E2%80%99s%20end%20users%20and%20their%20requirements.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22RBAC.png%22%20style%3D%22width%3A%20633px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F196593iB2779E043DC21BFF%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22RBAC.png%22%20alt%3D%22RBAC.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EIn%20this%20model%2C%20the%20Central%20IT%20team%20needs%20to%20perform%20certain%20configurations%20to%20setup%20the%20tenant%20for%20regional%20admins.%20These%20central%20configurations%20are%20global%20and%20impact%20the%20entire%20tenant%20(and%20all%20the%20regions).%20Once%20these%20configurations%20are%20set%2C%20the%20regional%20admins%20can%20start%20managing%20users%2C%20devices%20and%20apps%20for%20their%20regions.%20The%20central%20IT%20team%2C%20which%20has%20complete%20admin%20access%2C%20needs%20to%20clearly%20identify%20these%20configurations%20and%20provide%20the%20right%20level%20of%20access%20to%20regional%20admins%20to%20enable%20them%20to%20perform%20management%20activities%20for%20their%20region.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20Intune%2C%20there%20are%20a%20set%20of%20configurations%20that%20impact%20the%20entire%20tenant%20and%20hence%20need%20to%20be%20done%20by%20the%20Central%20IT%20team.%20Besides%20that%2C%20there%20are%20other%20configurations%20which%20can%20be%20delegated%20to%20region%20admins%20using%20scope%20tags.%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fintune%2Ffundamentals%2Frole-based-access-control%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3ERole-based%20access%20control%3C%2FA%3E%20and%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fintune%2Ffundamentals%2Fscope-tags%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Escope%20tags%3C%2FA%3E%20allow%20the%20regional%20admins%20to%20define%20configurations%2C%20apps%20and%20policies%20and%20assign%20them%20to%20users%20of%20their%20region%20and%20not%20touch%20entities%20of%20other%20regions.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20blog%20is%20focused%20on%20identifying%20these%20configurations%20in%20Intune%20%E2%80%93%20those%20that%20are%20centralized%20and%20have%20tenant-wide%20impact%2C%20those%20that%20need%20to%20be%20managed%20by%20Central%20IT%20team%20and%20those%20that%20can%20be%20delegated%20using%20scope%20tags.%20This%20would%20enable%20Central%20IT%20teams%20to%20setup%20the%20configurations%20in%20Intune%20and%20enable%20regional%20admins%20to%20manage%20their%20regions%20independently.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ETenant-wide%20configurations%20in%20Intune%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EHere%E2%80%99s%20the%20list%20of%20global%20settings%20that%20have%20a%20tenant-wide%20impact%20in%20Intune%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EMDM%20Authority%3C%2FLI%3E%0A%3CLI%3EApple%20MDM%20Push%20Certificate%3C%2FLI%3E%0A%3CLI%3EManaged%20Google%20Play%20account%3C%2FLI%3E%0A%3CLI%3EWindows%20Hello%20for%20Business%3C%2FLI%3E%0A%3CLI%3EWindows%20Automatic%20Enrollment%20%E2%80%93%20MDM%20and%20MAM%20user%20scope%3C%2FLI%3E%0A%3CLI%3EMicrosoft%20Store%20for%20Business%3C%2FLI%3E%0A%3CLI%3EAndroid%20Enterprise%20%E2%80%93%20Corporate%20owned%20fully%20managed%20enrollment%3C%2FLI%3E%0A%3CLI%3EApp%20Categories%3C%2FLI%3E%0A%3CLI%3EDevice%20Cleanup%20Rules%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%3EOnce%20these%20configurations%20are%20set%2C%20Central%20IT%20can%20define%20roles%20and%20permissions%20for%20regional%20admins.%20They%20can%20use%20either%20one%20of%20the%20%5B%23%24dp17%5Dbuilt-in%20roles%2C%20or%20create%20a%20-ERR%3AREF-NOT-FOUND-%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fintune%2Ffundamentals%2Fcreate-custom-role%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ecustom%20role%3C%2FA%3E%20as%20follows%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ERole%20Name%20%E2%80%93%20Region%20Admin%3C%2FLI%3E%0A%3CLI%3EPermissions%20%E2%80%93%20As%20per%20requirements%2C%20using%20the%20long%20set%20of%20toggles%3C%2FLI%3E%0A%3CLI%3EAssignments%20%E2%80%93%20One%20assignment%20per%20region%20can%20be%20created%3A%3CUL%3E%0A%3CLI%3EAssignment%20Name%20%E2%80%93%20Region%201%20assignment%3C%2FLI%3E%0A%3CLI%3EMembers%20%E2%80%93%20Region%201%20admin%20group%3C%2FLI%3E%0A%3CLI%3EScope%20(Groups)%20%E2%80%93%20Region%201%20user%20group%3C%2FLI%3E%0A%3CLI%3EScope%20Tags%20%E2%80%93%20Region%201%20scope%20tag%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%3EThe%20role%20definition%20and%20permissions%20allow%20the%20region%20admins%20to%20perform%20management%20of%20devices%2C%20apps%20and%20define%20relevant%20configurations%20for%20their%20regions.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EConfigurations%20to%20be%20set%20by%20Central%20IT%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThis%20section%20contains%20list%20of%20configurations%20that%20do%20not%20have%20a%20tenant-wide%20impact%2C%20since%20they%20can%20have%20multiple%20instances%20and%20can%20be%20assigned%20to%20various%20groups%20e.g.%20multiple%20Apple%20Configurator%20profiles%20can%20be%20created%20in%20Intune%20and%20each%20profile%20can%20be%20assigned%20to%20groups%20of%20a%20specific%20region%2C%20if%20required.%20These%20configurations%20need%20to%20be%20set%20by%20the%20Central%20IT%20team.%20These%20configurations%20can%20also%20be%20set%20by%20regional%20admins%2C%20as%20they%20will%20have%20visibility%20of%20all%20the%20instances%20of%20these%20configurations%20and%20their%20access%20can%20be%20limited%20to%20user%20or%20device%20groups%20of%20their%20regions.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EApple%20User%20enrollment%3C%2FLI%3E%0A%3CLI%3EApple%20Configurator%20profiles%3C%2FLI%3E%0A%3CLI%3EEnrollment%20Status%20Page%3C%2FLI%3E%0A%3CLI%3EIntune%20Company%20Portal%20-%20Branding%20and%20Customization%3C%2FLI%3E%0A%3CLI%3EConditional%20Access%20%E2%80%93%20Requires%20Azure%20Active%20Directory%20permissions%3C%2FLI%3E%0A%3CLI%3ECustom%20notifications%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSTRONG%3E%3CBR%20%2F%3EConfigurations%20to%20be%20set%20by%20regional%20admins%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThe%20following%20configurations%20can%20be%20completely%20delegated%20to%20regional%20admins%20using%20role-based%20access%20control%20and%20scope%20tags%20in%20Intune.%20Using%20scope%20tags%2C%20regional%20admins%20can%20create%20their%20own%20configurations%2C%20assign%20them%20to%20user%20or%20device%20groups%20of%20their%20regions%20and%20not%20be%20able%20to%20view%20or%20assign%20these%20configurations%20to%20other%20regions.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EApple%E2%80%99s%20Automated%20Device%20Enrollment%3C%2FLI%3E%0A%3CLI%3EAndroid%20Enterprise%20-%20Corporate%20Owned%20Dedicated%20Devices%3C%2FLI%3E%0A%3CLI%3EAutopilot%20Profile%3C%2FLI%3E%0A%3CLI%3EDevice%20Categories%3C%2FLI%3E%0A%3CLI%3EDevice%20Management%3C%2FLI%3E%0A%3CLI%3EApp%20Management%3C%2FLI%3E%0A%3CLI%3EDevice%20Compliance%20Policies%3C%2FLI%3E%0A%3CLI%3EDevice%20Configuration%20Profiles%3C%2FLI%3E%0A%3CLI%3EApp%20Configuration%20Policies%3C%2FLI%3E%0A%3CLI%3EApp%20Protection%20Policies%3C%2FLI%3E%0A%3CLI%3EiOS%20App%20Provisioning%20Profiles%3C%2FLI%3E%0A%3CLI%3EApple%20VPP%20tokens%3C%2FLI%3E%0A%3CLI%3EPolicy%20Sets%3C%2FLI%3E%0A%3CLI%3ERole%20based%20access%20control%20and%20scope%20tags%3C%2FLI%3E%0A%3CLI%3ESecurity%20Baselines%3C%2FLI%3E%0A%3CLI%3ETerms%20and%20Conditions%3C%2FLI%3E%0A%3CLI%3EUpdate%20policies%20for%20iOS%2FiPadOS%3C%2FLI%3E%0A%3CLI%3EWindows%2010%20update%20rings%3C%2FLI%3E%0A%3CLI%3EEnrollment%20restrictions%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%3EWe%20hope%20this%20identification%20of%20what%20to%20centralize%20and%20what%20to%20delegate%20helps%20you%20in%20defining%20relevant%20configurations%20in%20Intune%20and%20enabling%20the%20global%20and%20regional%20admins%20towards%20a%20successful%20deployment%20path.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20have%20any%20questions%20on%20this%20post%2C%20just%20let%20us%20know%20by%20commenting%20back%20You%20can%20also%20ask%20quick%20questions%20at%20-ERR%3AREF-NOT-FOUND-%40IntuneSuppTeam%26nbsp%3Bout%20on%20Twitter.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EBlog%20post%20updates%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E6%2F17%2F20%3A%20Formatting%20fix%2C%20and%20an%20update%26nbsp%3Bto%20include%20-ERR%3AREF-NOT-FOUND-scope%20tag%20support%20for%20enrollment%20restrictions.%3C%2FLI%3E%0A%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1441249%22%20slang%3D%22en-US%22%3E%3CP%3ERead%20this%20post%20to%20learn%20more%20about%20identifying%20Tenant-wide%20and%20Delegated%20Configurations%20with%20Role-based%20Access%20Control%20in%20Intune.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1441249%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMEM%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ERBAC%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ERole-based%20Access%20Control%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EScope%20tags%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E

By: Pallavi Joshi | Program Manager | Microsoft Endpoint Manager - Intune

 

An increasing number of global organizations rely on a delegated model to manage their mobile devices, tablets and laptops. These global orgs have multiple regions and a single global tenant to manage. The central IT and regional admins are organized as shown in the figure below. These regional admins have a detailed understanding of their region’s end users and their requirements.

RBAC.png

In this model, the Central IT team needs to perform certain configurations to setup the tenant for regional admins. These central configurations are global and impact the entire tenant (and all the regions). Once these configurations are set, the regional admins can start managing users, devices and apps for their regions. The central IT team, which has complete admin access, needs to clearly identify these configurations and provide the right level of access to regional admins to enable them to perform management activities for their region.

 

In Intune, there are a set of configurations that impact the entire tenant and hence need to be done by the Central IT team. Besides that, there are other configurations which can be delegated to region admins using scope tags. Role-based access control and scope tags allow the regional admins to define configurations, apps and policies and assign them to users of their region and not touch entities of other regions.

 

This blog is focused on identifying these configurations in Intune – those that are centralized and have tenant-wide impact, those that need to be managed by Central IT team and those that can be delegated using scope tags. This would enable Central IT teams to setup the configurations in Intune and enable regional admins to manage their regions independently.

 

Tenant-wide configurations in Intune

Here’s the list of global settings that have a tenant-wide impact in Intune:

  • MDM Authority
  • Apple MDM Push Certificate
  • Managed Google Play account
  • Windows Hello for Business
  • Windows Automatic Enrollment – MDM and MAM user scope
  • Microsoft Store for Business
  • Android Enterprise – Corporate owned fully managed enrollment
  • App Categories
  • Device Cleanup Rules

Once these configurations are set, Central IT can define roles and permissions for regional admins. They can use either one of the built-in roles, or create a custom role as follows:

  • Role Name – Region Admin
  • Permissions – As per requirements, using the long set of toggles
  • Assignments – One assignment per region can be created:
    • Assignment Name – Region 1 assignment
    • Members – Region 1 admin group
    • Scope (Groups) – Region 1 user group
    • Scope Tags – Region 1 scope tag

The role definition and permissions allow the region admins to perform management of devices, apps and define relevant configurations for their regions.

 

Configurations to be set by Central IT

This section contains list of configurations that do not have a tenant-wide impact, since they can have multiple instances and can be assigned to various groups e.g. multiple Apple Configurator profiles can be created in Intune and each profile can be assigned to groups of a specific region, if required. These configurations need to be set by the Central IT team. These configurations can also be set by regional admins, as they will have visibility of all the instances of these configurations and their access can be limited to user or device groups of their regions.

  • Apple User enrollment
  • Apple Configurator profiles
  • Enrollment Status Page
  • Intune Company Portal - Branding and Customization
  • Conditional Access – Requires Azure Active Directory permissions
  • Custom notifications


Configurations to be set by regional admins

The following configurations can be completely delegated to regional admins using role-based access control and scope tags in Intune. Using scope tags, regional admins can create their own configurations, assign them to user or device groups of their regions and not be able to view or assign these configurations to other regions.

  • Apple’s Automated Device Enrollment
  • Android Enterprise - Corporate Owned Dedicated Devices
  • Autopilot Profile
  • Device Categories
  • Device Management
  • App Management
  • Device Compliance Policies
  • Device Configuration Profiles
  • App Configuration Policies
  • App Protection Policies
  • iOS App Provisioning Profiles
  • Apple VPP tokens
  • Policy Sets
  • Role based access control and scope tags
  • Security Baselines
  • Terms and Conditions
  • Update policies for iOS/iPadOS
  • Windows 10 update rings
  • Enrollment restrictions

We hope this identification of what to centralize and what to delegate helps you in defining relevant configurations in Intune and enabling the global and regional admins towards a successful deployment path.

 

If you have any questions on this post, just let us know by commenting back You can also ask quick questions at @IntuneSuppTeam out on Twitter.

 

Blog post updates:

3 Comments
Senior Member

Yes, it nice feature. Because we dont have option to customize the roles in PIM.

Senior Member

I can really see big improvements in regards of RBAC. However I unfortunately still miss the ability to separate OS management with RBAC roles.

iOS Admin only manages iOS devices. Windows 10 Admin only Windows 10 devices.

Today, even I use regional administration and maybe try to separate OS management by groups, scope tags and RBAC role assignments, it's still possible to create profile I'm not in charge of and assign it to my scoped groups.

E.g.

A Win10 Admin can create an iOS Profile and assign it to one of his/her scoped user groups. This may influence users in case they have both device types enrolled - Win10 and iOS...

 

Any time line also to provide also this functionality?

 

Hi @ThomasW, thanks for your feedback! If the users want to segregate roles based on platform/OS, they can scope the role assignments based on Azure Active Directory device groups (based on OS). This would enable the regional admins to target profiles only to device groups scoped to a specific platform. Also, we keep working on features and improvements to enable various scenarios that customers are looking for. Keep an eye out on our In Development and What's new docs for new features coming to Intune.