
Dynamic Device Groups and Scope Tags


I have an interesting requirement, and wondered if someone could clear something up for me. I am working with a very large client (130,000+ users) who are using scope tags extensively to delegate permissions to various OUs. Each OU has its own ABM, MGP and KME instances for iOS and Android, and scope tags are applied to automatically enrolled devices according to which tag is set in the connectors / tokens. Scope tags are also applied using device categories, but these obviously don't get applied until a user enrolls through Company Portal and selects the relevant category.

I need to create policies and configurations that apply to devices immediately after they register, but before they're user enrolled, and they must apply only to a specific OU's devices, not all devices in the tenant.

From everything I've read, scope tags cannot be used as a mechanism to assign policies to devices. And I would agree from my experience that this is true, that scope tags "alone" can't be used to assign policies. My question is, if I have a policy which is assigned to all devices, but it has a specific scope tag attached to it, will that policy only be applied to devices that have a matching tag? All the literature points to scope tags being only relevant to RBAC. But, this being the case, what is to stop a user in one OU creating an all devices policy which then impacts all other OUs?


Edit: I have a supplementary question. Does anyone know if it's possible to use scope tags in dynamic group filter expressions? I see that the device object class has a systemLabels attribute, but it's not clear from the documentation whether this contains the devices' scope tags.


Thank you.

1 Reply
To answer your first question:

Scope tags are only for RBAC, they don't do anything for policy assignments.

So if you assign a tag to a policy but assign the policy to all devices, all devices will receive it; the tag will not have an impact on this.

I cannot answer your question concerning the dynamic groups. I would advise you to utilize the Graph Explorer to check out the properties of a device. That way, you can check what values 'SystemLabels' has.
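An added example (not from the thread or from Microsoft) that does the check the reply suggests offline: it walks constructed pages shaped like the Graph response to `GET /v1.0/devices?$select=id,displayName,systemLabels`, tallies which systemLabels values occur, and previews which devices a multi-valued dynamic rule on that attribute would match. The sample devices, label values and the dynamic-rule syntax in the comment are assumptions for illustration; whether a tenant's systemLabels ever contains scope tags is what the real query has to establish.

```python
"""Inspect the systemLabels collection on Entra ID device objects.

Offline processing of JSON shaped like the Microsoft Graph response to
GET /v1.0/devices?$select=id,displayName,systemLabels. The pages below are
CONSTRUCTED sample data, not output from any real tenant; which values a
tenant actually populates in systemLabels is exactly what must be checked.
"""
from collections import Counter

# Constructed sample: two Graph result pages linked by @odata.nextLink.
SAMPLE_PAGES = [
    {
        "@odata.nextLink": "https://graph.microsoft.com/v1.0/devices?$skiptoken=PLACEHOLDER",
        "value": [
            {"id": "dev-1", "displayName": "IPAD-OU1-001", "systemLabels": ["LabelA"]},
            {"id": "dev-2", "displayName": "PIXEL-OU2-001", "systemLabels": []},
        ],
    },
    {
        "value": [
            {"id": "dev-3", "displayName": "IPAD-OU1-002", "systemLabels": ["LabelA", "LabelB"]},
        ],
    },
]


def iter_devices(pages):
    """Yield device objects across pages. A live client would GET each
    @odata.nextLink in turn; here the pages are already in memory."""
    for page in pages:
        yield from page.get("value", [])


def summarize_system_labels(pages):
    """Return (label -> device count, ids of devices with no labels at all)."""
    counts, unlabeled = Counter(), []
    for dev in iter_devices(pages):
        labels = dev.get("systemLabels") or []
        counts.update(labels)
        if not labels:
            unlabeled.append(dev["id"])
    return dict(counts), unlabeled


def preview_rule_members(pages, label):
    """Devices an assumed dynamic membership rule of the form
    (device.systemLabels -any (_ -eq "<label>")) would select, evaluated locally."""
    return sorted(d["displayName"] for d in iter_devices(pages)
                  if label in (d.get("systemLabels") or []))


if __name__ == "__main__":
    counts, unlabeled = summarize_system_labels(SAMPLE_PAGES)
    print("label counts:", counts, "| empty systemLabels:", unlabeled)
    print("rule preview for LabelA:", preview_rule_members(SAMPLE_PAGES, "LabelA"))
```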