Scope tags & apps

Iron Contributor


I was testing some configurations with scope tags and apps.

The setup is straight forward, I have 3 scope tags based upon security groups containing the devices to represent a region.

Prior to starting with the scope tags, there were already apps imported (Managed Google Play & Apple App Store). These are all assigned to the default scope tag.

Now when I'm logged as a delegated admin which only has permissions to add apps for a region, defined by the scope, I cannot see these apps which is expected because it's not shown (assigned) for that scope (region). When I want to add one of these apps that are already imported, I see 2 different scenarios:

  • Import from Apple App Store: The app is imported in this scope and can be assigned. With the Intune Admin I see 2 instances of the app, one for the default scope and one for the regional scope. This is not blocking but confusing...
  • Import from Managed Google Play: As the app is already approved, there is no way to continue. For the regional admin/operator there is nothing available to import the app again, as the interface does not allow you to do anything. This is very confusing (and annoying) as the regional operator does not have any way to set any assignment for the app for the scope of devices.

I've been thinking about some workarounds for this:

  • creating a process around this, but that doesn't resolve the confusing issue for managed Google Play apps
  • creating a delegation app admin which includes all the scopes so that at least the regional admins can see the apps. This isn't perfect either in my opinion as it would conflict somewhat with the scoped setup.

Has anyone ever come across such a use case or would like to share any thoughts on this?




2 Replies
best response confirmed by bthomas (Iron Contributor)
You raise a very valid point and for the Managed Google Play store, I don't think there is currently a way around it.

I would recommend that a 'delegated admin' doesn't add any apps from the Managed Google Play Store, but instead requests it from a global IT admin who oversees the Intune environment.
This ensures that one person still has the overview

@Thijs Lecomte Thanks for your insights!

I was thinking along the same path in regards for adding apps as there is no technical option to implement this otherwise.


I also noticed that when importing a new app from Managed Google Play by a delegated admin in the scope, that this app is assigned the default scope tag and is only visible by the Intune admin.


I'm also playing with the app assignment for iOS, because even though it's possible to import the app again in the delegated scope and getting 2 instances in the Intune admin view, it isn't clear to me what the result would be when the assignment in required enforced by the global/Intune admin vs assignment by the delegated admin. For the first results it looks like the assignment from the delegated admin has higher precedence, but I haven't tested all the scenario's yet...