last edited on 09-24-2020 08:43 AM
@Pallavi_Joshi I want to give admins that are scoped to certain devices the right to delete those devices.
Although when I apply Managed devices --> delete: yes, this gives that role the option to delete devices, but it also gives access to "set device clean up rules" for the whole tenant. Can the "device clean-up rules" be denied in some way?
09-24-2020 12:03 PM
@Pallavi_Joshi What is the best way to dynamically add computers to Azure device groups that can be assigned to a scope tag? At our University we have two Configuration Manager sites that will be joined to one tenant, and we are currently unsure if we can dynamically assign one Configuration Manager site's systems to one dynamic group and the other Configuration Manager site's systems to another dynamic group assigned to their own scope tags for RBAC permissions.
09-24-2020 12:12 PM
@Tim_Wolf have you tried making a dynamic group with organizational unit? Or you could try display name if you have a naming convention for both sites.
(device.displayName -contains "Site1-computer1") or (device.organizationalUnit -contains "OU=1stfloor")
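To see how membership rules like the one above split devices between groups, here is an added example (not part of the thread and not Azure AD's own evaluator): a small Python evaluator for flat dynamic-membership rules (clauses joined by and/or, with and binding tighter than or) run over a constructed set of hybrid-joined device records. The device records, the per-site rules and the case-insensitive comparison are assumptions of this toy; real rules are evaluated server-side by Azure AD and support more operators and nesting. It generalizes the thread's rule to the two-site case, and adds an overlap check, which matters when each group will carry its own scope tag for RBAC and the two admin scopes are meant to stay disjoint.

```python
import re
from typing import Dict, List

# Constructed sample device records (hypothetical; not from the thread).
DEVICES: List[Dict[str, str]] = [
    {"displayName": "Site1-computer1", "organizationalUnit": "OU=1stfloor,OU=Site1,DC=univ,DC=edu"},
    {"displayName": "Site1-computer2", "organizationalUnit": "OU=1stfloor,OU=Site1,DC=univ,DC=edu"},
    {"displayName": "Site2-computer1", "organizationalUnit": "OU=2ndfloor,OU=Site2,DC=univ,DC=edu"},
    {"displayName": "LAB-kiosk7",      "organizationalUnit": "OU=Labs,OU=Site2,DC=univ,DC=edu"},
]

# The rule posted in the thread, plus two assumed per-site rules keyed on the OU path.
THREAD_RULE = '(device.displayName -contains "Site1-computer1") or (device.organizationalUnit -contains "OU=1stfloor")'
SITE1_RULE = '(device.organizationalUnit -contains "OU=Site1")'
SITE2_RULE = '(device.organizationalUnit -contains "OU=Site2")'

# One clause: (device.<property> -<operator> "<value>"); parentheses optional.
CLAUSE_RE = re.compile(r'\(?\s*device\.(\w+)\s+-(\w+)\s+"([^"]*)"\s*\)?')
# Joiners between clauses. Values containing " and "/" or " are not handled by this toy.
JOIN_RE = re.compile(r'\s+(and|or)\s+', re.IGNORECASE)


def _test(prop_value, op: str, value: str) -> bool:
    """Apply one string operator. Case-insensitive comparison is an assumption here."""
    a, b = (prop_value or "").lower(), value.lower()
    op = op.lower()
    if op == "eq":
        return a == b
    if op == "ne":
        return a != b
    if op == "contains":          # substring match, not equality
        return b in a
    if op == "notcontains":
        return b not in a
    if op == "startswith":
        return a.startswith(b)
    if op == "match":             # regular expression
        return re.search(value, prop_value or "", re.IGNORECASE) is not None
    raise ValueError(f"unsupported operator: -{op}")


def matches(rule: str, device: Dict[str, str]) -> bool:
    """Evaluate a flat rule against one device; 'and' groups are OR'ed together."""
    parts = JOIN_RE.split(rule.strip())   # clause, joiner, clause, joiner, ...
    or_groups: List[List[bool]] = [[]]
    for i, part in enumerate(parts):
        if i % 2 == 1:                    # joiner token
            if part.lower() == "or":
                or_groups.append([])
            continue
        m = CLAUSE_RE.fullmatch(part)
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        prop, op, value = m.groups()
        or_groups[-1].append(_test(device.get(prop), op, value))
    return any(all(group) for group in or_groups)


def members(rule: str, devices: List[Dict[str, str]] = DEVICES) -> List[str]:
    """Display names of the devices a rule would pull into the dynamic group."""
    return [d["displayName"] for d in devices if matches(rule, d)]


def overlap(rule_a: str, rule_b: str, devices: List[Dict[str, str]] = DEVICES) -> List[str]:
    """Devices matched by both rules; non-empty means two scope tags would share devices."""
    return [d["displayName"] for d in devices if matches(rule_a, d) and matches(rule_b, d)]


if __name__ == "__main__":
    print("thread rule :", members(THREAD_RULE))
    print("site 1 rule :", members(SITE1_RULE))
    print("site 2 rule :", members(SITE2_RULE))
    print("overlap     :", overlap(SITE1_RULE, SITE2_RULE))
```

Keying the per-site rules on the OU path rather than on a display-name prefix keeps a renamed or non-conforming host (the LAB-kiosk7 record above) in the right site's group, and running the overlap check before attaching scope tags confirms that no device lands in both admin scopes.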
09-24-2020 12:43 PM
@hotdogh2o thanks. We can use the second query. Does that show up once a system is co-managed?
09-28-2020 06:54 AM
@hotdogh2o Thanks for going through the video and posting the query. As you mentioned, the configuring of device cleanup rules should be allowed only to specific admins given their tenant-wide impact. Let me check if there are specific permissions for allowing/blocking its configuration.
10-06-2020 07:21 AM
@Pallavi_Joshi were you able to reproduce the same results in a test tenant when giving a user delete permissions on devices?
10-06-2020 01:38 PM
@Tim_Wolf - If you enable tenant attach in the ConfigMgr site, you can enable cloud sync for a collection. This will allow you to sync all hybrid AAD joined devices in that collection into an AAD security group. You can then assign an Intune scope tag to that security group.