Deep dive into Role Based Access Control (RBAC) in Intune

Published Sep 20 2020 01:08 PM 5,105 Views
Subject Matter Experts:
Do you have regional IT teams that work independently? This session talks about Role-based Access Control (RBAC), scope tags and how to use them in real world scenarios. Build delegated admin model and identify Intune configurations that impact all the users. Use RBAC to enable security, productivity and scalability in your org.
Senior Member

@Pallavi_Joshi I want to give admins that are scoped to certain devices the right to delete those devices.

Although when I apply Manged devices-->delete yes, this give that role the option to delete devices, but it also gives access to "set device clean up rules" for the whole tenant. Can the "device clean-up rules" be denied in some way?? 

Occasional Visitor

@Pallavi_Joshi What is the best way to dynamically add computers to Azure Device Groups that can be assigned to a scope tag.  At our University we have two Configuration Manager Sites that will joined to one tenant and are currently unsure if we can dynamically assign one Configuration Manager Site systems two one dynamic group and the other Configuration Manager Site systems to another dynamic group assigned to their own scope tags for RBAC permissions.

Senior Member

@Tim_Wolf you have you tried making a dynamic group with organizational unit? or you could try display name if you have a naming convention for both sites.

(device.displayName -contains "Site1-computer1") or (device.organizationalUnit -contains "OU=1stfloor")


Occasional Visitor

@hotdogh2o thanks.  we can use the second query.  Does that show up once a system is co-managed?


@hotdogh2o Thanks for going through the video and posting the query. As you mentioned, the configuring of device cleanup rules should be allowed only to specific admins given their tenant-wide impact. Let me check if there are specific permissions for allowing/blocking its configuration.

Senior Member

@Pallavi_Joshi where you able to reproduce the same results in a test tenant when giving a user delete permissions on devices? 

Occasional Contributor

@Tim_Wolf - If you enable tenant attach in the ConfigMgr site, you can enable cloud sync for a collection. This will allow you to sync all hybrid-aad joined devices in that collection into an AAD security group. You can then assign an Intune scope tag to that security group.

Regular Visitor

@Pallavi_Joshi : Hello,


thank for the video. Is there also a video available, how to create the mentioned dynamic device groups?

I don't know how to create a device group that show e.g. all german iOS devices or all device of finance. This is not described in your video. I can just filter in dynamic USER groups for regional settings as e.g. Germany. I need a group that includes all devices of users that are located in a specific location e.g. Berlin. How can I make that?

The filter with the organizational units isn't working either for me, because in Azure there is just a flat structure available without OUs. So how do I find out in which OUs are e.g. iOS devices?



@Martin_Reisinger There are various ways to create device groups to identify a user's device:


  • You can create dynamic device groups based on enrolment profile name or device categories. In case of device categories, you can create separate categories for each region, and users would be expected to select the category using Company Portal. The device would then get added to the relevant group based on category selected. This group can be added to a scope tag directly. This relies on end user selecting the right device category for their region. More information about device category here - Categorize devices into groups in Intune - Microsoft Intune | Microsoft Docs
  • You can use a PowerShell script to identify a user’s devices and add them to a device group. Here’s the link - scripts/Apply Device Scope Tag Script.pdf at master · scottbreenmsft/scripts · GitHub to sample PowerShell script to add devices to groups based on user group membership. It also has an example and link to Azure Automate in case it needs to be scheduled. Once the device group has list of user’s devices from the relevant region, it can be associated to the scope tag.

    I hope this helps.
Regular Visitor

@Pallavi_Joshi: Hello,


thank you very much for your fast reply.

Unfortunately that helps not much. We have appr. 500 locations. It isn't practical to create 500 categories to assign them to scope tags. Furthermore it is not user-friendly if a user have to scroll through a list of 500 entries while the enrollment. Users are making mistakes. We cannot ensure that the user will choose the correct location.
Due to the script you mentioned: We are a global player with over 200.000 user objects and appr. 40.000 devices. How long will the script take to go through all user accounts and devices to collect them in a device group? Furthermore in the Azure there are also many ghost device entries, that we don't want to be a member in those device groups.


1. The information of the location is available in the Active Directory. Why is it not possible to grap such information from it?

2. Could you please describe how did you create all german devices in your example? As I know the filter "usageLocation" is only available for user objects.



Thanks in advance



@Martin_Reisinger  Hi, you can do a full run of the script once a day/week and then have a separate version that runs more frequently based on the enrolment date being between now and the last time the script ran to optimize the script. 


Please feel free to suggest your ideas around usageLocation querying on user voice - Azure Active Directory: Groups/Dynamic groups (109 ideas) – Customer Feedback for ACE Community Tool...



Version history
Last update:
‎Oct 04 2021 05:14 PM
Updated by:

Session Resources