Microsoft Intune Role Based Access Control (RBAC) and Scope Tags

  • Published: 17 Oct 2024

Comments • 29

  • @HarryLowtonIT  3 years ago +3

    I hope this video helps you understand role-based access control and Scope Tags. Let's chat in the comments!! 💬
    ⏱️ Timestamps:
    0:00 Intro
    1:52 Admin demo - Microsoft Intune Role-Based Access Control (RBAC) and Scope Tags
    13:38 End-user (Help Desk) demo - Microsoft Intune Role-Based Access Control (RBAC) and Scope Tags
    17:26 Outro

    • @HarryLowtonIT  3 years ago

      @1stCube The first step is for a Teams Admin to create a new or modify an update policy and turn on Show preview features.
      Then users can individually turn on preview features in their Teams client.
      docs.microsoft.com/en-us/microsoftteams/public-preview-doc-updates
      Set out of office in Teams:
      support.microsoft.com/en-us/office/schedule-an-out-of-office-status-in-teams-e3ce705a-cc43-4f7d-9418-0642ec5f6bd8

  • @Aroused_Pineapple 2 years ago +2

    You're a good teacher. Studying for my MD-101 and had a little trouble understanding just this concept and you cleared it up while I had a cup of coffee. Thanks.

    • @HarryLowtonIT  2 years ago

      Thank you so much! I'm glad this video helped you get a grip of the concept of RBAC.

  • @matthewdillon1210 5 months ago +1

    Never needed scope tags until today. Could not figure out the difference with a scope tag and a device filter. This video made my misunderstanding super clear. In a nutshell, scope tags are the filters for the RBAC roles. Excellent video. Thank you.

  • @JoseCobo-m8z 1 month ago +1

    Many thanks, Harry! Greetings from South America!

  • @AbhishekYadav-db7bl 3 years ago +4

    Very nice explanation. Thank you for this. One thing I noticed in the video is that though you have logged in as London admin, when you go to devices, in the overview it still shows the count as 2 whereas you could see only one device. So it means if there are 100 devices in the environment and the Scope Tag of London is there only for 50 devices, still in the overview you will see 100 devices, which will confuse the London Administrator.
    This is a bit of concern. Do we have any solution for this?

    • @HarryLowtonIT  3 years ago

      Thank you so much. I am glad it was helpful! That is a fantastic question I will have to do some research on that concern.

  • @martinreisinger4143 2 years ago +3

    Thanks for your video. But I am missing a very important thing in the video. How do you create the London device group? In Azure it is not possible to create a dynamic device group that is related to a location. There is no location attribute existing for devices. You can only use the location attribute for user accounts. But if I am not wrong you have to use a device group for scope tags. The only possible way to create the London group is to create an assignment group and add the device to the group manually. But this is not usable if you have more than 40000 devices. Maybe you can explain how you create the London device group?

    • @groovieXL 2 years ago

      This is a case that I am pondering as well - what would be the best practice for creating a "Location-based DEVICE group" and have it automatically filter down if the user is assigned to a User Group that is already location based?

  • @borjagomezvillar2982 3 years ago +1

    Thanks for the video Harry. I am testing following every step and I had to review it a couple of times. What I understand is that scope tags define what they can see and roles what they can do with those resources. I am trying to figure out why you assigned both London users and London devices group to role and only devices to scope tag. I guess it depends on how you set your organization since everything is contained in groups. But I have seen that scope tags also reflect the assignment of a group of users, right?

  • @Lewis01Brown 3 years ago +1

    Great video, I will definitely use scope tags. If you create all your end user accounts and add them into security groups and add the scope tags, could you have their auto pilot devices be tagged as well with whatever scope tag the user was in?

  • @doatrailer 2 years ago

    Thanks for your video, I have one question. Is it possible to use the same custom role for different scopes?

  • @AndyBDrone 10 months ago

    Is it possible to have two admin roles, each role assigned to different scope tags, with different permission levels on each role?
    The idea being that an admin who is given both of these roles will have different levels of permissions on each scope tag?
    I have tried this, but it appears that permissions get messed up across the scope tags. So, on the one scope you should be able to edit, the other scope tag, view only. I have found that it gives full edit permissions across all scope tags.....

  • @Fireflierification 3 years ago

    Nice vid m8. Good content and good flow.
    This about scope tags during custom role creation really confuses me.
    What is it for and why would you always leave it on default?
    If you leave it on default, does it then refer to the default scope tag, which all objects are a part of unless set for another scope tag?

  • @mrkhan4737 9 months ago

    Please correct me, we can not only add User Groups into Scope Tag but also we can add the Users Group, is that correct? So that the admin can control both users as well as devices of that location.

  • @levinvanhoorne 2 years ago

    I have a question. I have some issues with Intune. If I select some categories like apps or tenant administration I get the error code 403. Then it says no access. Do you know how I can fix this? In Intune itself or in Azure?

  • @mmiltenburg 2 years ago +1

    Very nice and clear, as always 🙂

  • @camrronjames3147 2 years ago

    How do we manage users and application using the same method?

  • @sarwanamajid 1 year ago

    Hi, I have used your video to set up Intune roles but it's not working for anyone other than admin. It just shows no permission but I can see users in group and these users are assigned to built-in groups e.g. Intune Helpdesk.
    Any advice as to why it's not working?

    • @Roastedpot 1 year ago

      I'm having the same issue. Are you hybrid joined by chance?

    • @sarwanamajid 1 year ago

      @Roastedpot Yes we are

    • @Roastedpot 1 year ago

      @sarwanamajid So I figured it out. You can't use the default tag, you need anything other than default. I've got a ticket with MS about it right now because that's insane to me, I use SCCM to enroll so there isn't a good way to auto tag devices.

    • @sarwanamajid 1 year ago

      @Roastedpot What do you mean by you can't use default tag? Can you please explain in detail?

    • @Roastedpot 1 year ago

      @sarwanamajid Everything created starts with "Default" as a tag. In the video he replaces that with London. It seems that "Default" can't be used as the Scope Tag; if you create a new tag and set that new one in the scope, the help desk operator will be able to see the item tagged with the new scope. It's problematic for me because I'm going to have to be tagging things manually since there doesn't seem to be a way to auto apply tags without using enrollment profiles.

  • @sagarbargode 1 year ago

    It was really helpful