In this part of the Intune Delegation with RBAC guide, I’ll go over the pieces you need. In the first part of this guide, I went over the terminology and concepts, so go back to that if you haven’t already read it. We’ll use those concepts and terms heavily from here on out. For this guide, we’ll be building the scopes shown in the RBAC scheme I outlined in part 1, as shown below:
In case that doesn’t make complete sense, we’ll be creating the parts of the RBAC scheme that are in the Red ovals. As I mentioned in my last post, there are a number of ways to develop the same role. Since we’re just learning here, try to stick to the diagram as we go through this.
1 – RBAC Scope Groups
A scope group holds the devices, users, functions, and other objects that we can assign a scope to. You’ll note that the scope group in the above diagram is the “All Devices Scope Group.” This is fine, but we want to be able to assign the scopes without having to assign each one individually. Ultimately, we’re looking for automation here, so we’re going to create dynamic groups that will add the devices to itself without administrative action.
- First, go to Groups in Intune
- Next, click New Group
- You will see the group creation blade. When that is visible, give the group a name, select the Dynamic Device group type, then click Create.
- A Dynamic Device group will only target Devices, but you should note that for Windows 10 devices it will include all On-prem domain joined computers unless you build the group correctly. We’ll build the Windows 10 group first, so set the following rule.
The reason we build the group like this is to exclude any on-prem domain joined devices. DeviceOSType will equal Windows for all devices enrolled with Intune. The DeviceOSVersion value should start with 10 (unless you want to include Windows 7, 8, and 8.1). The Management Type should also equal MDM. These three requirements will ensure that only devices enrolled through Intune are added to the group. Click save, then click create to build the group. Note: A dynamic group will not have any devices in it until the group creation replicates through Azure AD. That takes up to 30 minutes. Wait at least that long before changing your dynamic rule before changing it, or you’ll be chasing your tail for a while.
- For information, the rules for Android and iOS devices are below (These rules are simpler because iOS and Android cannot be joined to AD):
iOS: device manufacturer -contains “Apple”
Android: deviceOSType -contains “Android”
2 – RBAC Scopes
Once we have Scopes are used to define the objects (and sometimes functions) that will apply to the role. We’ll use the scopes later, but first we have to set them up.
- First, create a new scope in Intune by going to Roles > Scope (Tags) > Create to bring up the blade below. Give the scope a name, then hit Create.
- Create a scope tag for each device type. Just perform step 1 again for each device type.
3 – Assign Scope Tags to Devices
Creating a scope tag is fairly simple, but assigning them is more complicated. Until fairly recently (as of September 2019) tags had to be assigned manually to each device. In small environments, that is find, but in large enterprise organizations, that method made tagging devices a very repetitive, boring, and laborious job. Now, however, we can assign scopes by group. This greatly simplifies the process. Follow the below instructions to assign the Windows 10 Device scope tag to the Windows 10 dynamic group we created.
- Open the scope we created in step 1 and click “Assign scope tag to all devices in selected groups”. Click the group you want to assign the scope tag and it will be added to the list as shown below.
- Click Select to add the group, then click Save on the Scope Tag blade to save the changes. Do the same for Android and iOS devices to assign those scopes to the appropriate devices.
- Once this is done wait 30 minutes, then look at one of the devices in your dynamic device group. Go to Devices, then find one of the devices you want in the list. Open it up, and you should now see one Scope Tag assigned.
Note: Another pitfall you should be aware of here is that adding a scope to a device removes it from the Default scope. That means your normal admin users won’t be able to see the scoped objects. You can fix this by creating a scope meant for all administrators and assign that scope to the All Devices group. You will need an Administrative Role as well.
- Perform this step for the other device types to finish building the three scopes we want.
Once these steps are performed, you’ll be ready to move on to creating the roles you need. I’ll be covering how to do that as well as how to verify that the scope has applied properly in the next post for this series.