NAVANEM
medium · 6 steps · 6 min read · Jun 21, 2026 · 20:31 UTC

Intune Scope Tags: Step-by-Step Setup for Sysadmins

Learn how to create Intune scope tags in 6 steps, assign them to RBAC roles, and isolate admin visibility by department or region in Microsoft Intune.

by Emanuel De Almeida

Figure: Diagram of the Microsoft Intune admin center showing an admin creating scope tags, linking them to RBAC role assignments for specific admin groups, and using those scope tags to restrict which devices, apps and policies are visible to admins based on department or region.

TL;DR

  • Intune scope tags restrict what each admin can see and manage, giving you a clean, auditable delegation model across departments or regions.
  • This guide covers 6 steps: plan your taxonomy, create tags, assign them to roles, tag devices, tag policies, and verify isolation.
  • You need an active Intune subscription, Intune Administrator rights, and pre-built Entra ID security groups before you start.
  • Total setup time for a two-region pilot is under 30 minutes once your planning table is ready.

This guide walks you through creating custom Intune scope tags, assigning them to built-in or custom RBAC roles, and testing visibility isolation so admins in different departments or regions only see the devices and policies they own. The result is a clean, auditable delegation model with no overlap. Microsoft Learn recommends assigning the minimum required permissions for every administrator - and Intune scope tags are the mechanism that enforces that boundary at the resource level.

Prerequisites

  • An active Microsoft Intune subscription with the Microsoft Intune admin center accessible.
  • Your account must hold the Microsoft Entra Intune Administrator role - standard scoped admins cannot create or delete tags from the master list.
  • Existing Entra ID security groups that represent your admin teams (for example, HelpDesk-Bengaluru, HelpDesk-Mumbai).
  • Existing device or user groups that map to each region or department you want to isolate.
  • A clear tag taxonomy planned before you start - tags named after cities, business units, or cost centers work well.

If your team is still building out identity hygiene, the Azure AD Password Writeback: Step-by-Step Setup guide is a good companion read for tightening credential controls before delegating admin scopes.

Step 1: Plan Your Scope Tag Taxonomy

Before touching the admin center, map out exactly which tags you need and which admin groups will consume them. Getting this wrong after deployment means re-tagging every resource, so invest time here. When we configured this in a multi-site tenant, we found that skipping the planning table and going straight to tag creation was the single fastest path to a messy, overlapping permission structure that took days to untangle.

A simple planning table looks like this:

  Scope Tag       Admin Group          Device / User Groups
  Bengaluru       HelpDesk-Bengaluru   Devices-Bengaluru
  Mumbai          HelpDesk-Mumbai      Devices-Mumbai
  Finance-Global  Finance-IT-Admins    Devices-Finance

This table becomes the reference document for every assignment in the steps below. Share it with your team and get sign-off before proceeding. Microsoft Tech Community explicitly advises that privileged roles should not be used for daily administrative tasks - scoped assignments built from a clear taxonomy are how you avoid that anti-pattern.

Step 2: Create a Custom Scope Tag

Tag creation takes fewer than two minutes once your taxonomy is ready, as the Intune scope tags walkthrough by Prajwal Desai confirms. Follow these steps for each tag in your plan:

  1. Open the Microsoft Intune admin center and go to Tenant administration > Roles > Scope Tags.
  2. Click + Create.
  3. On the Basics page, enter a name (for example, Bengaluru) and an optional description.
  4. On the Assignments page, select the device groups that should carry this tag.
  5. Click Review + create, then Create.

Repeat for every tag in your taxonomy. After creation, the admin center shows the full list at Tenant administration > Roles > Scope Tags.

Example tag list after setup:

  - Default        (system, cannot be deleted)
  - Bengaluru      (custom)
  - Mumbai         (custom)
  - Finance-Global (custom)

Step 3: Assign Scope Tags to an Intune Role

A scope tag does nothing until you attach it to a role assignment. You can use a built-in role like Helpdesk Operator or a custom role you created earlier. The steps below use the planning table from Step 1 as the reference.

  1. Go to Tenant administration > Roles > All roles.
  2. Select the target role (for example, Helpdesk Operator) and choose Assignments, then click + Assign.
  3. On the Basics page, provide a descriptive Assignment name - for example, Helpdesk-Bengaluru-Assignment.

Next, configure the groups that define who manages what.

  1. On the Admin Groups page, click Add groups and select the admin group (for example, HelpDesk-Bengaluru). These users will manage the scoped resources.
  2. On the Scope Groups page, choose Add All devices, Add All users, or pick specific groups. This defines which end-user devices and accounts the admins can act on.

Finally, attach the tag and save.

  1. On the Scope tags page, select the matching tag (for example, Bengaluru).
  2. Click Review + create, then Create.

Repeat this entire assignment process for each region or department, creating one assignment per admin group and tag pair. Microsoft Learn notes that Entra RBAC supports over 65 built-in roles, and that limiting roles and scopes reduces what attackers can reach if a credential is ever compromised.
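Steps 1 to 3 repeat the same three admin-center operations for every row of the planning table, which is exactly the kind of work worth scripting once the taxonomy is signed off. The following is an added example, not code from the original article or from Microsoft. It assumes the Microsoft Graph beta resources deviceManagement/roleScopeTags (with its /assign action) and deviceManagement/roleAssignments and the payload shapes shown; the group ids and the Helpdesk Operator role-definition id are constructed placeholders, and the Graph client is injected so the script can be reviewed in dry-run mode before anything touches the tenant.

```python
"""Drive Steps 1 to 3 (plan, create tags, assign them to a role) from the
planning table. Added example; assumes the Graph beta endpoints named below
and uses constructed placeholder ids. Verify payload shapes against the
current Graph reference before pointing this at a tenant."""
from dataclasses import dataclass
from typing import Callable, Dict, List

GRAPH = "https://graph.microsoft.com/beta"


@dataclass(frozen=True)
class PlanRow:
    scope_tag: str
    admin_group: str
    device_group: str


# The planning table from Step 1, one row per tag.
PLAN = [
    PlanRow("Bengaluru", "HelpDesk-Bengaluru", "Devices-Bengaluru"),
    PlanRow("Mumbai", "HelpDesk-Mumbai", "Devices-Mumbai"),
    PlanRow("Finance-Global", "Finance-IT-Admins", "Devices-Finance"),
]

# Constructed Entra group object ids (a real script would look these up).
GROUP_IDS = {
    "HelpDesk-Bengaluru": "11111111-0000-0000-0000-000000000001",
    "HelpDesk-Mumbai": "11111111-0000-0000-0000-000000000002",
    "Finance-IT-Admins": "11111111-0000-0000-0000-000000000003",
    "Devices-Bengaluru": "22222222-0000-0000-0000-000000000001",
    "Devices-Mumbai": "22222222-0000-0000-0000-000000000002",
    "Devices-Finance": "22222222-0000-0000-0000-000000000003",
}
# Placeholder: the Helpdesk Operator role definition id in your tenant.
HELPDESK_ROLE_ID = "<helpdesk-operator-role-definition-id>"


def validate_plan(plan: List[PlanRow]) -> List[str]:
    """Return taxonomy problems; an empty list means the plan is safe to apply.
    One admin or device group feeding two tags is the overlap Step 1 warns
    about: it hands one team visibility into another region's devices."""
    problems, admin_seen, device_seen = [], {}, {}
    for row in plan:
        if row.scope_tag == "Default":
            problems.append("'Default' is system-managed and cannot be created")
        if row.admin_group in admin_seen:
            problems.append(f"{row.admin_group} feeds both "
                            f"{admin_seen[row.admin_group]} and {row.scope_tag}")
        if row.device_group in device_seen:
            problems.append(f"{row.device_group} is tagged by both "
                            f"{device_seen[row.device_group]} and {row.scope_tag}")
        admin_seen.setdefault(row.admin_group, row.scope_tag)
        device_seen.setdefault(row.device_group, row.scope_tag)
    return problems


def provision(plan, group_ids, role_id,
              post: Callable[[str, dict], dict]) -> Dict[str, dict]:
    """Create each tag, bind it to its device group, then create one role
    assignment per admin-group/tag pair. `post(url, body)` is injected so the
    same logic runs against a recorder offline or a real HTTP client."""
    created = {}
    for row in plan:
        tag = post(f"{GRAPH}/deviceManagement/roleScopeTags",
                   {"displayName": row.scope_tag,
                    "description": f"Resources owned by {row.admin_group}"})
        # Step 2, Assignments page: devices in this group carry the tag.
        post(f"{GRAPH}/deviceManagement/roleScopeTags/{tag['id']}/assign",
             {"assignments": [{"target": {
                 "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                 "groupId": group_ids[row.device_group]}}]})
        # Step 3: admin group (members), scope group (resourceScopes), tag.
        assignment = post(f"{GRAPH}/deviceManagement/roleAssignments", {
            "@odata.type": "#microsoft.graph.deviceAndAppManagementRoleAssignment",
            "displayName": f"Helpdesk-{row.scope_tag}-Assignment",
            "roleDefinition@odata.bind":
                f"{GRAPH}/deviceManagement/roleDefinitions/{role_id}",
            "members": [group_ids[row.admin_group]],
            "resourceScopes": [group_ids[row.device_group]],
            "roleScopeTagIds": [tag["id"]],
        })
        created[row.scope_tag] = {"tag_id": tag["id"],
                                  "assignment_id": assignment["id"]}
    return created


class DryRunGraph:
    """Records every call and hands back sequential ids so the plan can be
    reviewed first. Swap in a client that POSTs the body as JSON with a
    bearer token to apply for real."""

    def __init__(self):
        self.calls = []
        self._next_id = 100

    def post(self, url: str, body: dict) -> dict:
        self.calls.append((url, body))
        if url.endswith("/assign"):
            return {}
        self._next_id += 1
        return {"id": str(self._next_id)}


if __name__ == "__main__":
    problems = validate_plan(PLAN)
    if problems:
        raise SystemExit("fix the planning table first: " + "; ".join(problems))
    graph = DryRunGraph()
    print(provision(PLAN, GROUP_IDS, HELPDESK_ROLE_ID, graph.post))
    for url, body in graph.calls:
        print("POST", url[len(GRAPH):], body)
```

Run it as-is to see the nine calls (three per row) that the admin-center clicks correspond to; the validation step is what catches an admin group copied into two rows before any tag exists.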

Bulk-Tagging Devices at Scale

For tenants with hundreds of devices, manual tagging quickly becomes unmanageable. Intune's dynamic device groups let you auto-assign scope tags based on device attributes like enrollmentProfileName or deviceCategory. Set up the dynamic group rule first, assign the group during tag creation in Step 2, and every matching device picks up the tag automatically on next sync - no per-device clicks needed.

This approach pairs well with the Intune Expedited Windows Quality Updates: Step-by-Step workflow, where device group targeting and scope isolation work together to push urgent patches only to the right admin's view.

Step 4: Tag Individual Devices

Policies and apps inherit scope tags during creation, but physical devices sometimes need tags applied or changed manually after enrollment. Here is how to do it one device at a time.

  1. Go to Devices in the admin center and select a device.
  2. Under Manage, choose Properties.
  3. Next to Scope tags, click Open.
  4. On the Select tags pane, add or remove tags as required.
  5. Click Save to commit the change.

  Device: DESKTOP-BLR-001
  Current scope tag: Default
  New scope tag:     Bengaluru
  Action: Save

For bulk tagging beyond a handful of devices, use Intune filters or dynamic group membership rules to reduce manual effort at scale, as described in the Bulk-Tagging Devices at Scale section above.

Step 5: Apply Scope Tags When Creating Policies and Apps

Every new configuration profile, compliance policy, or app deployment surfaces a Scope tags tab during the creation wizard. Always assign the correct tag at creation time rather than retroactively - it reduces the risk of resources sitting untagged under the default scope.

  Policy creation wizard - Scope tags tab
  Available tags:
    [x] Bengaluru
    [ ] Mumbai
    [ ] Finance-Global
    [ ] Default

When we tested this in a 500-device tenant, skipping the Scope tags tab during policy creation was the single most common setup error we encountered. If you skip it without selecting at least one tag, the admin center blocks progression with a validation error requiring a selection. Treat this tab as mandatory, not optional.

The same discipline applies to app deployments. The Firefox SSO with Intune: Step-by-Step for Sysadmins guide shows a real example of a scoped app assignment where the Scope tags tab determines which helpdesk team owns that app's management.

Step 6: Test Intune Scope Tag Visibility Isolation

After completing all assignments, sign in to the Intune admin center with a test account that belongs to HelpDesk-Bengaluru. Systematic verification at this stage catches misconfigured group memberships before real admins hit them in production.

  • Navigate to Devices and confirm only devices tagged Bengaluru appear.
  • Open Apps and verify that only Bengaluru-scoped apps are visible.
  • Check Configuration profiles - Mumbai or Finance-Global policies should not appear in this session.
  • Repeat with a HelpDesk-Mumbai test account and confirm the inverse holds.

  HelpDesk-Bengaluru account view:
    Devices visible:  15  (tagged Bengaluru)
    Devices hidden:   42  (tagged Mumbai, Finance-Global)

  HelpDesk-Mumbai account view:
    Devices visible:  27  (tagged Mumbai)
    Devices hidden:   30  (tagged Bengaluru, Finance-Global)

Chart: Devices Visible vs. Hidden by Scope Tag Assignment

This confirms scope tag enforcement works correctly across both admin identities. Getting this right matters beyond tidiness: according to the IBM Cost of a Data Breach Report 2024, breaches involving stolen or compromised credentials took an average of 292 days to identify and contain - the longest of any attack vector studied. Scoped RBAC limits how far a compromised admin account can reach, shrinking both the blast radius and the detection window.
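The Step 6 checklist can be computed before anyone signs in with a test account, which makes it easier to spot the two failure modes the troubleshooting section below describes (a Default-only object nobody scoped can see, and an unintended overlap between teams). The following is an added example, not code from the original article or from Microsoft. It encodes the rule the guide relies on, and which the FAQ restates: a scoped admin sees a device only when one of their role assignments carries at least one of that device's scope tags, a device with no custom tag carries only Default, and a holder of the Entra Intune Administrator role bypasses scoping. Every account, group and device name is constructed sample data.

```python
"""Compute the Step 6 visibility checklist from role assignments and device
tags. Added example with constructed data; it models the documented scoping
rule rather than calling Intune."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

DEFAULT_TAG = "Default"
INTUNE_ADMIN_ROLE = "Intune Administrator"  # Entra role; not subject to scoping


@dataclass(frozen=True)
class RoleAssignment:
    name: str
    admin_groups: FrozenSet[str]
    scope_tags: FrozenSet[str]


@dataclass(frozen=True)
class Device:
    name: str
    scope_tags: FrozenSet[str]  # empty means the device carries only Default


ASSIGNMENTS = [
    RoleAssignment("Helpdesk-Bengaluru-Assignment",
                   frozenset({"HelpDesk-Bengaluru"}), frozenset({"Bengaluru"})),
    RoleAssignment("Helpdesk-Mumbai-Assignment",
                   frozenset({"HelpDesk-Mumbai"}), frozenset({"Mumbai"})),
    RoleAssignment("Finance-Global-Assignment",
                   frozenset({"Finance-IT-Admins"}), frozenset({"Finance-Global"})),
]

# Constructed inventory. FIN-BLR-007 deliberately carries two tags;
# UNTAGGED-001 was created with the Scope tags tab skipped.
DEVICES = [
    Device("DESKTOP-BLR-001", frozenset({"Bengaluru"})),
    Device("DESKTOP-BLR-002", frozenset({"Bengaluru"})),
    Device("LAPTOP-MUM-001", frozenset({"Mumbai"})),
    Device("FIN-BLR-007", frozenset({"Bengaluru", "Finance-Global"})),
    Device("UNTAGGED-001", frozenset()),
]

# Step 6 test accounts mapped to the groups / Entra roles they hold.
TEST_ACCOUNTS = {
    "blr-helpdesk-test": frozenset({"HelpDesk-Bengaluru"}),
    "mum-helpdesk-test": frozenset({"HelpDesk-Mumbai"}),
    "fin-admin-test": frozenset({"Finance-IT-Admins"}),
}


def effective_tags(device: Device) -> FrozenSet[str]:
    return device.scope_tags or frozenset({DEFAULT_TAG})


def admin_tags(memberships: FrozenSet[str], assignments) -> FrozenSet[str]:
    """Union of scope tags from every assignment the account's groups hit."""
    tags = set()
    for a in assignments:
        if a.admin_groups & memberships:
            tags |= a.scope_tags
    return frozenset(tags)


def visible_devices(memberships, assignments, devices) -> List[str]:
    if INTUNE_ADMIN_ROLE in memberships:
        return sorted(d.name for d in devices)
    tags = admin_tags(memberships, assignments)
    return sorted(d.name for d in devices if effective_tags(d) & tags)


def isolation_report(accounts, assignments, devices) -> Dict[str, Dict[str, List[str]]]:
    """Per account: what should appear under Devices and what must not."""
    report = {}
    for account, memberships in accounts.items():
        visible = visible_devices(memberships, assignments, devices)
        hidden = sorted(d.name for d in devices if d.name not in visible)
        report[account] = {"visible": visible, "hidden": hidden}
    return report


def overlaps(report) -> Dict[tuple, List[str]]:
    """Devices two accounts can both see. Acceptable only where a device
    legitimately carries both teams' tags; anything else is a misassignment."""
    found, names = {}, sorted(report)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            shared = sorted(set(report[a]["visible"]) & set(report[b]["visible"]))
            if shared:
                found[(a, b)] = shared
    return found


def unreachable_devices(accounts, assignments, devices) -> List[str]:
    """Devices no scoped account can see: the Default-only objects behind the
    'Default tag keeps appearing' troubleshooting case."""
    seen = set()
    for memberships in accounts.values():
        seen.update(visible_devices(memberships, assignments, devices))
    return sorted(d.name for d in devices if d.name not in seen)


if __name__ == "__main__":
    rep = isolation_report(TEST_ACCOUNTS, ASSIGNMENTS, DEVICES)
    for account, view in rep.items():
        print(f"{account}: visible={len(view['visible'])} hidden={len(view['hidden'])}")
    print("overlaps:", overlaps(rep))
    print("unreachable:", unreachable_devices(TEST_ACCOUNTS, ASSIGNMENTS, DEVICES))
```

Export the real assignments and device tags from the admin center into the same structures and the report becomes the expected-results sheet for the manual sign-in checks; any device in the unreachable list is one that will only ever show up for an Intune Administrator.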

Privilege misuse is a growing internal threat too. The 2024 Verizon DBIR found that internal actors grew from 20% to 35% of breach actors year-over-year, with Privilege Misuse accounting for 897 incidents and 854 confirmed data disclosures. Scope tags are a direct control against exactly this pattern. For related identity hardening steps, see Disable Remember MFA on Trusted Devices in Microsoft Entra ID.

Troubleshooting Scope Tag Problems

Admin cannot see expected resources after assignment.

  • Confirm the scope tag attaches to the admin's role assignment, not just the master list.
  • Verify the device or policy actually carries that scope tag - check under Device Properties > Scope tags.
  • Make sure the admin account sits in the correct admin group referenced in the role assignment.
  • Admins with only a scoped role cannot update the master tag list. They need the Intune Administrator role for that action.

Scope tags tab does not appear on a resource.

  • Not every resource type in Intune supports scope tags. Confirm the resource type appears on Microsoft's supported list before troubleshooting further.

Default tag keeps appearing on new policies.

  • This happens when no custom tag is selected during wizard completion. Enforce a team checklist that makes the Scope tags step mandatory on every policy or app creation.

Frequently asked questions

Can I delete the default scope tag in Intune?

No. The default scope tag is system-managed and the Intune admin center automatically applies it to any object that supports scope tags but has no custom tag assigned. No setting in the admin center lets you delete or modify it.

How many scope tags can one Intune role assignment hold?

A single Intune role assignment supports up to 100 scope tags. Most organizations stay well below that ceiling, but enterprises with many regions or business units should map their taxonomy before creation to avoid duplicate or overlapping tags.

What is the difference between Intune roles and scope tags?

Intune roles define what actions an admin can perform - they set permissions. Scope tags define which resources an admin can see or manage - they set visibility. Both layers work together under RBAC to enforce least-privilege access across your tenant.

Can a scoped admin modify the master list of scope tags?

No. An admin with only a scoped role assignment cannot create, edit, or delete tags from the master list. Only an account holding the Microsoft Entra Intune Administrator role can make changes to the tenant-wide scope tag list.

#intune #rbac #scope-tags #microsoft-endpoint-manager #endpoint-management #Sysadmin
