What are the requirements and standards for departments using Intune?

Access to Intune

Departments have access to Intune through a web browser at: https://endpoint.microsoft.com.

Naming Standards

  • All computer objects created by departments must be prefixed with: DEPT-
  • All groups created for Intune use should begin with: Intune-DEPT-

These naming standards allow for easy identification and searching. Note that the Intune portal displays all Entra ID and AD groups, not only Intune-related groups.

Departmental Catch-All Groups and Scope Tagging

The following groups are created during onboarding:
  • Intune-DEPT-All Users
  • Intune-DEPT-All Devices
  • Intune-DEPT-All Groups

These groups function as catch-all containers for departmental users and devices. Membership is managed dynamically. Any user or device in these groups is automatically assigned the scope tag for the department. The Intune-DEPT-All Groups group must include all department-created groups as nested members. If a group is not nested, policy, configuration, and application assignments to departmental device groups will fail due to permission scoping.

Departments should not assign policies directly to the main catch-all groups. These groups should be used for reference purposes only. If adjustments are needed to the dynamic membership queries for these groups, departments must submit a request using the EPM form "Service - Device Management and Protection".

Similarly, an Entra ID Administrative Unit (AU) is created to contain all departmental devices. This AU is used to scope Entra ID roles such as BitLocker Reader, LAPS Password Reader, and others so that administrative access can be granted only where needed. Scoping roles to the AU ensures appropriate delegation while limiting visibility and permissions to devices owned by the department.

Scope Tag Expectations

All objects created by departments and included in the catch-all or nested catch-all member groups are automatically assigned the DEPT scope tag. If the DEPT scope tag is missing on a given device, ensure that the device is a direct or transitive member of your "Intune-DEPT-All Devices" group before contacting the Intune support team.

Shared Scope Tag

A scope tag named Shared is available and is intended for policies, configurations, or applications meant to be used across departments. Any object tagged as Shared is readable by all departmental administrators, and other units may assign it to their own groups. Creators are responsible for maintaining Shared items and should be aware that objects assigned outside the creator’s scope, or assigned to Entra ID groups that are later deleted, typically cannot be deleted until those assignments are removed. The Shared scope tag should only be used when this level of visibility and shared responsibility is intended.

Autopilot and Device Procurement

Autopilot is currently supported with the following vendors:
  • PACE
  • CDW
  • Dell

Other vendors can be added upon request. When ordering devices, departments must ensure Autopilot is included in the quote. Vendors may charge separate fees for this service. Departments must also specify a group tag when ordering devices so the vendor can upload them correctly.

Group tag guidance:
  • No spaces
  • No known length limit
  • Should clearly reflect the deployment purpose (for example: DEPT-Staff)

Group tags are used to dynamically assign devices to groups, allowing deployments to be fully automated. Each deployment profile requires its own unique group tag and a corresponding dynamic group. Requests for dynamic groups must be submitted through the EPM form.
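The following PowerShell is an added illustration, not part of this page or the central team's own tooling. It shows the two mechanisms described above: the Entra ID dynamic membership rule that a group-tag-based Autopilot group is built on (the vendor upload stores the tag in the device's devicePhysicalIds as "[OrderID]:<tag>"), and a membership check a department can run before contacting support when a device is missing the DEPT scope tag. It assumes the Microsoft.Graph PowerShell module, Group.ReadWrite.All and Device.Read.All permissions, and uses "DEPT", "DEPT-Staff" and the device name as placeholders; the naming-prefix rule is an assumption, not the rule the central team maintains for the catch-all groups.

```powershell
# Added example (not from the documentation page). Assumptions: Microsoft.Graph
# module installed; caller holds Group.ReadWrite.All and Device.Read.All;
# "DEPT" and "DEPT-Staff" are placeholders for the real prefix and group tag.

$Dept     = 'DEPT'        # placeholder department prefix
$GroupTag = "$Dept-Staff" # placeholder Autopilot group tag (no spaces)

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

# Rule 1: every Autopilot device the vendor uploaded with this group tag.
# Autopilot writes the tag into devicePhysicalIds as "[OrderID]:<tag>".
$autopilotRule = "(device.devicePhysicalIds -any (_ -eq `"[OrderID]:$GroupTag`"))"

# Rule 2 (assumed, for illustration only; the catch-all rules are maintained
# by the central team): all devices following the DEPT- naming standard.
$namingRule = "(device.displayName -startsWith `"$Dept-`")"

# Create the deployment-profile group under the Intune-DEPT- naming standard.
# This group must then be nested under Intune-DEPT-All Groups to be scoped.
$group = New-MgGroup -DisplayName "Intune-$Dept-Autopilot-Staff" `
    -MailNickname "Intune$($Dept)AutopilotStaff" `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $autopilotRule `
    -MembershipRuleProcessingState 'On'
"Created $($group.DisplayName) ($($group.Id)) with rule: $($group.MembershipRule)"

# Check whether a device is a direct or transitive member of the catch-all
# group; a device outside it will not receive the DEPT scope tag.
function Test-DeptCatchAllMembership {
    param(
        [Parameter(Mandatory)] [string] $DeviceName,
        [string] $CatchAllName = "Intune-$Dept-All Devices"
    )
    $device = Get-MgDevice -Filter "displayName eq '$DeviceName'" | Select-Object -First 1
    if (-not $device) { return "Device '$DeviceName' not found in Entra ID" }

    # transitiveMemberOf expands nested group membership in a single call.
    $uri = "https://graph.microsoft.com/v1.0/devices/$($device.Id)/transitiveMemberOf/microsoft.graph.group?`$select=displayName"
    $groups = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
    if ($groups.displayName -contains $CatchAllName) {
        return "$DeviceName is a (transitive) member of $CatchAllName; expect the $Dept scope tag"
    }
    return "$DeviceName is NOT in $CatchAllName; nest its group under Intune-$Dept-All Groups first"
}

# Placeholder device name following the DEPT- prefix standard.
Test-DeptCatchAllMembership -DeviceName "$Dept-LAPTOP-0001"
```

The membership check uses the transitiveMemberOf relationship rather than memberOf so that a device reached only through a nested department group still counts, which is exactly the case the scope tag depends on.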

Communication and Documentation