Intune scope tags allow you to manage a large organisations IT infrastructure while giving each department/region/sub company/… the flexibility to configure their own settings. Scope tags in Microsoft Intune allow administrators to divide devices in their organization into logical groups. These groups, also known as tags, can be used to make certain settings, applications, and policies available only to specific users or devices. By using Intune scope tags, you can streamline your IT infrastructure, improve security and make your life easier.

Create a group of devices for a specific area

Uploading a device hash to Intune and creating a dynamic group based on this tag can be done in a few simple steps:

• Collect the device hash: Use the PowerShell script “get-windowsautopilotinfo.ps1 -grouptag Germany -online” to collect the device hash of the device you want to upload to Intune.

• When this is done we have to create a dynamic group based on this attribute
• Select Groups from the left menu bar
• Click New group
• Select Security as Group type, enter an group name and select Dynamic Device as Membership type
• Click on Add dynamic query

• Click Edit and enter the following filter
  • The OrderID can be freely defined (in my example: “AutoPilotTest1”).

1	(device.devicePhysicalIds -any _ -eq "[OrderID]:Germany")

• Click Create

Unlocking the Power of Scope Tags

• In the first step we have to create a new scope Tag.
• Open the Intune console and navigate to Tenant admin > Roles > Scope tags
• Click + Create

• Enter an Name and click Next

• Select the previous created group and select Next > Create

• In the next step we have to create a custom role for this scope tag. For this select the All roles menu
• Select a role and click Duplicate or create a new one with + Create

• Enter an name and click Next > Next
• Select the previous created scope tag and click Next > Create

• When you now create a new configuration in Intune, you can attache the new scope tag.