Using scope tags
We have seen scope tags throughout this book when we created various policies or applications. Now, it is time to learn what they are used for and how to create them.
First, we will clear up the differences between scope groups and scope tags.
Scope groups are configured within an Intune role and specify which users or devices an administrator can perform actions against for roles with actions configured. They are similar to administrative units within Entra ID, where administrators can be locked out from accessing all devices and users in the tenant.
Scope tags are configured on individual items within the tenant and can be used to allow or restrict access to these items. For example, you could configure a subset of your policies with a specific scope tag and allow only certain administrators to amend this policy. For larger organizations with multiple administrative teams, this can be useful to give the local admins some freedom, but only on their own devices...