Set Intune Device ScopeTags based on User Locations

Want to use Scope Tags in Intune to allow different sites to only see their devices? I want to show you our solution to automatically tag devices based on the location of the “Enrolled by” User in Intune.

We needed a solution for Windows, iOS and Android Devices to automatically assign Scope Tags based on the Location of the User. Unfortunately this is not easily possible with the built-in assignment, as it is not possible to create dynamic Azure AD Device Groups based on User Attributes like “usage location”, which is the attribute we are using in this example Script.

Just like in my Blog Entry about automatic Autopilot Uploads, we will use an Azure Automation PowerShell-based Runbook for this task. If you want to see how to create the Automation Account and assign permissions to the Managed Identity, please check out my old Blog: Automate Autopilot Uploads with Azure Automation Runbooks – Mike’s MDM Blog (mikemdm.de)

For our ScopeTag Script, we use the same Automation Account and create a new additional Runbook based on this Script: Scripts/Set-ScopeTags.ps1 at main · mmeierm/Scripts (github.com)

This Script allows us to run the assignment Logic in three different Modes: Full, Inc, and Webhook.

Depending on your device count you can simply always use the Full Mode. In my environment, however, the Full cycle takes multiple hours and can only run on a Hybrid Runbook Worker, as we exceed the limits of the Azure Sandbox environment in regards to used RAM and the runtime of more than three hours. So we decided to run the Full Sync only on the weekend and use the other two methods to dynamically update the Tags: the Inc Mode, based on the EnrollmentDate and the Audit Log, and, for new Windows Devices, a PowerShell Script that triggers the Webhook for an even faster way to trigger the assignment.

Requirements / Permissions

We need the following Requirements to be able to set the ScopeTags.
First we need to grant additional API Permissions to our System Managed Identity:
– DeviceManagementRBAC.ReadWrite.All (in order to set the Tags)
– User.Read.All (in order to read the usage location of the Users)

Mode: Full

For the Mode Full, we use the Azure Automation built-in Scheduling. Select the Schedule based on your needs and set the Parameter Mode to “Full”.

Mode: Inc

For the Mode Inc, we want the incremental Sync to check all devices that were enrolled in the last two days (based on the EnrollmentDate in Intune).
As this Script has a much shorter runtime, we want it to run every few minutes. Since this is not possible with the integrated Scheduling, we use a very small Azure Logic App to trigger the Runbook.

The Logic App itself is pretty simple: we start with a Recurrence trigger and create an Azure Automation Job with the needed Parameters.

Mode: Webhook

The third and last Mode, the Webhook Mode, is used to quickly set the ScopeTag for newly enrolled Windows Autopilot Devices, as the Enrollment Date is sometimes not accurate here and represents the day of the Autopilot registration rather than the actual Intune Enrollment.
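To make the three Modes concrete, here is an added example of what such a Runbook can look like. It is not the Set-ScopeTags.ps1 from the author's GitHub, just a compact illustration of the same logic. It assumes the Microsoft.Graph.Authentication module is imported into the Automation Account, that the System Managed Identity holds the two permissions listed above, that the Scope Tag IDs in the mapping table are replaced with your own, that the beta managedDevice endpoint accepts a PATCH of roleScopeTagIds and a $filter on enrolledDateTime, and that the Webhook caller posts a JSON body of the form {"SerialNumber": "..."}.

```powershell
<#
  Added example runbook (not the author's Set-ScopeTags.ps1).
  Assumptions: Microsoft.Graph.Authentication is imported, the Managed Identity has
  DeviceManagementRBAC.ReadWrite.All and User.Read.All, the Scope Tag IDs below are
  placeholders, and the webhook client posts {"SerialNumber": "..."}.
#>
param(
    [ValidateSet('Full', 'Inc', 'Webhook')]
    [string]$Mode = 'Full',
    [object]$WebhookData          # filled in by Azure Automation when started via webhook
)

# usageLocation (ISO 3166 country code) -> Scope Tag ID. Placeholders: look up your IDs
# under Tenant administration > Roles > Scope (Tags) or via GET /deviceManagement/roleScopeTags.
$LocationToScopeTag = @{
    'DE' = '<scope-tag-id-germany>'
    'US' = '<scope-tag-id-usa>'
}
$DefaultScopeTagId = '0'   # '0' is the built-in "Default" scope tag
$Graph = 'https://graph.microsoft.com'

# A webhook call always carries WebhookData, so treat it as Webhook Mode regardless of $Mode
if ($WebhookData) { $Mode = 'Webhook' }

Connect-MgGraph -Identity -NoWelcome

function Get-ManagedDevices {
    param([string]$Filter)
    # Assumption: roleScopeTagIds is read and filtered on the beta managedDevice resource
    $uri = "$Graph/beta/deviceManagement/managedDevices?`$select=id,deviceName,userId,enrolledDateTime,roleScopeTagIds"
    if ($Filter) { $uri += "&`$filter=$Filter" }
    $all = [System.Collections.Generic.List[object]]::new()
    do {                                   # follow @odata.nextLink until the last page
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($d in $page.value) { $all.Add($d) }
        $uri = $page.'@odata.nextLink'
    } while ($uri)
    return $all
}

function Get-UserUsageLocation {
    param([string]$UserId)
    if ([string]::IsNullOrEmpty($UserId)) { return $null }   # device without an enrolling user
    $u = Invoke-MgGraphRequest -Method GET -Uri "$Graph/v1.0/users/${UserId}?`$select=usageLocation"
    return $u.usageLocation
}

function Get-TargetScopeTagId {
    param([string]$UsageLocation)
    if ($UsageLocation -and $LocationToScopeTag.ContainsKey($UsageLocation)) {
        return $LocationToScopeTag[$UsageLocation]
    }
    return $DefaultScopeTagId               # unknown or empty location falls back to Default
}

function Set-DeviceScopeTag {
    param([string]$DeviceId, [string]$ScopeTagId)
    # Assumption: PATCH of roleScopeTagIds on beta. Note: this replaces the whole tag list.
    $body = @{ roleScopeTagIds = @($ScopeTagId) } | ConvertTo-Json
    Invoke-MgGraphRequest -Method PATCH -Uri "$Graph/beta/deviceManagement/managedDevices/$DeviceId" `
        -Body $body -ContentType 'application/json'
}

switch ($Mode) {
    'Full' { $devices = Get-ManagedDevices }
    'Inc'  {
        # devices enrolled in the last two days, selected server-side by enrolledDateTime
        $cutoff = (Get-Date).ToUniversalTime().AddDays(-2).ToString('yyyy-MM-ddTHH:mm:ssZ')
        $devices = Get-ManagedDevices -Filter "enrolledDateTime ge $cutoff"
    }
    'Webhook' {
        $payload = $WebhookData.RequestBody | ConvertFrom-Json
        # the caller only supplies a lookup key; escape the OData string literal before use
        $serial = [string]$payload.SerialNumber -replace "'", "''"
        $devices = Get-ManagedDevices -Filter "serialNumber eq '$serial'"
    }
}

foreach ($d in $devices) {
    $loc    = Get-UserUsageLocation -UserId $d.userId
    $target = Get-TargetScopeTagId -UsageLocation $loc
    if (@($d.roleScopeTagIds) -contains $target) { continue }   # already tagged, skip the write
    Write-Output "Tagging $($d.deviceName) (user location '$loc') with scope tag $target"
    Set-DeviceScopeTag -DeviceId $d.id -ScopeTagId $target
}
```

Two design points worth keeping even if you adapt this: the Webhook path treats the posted serial number purely as a lookup key and still derives the tag from the tenant's own user data, so whoever holds the webhook URI can at most trigger a re-evaluation, never choose a tag; and the PATCH replaces the full roleScopeTagIds list, so if your devices carry additional tags you should merge the location tag into the existing list instead of overwriting it.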

In order to use this, we created a small PowerShell Script for the Intune “Scripts” Section and assigned it to all Windows Devices. The Script itself checks whether the device is currently in the OOBE / ESP Phase by looking for the running OOBE Processes.

I uploaded the Client Script on my GitHub: Scripts/ClientScopeTag.ps1 at main · mmeierm/Scripts (github.com)

You just need to add the Webhook URI from your Runbook and you should be good to go.
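For readers who want to see the client side, here is an added example of such a Client Script. It is not the ClientScopeTag.ps1 from the author's GitHub. It assumes $WebhookUri is replaced with the Runbook's Webhook URI, that the OOBE / ESP Phase can be recognised by the CloudExperienceHost or WWAHost processes (the process names are an assumption, adjust them to what you observe), and that the Runbook expects a JSON body {"SerialNumber": "..."} as in the runbook example above.

```powershell
<#
  Added example client script for the Intune "Scripts" section (not the author's
  ClientScopeTag.ps1). Runs as SYSTEM on the device. Assumptions: $WebhookUri is your
  Runbook webhook URI, the OOBE/ESP phase shows up as one of the processes in
  $OobeProcesses, and the runbook accepts {"SerialNumber": "..."}.
#>
$WebhookUri    = 'https://<your-automation-webhook-uri>'      # placeholder, keep it out of source control
$OobeProcesses = @('CloudExperienceHost', 'WWAHost')          # assumed OOBE/ESP process names

function Test-OobePhase {
    # true while any of the OOBE/ESP hosting processes is alive
    foreach ($name in $OobeProcesses) {
        if (Get-Process -Name $name -ErrorAction SilentlyContinue) { return $true }
    }
    return $false
}

function Get-DeviceSerial {
    # same value Intune stores as serialNumber on the managedDevice
    return (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()
}

function Invoke-ScopeTagWebhook {
    param([string]$Uri, [string]$SerialNumber)
    $body = @{ SerialNumber = $SerialNumber } | ConvertTo-Json -Compress
    # force TLS 1.2 on older builds; the webhook URI already carries its secret token,
    # so nothing besides the lookup key is sent in the body
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $resp = Invoke-RestMethod -Method Post -Uri $Uri -Body $body -ContentType 'application/json'
    return $resp.JobIds      # Azure Automation answers with the started job id(s)
}

if (-not (Test-OobePhase)) {
    Write-Output 'Not in OOBE/ESP, nothing to do.'
    exit 0
}

try {
    $jobs = Invoke-ScopeTagWebhook -Uri $WebhookUri -SerialNumber (Get-DeviceSerial)
    Write-Output "Webhook accepted, job(s): $($jobs -join ',')"
    exit 0
} catch {
    # a failed webhook call must not fail the ESP; the Inc/Full modes will pick the device up later
    Write-Output "Webhook call failed: $($_.Exception.Message)"
    exit 0
}
```

The script deliberately exits 0 even when the webhook call fails, because the Inc and Full Modes will catch the device on their next run anyway, and a failing Intune Script during ESP should not block the enrollment. Treat the Webhook URI as a credential: it is the only thing protecting the Runbook from being triggered by anyone who obtains it, so the Runbook should keep doing nothing more than a lookup with the posted value.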
