Scope Groups and Naming Conventions

Audience: Platform Engineering, distributed unit administrators

Purpose: Standardize scope group naming for consistent policy management


Quick Reference

| Group Type | Prefix | Purpose |
| --- | --- | --- |
| Device Scope Group | DSG | Device object collections |
| User Scope Group | USG | User account groupings |
| Experience Scope Group | ESG | Combined policy bundles |
| Policy Scope Group | PSG | Policy/app assignments |
| Role Scope Group | RSG | PIM role access |
| File Scope Group | FSG | File permissions |
| Cloud Scope Group | CSG | Cloud resource access |

Prerequisites: Administrative Units

Required for All Scope Groups

All scope groups (Entra security groups) must be created within the respective unit's designated Administrative Unit.

| Requirement | Details |
| --- | --- |
| AU Naming | AU-[FAMIS CODE] (e.g., AU-VPOP, AU-CLED) |
| Required Role | Groups Administrator role for the specific AU |
| Elevation | Often requires PIM elevation for the AU-scoped role |

This ensures scope group management is controlled by authorized personnel within each unit while maintaining a unified system.


Scope Group Types

Device Scope Group (DSG)

Purpose: Manages all devices enrolled in Intune specific to a unit.

| Attribute | Description |
| --- | --- |
| Members | Device objects (e.g., Windows desktops, Android devices) |
| Use Case | Direct device targeting; commonly nested into ESGs |
| Example | DSG - CLED - Faculty Laptops |

User Scope Group (USG)

Purpose: Organizes user accounts by roles or departments within a unit.

| Attribute | Description |
| --- | --- |
| Members | User and service accounts |
| Use Case | Role-based access; nested into ESGs for policy targeting |
| Example | USG - CLED - Faculty Users |

Experience Scope Group (ESG)

Purpose: Defines a user or device "experience" by grouping USGs and/or DSGs from the same unit.

| Attribute | Description |
| --- | --- |
| Members | One or more USGs and/or DSGs from the same FAMIS code |
| Use Case | Simplified assignment of consistent policy bundles |
| Example | ESG - CLED - Faculty Standard Experience |

Key Concept

ESGs act as the target for policy collections delivered via PSGs. Instead of adding many USGs/DSGs to many PSGs, add them to one ESG, then add that ESG to multiple PSGs.


Policy Scope Group (PSG)

Purpose: Manages specific policy and application assignments within Intune.

| Attribute | Description |
| --- | --- |
| Members | Experience Scope Groups (ESGs) |
| Use Case | Controls deployment of individual policies and applications |
| Example | PSG - Required - User - CLED - Microsoft Office 365 |

PSG Naming Format

PSG - [Assignment Type] - [Target] - [FAMIS Code] - [Policy/App Name]

For Applications:

  • PSG - Required - User - [FAMIS] - [App Name]
  • PSG - Required - Device - [FAMIS] - [App Name]
  • PSG - Available - User - [FAMIS] - [App Name]
  • PSG - Available - Device - [FAMIS] - [App Name]
  • PSG - Uninstall - User - [FAMIS] - [App Name]
  • PSG - Uninstall - Device - [FAMIS] - [App Name]

For Policies:

  • PSG - Included - User - [FAMIS] - [Policy Name]
  • PSG - Included - Device - [FAMIS] - [Policy Name]
  • PSG - Excluded - User - [FAMIS] - [Policy Name]
  • PSG - Excluded - Device - [FAMIS] - [Policy Name]

Shared Device Exclusion Filter

Required for User PSGs

All User PSGs must have an Exclude filter to prevent user-assigned policies from deploying to shared devices.

| Filter | Details |
| --- | --- |
| Filter Name | Shared Device - Filter |
| Rule Syntax | (device.enrollmentProfileName -ne "_TAMU User Driven with Pre Provision") |

Role Scope Group (RSG)

Purpose: Provides custom role-based access, often linked to PIM for temporary elevation.

| Attribute | Description |
| --- | --- |
| Members | Specific users or USGs requiring elevated access |
| Use Case | Permissions for sensitive or administrative roles |
| Example | RSG - CLED - BitLocker Recovery |

File Scope Group (FSG)

Purpose: Manages file permissions for cloud-based storage like SharePoint.

| Attribute | Description |
| --- | --- |
| Members | User accounts or roles needing file/folder access |
| Use Case | Fine-grained access control for SharePoint content |
| Example | FSG - CLED - HR Documents - Edit |

Cloud Scope Group (CSG)

Purpose: Grants access to cloud-based resources (SharePoint sites, Loop, Planner).

| Attribute | Description |
| --- | --- |
| Members | User accounts needing specific cloud resource access |
| Naming | CSG - [FAMIS Code] - [Site Name] - [Access Level] |
| Description Field | Include full URL of the resource |

Examples:

  • CSG - VPOP - Research Hub - Edit
  • CSG - CLED - Marketing Planner - Owner
  • CSG - ENGR - Project Loop Site - Contributor

For hub sites, include "Hub" in the name: CSG - VPOP - Research Hub - Read


Implementation Example

Consider the "College of Education Faculty" (FAMIS Code: CLED):

1. Foundation Groups

USG - CLED - Faculty Users      (all faculty user accounts)
DSG - CLED - Faculty Laptops    (all faculty-assigned laptops)

2. Experience Group

ESG - CLED - Standard Faculty Experience
├── USG - CLED - Faculty Users
└── DSG - CLED - Faculty Laptops

3. Policy Groups Targeting the ESG

| Assignment Type | Target | Group Name | Members | Filter Mode |
| --- | --- | --- | --- | --- |
| Required | User | PSG - Required - User - CLED - Microsoft Office 365 | ESG | Exclude |
| Included | User | PSG - Included - User - CLED - OneDrive Compliance | ESG | Exclude |
| Available | User | PSG - Available - User - CLED - Adobe Acrobat Pro | ESG | Exclude |
| Included | Device | PSG - Included - Device - CLED - Laptop Config | ESG | None |

Workflow Benefits

  • Add new faculty member → Add to USG - CLED - Faculty Users
  • They automatically receive → All policies/apps via ESG membership
  • Change experience → Adjust ESG membership in PSGs
  • Onboarding is simple → Single group membership grants full experience
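
The nesting and filter rules above (ESG members are USGs/DSGs from the same FAMIS code, PSG members are ESGs, User PSGs carry the Exclude filter) can be checked against an export of group memberships. This is an added example, not part of the original page; the export shape (`members`, `filter`), the function names, and the sample data, including `DSG - VPOP - Lab Desktops`, are constructed for illustration.

```python
# Constructed sample export: group name -> direct members and assignment filter.
SAMPLE = {
    "ESG - CLED - Standard Faculty Experience": {
        "members": ["USG - CLED - Faculty Users", "DSG - VPOP - Lab Desktops"]},
    "PSG - Required - User - CLED - Microsoft Office 365": {
        "members": ["ESG - CLED - Standard Faculty Experience"],
        "filter": ("Shared Device - Filter", "Exclude")},
    "PSG - Available - User - CLED - Adobe Acrobat Pro": {
        "members": ["USG - CLED - Faculty Users"], "filter": None},
    "PSG - Included - Device - CLED - Laptop Config": {
        "members": ["ESG - CLED - Standard Faculty Experience"], "filter": None},
}
# Filter name and mode as given in the Shared Device Exclusion Filter section.
REQUIRED_FILTER = ("Shared Device - Filter", "Exclude")


def kind_and_famis(name):
    """Return (type prefix, FAMIS code); PSG names carry the code in field 4."""
    parts = name.split(" - ")
    idx = 3 if parts[0] == "PSG" else 1
    return parts[0], (parts[idx] if len(parts) > idx else None)


def audit_nesting(groups):
    """Return sorted (group, finding) pairs for the nesting rules on this page."""
    findings = []
    for name, info in groups.items():
        kind, famis = kind_and_famis(name)
        members = info.get("members", [])
        if kind == "ESG":
            if not members:
                findings.append((name, "ESG has no USG/DSG members"))
            for m in members:
                m_kind, m_famis = kind_and_famis(m)
                if m_kind not in ("USG", "DSG"):
                    findings.append((name, f"{m!r} is not a USG or DSG"))
                elif m_famis != famis:
                    findings.append((name, f"{m!r} is outside FAMIS code {famis}"))
        elif kind == "PSG":
            for m in members:
                if kind_and_famis(m)[0] != "ESG":
                    findings.append((name, f"{m!r} is not an ESG"))
            is_user = name.split(" - ")[2:3] == ["User"]
            if is_user and info.get("filter") != REQUIRED_FILTER:
                findings.append((name, "User PSG lacks the Exclude shared-device filter"))
    return sorted(findings)
```

Running `audit_nesting(SAMPLE)` reports the cross-unit DSG inside the CLED ESG and both problems on the Adobe Acrobat Pro PSG (a USG added directly, and no Exclude filter).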

Standard Naming Format

PSG Format

PSG - [Assignment Type] - [Target] - [FAMIS Code] - [Policy/App Name]

| Element | Description |
| --- | --- |
| PSG | Identifies as Policy Scope Group |
| Assignment Type | Required, Available, Uninstall (apps) or Included, Excluded (policies) |
| Target | User or Device |
| FAMIS Code | Department code (e.g., CLED, VPOP) |
| Name | Policy or application name |

Other Scope Groups Format

[Scope Group Type] - [FAMIS Code] - [Descriptive Name]

| Element | Description |
| --- | --- |
| Scope Group Type | DSG, USG, ESG, FSG, RSG, CSG |
| FAMIS Code | Department tracking code |
| Descriptive Name | Clear description of purpose or members |
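
A name linter for the two formats above, added here as an example rather than taken from the original page. The function name, the returned field names, and the FAMIS code pattern (2 to 8 upper-case letters or digits) are assumptions; the vocabulary comes from the tables on this page.

```python
import re

# Vocabulary copied from the naming tables on this page.
ASSIGNMENT_TYPES = {"Required", "Available", "Uninstall",   # applications
                    "Included", "Excluded"}                 # policies
TARGETS = {"User", "Device"}
OTHER_TYPES = {"DSG", "USG", "ESG", "FSG", "RSG", "CSG"}
# Assumption: FAMIS codes are short upper-case tokens such as CLED, VPOP, ENGR.
FAMIS_RE = re.compile(r"[A-Z0-9]{2,8}")


def parse_scope_group(name):
    """Return (fields, problems) for an Entra group display name."""
    parts = name.split(" - ")
    problems = []
    if any(p != p.strip() or not p for p in parts):
        problems.append("fields must be separated by exactly ' - '")
    kind = parts[0]
    if kind == "PSG":
        # PSG - [Assignment Type] - [Target] - [FAMIS Code] - [Policy/App Name]
        if len(parts) < 5:
            return None, problems + ["PSG name needs 5 fields"]
        assignment, target, famis = parts[1:4]
        label = " - ".join(parts[4:])
        if assignment not in ASSIGNMENT_TYPES:
            problems.append(f"unknown assignment type {assignment!r}")
        if target not in TARGETS:
            problems.append(f"target must be User or Device, got {target!r}")
    elif kind in OTHER_TYPES:
        # [Scope Group Type] - [FAMIS Code] - [Descriptive Name]
        # CSG additionally ends in [Access Level], so it needs 4 fields.
        need = 4 if kind == "CSG" else 3
        if len(parts) < need:
            return None, problems + [f"{kind} name needs {need} fields"]
        famis, label = parts[1], " - ".join(parts[2:])
        assignment = target = None
    else:
        return None, problems + [f"unknown scope group type {kind!r}"]
    if not FAMIS_RE.fullmatch(famis):
        problems.append(f"FAMIS code {famis!r} is not an upper-case code")
    fields = {"type": kind, "assignment": assignment, "target": target,
              "famis": famis, "name": label,
              "admin_unit": f"AU-{famis}"}   # AU the group must be created in
    return fields, problems
```

The `admin_unit` field gives the Administrative Unit implied by the name, which can be compared with the AU the group actually sits in.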