Title: Importing Intune Settings Catalog policies fails when tenant does not use Default scope tag, and removing roleScopeTagIds does not resolve the issue

[N0SynAck]

Description

When attempting to import an Intune Settings Catalog policy into a tenant that does not use the built‑in Default scope tag, the import consistently fails with a 400 BadRequest error from Microsoft Graph.
The tenant uses only a custom scope tag assigned to my admin role.

The error message always includes:

Added a tag which is not allowed by the current role: 0

Even when I manually remove the "roleScopeTagIds" property from the JSON before importing, the same error occurs.
This happens because Microsoft Graph automatically assigns the Default scope tag (ID 0) if no scope tag is provided in the payload.
Since my admin role is not allowed to use the Default tag, the request fails every time.

---

Steps to Reproduce

1. Use a tenant where:
   • The Default scope tag is not assigned to the admin role
   • Only a custom scope tag exists (e.g., IntuneScope_MyRole)
2. Export a Settings Catalog profile.
3. Try importing it into this tenant.
4. Optional: Remove "roleScopeTagIds" from the JSON before import.
5. Observe that the import fails with Added a tag which is not allowed by the current role: 0.

---

Actual Behavior

• Importing the Settings Catalog policy fails with a 400 error.
• Removing "roleScopeTagIds" does not help.
• Graph forces the "0" scope tag internally, which the current admin role is not permitted to use.
• The tool provides no way to map or select the correct custom scope tag during import.

---

Expected Behavior

The import tool should:

• Detect when the tenant cannot use the Default (0) scope tag
• Allow selecting or mapping to an existing custom scope tag
• Or avoid sending/forcing the Default tag when the tenant configuration does not allow it
• Or provide a clear warning with actionable instructions

---

Request

Please add support in the tool for:

• Overriding or mapping scope tags during import
• Detecting invalid or unavailable scope tags
• Preventing automatic injection of "0" when the tenant does not permit it

This would allow importing policies into tenants that use custom RBAC scope tags instead of the Default one.

[Micke-K]

Hello,

You need to export the ScopTags as well. The script will use that to map the ScopeTag object from the exported environment to the destination environment.

This will work as long as they have the same name and the folder for the ScopeTags are available.

Cheers!

[N0SynAck]

I think you may have misunderstood what I meant.
I exported a policy that includes the default scope tag, and I want to import it into another tenant where the default scope tag also exists, but I am not assigned to it. When I try to import the policy, I receive the error mentioned above.

[Micke-K]

Hello,

Yes, that ton't work. But my suggestion is to make sure you export it with a Scope tag that you have permission to add and the export that Scope Tag as well. The script will then translate the id to the target tenant and set the correct Scope Tag id before import.

Cheers!

[N0SynAck]

Is there any way to map the Default scope tag from the source tenant to an xyz scope tag in the target tenant?
For example, can policies exported from Tenant2 (with the Default scope tag) always be created in Tenant1 using my scope tag (IT Support)?
Or do you know of a way to change the scope tag? When I modify the scope in the JSON file from 0 (Default) to 3 (IT Support), it still won’t import.

[Micke-K]

Hello,

I would expect it work if you change the ScopeTag to an id you have access to.

Doest it happen on all policies? Or could it be something else in the policy that breaks it?

Can you attach the policy?

Cheers!

[N0SynAck]

Here is one policy where it happens:

Windows_Update_Chrome.json

Yes it happens on all policies

[Micke-K]

Hello,

I imported this and it worked for me, but I don't have any specific permissions on ScopeTags.

However, I just want to make sure that you import from a folder that is called SettingsCatalog.
You will get 400 (Bad Request) if you try to import it from any other folder. The name of the parent folder specifies the API it will use for the import.

Cheers!