Commit d88ba2b

Merge pull request #2839 from msbemba/patch-106
Update role-based-access-control.md
2 parents d539d87 + 024d504 commit d88ba2b

1 file changed

Lines changed: 4 additions & 1 deletion

memdocs/intune/fundamentals/role-based-access-control.md

@@ -95,9 +95,12 @@ To see a role assignment, choose **Intune** > **Tenant administration** > **Role
9595

9696
- **Basics**: The assignments name and description.
9797
- **Members**: All users in the listed Azure security groups have permission to manage the users/devices that are listed in Scope (Groups).
98-
- **Scope (Groups)**: All users/devices in these Azure security groups can be managed by the users in Members.
98+
- **Scope (Groups)**: Scope Groups are Azure AD security groups of users or devices or both for which administrators in that role assignment are limited to performing operations on. For example deployment of a policy or application to a user or remotely locking a device. All users and devices in these Azure AD security groups can be managed by the users in Members.
9999
- **[Scope (Tags)](scope-tags.md)**: Users in Members can see the resources that have the same scope tags.
100100

101+
> [!NOTE]
102+
> Scope Tags are freeform text values that an administrator defines and then adds to a Role Assignment. The scope tag added on a role controls visibility of the role itself, while the scope tag added in role assignment limits the visibility of Intune objects (such as policies and apps) or devices to only administrators in that role assignment because the role assignment contains one or more matching scope tags.
103+
101104
### Multiple role assignments
102105
If a user has multiple role assignments, permissions, and scope tags, those role assignments extend to different objects as follows:
103106
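Review bot: The rewritten **Scope (Groups)** bullet (new line 98) has a doubled preposition and a sentence fragment: "for which administrators in that role assignment are limited to performing operations on" and "For example deployment of a policy or application to a user or remotely locking a device." Suggest splitting it, for instance: "Scope groups are Azure AD security groups of users, devices, or both. Administrators in the role assignment can perform operations, such as deploying a policy or application to a user or remotely locking a device, only on members of these groups." With that wording the retained last sentence ("All users and devices in these Azure AD security groups can be managed by the users in Members") repeats the same point and could be dropped. The new bullet says "Azure AD security groups" while the unchanged **Members** bullet on line 97 still says "Azure security groups"; use one term in both. In the added note (new lines 101-102), "Scope Tags" and "Role Assignment" are capitalized differently from "scope tags" and "role assignment" in the rest of the hunk, and "added in role assignment" is missing an article. Because the bullet describes what administrators can operate on and the note describes what they can see, consider stating that distinction in one sentence (scope groups bound the targets of operations, scope tags bound visibility) so readers do not conflate the two when designing assignments.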
