Intune use Azure AD group to manage Users and Devices. As a Admin, You can setup a group in Intune console or Azure AD console based on your origination required like, Departments, geographic location geographic location, Hardware device.
Group Types
In Intune, we have two types of the group.
Security Group :- Security group define that who can access the resources in Intune.
- Security groups can contain users or devices or both.
- Security group can be created as Device or User Dynamic group, both rule can’t be adding in one group.
Microsoft 365 groups – Provides collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, and more
- Microsoft 365 groups can be accessed through mobile apps such as Outlook for iOS and Outlook for Android.
- Group members can send as or send on behalf of the group email address.
- It used for collaboration between users, both inside and outside your company.
Membership types
There are three types of Group membership used to create group.
Assigned – Assigned membership type use to add user or devices manually and can be add device or user both in a single group.
Dynamic User – You can assign user based on user department, locations and with other identity that will automatically add or remove into the group.
Dynamic Device- We can create a group to add or remove devices automatically based on their identity like Device OS Type, Device OS version, and with the other Identity.
For the “Security” group type, there are three types (Assigned, Dynamic User, Dynamic Device) of membership can used.
For the “Microsoft 365” group type, there are three types (Assigned, Dynamic User, Dynamic Device) of membership can used.
- Owners– Group owners can add or remove members and have unique permissions like the ability to delete conversations from the shared inbox or change different settings about the group. Group owners can rename the group, update the description or picture and more.
- Members– Members can access everything in the group but can’t change group settings. By default, group members can invite guests to join your group.
- Roles– Choose admin roles that you want to assign to this user.
How to Create Device Security Groups
Device group is a combination for the devices that are added manually in groups. It can be different types of combination like, All Windows, MAC device, Android device with the multiple filters.
Open Intune console and Click on New Group under Groups.
Select the Group type as “Security” and Group Name, Group Description. Under the membership type choose Assigned.
Select the group Owners,
Click on membership to add devices or user in the group.
Verify all the details you filled and then click on Create.
Click All groups to and search the group name that created.
How to Create Dynamic Group
Devices can be added as an assigned or Dynamic device or Dynamic User types. Dynamic groups for User and Devices can’t be add to a single group. Roles can’t assign to a Device containing groups.
Here is a scenario to create a Dynamic device group.
Open Intune Console and click on Create new group under the Groups tab as shows below.
Select the Security under Group Type and Under Membership type select “Dynamic Device” then assign the group Owners. Click on Add Dynamic query.
Click on add expressions to create a dynamic query.
Select the property, Operators and the value ( here is example to create Windows 10 dynamic query). Click on Add expressions to add multiple queries in group.
Verify the details and click on create.
Click on All groups to view the group that was created.
Here is examples for Device dynamic query.
Device attribute | Values | Example |
accountEnabled | true false | (device.accountEnabled -eq true) |
displayName | any string value | (device.displayName -eq “Rob iPhone”) |
deviceOSType | any string value | (device.deviceOSType -eq “iPad”) -or (device.deviceOSType -eq “iPhone”) |
(device.deviceOSType -contains “AndroidEnterprise”) | ||
(device.deviceOSType -eq “AndroidForWork”) | ||
(device.deviceOSType -eq “Windows”) | ||
deviceOSVersion | any string value | (device.deviceOSVersion -eq “9.1”) |
(device.deviceOSVersion -eq “10.0.17763.0”) | ||
deviceCategory | a valid device category name | (device.deviceCategory -eq “BYOD”) |
deviceManufacturer | any string value | (device.deviceManufacturer -eq “Samsung”) |
deviceModel | any string value | (device.deviceModel -eq “iPad Air”) |
deviceOwnership | Personal, Company, Unknown | (device.deviceOwnership -eq “Company”) |
enrollmentProfileName | Apple Device Enrollment Profile name, Android Enterprise Corporate-owned dedicated device Enrollment Profile name, or Windows Autopilot profile name | (device.enrollmentProfileName -eq “DEP iPhones”) |
isRooted | true false | (device.isRooted -eq true) |
managementType | MDM (for mobile devices) | (device.managementType -eq “MDM”) |
PC (for computers managed by the Intune PC agent) | ||
deviceId | a valid Azure AD device ID | (device.deviceId -eq “d4fe7726-5966-431c-b3b8-cddc8fdb717d”) |
objectId | a valid Azure AD object ID | (device.objectId -eq “76ad43c9-32c5-45e8-a272-7b58b58f596d”) |
devicePhysicalIds | any string value used by Autopilot, such as all Autopilot devices, OrderID, or PurchaseOrderID | (device.devicePhysicalIDs -any _ -contains “[ZTDId]”) (device.devicePhysicalIds -any _ -eq “[OrderID]:179887111881”) (device.devicePhysicalIds -any _ -eq “[PurchaseOrderId]:76222342342”) |
systemLabels | any string matching the Intune device property for tagging Modern Workplace devices | (device.systemLabels -contains “M365Managed”) |