Use groups to manage users and devices in Microsoft Intune

Nathan Bigman

This topic describes how to create groups in Intune. It also provides information about how the management of groups is going to change over the coming months. To learn about the current approach to group management, see Create groups to manage users and devices with Microsoft Intune in this topic.

Notice about coming improvements to the admin experience for groups

Based on your feedback to have one grouping and targeting experience across Enterprise Mobility + Security, we're converting Intune Groups to Azure Active Directory-based Security Groups. This will unify group management across Intune and Azure Active Directory (Azure AD). The new experience will keep you from having to duplicate groups between services, and provides extensibility using PowerShell and Graph.

How does this affect me right now?

This change doesn’t affect you now, but we can tell you what's coming:

  • In September, new accounts provisioned after the monthly service release will use Azure AD security groups rather than Intune user groups.
  • In October, new accounts provisioned after the monthly service release will manage both user and device based groups in the Azure AD portal. There is no impact to existing customers.
  • In November, Intune product team will start migrating existing customers to the new Azure AD based group management experience. All user and device groups in Intune today will be migrated to Azure AD security groups. Migration will be done in batches starting in November. We won’t start migrations until we can minimize any impact to your day-to-day work and expect no end-user impact. We will also provide you a notice prior to your account’s migration.

How and when will I migrate to the new groups experience?

Current customers will be migrated over a period of time. We’re finalizing the schedule for that migration and will update this topic in a few weeks to provide more details. You will get a notice before you are migrated. If you have any migration concerns, please contact our migration team at intunegrps@microsoft.com.

What happens to my existing user and device groups?

User and device groups that you created will be migrated to Azure AD security groups. Default Intune groups, such as the All Users group, will only be migrated if you are using them in deployments at the time of migration. Migration may be more complex for some groups, and we will notify you if additional steps are required for migration.

What new features will be available to me?

Here is the new functionality being introduced:

  • Azure AD Security Groups will be supported in Intune for all types of deployments.
  • Azure AD Security Groups will support grouping of devices along with users.
  • Azure AD Security Groups will support dynamic groups with Intune device attributes. For example, you will be able to dynamically group devices based on platform, such as iOS. That way, when a new iOS device is enrolled in your organization, it will automatically be added to the iOS dynamic device group.
  • Shared admin experiences for group management across Azure AD and Intune.
  • The Intune Service Administrator role will be added to Azure AD to allow service admins in Intune to perform group management tasks in Azure AD.

What Intune functionality won’t be available?

Though the group experience will improve, there will be some Intune functionality that will not be available after the migration.

Group management functionality

  • You will not be able to exclude members or groups when you create a new group. However, Azure AD dynamic groups will allow you to use attributes to create advanced rules to exclude members based on criteria.
  • There won’t be support for Ungrouped Users and Ungrouped Devices groups. Those groups won't be migrated.
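The following is an added example, not code from this page or from the Intune product team, showing the two Azure AD dynamic-group capabilities referred to above: grouping enrolled devices by platform (the iOS case) and replacing an Intune-style exclusion with rule criteria. It uses the AzureAD PowerShell module's New-AzureADMSGroup cmdlet; the group names, the helper function name and the sample rules are assumptions, and dynamic membership requires an Azure AD Premium license.

```powershell
# Added example (not from the original page). Assumes the AzureAD module is
# installed and Connect-AzureAD has already been run as an account allowed to
# create groups. Dynamic membership rules need Azure AD Premium P1 or higher.

# Rule 1: the platform example from the page. Any device whose OS type is iOS
# joins the group automatically when it is registered, and leaves if it changes.
$iosDevicesRule = '(device.deviceOSType -eq "iOS")'

# Rule 2: an exclusion expressed as criteria instead of an Intune "exclude" list.
# Corporate-owned Android devices under MDM management, minus rooted devices.
$androidCorpRule = '(device.deviceOSType -eq "Android") -and ' +
                   '(device.deviceOwnership -eq "Company") -and ' +
                   '(device.managementType -eq "MDM") -and ' +
                   '-not (device.isRooted -eq true)'

# Hypothetical helper (assumed name) that wraps New-AzureADMSGroup so that every
# group created here is a security group with an active dynamic membership rule.
function New-DynamicDeviceSecurityGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MembershipRule,
        [string]$Description = 'Dynamic device group managed in Azure AD'
    )
    # MailNickname must be unique and alias-safe, so derive it from the name.
    $nickname = $DisplayName -replace '[^A-Za-z0-9]', ''

    New-AzureADMSGroup -DisplayName $DisplayName `
        -Description $Description `
        -MailEnabled $false `
        -MailNickname $nickname `
        -SecurityEnabled $true `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $MembershipRule `
        -MembershipRuleProcessingState 'On'
}

$iosGroup = New-DynamicDeviceSecurityGroup -DisplayName 'Devices - iOS' `
    -MembershipRule $iosDevicesRule
$androidGroup = New-DynamicDeviceSecurityGroup -DisplayName 'Devices - Android Corporate' `
    -MembershipRule $androidCorpRule

# Verify what was stored: the rule text and whether processing is switched on.
foreach ($g in @($iosGroup, $androidGroup)) {
    $stored = Get-AzureADMSGroup -Id $g.Id
    "{0}: processing={1} rule={2}" -f $stored.DisplayName,
        $stored.MembershipRuleProcessingState, $stored.MembershipRule
}
```

Membership is evaluated by the directory after the group is created, so a freshly created group may report no members for a few minutes; check it later with Get-AzureADGroupMember -ObjectId $iosGroup.Id.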

Group dependent functionality

  • The Service Admin role will not have Manage groups permissions.
  • You won’t be able to group Exchange ActiveSync devices. Your All EAS Managed Devices group will be converted from a group to a report view.
  • Pivoting with groups in reports will not be available.
  • Custom group targeting of notification rules will not be available.

What should I do to prepare for this change?

We have recommendations that will make this transition easier for you:

  • Clean up any unwanted or unneeded Intune groups before migration.
  • Evaluate your use of exclusion in groups, and consider redesigning your groups so that you don't need to use exclusion.
  • If you have admins who do not have permissions to create groups in Azure AD, ask your Azure AD administrator to add them to the Intune Service Administrator Azure AD role.

Create groups to manage users and devices with Microsoft Intune

This section describes how to create Intune groups in the Intune administration console.

To create and manage groups use the Groups workspace in the Microsoft Intune administration console. The Groups Overview page contains status summaries that help you identify and prioritize issues that require your attention for:

  • Alerts
  • Software updates
  • Endpoint Protection
  • Policy
  • Software management

Also, your group hierarchy is displayed with status summaries to help you identify and resolve problems for members of a selected group.

Tip

When you're creating your groups consider how you will apply policy. For example, you may have policies specific to device operating systems, and policies specific to different roles in your organization, or to Organizational Units you've already defined in Active Directory. Some consider it useful to have device groups specific to iOS, Android, and Windows, as well as user groups for each organizational role.

You'll probably want to create a default policy that applies to all groups and devices, to establish the basic compliance requirements of your company. Then create more specific policies for the broadest categories of users and devices, for example, email policies for each of the device operating systems.

Be careful naming your policies so that you can easily identify them later. For example, a good, descriptive policy name is WP Email Policy for Entire Company.

Each time you create a restrictive policy you'll want to communicate it to your users, so after you create the more general groups and policies pay attention to how you create smaller groups so that you can reduce unnecessary communication.

Create a device group

  1. In the Intune administration console, choose Groups > Overview > Create Group.

  2. Provide a name and optional description for the group and select a device group as the parent group. Choose Next.

  3. On the Define Membership Criteria page, select the type of devices the group will include. Additional options to configure the group depend on the type of devices you select:

    • Computer: Specify whether to include all members of the parent group, the Organizational Units (OU) you want to include or exclude, and the domains you want to include or exclude. The OU and domain information for a computer is obtained from inventory.

    • Mobile: Specify to include only mobile devices that are managed by Intune, those managed by Exchange ActiveSync, or both.

    • All devices: This option includes all devices with no exclusions based on criteria.

  4. On the Define Direct Membership page, include or exclude individual devices you specify by clicking Browse. If you use the option to select devices that are not in the parent group you specified, those devices are automatically added to the parent group.

  5. On the Summary page, review the actions that will be taken. Choose Finish.

You can find the newly created group in the Groups list, in the Groups workspace, under the parent group. From here, you can also edit or delete the group.

Create a user group

  1. In the Intune administration console, choose Groups > Overview > Create Group.

  2. Provide a name and optional description for the group and select a user group as the parent group. Choose Next.

  3. On the Define Membership Criteria page, specify whether to include all members of the parent group or to start with an empty group. You can then include or exclude members based on the Security groups of users that you manually configure in the Office 365 admin center or that synchronize from your local Active Directory. If the membership of a security group changes, membership of user groups based on that security group can also change.

    Important

    Currently, if your group includes members from specific security or manager groups, and you also exclude members from specific groups, the members you initially included will be removed. To create a group that has both included members and excluded members, we recommend that you first create a parent group with the included members, and then create a child to that group in which you list the excluded members. You can then use that child group as appropriate for Intune policies, profiles, and app distribution.

    Note

    In the Azure Management Portal you can create a group based on the manager that the users report to. The group will be dynamic, changing as employees are added to or removed from that manager's team in Azure Active Directory. The procedure for creating an Azure group based on a manager is described in Using attributes to create advanced rules in the section called To configure a group as a “Manager” group.

  4. On the Define Direct Membership page, include or exclude individual users you specify by clicking Browse. If you use the option to select users that are not in the parent group you specified, those users are automatically added to the parent group. At the bottom of the Select Members dialog you will find the option of adding a user manually. This is helpful if you want to add a user who does not yet have an enrolled device.

  5. On the Summary page, review the actions that will be taken. Choose Finish.

You can find the newly created group in the Groups list, in the Groups workspace, under the parent group. From here, you can also edit or delete the group.

Tip

Security groups are a great resource for populating user groups. Since your security groups define who has access to which resources, that can translate well into Intune user groups. Security groups that are synced from Active Directory to Azure Active Directory, or that are created directly in Azure Active Directory through the Office 365 admin center or the Azure Administration portal, are all available to you for creating user groups in Intune.

Tailor views to admin roles

Filtered group views let you tailor the view admins can see based on their role and restrict which groups each IT admin can manage. This can be useful when:

  • Your IT admins should only be able to deploy items to specific users and devices.

  • You want to display only relevant groups to each IT admin.

You can configure filtered group views for service administrators in the Intune administrator console. For details, see What to know before you start Microsoft Intune.

After you configure filtered group views for a service administrator, that administrator:

  • Can view and select only the groups you specified when deploying software or policies, or when using reports

  • Does not receive status information on the following pages of the administration console:

    • System Overview

    • Groups Overview

    • Endpoint Protection Overview

    • Alerts Overview

    • Software Overview

    • Policy Overview

Configure filtered group views

  1. In the Intune administration console, choose Admin > Administrator Management > Service Administrators.

  2. Select the service administrator for whom you want to filter groups, and then click Manage Groups.

  3. In the Select the groups that will be visible to this service administrator dialog box, add the groups that the selected service administrator will be able to access, and then click OK.

After you configure the filtered group views, the IT admin will be able to view and select only the groups you selected.

Manage your groups

After you create your groups, you will continue to manage them according to the needs of your organization.

You can edit your group to change its name and description and who belongs to the group.

You can delete a group that no longer serves the needs of your organization. Deleting a group does not delete the users that belong to that group.

Next steps

Check your design

After you set up your groups and policies, check the practical implications of your design by reviewing the Intended Value and the Status.

  1. Select any device from a device group and browse through the categories of information at the top of the screen.
  2. Select Policy. You'll see something like this screenshot of an Android device's policy settings.

Example iOS settings policy

Each policy has an Intended Value and a Status. The intended value is what you meant to achieve when assigning the policy. The status is what you actually achieved when all of the policies that apply to the device, as well as the restrictions and requirements of the hardware and the operating system, are considered together. In the screenshot you can see two clear examples:

  • Allow simple passwords is set to Yes, as shown in the Intended Value column, but its Status is Not applicable. This is because simple passwords are not supported for Android devices.

  • Similarly, the expanded policy item, Email settings for iOS devices, is not applied to this device, because it is an Android device.

Note

Remember that when two policies with different levels of restriction apply to the same device or user, the more restrictive policy applies in practice.
