We've heard your feedback and are making some changes to how you work with groups in Microsoft Intune. We are in the process of migrating all of our customers' Intune groups to Azure Active Directory security groups.

The benefit to you is that you will now use the same groups experience across all of your Enterprise Mobility + Security and Azure AD apps. Additionally, you'll be able to use PowerShell and the Graph API to extend and customize this new functionality.

Azure AD security groups support all types of Intune deployments to both users and devices. Additionally, you can use Azure AD dynamic groups that automatically update based on the attributes you supply. For example, you could create a group of devices that run iOS 9. Whenever a new device that runs iOS 9 is enrolled, it will be automatically added to the dynamic group.

When is this happening?

The migration process is underway right now. You'll be notified before we migrate you. If you've already been migrated, you'll see a message similar to this when you try to access groups from the classic Intune console:


What won't be available?

Some existing capabilities of Intune groups are not available in Azure AD:

  • The Ungrouped Users and Ungrouped Devices Intune groups won't be migrated.
  • The option to Exclude specific members from a group that currently exists in the Intune console does not exist in the Azure portal. However, you can use an Azure AD security group with advanced rules to replicate this behavior. For example, you could create an advanced rule that includes all people in your Sales department in a security group, but not those who have the word "Assistant" in their title, by using this advanced rule: (user.department -eq "Sales") -and -not (user.jobTitle -contains "Assistant").
  • The All Exchange ActiveSync Managed Devices group that's built in to the Intune console will not be migrated to Azure AD. However, you can still access information about EAS managed devices from the Azure portal.
  • You won't be able to filter reports by groups in the classic Intune console.
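Creating the two dynamic groups the text describes (the iOS 9 device group from the introduction and the Sales rule that replaces an Exclude specific members group), as an added example using the Microsoft Graph PowerShell SDK; this is not code from the original page. The group names, mail nicknames and the device rule are assumptions, and the script assumes an account that can consent to Group.ReadWrite.All.

```powershell
# Added example (not part of the original page). Assumes the Microsoft.Graph
# module is installed and the signed-in admin can consent to Group.ReadWrite.All.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

function New-DynamicSecurityGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MailNickname,
        [Parameter(Mandatory)] [string] $MembershipRule
    )
    # GroupTypes "DynamicMembership" plus a rule makes the group dynamic;
    # MembershipRuleProcessingState "On" tells Azure AD to evaluate the rule.
    New-MgGroup -DisplayName $DisplayName `
        -MailNickname $MailNickname `
        -MailEnabled:$false `
        -SecurityEnabled:$true `
        -GroupTypes "DynamicMembership" `
        -MembershipRule $MembershipRule `
        -MembershipRuleProcessingState "On"
}

# Device group for the page's iOS 9 example (rule text is an assumption written in
# the hyphenated advanced-rule syntax the page quotes): every enrolled device whose
# OS is iOS 9.x joins automatically, no manual membership changes needed.
$iosGroup = New-DynamicSecurityGroup -DisplayName "Devices - iOS 9" `
    -MailNickname "devices-ios9" `
    -MembershipRule '(device.deviceOSType -eq "iOS") -and (device.deviceOSVersion -startsWith "9.")'

# User group that replaces an Intune "Exclude specific members" group with the
# page's advanced rule: everyone in Sales except job titles containing "Assistant".
$salesGroup = New-DynamicSecurityGroup -DisplayName "Sales (no assistants)" `
    -MailNickname "sales-no-assistants" `
    -MembershipRule '(user.department -eq "Sales") -and -not (user.jobTitle -contains "Assistant")'

# Read both groups back and confirm the rule is being processed. Membership is
# evaluated asynchronously, so members appear only after Azure AD has run the rule;
# a group left in the "Paused" state keeps stale membership, and any policy or app
# targeted at it keeps applying to whoever happened to be in it when it was paused.
foreach ($g in @($iosGroup, $salesGroup)) {
    $check = Get-MgGroup -GroupId $g.Id `
        -Property @("displayName", "membershipRule", "membershipRuleProcessingState")
    "{0}: [{1}] state={2}" -f $check.DisplayName, $check.MembershipRule, $check.MembershipRuleProcessingState
}
```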

How to get ready

  • Read the following Azure AD topics to learn about Azure AD security groups and how they work:
  • Consider removing any Intune groups you no longer use before you migrate.
  • Make sure that any admins who need to create groups are added to the Intune Service Administrator Azure AD role. Note that the Azure AD Service Admin role does not have Manage Group permissions.
  • If you use groups with the option Exclude specific members, consider whether you can redesign these groups to not need exclusions, or whether you can use advanced rules in your Azure AD query to achieve the same result.

What happens to Intune groups?

| Groups in Intune | Group in Azure AD |
| --- | --- |
| Static user group | Static Azure AD security group |
| Dynamic user group | Static Azure AD security groups with an Azure AD security group hierarchy |
| Static device group | Static Azure AD security group |
| Dynamic device group | Dynamic Azure AD security group |
| A group with an include condition | Static Azure AD security group containing any static or dynamic members from the include condition in Intune |
| A group with an exclude condition | Not migrated |
| The built-in groups: All Users, Ungrouped Users, All Devices, Ungrouped Devices, All Computers, All Mobile Devices, All MDM Managed Devices, and All EAS Managed Devices | Azure AD security groups |

In Intune, all groups have to have a parent group. Groups can only contain members from their parent group. In Azure AD, child groups can contain members that the parent group does not have.

Attributes are device properties that may be used in defining groups. This table describes how those criteria will be migrated to Azure AD security groups.

| Attribute in Intune | Attribute in Azure AD |
| --- | --- |
| Organizational Unit (OU) attribute for device groups | OU attribute for dynamic groups |
| Domain name attribute for device groups | Domain Name attribute for dynamic groups |
| Security group as an attribute for user groups | Groups cannot be attributes in Azure AD dynamic queries. Dynamic groups can only contain user- or device-specific attributes. |
| Manager attribute for user groups | Advanced rule for the manager attribute in dynamic groups |
| All users from the parent user group | Static group with that group as a member |
| All mobile devices from the parent device group | Static group with that group as a member |
| All mobile devices managed by Intune | Management Type attribute with "MDM" as the value for a dynamic group |
| Nested groups within static groups | Nested groups within static groups |
| Nested groups within dynamic groups | Dynamic group with one level of nesting |

What happens to policies and apps you've already deployed?

Policies and apps continue to be deployed to groups, just like before. However, you'll now manage these groups from the Azure portal instead of the classic Intune console.