Microsoft Intune classic groups in the Azure portal

We've heard your feedback and have made changes to how you work with groups in Microsoft Intune. If you are using Intune from the Azure portal, your Intune groups have been migrated to Azure Active Directory security groups.

The benefit to you is that you now use the same groups experience across all of your Enterprise Mobility + Security and Azure AD apps. Additionally, you can use PowerShell and Graph API to extend and customize this new functionality.

Azure AD security groups support all types of Intune deployments to both users and devices. Additionally, you can use Azure AD dynamic groups that automatically update based on the attributes you supply. For example, you could create a group of devices that run iOS 9. Whenever a device running iOS 9 enrolls, the device automatically appears in the dynamic group.

What is not available?

Some of the Intune groups capabilities you previously might have used are not available in Azure AD:

  • The Ungrouped Users and Ungrouped Devices Intune groups are no longer available.

  • The option to Exclude specific members from a group does not exist in the Azure portal. You can, however, use an Azure AD security group with advanced rules to replicate this behavior. For example, to create an advanced rule that includes all people in your Sales department in a security group, but excludes those with the word "Assistant" in their title, you could use this advanced rule:

    (user.department -eq "Sales") -and -not (user.jobTitle -contains "Assistant")

  • The All Exchange ActiveSync Managed Devices group in the Intune classic console was not migrated to Azure AD. You can, however, still access information about EAS-managed devices from the Azure portal.
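
The advanced rule above can also be applied from PowerShell to recreate a group whose exclude condition did not carry over. This is an added example, not part of the original article; it assumes the Microsoft Graph PowerShell module, and the display name, description and mail nickname are placeholders.

```powershell
# Added example. Assumes the Microsoft.Graph PowerShell module is installed and
# the signed-in account may create groups. Names below are placeholders.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# The advanced rule from the article, unchanged.
$rule = '(user.department -eq "Sales") -and -not (user.jobTitle -contains "Assistant")'

$params = @{
    DisplayName                   = 'Sales (no assistants)'    # placeholder
    Description                   = 'Dynamic replacement for an Intune group with an exclude condition'
    MailEnabled                   = $false
    MailNickname                  = 'sales-no-assistants'      # placeholder
    SecurityEnabled               = $true
    GroupTypes                    = @('DynamicMembership')
    MembershipRule                = $rule
    MembershipRuleProcessingState = 'On'
}
$group = New-MgGroup @params

# Membership is evaluated asynchronously, so run this check some time after
# creation. Any row reported here is a member the rule was meant to keep out.
$members = Get-MgGroupMember -GroupId $group.Id -All
$unexpected = foreach ($m in $members) {
    $title = [string]$m.AdditionalProperties['jobTitle']
    if ($title -like '*Assistant*') {
        [pscustomobject]@{
            UserPrincipalName = $m.AdditionalProperties['userPrincipalName']
            JobTitle          = $title
        }
    }
}

'{0} members, {1} unexpected' -f @($members).Count, @($unexpected).Count
$unexpected | Format-Table -AutoSize
```

Run the membership check before assigning policies or apps to the new group, so that a rule typo does not silently widen who receives them.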

How to get started?

What happened to Intune groups?

When groups are migrated from the Azure portal to Intune in the Azure portal, the following rules are applied:

| Groups in Intune | Groups in Azure AD |
|---|---|
| Static user group | Static Azure AD security group |
| Dynamic user group | Static Azure AD security groups with an Azure AD security group hierarchy |
| Static device group | Static Azure AD security group |
| Dynamic device group | Dynamic Azure AD security group |
| A group with an include condition | Static Azure AD security group containing any static or dynamic members from the include condition in Intune |
| A group with an exclude condition | Not migrated |
| The built-in groups: All Users; Ungrouped Users; All Devices; Ungrouped devices; All Computers; All Mobile Devices; All MDM-managed devices; All EAS-managed devices | Azure AD security groups |

Group hierarchy

In the Intune console, all groups had a parent group. Groups could only contain members of their parent group. In Azure AD, child groups can contain members not in their parent group.

Group attributes

Attributes are device properties that may be used in defining groups. This table describes how those criteria migrate to Azure AD security groups.

| Attribute in Intune | Attribute in Azure AD |
|---|---|
| Organizational Unit (OU) attribute for device groups | OU attribute for dynamic groups. |
| Domain name attribute for device groups | Domain Name attribute for dynamic groups. |
| Security group as an attribute for user groups | Groups cannot be attributes in Azure AD dynamic queries. Dynamic groups can only contain user or device-specific attributes. |
| Manager attribute for user groups | Advanced Rule for manager attribute in dynamic groups |
| All users from the parent user group | Static group with that group as a member |
| All mobile devices from the parent device group | Static group with that group as a member |
| All mobile devices managed by Intune | Management Type attribute with 'MDM' as value for dynamic group |
| Nested groups within static groups | Nested groups within static groups |
| Nested groups within dynamic groups | Dynamic group with one level of nesting |

What happens to policies and apps you previously deployed?

Policies and apps continue to be deployed to groups, just like before. However, you now manage these groups from the Azure portal, instead of the Intune console.