Forum Discussion

underQualifried
Copper Contributor
Jan 21, 2025

Dynamic device group from InTune user groups

We've onboarded a number of users into Intune, and we're all new to it. Previously, they were on MaaS360, which had both device groups and user groups, and you could assign to either individually. A bit shocked Intune can only assign down to the group level. (I know Filters exist, but these only filter by devices, and take longer than just creating a new group.) Anyway, trying to rebuild things as closely to MaaS as possible. For onboarding, we created user groups, so when a user enrolled, they would automatically get the right policies. We couldn't create a device group until the devices were enrolled AND logged in, and showing in Entra. However, the tenant actually wants the groups to be by DEVICE for various reasons (replacing people, for example). So I have two questions:

Is there a way to dynamically generate the device groups, based off each user's group association? 

Also, since devices can't be grouped without an associated Entra ID (either dynamically or manually), if a user leaves/signs out, will that device automatically lose all its group associations?


If there is another way to get the structure the tenant wants, I'm all ears. But essentially, the devices have different hardware, and they want their department to be tracked even if they have no user.

  • CaedenV
    Jan 21, 2025

    Intune is often very 'device centric' in how things are applied, so that is likely related to the issues they are running into wishing for user assignment to apply more like machine assignments.

    When you apply things to a user group, then you have a bit of 'tyranny of the previous user' as many system level settings won't apply until the next login after the setting is applied.  Especially in environments where there may be 1 primary user on a device, but others may use or borrow a device on occasion, it can become a real policy troubleshooting mess if things are assigned primarily at the user group level.  Best practice is to always assign to the machine group wherever practical, and do your best to keep user assignments to things that only affect the user... But at least with Intune you have much more flexibility to apply system level changes to user accounts where it is needed, so it isn't all bad... just different from AD in subtle ways that people don't realize at first.

    That being said... a lot of this (but not all of it) can be avoided with Autopilot and setting up multiple Autopilot policies that dump devices into useful default groups when they are ingested, and assigning the right devices to the right policies for the right initial machine group assignment. Or pre-assigning a user at the Autopilot level so that the initial login applies that user's group assignments on first login (and preventing the wrong user from taking that first login) instead of having to log in once, open Company Portal, force a sync, and reboot to get the 'real first experience' the user is expecting.

  • Hi, I don't see the point here; you can also use dynamic user groups, for example:

    • all users with title = Manager: (user.jobTitle -eq "Manager")
    • all users from France: (user.country -eq "France")
    • all users with an enterprise licence: (user.assignedPlans -any (assignedPlan.servicePlanId -eq "43de0ff5-c92c-492b-9116-175376d08c38" -and assignedPlan.capabilityStatus -eq "Enabled"))

    (and so many other attributes)
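The rules above are for dynamic user groups, but the original question was how to get device groups out of each user's group membership so that a device keeps its department assignment after the user leaves. As an added example (not code from anyone in this thread), the Microsoft Graph PowerShell script below mirrors the members of an Entra user group onto an assigned (static) device group: every user in the user group contributes the devices registered to them, the script adds any that are missing, and it deliberately never removes a device, so membership survives a sign-out or a departed user. The group names "Dept-Finance-Users" and "Dept-Finance-Devices" are assumptions; it requires the Microsoft.Graph.Groups and Microsoft.Graph.Users modules and an account that can manage groups. Devices that were enrolled with no user at all have nothing registered to them and are not picked up by this approach; for those, a device category rule such as (device.deviceCategory -eq "Finance") on a dynamic device group is the usual alternative.

```powershell
# Added example: mirror an Entra user group's members onto a static device group.
# Assumed (hypothetical) group names; change them to match the tenant.
param(
    [string]$UserGroupName      = 'Dept-Finance-Users',    # assumption
    [string]$DeviceGroupName    = 'Dept-Finance-Devices',  # assumption
    [string[]]$OperatingSystems = @('iOS', 'iPadOS')       # only mirror these platforms
)

# Group.ReadWrite.All covers creating the device group; GroupMember.ReadWrite.All covers adding members.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'GroupMember.ReadWrite.All', 'User.Read.All', 'Device.Read.All'

$userGroup = Get-MgGroup -Filter "displayName eq '$UserGroupName'"
if (-not $userGroup) { throw "User group '$UserGroupName' not found" }

# Create the device group as an assigned (static, non-dynamic) security group if it is missing.
$deviceGroup = Get-MgGroup -Filter "displayName eq '$DeviceGroupName'"
if (-not $deviceGroup) {
    $deviceGroup = New-MgGroup -DisplayName $DeviceGroupName `
        -MailEnabled:$false `
        -MailNickname ($DeviceGroupName -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled:$true
}

# Index the device group's current members so the script is idempotent on re-runs.
$existing = @{}
Get-MgGroupMember -GroupId $deviceGroup.Id -All | ForEach-Object { $existing[$_.Id] = $true }

# Every user in the user group -> every device registered to that user -> candidate for the device group.
$wanted = @{}
foreach ($member in Get-MgGroupMember -GroupId $userGroup.Id -All) {
    # Skip nested groups or other object types; only users have registered devices.
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    foreach ($device in Get-MgUserRegisteredDevice -UserId $member.Id -All) {
        $os = $device.AdditionalProperties['operatingSystem']
        if ($OperatingSystems -notcontains $os) { continue }
        $wanted[$device.Id] = $device.AdditionalProperties['displayName']
    }
}

# Add only what is missing; never remove, so a device keeps its group after its user is gone.
foreach ($deviceId in $wanted.Keys) {
    if ($existing.ContainsKey($deviceId)) { continue }
    New-MgGroupMember -GroupId $deviceGroup.Id -DirectoryObjectId $deviceId
    Write-Host "Added $($wanted[$deviceId]) ($deviceId) to $DeviceGroupName"
}
# If retirements should be mirrored too, Remove-MgGroupMemberByRef is the cmdlet to call for
# devices in $existing that are no longer in $wanted; that is intentionally left out here.
```

Run it on a schedule (for example from Azure Automation) so new enrollments are picked up; because it only ever adds, re-running it is safe, and the device group can then be the assignment target for the device-scoped policies the tenant wants.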


  • underQualifried
    Copper Contributor

    This is exactly it. The tenant wants the configurations to be assigned to the device, not the user.

    I had to look up Autopilot; these are iOS devices, and I hadn't encountered it. But it seems to be equivalent to Automated Device Enrollment. I didn't set this up (it was set up, just not by me), but researching has led me to Device Categories as a simple way of associating devices to departments, independent of users. Still wondering, though: if a device doesn't have a user, will a dynamic group picking categories grab that device? It seemed like devices weren't available for grouping without a user.

