Groups. They are in essence one of the fundamental pieces of Intune. If you want to deploy software, assign policies, Compliance Items, anything at all, you are going to need to work with a group to make it happen. Groups can be considered the backbone of Intune.
So, no better place to start then. Let’s talk about groups.
One of the things to remember about Intune is that it consolidates a number of on-prem management platforms. It takes on the tasks normally attributed to not only Configuration Manager, but also Group Policy for example. The organizational “bucket” in Intune is the group and it correlates not only to ConfigMgr collections, but also Organizational Units as well as Security Groups in Active Directory.
The group is the foundational piece of Intune that just about everything relates to. You deploy software to a group. You assign policies to a group. You target software updates to a group. You control permissions with a group. The group is probably a good place to start then.
Groups as Collections
With Configuration Manager you have collections, with Intune you have groups. Fundamentally they are the same, they are simply a “bucket” into which you will gather either devices or users that you want to take some sort of action upon.
Now, some things to point out:
|Can schedule updating membership||No custom scheduling of membership|
|Can nest in folders for organization||Flat structure, no folder organization|
Naming convention is critical!
|User and Device collections isolated||Can mix User and Device group members|
Do not do it!
|Can mix different rules (query, static, include/exclude)||Can NOT mix Static and Dynamic|
(See note blow)
|Include / Exclude collection||Nested groups (includes, no excludes)|
|Rich and customizable query language||Limited query options, no custom inventory items|
|Limiting collections||No equivalent to limiting collections.|
While you can create custom schedules for updating collections in ConfigMgr, you cannot do the same with Intune. Intune will update the group memberships on its own internal schedule.
Intune has a completely flat structure. There are no folders to organize objects like you have with Configuration Manager. Therefore, it is extremely important to have a solid naming convention. Otherwise locating groups and keeping things organized will become exceedingly difficult.
User vs. Device
In Configuration Manager user and device collections are isolated and you cannot mix memberships between the two. With Intune that isolation is not entirely present. While you cannot mix memberships between dynamic groups, you CAN mix users and devices in assigned (aka “static”) groups.
Do not do this! This will most likely lead to headaches and unintended, unexpected results.
Assigned vs. Dynamic
Intune has two (well technically three) types of groups:
- Dynamic Device
- Dynamic User
An “Assigned” group is like a collection made up entirely of directly added resources. No query or rule is involved, it is simply a static assignment of either a user and/or a device. Again, using an assigned group you can include both users and devices. Do not do this.
Dynamic Device / Dynamic User
The other type of group utilizes a query to gather up either devices or users. There is no mixing of the two, as you specify what type when the group is created.
|Not being able to mix Assigned and Dynamic groups is actually rather hazy topic. You could create a dynamic group and leverage the new MemberOf attribute to pull in members from assigned groups as well as other dynamic groups. So, while you cannot mix assigned and dynamic rules within the same group, you could use the MemberOf attribute to achieve the same results.|
Creating a Group
While the console and “wizard” will look different, the process for creating a group in Intune should be very familiar to those who have created collections before.
From within the Intune console, you would select Groups > All Groups. Then select New Group.
When the New Group “wizard” appears you simply fill in the form. You can see that there isn’t a great deal of information required. Group Name, Group Description are self-explanatory. The Membership Type is where you would select Assigned / Dynamic Device / Dynamic User. Overall, it is a very simple process to create a group.
If you choose to create a Dynamic Device or User group, you will then need to add the query that will be used to populate the group with members.
There are links to the Microsoft docs for the in-depth info on creating groups, queries, etc. in the Reference Info section at the end of this post.
Creating and Populating an Assigned Group
After you have created an assigned group, you of course will need to add members to populate it.
Here I have created a simple group named “Demo – Assigned Group”. You can see in the image that there are 0 members (bottom right corner of the image).
To add members, click on the Members link in the far-left column. Of course, there are no members, so click on Add Members.
This will open a pane where you can select what objects you want to add.
I stress objects because as I mentioned above with an assigned group you can add devices and users in the same group. You can also add other groups as well.
Again, you really should not mix memberships like this. If you do so the results could be very unpredictable and lead to a great deal of time troubleshooting. Don’t do it.
Creating and Populating a Dynamic Group
Next, we will create a dynamic group of users. We are going to create a group that pulls in the teachers in the organization. They can be identified by the department value being set to “Teacher” on their user accounts.
So, I’ll create a Dynamic User group named “Demo – Teachers”.
Next, we need to click on the Add dynamic query hyperlink at the bottom of the wizard. This will take use to the query editor.
Here you can build out your query.
- From the Property pulldown list, select Department
- From the Operator pulldown list, select Equals
- In the Value field type Teacher
Once you click outside of that field you will see the query statement populate.
Intune has a nice feature where you can validate your query rule before moving on. At the top of the screen click on Validate Rules (Preview).
Click on the Add Users link and select a series of users, similar to adding members to an assigned group. Intune will then process your query against those selected users and display the results. A red X means that it failed the query (Department did NOT equal “Teacher”) while a green checkmark means it passed the query (Department did equal “Teacher”).
This has just been an intro to groups in Intune. In upcoming posts, we will be using groups heavily and we’ll see how they can be used to achieve our objectives.