
Mastering Intune Groups: A Comprehensive Guide to Static and Dynamic Groups

Overview of Group Types and Creation in Intune: Learn the differences between Static and Dynamic Groups, how to create them, and their respective advantages in Microsoft Intune management.
  • Groups in Intune: Collections of users or devices used to assign apps, policies, and configurations.

  • Types of Groups:

    • User Groups → Target policies/apps to people.

    • Device Groups → Target policies/apps to hardware.

  • Membership Types:

    • Static (Assigned) → Admins manually add/remove members.

    • Dynamic (Rule-based) → Membership auto-updates based on attributes.

  • Creating Static Groups: Go to Intune portal → Groups → New group → Add members manually.

  • Creating Dynamic Groups: Go to Intune portal → Groups → New group → Define membership rules (e.g., OS type, department).

  • Advantages of Static Groups: Simple, predictable, good for small/stable environments.

  • Disadvantages of Static Groups: Manual effort, less scalable, prone to human error.

  • Advantages of Dynamic Groups: Automated, scalable, less admin overhead.

  • Disadvantages of Dynamic Groups: Complex rules, risk of mis-targeting if rules aren’t precise.


Prerequisites for creating Intune groups

  • Access: Azure AD roles like Intune Administrator or User Administrator.

  • Portal: Use Microsoft Intune admin center (Endpoint Manager) or Microsoft Entra admin center.

  • Scope: Decide if you need a User group (target people) or Device group (target hardware).

  • Naming: Define a clear naming convention (e.g., INT-DEV-W11-Autopilot-DYN).


Create a static (assigned) group


Static user group (manual membership)

  1. Open groups:

    • Go to Microsoft Entra admin center → Groups → All groups → New group.

  2. Choose type:

    • Label: Group type

    • Select “Security” (recommended for Intune targeting).

  3. Set details:

    • Label: Group name & description

    • Add meaningful name and description (include scope/purpose).

  4. Membership type:

    • Label: Assigned

    • Pick “Assigned” for static membership.

  5. Add members:

    • Label: Users

    • Select users to include; confirm and create.


Static device group (manual membership)

  1. Open groups:

    • Entra admin center → Groups → All groups → New group.

  2. Choose type:

    • Label: Group type

    • Select “Security.”

  3. Set details:

    • Label: Group name & description

    • Use device-focused naming (e.g., INT-DEV-Shared-Kiosk-ASSN).

  4. Membership type:

    • Label: Assigned

    • Pick “Assigned.”

  5. Add members:

    • Label: Devices

    • Search and add devices; create the group.


Create a dynamic (rule-based) group

Dynamic user group (attribute-based membership)

  1. Open groups:

    • Entra admin center → Groups → All groups → New group.

  2. Choose type:

    • Label: Group type

    • Select “Security.”

  3. Set details:

    • Label: Group name & description

    • Example: INT-USR-Dept-Finance-DYN.

  4. Membership type:

    • Label: Dynamic User

    • Choose “Dynamic User.”

  5. Define rule:

    • Label: Rule syntax

    • Use dynamic membership rule (e.g., department equals “Finance”). Example:

      (user.department -eq "Finance")

  6. Validate & save:

    • Label: Rule validation

    • Use “Validate rules” with sample users → Save → Create.


Dynamic device group (attribute-based membership)

  1. Open groups:

    • Entra admin center → Groups → All groups → New group.

  2. Choose type:

    • Label: Group type

    • Select “Security.”

  3. Set details:

    • Label: Group name & description

    • Example: INT-DEV-Win11-Managed-DYN.

  4. Membership type:

    • Label: Dynamic Device

    • Choose “Dynamic Device.”

  5. Define rule:

    • Label: Rule syntax

    • Use device attributes (OS, enrollmentProfileName, deviceOwnership, etc.).

  6. Validate & save:

    • Label: Rule validation

    • Validate against sample devices → Save → Create.
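
The dynamic device group steps above, scripted with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original guide. The rule shown (corporate-owned Windows devices whose OS version starts with 10.0.2, used here to mean Windows 11) is an assumed illustration for the INT-DEV-Win11-Managed-DYN name.

```powershell
# Added example (not from the original guide). Requires the Microsoft.Graph
# PowerShell SDK and an account that is allowed to create groups.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Assumed rule for the guide's INT-DEV-Win11-Managed-DYN example.
# Windows 11 builds report 10.0.2xxxx; Windows 10 builds report 10.0.1xxxx,
# so -startsWith "10.0.2" keeps Windows 10 devices out of the group.
$rule = '(device.deviceOSType -eq "Windows") and ' +
        '(device.deviceOSVersion -startsWith "10.0.2") and ' +
        '(device.deviceOwnership -eq "Company")'

$params = @{
    DisplayName                   = 'INT-DEV-Win11-Managed-DYN'
    # Rule intent is recorded in the description, as the tips section advises
    Description                   = "Corporate-owned Windows 11 devices. Rule: $rule"
    MailEnabled                   = $false
    MailNickname                  = 'INT-DEV-Win11-Managed-DYN'
    SecurityEnabled               = $true          # "Security" group type
    GroupTypes                    = @('DynamicMembership')
    MembershipRule                = $rule
    MembershipRuleProcessingState = 'On'
}
$group = New-MgGroup @params

# Membership is evaluated asynchronously and may take several minutes.
# Review who actually landed in the group before assigning anything to it.
Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object {
    [pscustomobject]@{
        Device    = $_.AdditionalProperties['displayName']
        OS        = $_.AdditionalProperties['operatingSystem']
        OSVersion = $_.AdditionalProperties['operatingSystemVersion']
    }
} | Format-Table -AutoSize
```

An empty member list right after creation usually means the rule has not been processed yet, not that it matched nothing; re-run the last command after a few minutes.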


Validate membership and use groups in Intune

  • Check membership: Open the group → Members tab → Confirm users/devices appear. Dynamic groups may take several minutes to populate.

  • Assign in Intune: Intune admin center → Apps/Policies/Configurations → Assignments → Select your group → Choose include/exclude as needed.

  • Test targeting: Pilot with a small group before broad rollout; confirm compliance, app install, and policy application.


Tips, advantages, and trade-offs

  • Static groups: Simple and predictable; best for small, stable sets. Manual maintenance; less scalable; risk of stale membership.

  • Dynamic groups: Automated and scalable; great for Autopilot, OS targeting, departments. Requires precise rules; mis-targeting if attributes are inconsistent.

  • Rule hygiene: Prefer equals/startsWith over complex logic; document rule intent in group description.

  • Naming convention: Include audience, platform, scope, and type (e.g., INT-DEV-iOS-Corp-DYN).

  • Governance: Limit who can create groups; review membership regularly; use excludes for exceptions.
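
A periodic review of the rule hygiene, naming, and governance points above can be scripted. The following is an added example, not part of the original guide: `Test-IntuneGroupHygiene` is a hypothetical helper name, the sample groups are constructed, and the -DYN / -ASSN suffix check is inferred from the naming examples in this guide.

```powershell
# Added example: flag groups that break the conventions described in this guide.
function Test-IntuneGroupHygiene {
    param([Parameter(Mandatory, ValueFromPipeline)] $Group)
    process {
        $isDynamic = $Group.GroupTypes -contains 'DynamicMembership'
        $findings  = @()
        # Naming: dynamic groups end in -DYN, assigned groups must not
        if ($isDynamic -and $Group.DisplayName -notmatch '-DYN$') {
            $findings += 'dynamic group without -DYN suffix' }
        if (-not $isDynamic -and $Group.DisplayName -match '-DYN$') {
            $findings += 'assigned group carries -DYN suffix' }
        # Rule intent should be documented in the description
        if ([string]::IsNullOrWhiteSpace($Group.Description)) {
            $findings += 'no description' }
        if ($isDynamic) {
            # A paused rule leaves membership frozen and silently stale
            if ($Group.MembershipRuleProcessingState -ne 'On') {
                $findings += "rule processing is $($Group.MembershipRuleProcessingState)" }
            # Broad operators are the usual source of mis-targeting
            if ($Group.MembershipRule -match '-(not)?(contains|match)\b') {
                $findings += 'rule uses contains/match; prefer -eq or -startsWith' }
        }
        [pscustomobject]@{
            Group    = $Group.DisplayName
            Dynamic  = $isDynamic
            Findings = $findings -join '; '
        }
    }
}

# Constructed sample data, shaped like Get-MgGroup output
$sample = @(
    [pscustomobject]@{ DisplayName = 'INT-USR-Dept-Finance-DYN'; Description = 'Finance users'
        GroupTypes = @('DynamicMembership'); MembershipRuleProcessingState = 'On'
        MembershipRule = '(user.department -eq "Finance")' }
    [pscustomobject]@{ DisplayName = 'Finance laptops'; Description = ''
        GroupTypes = @('DynamicMembership'); MembershipRuleProcessingState = 'Paused'
        MembershipRule = '(device.displayName -contains "FIN")' }
    [pscustomobject]@{ DisplayName = 'INT-DEV-Shared-Kiosk-ASSN'; Description = 'Lobby kiosks'
        GroupTypes = @(); MembershipRuleProcessingState = $null; MembershipRule = $null }
)
$sample | Test-IntuneGroupHygiene | Format-Table -AutoSize -Wrap

# Against a tenant (needs Connect-MgGraph -Scopes 'Group.Read.All'):
# Get-MgGroup -All -Property displayName,description,groupTypes,membershipRule,membershipRuleProcessingState |
#     Test-IntuneGroupHygiene | Where-Object Findings
```

With the constructed sample, only the second group is flagged, with four findings: missing -DYN suffix, no description, paused rule processing, and a -contains rule.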


 
 
 


Disclaimer: The above content is created at Tek-Doyen's sole discretion. Razorpay shall not be liable for any content provided here and shall not be responsible for any claims and liability that may arise due to merchant’s non-adherence to it.
