Intune uses Azure Active Directory (Azure AD) groups to manage devices and users. As an Intune admin, you can set up groups to suit your organizational needs. Create groups to organize users or devices by geographic location, department, or hardware characteristics. Use groups to manage tasks at scale. For example, you can set policies for many users or deploy apps to a set of devices.
You can add the following types of groups:
- Assigned groups – Manually add users or devices into a static group.
- Dynamic groups (Requires Azure AD Premium) – Automatically add users or devices to user groups or device groups based on an expression you create.For example, when a user is added with the manager title, the user is automatically added to an All managers users group. Or, when a device has the iOS/iPadOS device OS type, the device is automatically added to an All iOS/iPadOS devices devices group.
Add a new group
Use the following steps to create a new group.
- Sign in to the Microsoft Endpoint Manager admin center.
- Select Groups > New group:
- In Group type, choose one of the following options:
- Security: Security groups define who can access resources, and are recommended for your groups in Intune. For example, you can create groups for users, such as All Charlotte employees or Remote workers. Or, create groups for devices, such as All iOS/iPadOS devices or All Windows 10 student devices. TipThe users and groups created can also be seen in the Microsoft 365 admin center, Azure Active Directory admin center, and Microsoft Intune in the Azure portal. In your organization tenant, you can create and manage groups in all these areas.If your primary role is device management, we recommend you use the Microsoft Endpoint Manager admin center.
- Office 365: Provides collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, and more. This option also lets you give people outside of your organization access to the group. For more information, see Learn about Office 365 Groups.
- Enter a Group name and Group description for the new group. Be specific and include information so others know what the group is for.For example, enter All Windows 10 student devices for group name, and All Windows 10 devices used by students in Contoso high school grades 9-12 for group description.
- Enter the Membership type. Your options:
- Assigned: Administrators manually assign users or devices to this group, and manually remove users or devices.
- Dynamic User: Administrators create membership rules to automatically add and remove members.
- Dynamic Device: Administrators create dynamic group rules to automatically add and remove devices.
- Choose Create to add the new group. Your group is shown in the list.
Consider some of the other dynamic user and device groups you can create, such as:
- All Students in Contoso high school
- All Android Enterprise devices
- All iOS 11 and older devices
- Human Resources
- All Charlotte employees
- All WA employees
Groups and policies
Access to your organization’s resources are controlled by users and groups you create.
- Policies that are specific to a device operating system.
- Policies that are specific to different roles in your organization.
- Policies that are specific to organizational units you defined in Active Directory.
To create the basic compliance requirements of your organization, you can create a default policy that applies to all groups and devices. Then, create more specific policies for the broadest categories of users and devices. For example, you might create email policies for each of the device operating systems.