Support for Dynamic (User & Device) Groups
Providing support of dynamic groups for both users and devices. We heard a lot of feedback from customers who are looking for dynamic group support in Intune. Currently groups can be populated based on parent group inheritance or AD security groups. However, this is limited to user objects only and doesn't support managed device/computer objects. Customers are looking for a more granular way to automatically populate groups to ease operational management.
Microsoft Intune and EMS Conditional Access capabilities are both now Generally Available in the Azure portal. From this point forward, all new Intune and conditional access features will be delivered in the new portal, so keep an eye out. https://blogs.technet.microsoft.com/enterprisemobility/2017/06/08/the-new-intune-and-conditional-access-admin-consoles-are-ga/
We still have a very small number of customers who haven’t been migrated due to bugs on our side, and we’re fixing those as fast as we can. There are also accounts we haven’t migrated because they have configurations we can’t support in Azure. For more information, including how to tell if your account has been migrated, see http://aka.ms/intunemigrationblockers. But since we hit “GA”, we’ll call this complete.
Chad Simmons commented
There is a definite need to be able to create dynamic user, device, and computer groups by any/all user/device attributes.
Thomas K commented
An absolute must, why is that still missing?
Marc V commented
We would like this as well. We are in trial mode right now and this is a feature we really want in our environment.
We currently are using SCCM 2007 and looking to see if switching to just an InTune standalone without a SCCM hybrid solution would work for us since we are a smaller org with under 1000 managed PCs. We are mainly looking into using InTune as an alternative to SCCM or SCCM/InTune hybrid.
We are of course interested in the other nice features with users and mobile device management, but our immediate need is PC device management. Currently we use many dynamic collections in SCCM and wanted to do the same or something similar in InTune, and currently it does not look possible.
Thom McKiernan commented
We use the computer name to enable us to manage our various tablet roles, e.g. POS-1234 for point of sale tablets or BOH-1234 for back office tablets.
It would be great if I could set a rule to say "if Computer name starts POS* then add to "POS" group"
Even better would be a rule "if Computer name starts POS-0001 to POS-0100 then add to "POS Pilot" group, else add to "POS Rollout" group"
William Bracken commented
Kyle Townend commented
Dynamic device groups based on device OS, version, etc. would all be very useful. Additionally, dynamic membership based on what user domain is assigned to a device. For example, email@example.com's devices all get moved to the SALES group to get Sales policies, and firstname.lastname@example.org's devices all get moved to the ENGINEERING group, etc.
Nils van Woensel commented
Gary Emmerton commented
Definitely needed - the need to deploy correct policies to devices by dynamically adding them to the correct groups is essential, especially for Azure AD joined (i.e. not on-premise AD domain joined).
Track V commented
Not being able to select AD security Groups or to create dynamic groups for DEVICES. This is a deal breaker.
Microsoft Intune Developers - please create this feature A.S.A.P.
Devices group management has to be more flexible like having dynamic groups based on OS type for example. This way, you will be able to have a group for iOS, Android and let's say MDM managed Windows 10.
Takema Murata commented
I strongly agree with this idea! Also, getting OU information from local AD is not dynamic either. Information acquisition of the OU happens only when enrolling the device. Customers who manage Intune groups with OU criteria can't update OU rename and delete information in the Intune Admin Console. By performing the information acquisition of the OU more dynamically, operation becomes efficient.
I just had this discussion with the folks who manage our Azure AD deployment. The easiest thing to do is make the dynamic groups in AD. We are doing ours by the department field. From there you can link those dynamic groups to your Intune groups.
I do agree though that having this functionality in Intune would be a bonus as Intune administrators don't always have access to modify groups in AD.