002: Device groups
Overview�
-
Overview of Intune Grouping and Targeting Concepts:
- Azure Active Directory (Azure AD) Groups: Intune primarily uses Azure AD groups for grouping and targeting. These groups allow you to assign apps, policies, and other workloads to users and devices. They're also used for role-based administration (RBAC) as scope groups.
- Virtual Groups: The "All users" and "All devices" assignments are Intune's virtual groups. They exist by default in all Intune tenants and don't require manual management. They're highly scalable and optimized.
- Filters: Filters allow you to narrow the assignment scope of apps and policies. You can target user or device groups and filter devices based on specific properties. Filtering is high-performance and evaluated during device check-in without pre-computation¹.
-
Benefits of Device Groups:
- Granularity: Device groups allow precise targeting. You can create groups based on device properties (e.g., OS version, compliance status).
- Efficiency: Assigning policies to smaller device groups reduces synchronization overhead and speeds up deployments.
- Troubleshooting: Device groups help isolate issues by narrowing down the affected devices.
-
Drawbacks and Considerations:
- Synchronization Backlogs: Large Azure AD groups with many users or devices can cause synchronization delays. Policy and app deployments take longer to reach managed devices¹.
- Tattooed Settings: If settings or apps are applied before device filters are evaluated, troubleshooting unexpected configurations becomes challenging².
-
Device Groups vs. User Groups:
- Device Groups: Ideal for device-specific policies (e.g., security settings, app installations).
- User Groups: Useful for user-centric policies (e.g., user-targeted apps, conditional access).