One of the principles of proper AD administration is to congregate your users into groups to make it easier to assign permissions and rights. We use groups within Intune as well for this same reason. In this case, Intune uses Azure AD to manage access to your company’s resources which is controlled using roles in the directory. There are two default groups within every implementation of Intune.
- All devices
- All users
If you are using Intune for Education and you use School Data Sync to import you school records, you have two additional default groups.
- All teachers
- All users
These default groups represent a very broad scope and by themselves probably aren’t of much use. That is why we need to create custom groups that can be tailored to the needs of our organization. There are two types of custom created groups in Intune, one being Assigned Groups. Assigned groups are used when you want to manually add specific users or devices to a group. You can create groups by a number of criteria such as geographic location, department, hardware characteristics, etc. For instance, you could create one assigned group for your Windows 10 devices and one for your iPads. You could create one for your desktop PCs and one for your mobile devices. You can separate users into separate groups as well such as HR, Finance and Marketing. You can then use those groups to assign policies to users or deploy apps to a set of devices. Note that the ability to create custom groups is available in any MDM service, not just Intune.
Creating a group is easy. Go to the Groups section of Intune and click “New Group.” Then add the required information for that group. In this case we would select “Assigned” as the membership type.
Once the group is made, you can then assign users to that group. Note that just as in domain joined AD, you can nest groups within one another. These subgroups can be used to break down large groups into smaller more manageable sizes. Groups have a hierarchical structure to them in Intune which allows for inheritance. Parent groups are at the top of the hierarchy and any settings applied to these parent groups are passed down to the subgroups. This settings inheritance feature makes it easer to apply settings to large numbers of users and devices. Know that you can only create subgroups under assigned groups.