Build the Right Device Groups
Groups are how Intune targets policies, apps, and compliance checks to the right devices. Learn to plan dynamic, assigned, and nested groups in Microsoft Entra ID.
Why do device groups matter?
Think of groups as mailing labels on parcels.
You wouldn’t send the same parcel to every address. Groups let you label devices so the right policies, apps, and settings reach the right machines. “All Windows laptops in Finance” get the Finance apps. “All shared tablets in the warehouse” get kiosk mode. Without groups, you’d be stuck applying everything to everyone — or nothing to anyone.
Types of groups
Chen Wei at Meridian Bank manages 10,000+ devices. Manually adding devices to groups would take weeks and fall out of date immediately. That’s why understanding group types is critical.
| Feature | Assigned Groups | Dynamic Device Groups | Dynamic User Groups |
|---|---|---|---|
| Members added by | Admin manually | Automatic rules based on device properties | Automatic rules based on user properties |
| Updates automatically | No — admin must maintain | Yes — re-evaluated as properties change | Yes — re-evaluated as properties change |
| Best for | Pilot groups, exceptions, small sets | Large-scale targeting by OS, model, department | Targeting by user location, job title, department |
| Licence required | Any Entra ID tier | Entra ID P1 or P2 | Entra ID P1 or P2 |
| Example rule | N/A (manual) | device.deviceOSType -eq 'Windows' | user.department -eq 'Finance' |
| Evaluation time | Instant (manual add) | Minutes to hours (depends on tenant size) | Minutes to hours |
Dynamic membership rules
Dynamic groups use rules that automatically add or remove members based on properties. Here are the most common patterns for device groups:
Common device group rules
| Scenario | Rule Syntax |
|---|---|
| All Windows devices | (device.deviceOSType -eq "Windows") |
| All iOS devices | (device.deviceOSType -eq "iPhone") -or (device.deviceOSType -eq "iPad") |
| All Android devices | (device.deviceOSType -contains "Android") |
| All Autopilot devices | (device.devicePhysicalIds -any (_ -startsWith "[ZTDID]")) |
| Devices with a specific naming prefix | (device.displayName -startsWith "TUI-") |
| Corporate-owned devices only | (device.deviceOwnership -eq "Company") |
| Devices enrolled in the last 7 days | (device.registeredDateTime -ge "2026-04-14T00:00:00Z") |
Exam tip: Autopilot device group rule
The rule (device.devicePhysicalIds -any (_ -startsWith "[ZTDID]")) is a frequently tested concept. It catches all devices registered via Windows Autopilot using their Zero-Touch Device ID. This is how you target Autopilot deployment profiles to the right devices before they even boot up for the first time.
If the exam asks “how do you assign an Autopilot profile to devices before they’re enrolled?” — the answer involves a dynamic group with this ZTDID rule.
Planning a group strategy
Chen Wei’s group strategy at Meridian Bank:
| Group Name | Type | Rule / Members | Purpose |
|---|---|---|---|
| All Corporate Windows | Dynamic Device | deviceOSType -eq "Windows" AND deviceOwnership -eq "Company" | Windows security baselines, BitLocker encryption |
| All Corporate iOS | Dynamic Device | deviceOSType -eq "iPhone" OR deviceOSType -eq "iPad" | iOS compliance policy, managed app config |
| Autopilot Devices | Dynamic Device | devicePhysicalIds contains ZTDID | Autopilot deployment profile targeting |
| Finance Department | Dynamic User | user.department -eq "Finance" | Finance-specific apps and DLP policies |
| Pilot Group - IT Team | Assigned | 15 IT staff manually added | Test new policies before broad rollout |
| Kiosk Tablets | Assigned | 50 shared warehouse tablets | Kiosk mode config profile |
| VIP Executives | Assigned | C-suite manually added | Relaxed compliance (longer grace periods) |
Key principles
- Use dynamic groups for scale — anything over 50 devices should be dynamic
- Use assigned groups for exceptions — pilot groups, VIPs, special hardware
- Avoid overlapping groups with conflicting policies — a device in two groups with different Wi-Fi configs gets unpredictable results
- Name groups consistently — prefix with purpose: Intune-Compliance-, Intune-Config-, Intune-Apps-
- Test dynamic rules before going live — Entra admin center has a “Validate rules” feature
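Added example (not from the course material or from Microsoft): a small Python evaluator for the subset of dynamic-membership rule syntax used on this page (-eq, -contains, -startsWith, -ge, -and/-or, and -any over a multi-valued property), run over a constructed device inventory with the three dynamic rules from Chen Wei’s strategy table, so you can see how the ZTDID quantifier resolves and which devices land in more than one group. The evaluator, the device records and the modelled case-insensitive string matching are assumptions for illustration, not the Entra membership service itself.

```python
import re
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[()]|[^\s()]+')  # quoted strings, parentheses, bare words

def _cmp(op, actual, expected):  # modelled as case-insensitive; an unset property never satisfies -eq
    a, e = ("" if actual is None else str(actual)).lower(), expected.lower()
    return {"-eq": a == e, "-contains": e in a, "-startswith": a.startswith(e), "-ge": a >= e}[op.lower()]

def evaluate(rule, device):  # True if `device` (dict of Entra device properties) satisfies `rule`
    toks = TOKEN.findall(rule)
    def take(expect=None):
        tok = toks.pop(0)
        if expect and tok != expect: raise ValueError(f"expected {expect!r}, got {tok!r}")
        return tok
    def parse_or():  # both operands are always parsed, so no short-circuit skips tokens
        v = parse_and()
        while toks and toks[0].lower() == "-or":
            take(); v = parse_and() or v
        return v
    def parse_and():
        v = atom()
        while toks and toks[0].lower() == "-and":
            take(); v = atom() and v
        return v
    def atom():
        tok = take()
        if tok == "(":
            v = parse_or(); take(")"); return v
        prop, op = tok.split(".", 1)[-1], take()  # drop the "device." prefix
        if op.lower() == "-any":  # quantifier over a multi-valued property, e.g. devicePhysicalIds
            take("("); take("_"); inner, value = take(), take().strip("\"'"); take(")")
            return any(_cmp(inner, item, value) for item in device.get(prop, []))
        return _cmp(op, device.get(prop), take().strip("\"'"))
    result = parse_or()
    if toks: raise ValueError(f"trailing token {toks[0]!r}")
    return result

GROUPS = {  # the three dynamic rules from the strategy table, written in the page's rule syntax
    "All Corporate Windows": '(device.deviceOSType -eq "Windows") -and (device.deviceOwnership -eq "Company")',
    "All Corporate iOS": '(device.deviceOSType -eq "iPhone") -or (device.deviceOSType -eq "iPad")',
    "Autopilot Devices": '(device.devicePhysicalIds -any (_ -startsWith "[ZTDID]"))',
}

def group_memberships(devices, groups=GROUPS):  # a name listed under several groups is an overlap to review
    return {g: [d["displayName"] for d in devices if evaluate(r, d)] for g, r in groups.items()}

DEVICES = [  # constructed sample inventory, not real tenant data
    {"displayName": "TUI-LT-001", "deviceOSType": "Windows", "deviceOwnership": "Company", "devicePhysicalIds": ["[ZTDID]:constructed-ztd-id", "[OrderId]:PILOT"]},
    {"displayName": "TUI-LT-002", "deviceOSType": "Windows", "deviceOwnership": "Personal"},
    {"displayName": "CW-IPAD-01", "deviceOSType": "iPad", "deviceOwnership": "Company"},
]
```

Calling `group_memberships(DEVICES)` lists TUI-LT-001 under both “All Corporate Windows” and “Autopilot Devices”, which is the kind of overlap the principle above says to check for conflicting policies.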
Deep dive: nested groups and limitations
Nested groups (groups inside groups) are supported in Entra ID but have important limitations in Intune:
- App assignments support nested groups
- Compliance policies support nested groups
- Configuration profiles do NOT evaluate nested group membership — only direct members
If Chen Wei adds a group inside another group, some policies will apply to nested members and others won’t. The safest approach: use flat, non-nested groups for Intune targeting unless you’ve confirmed the specific workload supports nesting.
Exam tip: If a question involves a device not receiving a configuration profile and it’s in a nested group — that’s likely the issue.
Device categories
When devices enroll, users can select a device category (e.g., “Corporate”, “BYOD”, “Shared”). Admins create these categories in Intune, and they flow to Entra ID as a device property — which dynamic groups can use.
This creates a workflow:
- Admin creates device categories in Intune admin center
- User selects a category during enrollment
- Device automatically joins a dynamic group based on that category
- Policies and apps assigned to that group apply immediately
Example: Aroha at CloudForge creates categories “Corporate Laptop” and “Shared Kiosk.” When a device enrolls as “Shared Kiosk,” it automatically gets kiosk-mode policies.
Knowledge Check
Chen Wei needs to automatically target a compliance policy to all corporate-owned Windows devices at Meridian Bank. Which approach is most efficient?
A device at Meridian Bank is assigned to a configuration profile through a nested group, but the profile isn't applying. What's the most likely cause?
Next up: Intune Enrollment Essentials — configuring enrollment settings so devices can start receiving policies.