Migrate an AAD User group to a Device group and vice versa

In your environment you probably have many groups that are used to assign apps or configuration profiles. If you later realize that one of them would be better as a user group instead of a device group (or the other way round), changing it is hard to do without impact on the users or a lot of manual effort. I have written a script that converts a user group into a device group, or a device group into a user group, based on the devices assigned to each user or on the user assigned to each device.

How does it work

First, the script reads all members of the defined group and tags each one as a user, a device or a group. Then every member is processed: for a user-to-device migration, the script looks up which devices are assigned to that user in AAD; for a device-to-user migration, it looks up the registered owner of the device in AAD. If the source is a hybrid group that already contains both user and device objects, the objects that already have the target type are kept as they are:

function Get-MigrateGroupMember{
    param (
        [String]$migrationType,       # 'User' or 'Device': the type of group to migrate to
        [array]$groupMember = $null,  # members of the source group, tagged with ItemType (User/Device/Group)
        $windows = $true,
        $ios = $true,
        $macos = $true,
        $android = $true
    )

    # Operating systems to keep when building a device group
    $os = @()
    if($windows){$os += 'Windows'}
    if($macos){$os += 'MacMDM'}
    if($android){$os += 'Android'}
    if($ios){$os += 'IOS'}
    
    $newGroupMember = @()

    if($migrationType -eq 'User'){
        # Device -> User: resolve every device to its registered owner(s) in AAD.
        # A device can have more than one registered owner, so each owner is added.
        $groupMember | Where-Object {$_.ItemType -eq 'Device'} | Foreach-Object {
            Get-MgDeviceRegisteredOwner -DeviceId $_.Id | ForEach-Object {
                if($_.Id){
                    $newGroupMember += [PSCustomObject]@{
                        Uri = "https://graph.microsoft.com/v1.0/directoryObjects/" + $_.Id
                    }
                }
            }
        }
        # Users that are already members of the (hybrid) group are kept as they are
        $groupMember  | Where-Object {$_.ItemType -eq 'User'} | Foreach-Object {
            $newGroupMember += [PSCustomObject]@{
                Uri             = $_.Uri
            }
        }
    }elseif($migrationType -eq 'Device'){
        # User -> Device: resolve every user to the devices they own in AAD
        $groupMember  | Where-Object {$_.ItemType -eq 'User'} | Foreach-Object {
            (Get-MgUserOwnedDevice -UserId $_.Id) | ForEach-Object {
                $newGroupMember += [PSCustomObject]@{
                    Uri             = "https://graph.microsoft.com/v1.0/directoryObjects/" + $_.Id
                    OperatingSystem = $_.AdditionalProperties.operatingSystem
                }
            }
        }
        # Devices that are already members of the (hybrid) group are kept as they are
        $groupMember  | Where-Object {$_.ItemType -eq 'Device'} | Foreach-Object {
            $newGroupMember += [PSCustomObject]@{
                Uri             = $_.Uri
                OperatingSystem = $_.OperatingSystem
            }
        }
        # Keep only the selected operating systems
        $newGroupMember = $newGroupMember | Where-Object {$_.OperatingSystem -in $os}
    }
    # A user with several devices (or a device with several owners) must not produce duplicates
    $newGroupMember = $newGroupMember | Sort-Object -Property Uri -Unique
    return $newGroupMember
}
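The post describes the first step (reading the group and tagging each member as user, device or group) and the last step (adding the resolved objects to the target group) only in prose. The following is an added example that is not part of the original post or the script on GitHub; it shows both steps around the function above. It assumes the Microsoft.Graph PowerShell SDK is installed, that Get-MigrateGroupMember from the post is loaded in the session and exposes the device OS as an OperatingSystem property, and that the two group ids are placeholders you replace with your own object ids. The -WhatIf dry run lets you review the resulting membership before anything in AAD is changed.

```powershell
# Added example, not from the original post. Assumes:
#  - the Microsoft.Graph PowerShell SDK is installed
#  - Get-MigrateGroupMember from the post is already loaded in this session
#  - the group ids below are placeholders and are replaced with real object ids

# Least-privilege scopes: read users/devices, write only group membership
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All', 'Device.Read.All'

function Get-TaggedGroupMember {
    # Reads all members of a group and tags each as User, Device or Group from
    # the @odata.type Graph returns, in the shape Get-MigrateGroupMember expects.
    param ([Parameter(Mandatory)][string]$GroupId)

    Get-MgGroupMember -GroupId $GroupId -All | ForEach-Object {
        $type = switch ($_.AdditionalProperties['@odata.type']) {
            '#microsoft.graph.user'   { 'User' }
            '#microsoft.graph.device' { 'Device' }
            '#microsoft.graph.group'  { 'Group' }
            default                   { 'Other' }
        }
        [PSCustomObject]@{
            Id              = $_.Id
            ItemType        = $type
            Uri             = "https://graph.microsoft.com/v1.0/directoryObjects/$($_.Id)"
            OperatingSystem = $_.AdditionalProperties['operatingSystem']
        }
    }
}

function Add-GroupMemberBatch {
    # Adds the resolved members to the target group, 20 per PATCH request
    # (the Graph limit for members@odata.bind). Objects that are already
    # members are skipped, because Graph rejects a batch containing one.
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)][string]$TargetGroupId,
        [Parameter(Mandatory)][object[]]$Members
    )

    $existing = @((Get-MgGroupMember -GroupId $TargetGroupId -All).Id)
    $toAdd    = @($Members | Where-Object { ($_.Uri -split '/')[-1] -notin $existing })

    for ($i = 0; $i -lt $toAdd.Count; $i += 20) {
        $batch = @($toAdd[$i..([Math]::Min($i + 19, $toAdd.Count - 1))])
        if ($PSCmdlet.ShouldProcess($TargetGroupId, "Add $($batch.Count) members")) {
            Update-MgGroup -GroupId $TargetGroupId -BodyParameter @{
                'members@odata.bind' = @($batch.Uri)
            }
        }
    }
    return $toAdd.Count   # number of members that were (or would be) added
}

# --- usage (placeholder ids; replace with your own) ---
$sourceGroupId = '<source-user-group-object-id>'
$targetGroupId = '<target-device-group-object-id>'

$tagged = Get-TaggedGroupMember -GroupId $sourceGroupId
$tagged | Group-Object ItemType | Select-Object Name, Count   # overview before migrating

# Resolve users -> their owned Windows devices, using the function from the post
$resolved = Get-MigrateGroupMember -migrationType 'Device' -groupMember $tagged `
    -windows $true -ios $false -macos $false -android $false

# Dry run first: -WhatIf lists what would be added without touching the group
Add-GroupMemberBatch -TargetGroupId $targetGroupId -Members $resolved -WhatIf
# Then apply for real:
# Add-GroupMemberBatch -TargetGroupId $targetGroupId -Members $resolved
```

Nested groups are tagged as Group and are not resolved here, which matches the post's description; if the source group contains nested groups, their members are simply not carried over, so compare the Group-Object overview against the resolved count before applying.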

How can I migrate a Group

  • Download the script from my GitHub repository
  • Execute the script and enter the following information:

To user group:

To device group:

Conclusion

I hope I could help you to make the switch from user to device or vice versa easier. Especially with large groups this can be quite a tedious task to change a user assignment to a device assignment.

Stay healthy, Cheers
Jannik

Update 02.08.2022

You can also download my script from the PowerShell Gallery:

Install-Script -Name Translate-AadGroupUserDevice
