In your environment you have multiple groups that are used to assign apps or configuration profiles. If you later realize that a group should have been a user group rather than a device group, it is hard to change this without impacting users or investing a lot of effort. I have written a script with which you can convert a user group into a device group, or a device group into a user group, based on the user assigned to a device or on the devices assigned to the user.

How does it work
First, the script reads all members of the defined group and tags each one as a user, device or group. Each group member is then processed: for a user-to-device migration, the script checks which devices are assigned to the respective user in Microsoft Entra ID (formerly Azure AD); for a device-to-user migration, it checks who the assigned owner of the device is in Microsoft Entra ID. If it is a hybrid group that already contains user or device objects, these are migrated as well:

    # Requires the Microsoft Graph PowerShell SDK and an active Connect-MgGraph session
    function Get-MigrateGroupMember {
        param (
            [String]$migrationType,
            [array]$groupMember = $null,
            $windows = $true,
            $ios = $true,
            $macos = $true,
            $android = $true
        )

        # Operating system values to keep when building a device group
        $os = @()
        if ($windows) { $os += 'Windows' }
        if ($macos)   { $os += 'MacMDM' }
        if ($android) { $os += 'Android' }
        if ($ios)     { $os += 'IOS' }

        $newGroupMember = @()

        if ($migrationType -eq 'User') {
            # Device -> user: add each registered owner of every device.
            # A device can have more than one owner, so each owner gets its own entry.
            $groupMember | Where-Object { $_.ItemType -eq 'Device' } | ForEach-Object {
                Get-MgDeviceRegisteredOwner -DeviceId $_.Id | Where-Object { $_.Id } | ForEach-Object {
                    $newGroupMember += [PSCustomObject]@{
                        Uri = "https://graph.microsoft.com/v1.0/directoryObjects/" + $_.Id
                    }
                }
            }
            # Users that are already in the group are carried over unchanged
            $groupMember | Where-Object { $_.ItemType -eq 'User' } | ForEach-Object {
                $newGroupMember += [PSCustomObject]@{
                    Uri = $_.Uri
                }
            }
        } elseif ($migrationType -eq 'Device') {
            # User -> device: add every device owned by each user.
            # 'OperatinSystem' matches the property name on the incoming $groupMember objects.
            $groupMember | Where-Object { $_.ItemType -eq 'User' } | ForEach-Object {
                Get-MgUserOwnedDevice -UserId $_.Id | ForEach-Object {
                    $newGroupMember += [PSCustomObject]@{
                        Uri            = "https://graph.microsoft.com/v1.0/directoryObjects/" + $_.Id
                        OperatinSystem = $_.AdditionalProperties.operatingSystem
                    }
                }
            }
            # Devices that are already in the group are carried over unchanged
            $groupMember | Where-Object { $_.ItemType -eq 'Device' } | ForEach-Object {
                $newGroupMember += [PSCustomObject]@{
                    Uri            = $_.Uri
                    OperatinSystem = $_.OperatinSystem
                }
            }
            # Keep only devices with a selected operating system
            $newGroupMember = $newGroupMember | Where-Object { $_.OperatinSystem -in $os }
        }

        # Remove duplicates, for example a user who owns several devices in the group
        $newGroupMember = $newGroupMember | Sort-Object -Property Uri -Unique
        return $newGroupMember
    }
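An added example, not part of the author's script: a dry-run preview of a device-to-user migration that shows which devices would be dropped because they have no registered owner and which would bring in several users. `Get-MigrationPreview`, its `-OwnerLookup` parameter and the sample ids are hypothetical; the default lookup uses the same `Get-MgDeviceRegisteredOwner` call as the function above.

```powershell
# Added example, not part of Translate-AadGroupUserDevice.
# Previews a device -> user migration without changing any group.
function Get-MigrationPreview {
    param(
        [Parameter(Mandatory)][array]$GroupMember,
        # Hypothetical hook: returns the owner object ids for one device id.
        # The default uses the same cmdlet as Get-MigrateGroupMember.
        [scriptblock]$OwnerLookup = {
            param($deviceId)
            (Get-MgDeviceRegisteredOwner -DeviceId $deviceId).Id
        }
    )
    $devices = @($GroupMember | Where-Object { $_.ItemType -eq 'Device' })
    $rows = @(foreach ($device in $devices) {
        $ownerIds = @(& $OwnerLookup $device.Id | Where-Object { $_ })
        $status = switch ($ownerIds.Count) {
            0       { 'NoOwner' }         # dropped: loses the assignment
            1       { 'Ok' }
            default { 'MultipleOwners' }  # every owner becomes a member
        }
        [PSCustomObject]@{ DeviceId = $device.Id; Status = $status; Owners = $ownerIds }
    })
    [PSCustomObject]@{
        Devices        = $rows
        Dropped        = @($rows | Where-Object Status -eq 'NoOwner' | ForEach-Object DeviceId)
        ResultingUsers = @($rows | ForEach-Object { $_.Owners } | Sort-Object -Unique)
    }
}

# Constructed sample data; the ids are placeholders, not real directory objects.
$sampleMembers = @(
    [PSCustomObject]@{ Id = 'dev-1'; ItemType = 'Device' }
    [PSCustomObject]@{ Id = 'dev-2'; ItemType = 'Device' }
    [PSCustomObject]@{ Id = 'dev-3'; ItemType = 'Device' }
    [PSCustomObject]@{ Id = 'user-c'; ItemType = 'User' }
)
$sampleOwners = @{ 'dev-1' = @('user-a'); 'dev-2' = @(); 'dev-3' = @('user-a', 'user-b') }

$preview = Get-MigrationPreview -GroupMember $sampleMembers -OwnerLookup {
    param($deviceId) $sampleOwners[$deviceId]
}
$preview.Devices | Format-Table DeviceId, Status, Owners
"Devices without owner: $($preview.Dropped -join ', ')"
"Users added from devices: $($preview.ResultingUsers -join ', ')"
```

User objects that are already in the group are carried over unchanged by the function above, so the preview only evaluates device members.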
How can I migrate a Group
- Download the script from my GitHub repository
- Execute the script and enter the following information:
To user group:

To device group:

Conclusion
I hope I could help you make the switch from user to device, or vice versa, easier. Especially with large groups, changing a user assignment to a device assignment can be quite a tedious task. For recurring tasks like this, an Azure Automation Runbook to automate tasks in Intune can also be a useful next step.
Stay healthy, Cheers
Jannik
Update 02.08.2022
You can also download my script from the PowerShell Gallery:

    Install-Script -Name Translate-AadGroupUserDevice

If you are looking for another way to automate Intune assignments, check out Automate Intune App Assignment Groups with Azure Runbooks.
For an updated approach using Microsoft Graph API, you can also check out Convert Intune Device Groups to User Groups via Graph API.