I am currently attending the MMS Fort Lauderdale conference, where an attendee asked a good question: Is it possible to convert a device group into a user group, and vice versa? The answer is both yes and no. While there's no out-of-the-box functionality in Intune to achieve this directly, it is possible by leveraging the Microsoft Graph API.

A few years ago, I developed a tool called Intune Tool Box, which was my first attempt at creating a community tool to fill some gaps not addressed by Intune’s native features. This tool included the functionality to convert groups, but it’s no longer maintained. I refactored the code to accomplish this task, and here is the result:
# Install the Microsoft Graph PowerShell module if not already installed
# Install-Module Microsoft.Graph -Scope CurrentUser

# Import only the sub-modules this script uses; importing the whole
# Microsoft.Graph meta-module is slow and unnecessary
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Connect to Microsoft Graph with the required scopes.
# Group.ReadWrite.All is needed to create the new group and add members;
# the remaining scopes are read-only.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All", "Device.Read.All", "Directory.Read.All"

# Function to convert a group and include associated devices or users
function Convert-Group {
    param (
        [Parameter(Mandatory = $true)]
        [string]$SourceGroupId,

        [Parameter(Mandatory = $true)]
        [ValidateSet("User", "Device")]
        [string]$TargetMembershipType,

        [Parameter(Mandatory = $false)]
        [string]$NewGroupName
    )

    # Get the source group (throws if the ID does not exist)
    $sourceGroup = Get-MgGroup -GroupId $SourceGroupId

    # Get all members of the source group. The SDK returns generic directory
    # objects; the concrete type is in AdditionalProperties['@odata.type'],
    # not in a '@odata.type' property on the object itself.
    $members = Get-MgGroupMember -GroupId $SourceGroupId -All

    # A HashSet de-duplicates target IDs (one user owning several devices,
    # one device with several owners) without the O(n^2) cost of array +=
    $targetMembers = [System.Collections.Generic.HashSet[string]]::new()

    if ($TargetMembershipType -eq "User") {
        # For each device, get its registered owners and collect the user objects
        foreach ($member in $members) {
            if ($member.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.device') {
                $device = Get-MgDevice -DeviceId $member.Id -ExpandProperty registeredOwners
                $assignedUsers = $device.RegisteredOwners |
                    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }
                foreach ($user in $assignedUsers) {
                    [void]$targetMembers.Add($user.Id)
                }
            }
        }
    }
    elseif ($TargetMembershipType -eq "Device") {
        # For each user, get all devices registered to them.
        # registeredDevices is the inverse of a device's registeredUsers relation;
        # Get-MgUserOwnedDevice is the inverse of registeredOwners used above.
        foreach ($member in $members) {
            if ($member.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user') {
                $userDevices = Get-MgUserRegisteredDevice -UserId $member.Id -All
                foreach ($device in $userDevices) {
                    [void]$targetMembers.Add($device.Id)
                }
            }
        }
    }

    # Set the new group name
    if (-not $NewGroupName) {
        $NewGroupName = "$($sourceGroup.DisplayName) - Converted to $TargetMembershipType Group"
    }

    # mailNickname allows only a restricted character set and at most 64 characters
    $mailNickname = $NewGroupName -replace '[^A-Za-z0-9]', ''
    if ($mailNickname.Length -gt 64) { $mailNickname = $mailNickname.Substring(0, 64) }

    # Create a new security group with assigned membership
    $newGroupParams = @{
        DisplayName     = $NewGroupName
        MailEnabled     = $false
        MailNickname    = $mailNickname
        SecurityEnabled = $true
        GroupTypes      = @()
    }
    $newGroup = New-MgGroup @newGroupParams

    # Add members to the new group. New-MgGroupMember takes the object ID directly;
    # the equivalent *ByRef form is New-MgGroupMemberByRef -OdataId
    # "https://graph.microsoft.com/v1.0/directoryObjects/<id>".
    foreach ($memberId in $targetMembers) {
        try {
            New-MgGroupMember -GroupId $newGroup.Id -DirectoryObjectId $memberId
        } catch {
            Write-Warning "Failed to add member with ID $memberId to the group: $($_.Exception.Message)"
        }
    }

    Write-Host "New group created with ID: $($newGroup.Id) ($($targetMembers.Count) members)"
    return $newGroup
}

# Example usage (replace <SourceGroupId> with the object ID of the source group):
# Convert a device group to a user group
# Convert-Group -SourceGroupId "<SourceGroupId>" -TargetMembershipType "User"
# Convert a user group to a device group
# Convert-Group -SourceGroupId "<SourceGroupId>" -TargetMembershipType "Device"
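Before creating anything, it is worth knowing what the conversion will drop or pull in. The read-only preview below is an added example, not part of the original post or of the Intune Tool Box code. It uses the same Graph cmdlets as the script above (Get-MgGroupMember, Get-MgDeviceRegisteredOwner, Get-MgUserRegisteredDevice) and reports three things the conversion itself is silent about: devices with no registered owner (they disappear in a device-to-user conversion), members that are neither users nor devices such as nested groups (the script skips them), and users with several registered devices (a user-to-device conversion brings in every one of them, test devices included). The function name Test-GroupConversion and the shape of its output are my own assumptions.

```powershell
# Read-only preview of what Convert-Group would produce.
# Added example: the function name and output format are assumptions,
# not part of the original script.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Read scopes are enough for a preview; nothing is created or modified
Connect-MgGraph -Scopes "GroupMember.Read.All", "User.Read.All", "Device.Read.All", "Directory.Read.All"

function Test-GroupConversion {
    param (
        [Parameter(Mandatory = $true)]
        [string]$SourceGroupId,

        [Parameter(Mandatory = $true)]
        [ValidateSet("User", "Device")]
        [string]$TargetMembershipType
    )

    $members = Get-MgGroupMember -GroupId $SourceGroupId -All

    # Bucket members by directory object type; anything that is neither a user
    # nor a device (nested groups, service principals) is skipped by Convert-Group
    $devices = @(); $users = @(); $skipped = @()
    foreach ($m in $members) {
        switch ($m.AdditionalProperties['@odata.type']) {
            '#microsoft.graph.device' { $devices += $m }
            '#microsoft.graph.user'   { $users += $m }
            default                   { $skipped += $m }
        }
    }

    $targets = [System.Collections.Generic.HashSet[string]]::new()
    $orphans = @()   # devices with no registered user owner (dropped on Device -> User)
    $multi   = @()   # users with more than one registered device (fan-out on User -> Device)

    if ($TargetMembershipType -eq "User") {
        foreach ($d in $devices) {
            $owners = @(Get-MgDeviceRegisteredOwner -DeviceId $d.Id -All |
                Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' })
            if ($owners.Count -eq 0) {
                $orphans += $d.AdditionalProperties['displayName']
                continue
            }
            foreach ($o in $owners) { [void]$targets.Add($o.Id) }
        }
    }
    else {
        foreach ($u in $users) {
            $devs = @(Get-MgUserRegisteredDevice -UserId $u.Id -All)
            if ($devs.Count -gt 1) {
                $multi += "$($u.AdditionalProperties['userPrincipalName']) ($($devs.Count) devices)"
            }
            foreach ($d in $devs) { [void]$targets.Add($d.Id) }
        }
    }

    [pscustomobject]@{
        SourceDevices        = $devices.Count
        SourceUsers          = $users.Count
        SkippedMembers       = $skipped.Count
        TargetMembers        = $targets.Count
        DevicesWithoutOwner  = $orphans
        UsersWithManyDevices = $multi
    }
}

# Usage: run with the same parameters you intend to pass to Convert-Group
# Test-GroupConversion -SourceGroupId "<SourceGroupId>" -TargetMembershipType "User" | Format-List
```

If DevicesWithoutOwner is not empty, assign a primary user to those devices (or keep a separate device group for them) before converting, otherwise they silently fall out of scope; if UsersWithManyDevices is long, a user-to-device conversion will target every listed device, which is the situation the first comment below asks about.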
I have one question: since we are moving from a device group to a user group for deployment, how will we control the install if a user has 3 devices and 2 are test and one is primary? How will we control the installation, since once the user is added to the group all of his devices get the application installed?
Hi,
Thanks for providing this. I had to update line 80 to the following, as the DirectoryObjectId parameter was invalid:
New-MgGroupMemberByRef -GroupId $newGroup.Id -OdataId "https://graph.microsoft.com/v1.0/directoryObjects/$memberId"
Other than that works like a charm.