I'm currently attending the MMS Fort Lauderdale conference, where an attendee asked a good question: is it possible to convert a device group into a user group, and vice versa? The answer is both yes and no. There is no out-of-the-box functionality in Intune to do this directly, but it can be done by leveraging the Microsoft Graph API.
A few years ago, I developed a tool called Intune Tool Box, my first attempt at a community tool to fill some gaps not covered by Intune's native features. That tool included group conversion, but it is no longer maintained. I refactored the code to accomplish this task, and here is the result:
```powershell
# Install the Microsoft Graph PowerShell module if not already installed
# Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph

# Connect to Microsoft Graph with the required scopes
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All", "Device.Read.All", "Directory.Read.All"

# Function to convert a group and include associated devices or users
function Convert-Group {
    param (
        [Parameter(Mandatory = $true)]
        [string]$SourceGroupId,

        [Parameter(Mandatory = $true)]
        [ValidateSet("User", "Device")]
        [string]$TargetMembershipType,

        [Parameter(Mandatory = $false)]
        [string]$NewGroupName
    )

    # Get the source group
    $sourceGroup = Get-MgGroup -GroupId $SourceGroupId

    # Get all members of the source group. The SDK returns generic directoryObject
    # instances; the concrete type is exposed in AdditionalProperties['@odata.type'].
    $members = Get-MgGroupMember -GroupId $SourceGroupId -All

    # Initialize an array to hold the (deduplicated) target member IDs
    $targetMembers = @()

    if ($TargetMembershipType -eq "User") {
        # For each device, get the registered owner(s)
        foreach ($member in $members) {
            if ($member.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.device') {
                $deviceId = $member.Id
                # Get the registered owners of the device
                $device = Get-MgDevice -DeviceId $deviceId -ExpandProperty registeredOwners
                $assignedUsers = $device.RegisteredOwners |
                    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }
                foreach ($user in $assignedUsers) {
                    if ($targetMembers -notcontains $user.Id) {
                        $targetMembers += $user.Id
                    }
                }
            }
        }
    }
    elseif ($TargetMembershipType -eq "Device") {
        # For each user, get all devices registered to them
        foreach ($member in $members) {
            if ($member.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user') {
                $userId = $member.Id
                # Get devices registered to the user
                $userDevices = Get-MgUserRegisteredDevice -UserId $userId -All
                foreach ($device in $userDevices) {
                    if ($targetMembers -notcontains $device.Id) {
                        $targetMembers += $device.Id
                    }
                }
            }
        }
    }

    # Set the new group name
    if (-not $NewGroupName) {
        $NewGroupName = "$($sourceGroup.DisplayName) - Converted to $TargetMembershipType Group"
    }

    # Create a new security group
    $newGroupParams = @{
        DisplayName     = $NewGroupName
        MailEnabled     = $false
        MailNickname    = $NewGroupName -replace ' ', ''
        SecurityEnabled = $true
        GroupTypes      = @()
    }
    $newGroup = New-MgGroup @newGroupParams

    # Add members to the new group. New-MgGroupMemberByRef takes the member as an
    # OData reference URL (-OdataId); it has no -DirectoryObjectId parameter.
    foreach ($memberId in $targetMembers) {
        try {
            New-MgGroupMemberByRef -GroupId $newGroup.Id `
                -OdataId "https://graph.microsoft.com/v1.0/directoryObjects/$memberId"
        }
        catch {
            Write-Warning "Failed to add member with ID $memberId to the group."
        }
    }

    Write-Host "New group created with ID: $($newGroup.Id)"
}

# Example usage:
# Convert a device group to a user group
Convert-Group -SourceGroupId "<SourceGroupId>" -TargetMembershipType "User"

# Convert a user group to a device group
# Convert-Group -SourceGroupId "<SourceGroupId>" -TargetMembershipType "Device"
```
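Before creating the converted group, it is worth seeing what the device-to-owner mapping actually looks like, because the conversion silently drops devices that have no registered owner and adds every owner of a shared device. The following preview function is an added example written for this post, not part of the original tool; it assumes an existing Connect-MgGraph session with Group.Read.All and Device.Read.All, and it assumes that the expanded registeredOwners objects carry userPrincipalName in AdditionalProperties. It writes nothing to the directory.

```powershell
# Added example (not from the original post): report the device -> owner mapping
# a device-to-user conversion would produce, flagging the edge cases.
# Assumes Connect-MgGraph has already been run with Group.Read.All and Device.Read.All.
function Get-GroupConversionPreview {
    param (
        [Parameter(Mandatory = $true)]
        [string]$SourceGroupId
    )

    $members = Get-MgGroupMember -GroupId $SourceGroupId -All

    $report = foreach ($member in $members) {
        # Only device members are relevant for a device -> user conversion
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.device') {
            continue
        }

        $device = Get-MgDevice -DeviceId $member.Id -ExpandProperty registeredOwners
        $owners = @($device.RegisteredOwners |
            Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' })

        # Classify the device by how many users would inherit its assignments
        $finding = if ($owners.Count -eq 0) {
            'NoOwner: device would be dropped from the user group'
        }
        elseif ($owners.Count -eq 1) {
            'OK'
        }
        else {
            'MultipleOwners: every listed user would receive the assignment'
        }

        # Assumption: expanded owner objects expose userPrincipalName in AdditionalProperties
        $upns = $owners | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

        [pscustomobject]@{
            DeviceName = $device.DisplayName
            DeviceId   = $device.Id
            OwnerCount = $owners.Count
            Owners     = ($upns -join ';')
            Finding    = $finding
        }
    }

    # Distinct users the converted group would end up containing
    $distinctUsers = @($report.Owners -split ';' | Where-Object { $_ } | Sort-Object -Unique)

    [pscustomobject]@{
        Devices           = $report
        DeviceCount       = @($report).Count
        DistinctUserCount = $distinctUsers.Count
        NoOwnerCount      = @($report | Where-Object { $_.Finding -like 'NoOwner*' }).Count
        MultiOwnerCount   = @($report | Where-Object { $_.Finding -like 'MultipleOwners*' }).Count
    }
}

# Usage: review the findings first, then run Convert-Group only if the mapping is acceptable.
$preview = Get-GroupConversionPreview -SourceGroupId "<SourceGroupId>"
$preview.Devices | Format-Table DeviceName, OwnerCount, Owners, Finding -AutoSize
$preview | Select-Object DeviceCount, DistinctUserCount, NoOwnerCount, MultiOwnerCount
```

The summary counts are the numbers to compare against the source group: a DistinctUserCount much lower than DeviceCount, or a non-zero NoOwnerCount, means the converted group will not target the same population the device group did.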
I have one question: since we are moving from device to user groups for deployment, how will we control the install if a user has 3 devices, 2 are test and one is primary? How will we control the installation, since once the user is added to the group all his devices get the application installed?
Hi,
Thanks for providing this. I had to update line 80 to the following, as the DirectoryObjectID parameter was invalid:

```powershell
New-MgGroupMemberByRef -GroupId $newGroup.Id -OdataId "https://graph.microsoft.com/v1.0/directoryObjects/{$memberId}"
```
Other than that works like a charm.