This post introduces the new and updated Intune Group Assignment Script. The original was useful but limited; the new version supports dynamic groups, scope tags, exclusion assignments, and a much cleaner CLI for use in pipelines.
A few months ago I released a script that lists all Intune assignments of a Microsoft Entra ID group. With this blog post I am releasing a new version of this script that covers more configuration object types and improves large parts of the code. If you manage a large tenant, the Intune Group Assignment Script will save you hours of manual clicking in the portal.
This is Intune Suite Part 1: Easy start with Remote Help — the first deep-dive in my series on the Microsoft Intune Suite add-on. Remote Help is the lowest-friction Intune Suite component to deploy, so it is a useful starting point for any tenant evaluating the Suite licence.
Welcome to my Intune Suite series. In this series I will go over the features that are part of the Intune Suite piece by piece. We will start with Remote Help. Every good device management tool needs a remote support solution, and to cover this use case Microsoft has introduced Remote Help. In this post I want to show you how to implement and use this tool.
The best password is the password that is not needed. Statistics show that the more often users have to change their password, the less secure it becomes: users write the password down or simply increment it. What about an option that is secure but does not require a password at all? This post is one part of the broader Ultimate MEM Tour endpoint security guide. In this blog I want to show you how easy it is to enable passwordless authentication for your organization.
Moving away from passwords is one of the most effective steps you can take to reduce account compromise, phishing and credential theft. Microsoft has invested heavily in this area, and you can read the official guidance on passwordless sign-in with Microsoft Entra ID on Microsoft Learn. In the next sections I will walk you through what the technology does, how the sign-in flow works behind the scenes, and the exact steps to roll it out for your users.
Syncing Azure AD group membership with a kiosk configuration profile is mainly about keeping the assignment target reliable. When you sync Azure AD group objects to the kiosk policy, the group name should clearly describe the kiosk scenario, the device ownership model, and the configuration profile it belongs to.
Before using the approach in production, validate the group membership, profile assignment, and device check-in behavior on a small number of test devices. This makes it easier to separate assignment problems from kiosk shell or application configuration problems. The goal of this guide is to sync Azure AD group members automatically so the kiosk logon list always stays current.
I have already described in a previous blog how to deploy a device as a kiosk device using Intune. This actually works really well. There is only one small thing that is really inconvenient. If a Microsoft Entra ID (formerly Azure AD) user or group is selected as the logon type (only specific users are allowed to log on to these devices), this policy must not only be assigned to a group, but the allowed users must also be defined in the profile.
The option also allows you to add Microsoft Entra ID users and groups, and the SIDs of these objects are written to the local group, but Windows cannot resolve the Microsoft Entra ID groups (bug or feature?). Windows checks via Graph whether the user who is trying to log in is a member of one of the groups; when MFA is disabled, this works. But if MFA is enabled, Windows fails to obtain the token.
In this blog I want to show you how you can easily work around this and sync Azure AD group members with this configuration profile automatically.
In your environment you have multiple groups that are used as assignment targets for apps or configuration profiles. If you later realize it would be better to use a user group instead of a device group (or vice versa), it is hard to change this without impacting users or investing a lot of effort. I have written a script with which you can convert a user group into a device group, or a device group into a user group, based on the users assigned to the devices or the devices assigned to the users.
All assignments in Intune are based on Microsoft Entra ID (formerly Azure AD) groups. If you have ever needed to list all Intune assignments of an Azure AD Group, you already know the pain: you want to find out to which Intune object a certain Microsoft Entra ID group is assigned, but there is no built-in way in the portal to surface this. To solve this problem I have written a PowerShell script that gives you exactly this output, so you can list all Intune assignments of an Azure AD Group in seconds.
In the previous blogs we have looked at all the features Intune offers for device management, application management, endpoint security and reporting. Now we will look at the Intune Users and Groups menu. This blog about Intune Users and Groups will be the last blog in this series.
In this blog we will look at how you can add an Azure AD group to local group membership using Intune and custom profiles. Adding a Microsoft Entra ID (formerly Azure AD) group or user to a local group is one of the most common requests for endpoint admins who want to grant elevated rights without managing each device by hand. By the end of this guide you will be able to add an Azure AD group to local group membership on every managed Windows device in a fully automated, repeatable way.
In Active Directory it was possible to allow a user to log in only to certain computers. This is no longer so easy with Microsoft Entra ID and Intune. In this blog we will look at how you can restrict login to dedicated users with Intune using a custom profile, so that only approved accounts can sign in to a device.
Once you start treating Windows 11 as a different deployment ring than Windows 10, you will need a clean way to group Windows 11 devices with Intune so you can scope policies, applications and Conditional Access to "all Windows 11 devices in the tenant" without manually maintaining a static group. The good news is that Entra ID supports a Windows 11 dynamic group with rich rule syntax, and you can target Windows 11 by OS version, build number or device-category attribute with a single dynamic-membership rule. This post lays out the membership rules I use in production tenants, with examples for Windows 11 21H2 through 23H2 and beyond.
With Windows 11 widely deployed across enterprise estates, you might want to test configurations or apps specifically on Windows 11 devices. For that testing you need a group in Microsoft Entra ID. In this blog I want to show you how to create a dynamic group that contains all Windows 11 devices. I also want to show you how to create a device filter for Windows 11. By the end you will be able to group Windows 11 devices with Intune confidently and repeatably.