Intune

Script – Bulk create common AAD Groups for MSIntune

Hello there, I want to share with you my a script that bulk creates common Azure AD dynamic queries that are used for Intune deployments, I work for a managed service provider and find that I create the same groups over and over again, so I thought I would create a script that automates this. The script currently creates 25 dynamic groups, all of which are documented in this post, the script will prompt you for which section of groups to create, e.g. you may only use Intune for Windows and Autopilot so you can choose NOT to deploy Android and iOS/iPadOS groups, the script also gives you an option to prefix the groups with something like ‘MEM’.

The Script

Click the PowerShell logo below for a link to the latest script on my Github page.

downloading the Intune script to bulk create common AAD groups

Running the script

The script will:

  • Prompt you to sign into AzureAD after installing the AzureADPreview module.
  • Prompt you to select which sections of groups to create, prompt for a prefix (recommendation is to use 3 or 4 characters, e.g. MEM).
  • If you’ve selected Autopilot, it’ll prompt for a desired group tag.

like so:

Naming Convention

The following naming convention is applied:

<Prefix> – <Platform> – <TypeofGroup> – <Description>

Type of group:

  • DU = Dynamic User
  • DD = Dynamic Device

Examples:

  • MEM-AUTO-DD-ALLDevices = Microsoft Endpoint Manager – Autopilot – Dynamic Device – All Autopilot Devices
  • MEM-ALL-DD-BYODOwned = Microsoft Endpoint Manager – All Devices – Dynamic Device – All BYOD Devices

What groups are created?

The script creates 25 groups, but are numbered and sectioned off, I will list them all for completeness.

General MEM Groups

NoGroup NameDescriptionDynamic Query
1<Prefix>-ALL-DU-IntuneLicencedContains all users licenced for Microsoft Intuneuser.assignedPlans -any (assignedPlan.servicePlanId -eq “c1ec4a95-1f05-45b3-a911-aa3fa01094f5” -and assignedPlan.capabilityStatus -eq “Enabled”)
2<Prefix>-ALL-DD-CorpOwnedContains all corporate owned devices within MEM(device.deviceOwnership -eq “Company”)
3<Prefix>-ALL-DD-BYODOwnedContains all personally owned devices within MEM(device.deviceOwnership -eq “Personal”)

Autopilot Groups

NoGroup NameDescriptionDynamic Query
4<Prefix>-AUTO-DD-AllDevicesContains all Autopilot devices within MEM(device.devicePhysicalIDs -any (_ -contains “[ZTDId]”))
5<Prefix>-AUTO-DD-<GroupTag>DevicesContains all Autopilot devices with a group tag of ‘$GroupTag’ within MEM(device.devicePhysicalIds -any _ -eq “[OrderID]:$GroupTag”)
6<Prefix>-AUTO-DD-AllDevicesExcept<GroupTag>Contains all Autopilot devices without a group tag of ‘$GroupTag’ within MEM(device.devicePhysicalIDs -any _ -contains “[ZTDId]”) -and (device.devicePhysicalIDs -notcontains “[OrderID]:$GroupTag”)

Android Groups

NoGroup NameDescriptionDynamic Query
7<Prefix>-AND-DD-AllDevicesContains all Android devices within MEM(device.deviceOSType -match “Android”)
8<Prefix>-AND-DD-AllCorpDevicesContains all corporate owned Android devices within MEM(device.deviceOSType -eq “Android”) -and (device.deviceOwnership -eq “Company”)
9<Prefix>-AND-DD-AllBYODDevicesContains all personally owned Android devices within MEM(device.deviceOSType -eq “Android”) -and (device.deviceOwnership -eq “Personal”)
10<Prefix>-AND-DD-AllEntDevicesContains all Android Enterprise devices within MEM(device.deviceOSType -match “AndroidEnterprise”)
11<Prefix>-AND-DD-WPDevicesContains all Android Work Profile devices within MEM(device.deviceOSType -eq “AndroidForWork”) and (device.managementType -eq “MDM”)
12<Prefix>-AND-DD-FullMgdDevicesContains all Android Fully Managed devices within MEM(device.deviceOSType -eq “AndroidEnterprise”) -and (device.enrollmentProfileName -eq null)

iOS/iPadOS Groups

NoGroup NameDescriptionDynamic Query
13<Prefix>-iPad-DD-AllDevicesContains all iPad devices within MEM(device.deviceOSType -eq “iPad”)
14<Prefix>-iPhone-DD-AllDevicesContains all iPhone devices within MEM(device.deviceOSType -eq “iPhone”)
15<Prefix>-iPad-DD-AllCorpDevicesContains all Corporate owned iPad devices within MEM(device.deviceOSType -eq “iPad”) -and (device.deviceOwnership -eq “Company”)
16<Prefix>-iPad-DD-AllBYODDevicesContains all personally owned iPad devices within MEM(device.deviceOSType -eq “iPad”) -and (device.deviceOwnership -eq “Personal”)
17<Prefix>-iPhone-DD-AllCorpDevicesContains all Corporate owned iPhone devices within MEM(device.deviceOSType -eq “iPhone”) -and (device.deviceOwnership -eq “Company”)
18<Prefix>-iPhone-DD-AllBYODDevicesContains all personally owned iPhone devices within MEM(device.deviceOSType -eq “iPhone”) -and (device.deviceOwnership -eq “Personal”)

macOS Groups

NoGroup NameDescriptionDynamic Query
19<Prefix>-Mac-DD-AllDevicesContains all macOS devices within MEM(device.deviceOSType -eq “MacMDM”)
20<Prefix>-Mac-DD-AllCorpDevicesContains all corporate owned macOS devices within MEM(device.deviceOSType -eq “MacMDM”) -and (device.deviceOwnership -eq “Company”)
21<Prefix>-Mac-DD-AllBYODDevicesContains all personally owned macOS devices within MEM(device.deviceOSType -eq “MacMDM”) -and (device.deviceOwnership -eq “Personal”)

Windows Groups

NoGroup NameDescriptionDynamic Query
22<Prefix>-WIN-DD-AllDevicesContains all Windows devices within MEM(device.deviceOSType -eq “Windows”) -and (device.managementType -eq “MDM”)
23<Prefix>-WIN-DD-AllW10DevicesContains all Windows 10 devices within MEM(device.deviceOSType -eq “Windows”) and (device.deviceOSVersion -contains “10.0.1”) -and (device.managementType -eq “MDM”)
24<Prefix>-WIN-DD-AllW11DevicesContains all Windows 11 devices within MEM(device.deviceOSType -eq “Windows”) and (device.deviceOSVersion -contains “10.0.2”) -and (device.managementType -eq “MDM”)
25<Prefix>-WIN-DD-SCCMMgdDevicesContains all Windows devices managed by ConfigMgr within MEM(device.deviceManagementAppId -eq “54b943f8-d761-4f8d-951e-9cea1846db5a”)

That’s all folks, any issues or suggestions let me know! Hope this helps.

One thought on “Script – Bulk create common AAD Groups for MSIntune

Comments are closed.