Based on your feedback to have one grouping and targeting experience across Enterprise Mobility + Security, Microsoft is converting Intune Groups to Azure Active Directory (Azure AD)-based Security Groups. This new unified group management experience will keep you from having to duplicate groups between services, introduce dynamic grouping for Intune device properties, and provide extensibility using PowerShell and Microsoft Graph.
How does this affect you? A preliminary timeline and a high-level list of what to expect follow. While Microsoft knows many of you are looking forward to this new experience, the timelines shared below may shift. See the documentation page linked below for up-to-date information. Existing Intune customers will see no changes until they start group migrations in November.
• In September, some newly provisioned Intune service accounts will start seeing user-based group management and later device-based group management workflows from Azure AD integrated into their Intune console.
• In November, they plan to start migrating existing customers to the new Azure AD-based integrated grouping experience. They won’t start group migrations until they can minimize any impact to your day-to-day work and expect no end-user impact. They will also provide notice prior to your tenant’s migration. Once migrated, you’ll still be managing groups, just in Azure AD instead of Intune.
• Documentation and updated migration timelines will be kept current on the grouping docs page. If you have questions or concerns, please contact the migration team at email@example.com or support.
New service functionality being introduced includes:
• Azure AD security groups will be supported in Intune for all types of deployments. Prior to this change, you may have used Intune groups for some and Azure AD groups for other types of deployments.
• Azure AD security groups will support grouping of devices along with users, such as ‘all of IT’s test users and devices’ or ‘all of marketing iOS devices’.
• Azure AD Security Groups will support dynamic groups with Intune device attributes, such as ‘put all iOS 8.0 devices into a group’ to get a specific policy.
• ‘Intune Service Administrator role’ added in Azure AD to allow Intune service admins to perform group management tasks in Azure AD.
In addition to changes in group management, the following functionality will be deprecated:
• Excluding members or groups while creating a new group in Intune. Note that Azure AD dynamic groups will allow you to use attributes to create advanced rules to exclude members.
• ‘Ungrouped Users’ and ‘Ungrouped Devices’ groups
• Service administrators’ ability to manage group access through Intune
• Grouping of EAS devices. ‘All EAS Managed Devices’ group will be converted from a group to a report view.
• Pivoting with groups in reports
• Custom group targeting of notification rules
What do you need to do to prepare for this change?
• Clean up any unwanted groups in your Intune environment.
• By November or by the time you are migrated, discontinue use of the functionality being deprecated.
• Familiarize yourself with how group management works in Azure AD by reviewing the more information link below.
• If you have Intune admins who do not have permissions to create groups in Azure AD, request that your Azure AD administrator add them to a new Azure AD role called ‘Intune Service Administrator’.
Link to more information, including up-to-date information: http://aka.ms/new_grouping_experience