Introduction
If you work with device management – whether Intune or ConfigMgr – you’ve hit this scenario:
- You have a group of users, but you need to target their devices. Not just any devices they log into, but those specific devices.
- Or you have a device group, but you need to reach the users – send them notifications or deploy user-context apps or configurations.
The problem is simple: You’re given one object type, but you need the other. A user group when you need devices. A device group when you need users. Manual cross-referencing through the portal is tedious and doesn’t scale.
Coming from ConfigMgr with on-prem AD? You’re used to very flexible collection queries that could say ‘all devices of users in the Finance group located in the London OU’.
This script handles some of the translation for Intune. Point it at your source groups (containing either users or devices), and it populates your target group with whichever object type you actually need. Add OS version filtering if you want to narrow it down – like notifying users whose devices are below a certain iOS version or assigning policies to Windows devices owned by specific teams.
The best part? The script detects Azure Automation and uses managed identity authentication, so you can schedule it as a runbook to keep your groups updated automatically. 🙂
PowerShell
The script is available on GitHub: imabdk/Get-IntuneUsersAndDevicesFromGroups
Required PowerShell modules
- Microsoft.Graph.Authentication
- Microsoft.Graph.DeviceManagement
- Microsoft.Graph.Groups
- Microsoft.Graph.Users
- Microsoft.Graph.Identity.DirectoryManagement
Install with: Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement, Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
Basic Usage
# Find users with iOS devices < 18.0 and add to notification group
.\Get-IntuneUsersAndDevicesFromGroups.ps1 `
-SourceGroupName @("Sales", "Marketing") `
-IOSVersion "18.0" `
-Operator "lt" `
-TargetGroupName "iOS-Update-Notifications" `
-AddToGroup Users
# Get all Windows 10+ devices from Finance team and add devices to group
.\Get-IntuneUsersAndDevicesFromGroups.ps1 `
-SourceGroupName @("Finance Team") `
-WindowsVersion "10" `
-Operator "ge" `
-TargetGroupName "Finance-Windows-Devices" `
-AddToGroup Devices
Note: More usage examples are available in the GitHub repository.
The script supports nested groups and works with both users and devices. Use -WhatIf to preview changes before execution.
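To make the translation concrete, here is an added example of the core logic (my own code, not the script from the GitHub repository): it expands nested group membership transitively, filters each user's Intune devices by OS and version, and adds the matching Entra device objects to the target group with -WhatIf support. The cmdlets are real Microsoft.Graph SDK cmdlets; the function names, parameter names and the AUTOMATION_ASSET_ACCOUNTID detection are my assumptions.

```powershell
# Added example (not the repo's script); cmdlets are Graph SDK cmdlets, function names are mine.
function Connect-GraphAuto {
    # Azure Automation exposes AUTOMATION_ASSET_ACCOUNTID: use the managed identity there, else sign in.
    if ($env:AUTOMATION_ASSET_ACCOUNTID) { Connect-MgGraph -Identity -NoWelcome; return }
    Connect-MgGraph -NoWelcome -Scopes 'Group.Read.All', 'GroupMember.ReadWrite.All',
        'DeviceManagementManagedDevices.Read.All', 'Device.Read.All', 'User.Read.All'
}

function Test-OsVersion([string]$Actual, [string]$Wanted, [string]$Operator) {
    if ([string]::IsNullOrWhiteSpace($Actual)) { return $false }   # device reported no version
    # [version] needs at least major.minor, so pad bare majors such as "10" to "10.0".
    $a = [version]$(if ($Actual -match '\.') { $Actual } else { "$Actual.0" })
    $w = [version]$(if ($Wanted -match '\.') { $Wanted } else { "$Wanted.0" })
    switch ($Operator) {
        'lt' { $a -lt $w } 'le' { $a -le $w } 'eq' { $a -eq $w }
        'ge' { $a -ge $w } 'gt' { $a -gt $w }
        default { throw "Unsupported operator '$Operator'" }
    }
}

function Sync-DevicesFromUserGroups {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$SourceGroupName, [string]$TargetGroupName,
          [string]$OperatingSystem = 'Windows', [string]$Version = '10', [string]$Operator = 'ge')
    $target = Get-MgGroup -Filter "displayName eq '$TargetGroupName'" -Top 1
    if (-not $target) { throw "Target group '$TargetGroupName' not found" }
    $existing = [System.Collections.Generic.HashSet[string]]::new()
    Get-MgGroupMember -GroupId $target.Id -All | ForEach-Object { [void]$existing.Add($_.Id) }
    foreach ($name in $SourceGroupName) {
        $src = Get-MgGroup -Filter "displayName eq '$name'" -Top 1
        if (-not $src) { Write-Warning "Source group '$name' not found"; continue }
        # Transitive membership expands nested groups; keep only user objects.
        $users = Get-MgGroupTransitiveMember -GroupId $src.Id -All |
            Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }
        foreach ($u in $users) {
            $devices = Get-MgUserManagedDevice -UserId $u.Id -All |
                Where-Object { $_.OperatingSystem -eq $OperatingSystem -and
                               (Test-OsVersion $_.OsVersion $Version $Operator) }
            foreach ($d in $devices) {
                # The Intune managedDevice id is not the Entra object id: group membership
                # needs the directory device object, found via its azureAdDeviceId.
                $dirObj = Get-MgDevice -Filter "deviceId eq '$($d.AzureAdDeviceId)'" -Top 1
                if (-not $dirObj -or -not $existing.Add($dirObj.Id)) { continue }   # skip duplicates
                if ($PSCmdlet.ShouldProcess($d.DeviceName, "Add to '$TargetGroupName'")) {
                    New-MgGroupMember -GroupId $target.Id -DirectoryObjectId $dirObj.Id
                }
            }
        }
    }
}
```

Call Connect-GraphAuto first, then Sync-DevicesFromUserGroups -SourceGroupName 'Finance Team' -TargetGroupName 'Finance-Windows-Devices' -WhatIf to preview the adds before running for real.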
Authentication
- Interactive Mode: Uses delegated permissions for manual execution
- Azure Automation: Automatically detects and uses managed identity
Running with Azure Automation
Schedule this as an Azure Automation runbook to keep your target groups updated automatically.
Setup
- Create an Azure Automation Account (or use an existing one)
- Follow Microsoft’s official guide: Create a standalone Azure Automation account | Microsoft Learn
- Enable System-Assigned Managed Identity (Identity → System assigned → Status: On)
- The script requires a system-assigned managed identity for authentication.
Reference: Using a system-assigned managed identity for an Azure Automation account | Microsoft Learn
- Grant Graph API Permissions to the managed identity:
- DeviceManagementManagedDevices.Read.All
- Group.Read.All
- GroupMember.ReadWrite.All
- User.Read.All
- Device.Read.All
- Use the included Set-ManagedIdentityGraphPermissions.ps1 script to assign permissions.
- Create a PowerShell Runbook and add the script content
- Import required modules (Microsoft.Graph.*) into your Automation Account
- Configure parameters (source groups, target group, OS filters)
- Schedule it to run at your preferred interval
Screenshots (not reproduced here): system assigned managed identity, Graph API permissions, Automation Account runbook, required modules.
Real-World Scenario
IT Department Device Targeting
Our IT department user group is managed automatically – HR system feeds employee data into Entra ID, and users are assigned to the “IT Department” group based on their department attribute. But when I need to deploy policies, software, or configurations to the IT devices specifically, I need a device group, not a user group.
This script runs daily as an Azure Automation runbook:
.\Get-IntuneUsersAndDevicesFromGroups.ps1 `
-SourceGroupName @("IT Department") `
-TargetGroupName "IT-Department-Windows-Devices" `
-WindowsVersion "10" `
-Operator "ge" `
-AddToGroup Devices `
-ClearTargetGroup $true
Feedback and contributions welcome on GitHub: imabdk/Get-IntuneUsersAndDevicesFromGroups 🙂