During my engagements I have the chance to see many different environments and learn how customers transform to a modern workplace. In this series I will share the top 5 questions that arise. In this post I will answer:
How can I assign some policies just to a specific department or device model?
Definitely a good question, but also hard to solve. Until a few months ago you had to maintain Azure AD groups. Today you can, in some scenarios, also use Device Filters, which bring a real performance benefit because the filtering is evaluated within the Intune service itself. But first let us look at all the options:
- MEM Filter
- Dynamic Azure AD Group
- MEM Configuration Manager Synced Collections
- Azure Automation Based AD Group Membership
MEM Filter
MEM Filters are a new functionality within MEM that allows filtering directly in the MEM service at assignment time. Compared to Azure AD groups, new memberships are detected far faster, but unfortunately there are not many more properties available than with Dynamic Azure AD Groups. In my opinion they are a good replacement for Azure AD dynamic groups, and a few further use cases, such as targeting by Enrollment Profile or Device Category, become possible. Once a few more properties such as Device Scopes and user-based properties are available, they will save my life in the future.
Dynamic Azure AD Group
Dynamic Azure AD groups will play a less important role for MEM admins in the future. But for other tasks that are based on Azure AD groups, such as subscription assignments and roles, they will still be great. AAD groups are also the way to go for user-based assignments and scoping, because Device Filters do not support users.
MEM Configuration Manager Synced Collections
Collections in MEMCM are one of the most flexible solutions, because MEMCM can draw on device properties, hardware and software inventory and much more. Complex queries, include and exclude rules and limiting collections form a very powerful framework. With the ability to sync collection memberships to Azure AD groups many new possibilities arise, but with the limitation that you need to have MEMCM installed.
Azure Automation based AD Group Membership
When no MEMCM infrastructure is available and you need a highly dynamic way to assign profiles and applications, you can use an Azure Automation Account with a PowerShell script that manages group memberships. With the help of Microsoft Graph you can leverage all properties, such as software inventory, properties of the assigned user and much more.
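The following runbook is an added example of that approach and is not the author's own script. It keeps an Azure AD group in sync with the Intune managed devices of one device model, using the Microsoft Graph PowerShell SDK. Assumptions not taken from the post: the Automation Account runs with a system-assigned managed identity that holds the DeviceManagementManagedDevices.Read.All, Device.Read.All and GroupMember.ReadWrite.All application permissions, the Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement, Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Groups modules are imported into the account, and the parameter values (group object id, model string) are illustrative.

```powershell
# Added example (not from the original post): Azure Automation runbook that reconciles
# an Azure AD group with the Intune managed devices of a given model.
# Assumed permissions on the managed identity: DeviceManagementManagedDevices.Read.All,
# Device.Read.All, GroupMember.ReadWrite.All. Assumed modules: Microsoft.Graph.Authentication,
# .DeviceManagement, .Identity.DirectoryManagement, .Groups.
param(
    [Parameter(Mandatory)] [string] $TargetGroupId,   # object id of the AAD group to manage (hypothetical)
    [Parameter(Mandatory)] [string] $DeviceModel      # e.g. 'Surface Laptop 4' (hypothetical value)
)

# Authenticate as the Automation Account's managed identity; no stored secret in the runbook.
Connect-MgGraph -Identity -NoWelcome

# 1. Desired membership: Intune managed devices whose model matches.
#    The comparison is done client-side on purpose: $DeviceModel is operator input and
#    must not be spliced into an OData $filter string.
#    The Intune record exposes azureADDeviceId (= the AAD device 'deviceId' attribute),
#    not the AAD object id that group membership needs, so each hit is resolved first.
$desired = @{}
$managed = Get-MgDeviceManagementManagedDevice -All | Where-Object { $_.Model -eq $DeviceModel }
foreach ($md in $managed) {
    # azureADDeviceId is a GUID returned by Graph, so it is safe inside the filter.
    $aadDevice = Get-MgDevice -Filter "deviceId eq '$($md.AzureAdDeviceId)'" -ErrorAction SilentlyContinue
    if ($aadDevice) { $desired[$aadDevice.Id] = $md.DeviceName }
}

# Safety stop: an empty result usually means a failed or throttled Graph call, not
# "no devices of this model". Removing every member on that basis would un-assign
# policies fleet-wide, so bail out instead of reconciling.
if ($desired.Count -eq 0) {
    throw "No managed devices with model '$DeviceModel' found; refusing to empty group $TargetGroupId."
}

# 2. Current membership of the target group, restricted to device objects so that any
#    user or nested group placed in the group by hand is never touched by this script.
$current = @{}
Get-MgGroupMember -GroupId $TargetGroupId -All | Where-Object {
    $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.device'
} | ForEach-Object { $current[$_.Id] = $true }

# 3. Reconcile: add what is missing, remove what no longer matches. Removals are what
#    make the group behave dynamically; a script that only adds grows forever.
foreach ($id in @($desired.Keys)) {
    if (-not $current.ContainsKey($id)) {
        New-MgGroupMember -GroupId $TargetGroupId -DirectoryObjectId $id
        Write-Output "Added $($desired[$id]) ($id)"
    }
}
foreach ($id in @($current.Keys)) {
    if (-not $desired.ContainsKey($id)) {
        Remove-MgGroupMemberByRef -GroupId $TargetGroupId -DirectoryObjectId $id
        Write-Output "Removed $id"
    }
}
```

Schedule the runbook at the interval you can live with for membership lag, and scope the managed identity to exactly the permissions listed; GroupMember.ReadWrite.All lets the identity edit every group in the tenant, so the group id should come from a runbook parameter or Automation variable rather than being discovered by name, and the output stream above is worth forwarding to Log Analytics so unexpected removals are visible.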
Summary
As you can see, there are multiple built-in options available within Microsoft Endpoint Manager, and there is no single right way. For each problem a different option may be more beneficial. In my projects I try to leverage the functionalities in the order I used in this blog post.