Queries Intune devices from Entra ID groups (containing users or devices), filters by OS version, and populates target groups with either the matching devices or their primary users.
# Find users with iOS devices < 18.0 and add to notification group
.\Get-IntuneUsersAndDevicesFromGroups.ps1 -SourceGroupName @("Sales", "Marketing") -IOSVersion "18.0" -Operator "lt" -TargetGroupName "iOS-Update-Notifications" -AddToGroup Users

# Get all Windows 10+ devices from Finance team and add devices to group
.\Get-IntuneUsersAndDevicesFromGroups.ps1 -SourceGroupName @("Finance Team") -WindowsVersion "10" -Operator "ge" -TargetGroupName "Finance-Windows-Devices" -AddToGroup Devices

# Get all devices (iOS and Windows) from a group without version filtering
.\Get-IntuneUsersAndDevicesFromGroups.ps1 -SourceGroupName @("IT Department") -TargetGroupName "All-IT-Devices" -AddToGroup Devices

# Discovery mode - report only, no changes
.\Get-IntuneUsersAndDevicesFromGroups.ps1 -SourceGroupName @("Sales") -WindowsVersion "10" -Operator "ge" -WhatIf $true

# Clear target group and add Windows devices with specific build
.\Get-IntuneUsersAndDevicesFromGroups.ps1 -SourceGroupName @("Team - IT") -WindowsVersion "10.0.22631" -Operator "lt" -TargetGroupName "Windows-Outdated" -AddToGroup Devices -ClearTargetGroup $true

Supports nested groups and works with both users and devices.
Required Microsoft Graph modules:
- Microsoft.Graph.Authentication
- Microsoft.Graph.DeviceManagement
- Microsoft.Graph.Groups
- Microsoft.Graph.Users
- Microsoft.Graph.Identity.DirectoryManagement
Install with: Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement, Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
- Interactive Mode: Uses delegated permissions for manual execution
- Azure Automation: Automatically detects and uses managed identity
Required permissions:
- DeviceManagementManagedDevices.Read.All
- Group.Read.All / Group.ReadWrite.All
- GroupMember.Read.All
- User.Read.All
- Device.Read.All
SourceGroupName (string[], Required)
Array of Entra ID group names containing users or devices to query. Supports nested groups which are expanded recursively.
IOSVersion (string, Optional)
iOS/iPadOS version to filter devices by. Format: X.Y or X.Y.Z (e.g., 18.0, 17.6.1). Must be used with -Operator.
WindowsVersion (string, Optional)
Windows version to filter devices by. Format: X.Y or X.Y.Z.W (e.g., 10, 10.0.22631). Must be used with -Operator.
Operator (string, Optional)
Comparison operator for version filtering. Valid values: eq (equal), ne (not equal), lt (less than), le (less than or equal), gt (greater than), ge (greater than or equal). Default: lt
TargetGroupName (string, Required)
Entra ID group name where results will be added. Must be an existing group.
AddToGroup (string, Required)
What to add to the target group. Valid values:
- Devices: Add devices found in source groups
- Users: Add primary users of devices found in source groups
- Both: Add both devices and their primary users
ClearTargetGroup (bool, Optional)
Removes existing members from the target group before adding new ones. Default: $false. Recommended for automated runs so the target group reflects only the current results instead of accumulating users and devices that no longer match the filter.
WhatIf (bool, Optional)
Preview mode that shows what changes would be made without executing them. Default: $false. Always start by running the script with -WhatIf $true to verify the expected results before making actual changes to your groups.
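The version filter and the Users/Devices selection described above, as an added example that is not part of Get-IntuneUsersAndDevicesFromGroups.ps1. The device objects are constructed samples that mimic the managed-device properties the script reads from Graph; the function names and the decision to compare only as many version components as the filter specifies are assumptions of this example, not the script's own code.

```powershell
# Added example, not part of Get-IntuneUsersAndDevicesFromGroups.ps1: the version filter and
# "Users vs Devices" selection in isolation. The device objects are constructed samples that
# mimic the Intune managed-device properties the script would read through Graph.
$SampleDevices = @(
    [pscustomobject]@{ DeviceName = 'SALES-01';      OperatingSystem = 'Windows'; OSVersion = '10.0.22631.3085'; UserPrincipalName = 'alice@contoso.example' }
    [pscustomobject]@{ DeviceName = 'SALES-02';      OperatingSystem = 'Windows'; OSVersion = '10.0.19045.4291'; UserPrincipalName = 'bob@contoso.example' }
    [pscustomobject]@{ DeviceName = 'iPhone-Carol';  OperatingSystem = 'iOS';     OSVersion = '17.6.1';          UserPrincipalName = 'carol@contoso.example' }
    [pscustomobject]@{ DeviceName = 'iPhone-Carol2'; OperatingSystem = 'iOS';     OSVersion = '16.7.8';          UserPrincipalName = 'carol@contoso.example' }
    [pscustomobject]@{ DeviceName = 'iPad-Dave';     OperatingSystem = 'iPadOS';  OSVersion = '18.0';            UserPrincipalName = 'dave@contoso.example' }
    [pscustomobject]@{ DeviceName = 'iPad-Kiosk';    OperatingSystem = 'iPadOS';  OSVersion = '17.5';            UserPrincipalName = $null }
)

function ConvertTo-ComparableVersion {
    param([string]$Version, [int]$Precision)
    # [System.Version] rejects a lone major number ("10") and treats absent components as -1,
    # so trim the value to the filter's precision and pad to at least two components.
    $parts = @($Version.Split('.') | Select-Object -First $Precision)
    while ($parts.Count -lt 2) { $parts += '0' }
    return [version]($parts -join '.')
}

function Test-VersionMatch {
    param([string]$DeviceVersion, [string]$FilterVersion,
          [ValidateSet('eq', 'ne', 'lt', 'le', 'gt', 'ge')][string]$Operator = 'lt')
    # Compare only as many components as the filter specifies (assumption of this example), so
    # "eq 10.0.22631" matches any revision of that build and "ge 10" matches every 10.x build.
    $precision = [Math]::Max(2, $FilterVersion.Split('.').Count)
    $device = ConvertTo-ComparableVersion -Version $DeviceVersion -Precision $precision
    $filter = ConvertTo-ComparableVersion -Version $FilterVersion -Precision $precision
    $cmp = $device.CompareTo($filter)
    switch ($Operator) { 'eq' { $cmp -eq 0 } 'ne' { $cmp -ne 0 } 'lt' { $cmp -lt 0 } 'le' { $cmp -le 0 } 'gt' { $cmp -gt 0 } 'ge' { $cmp -ge 0 } }
}

function Get-FilteredDevices {
    param([object[]]$Devices, [string[]]$OperatingSystem, [string]$FilterVersion, [string]$Operator = 'lt')
    $Devices | Where-Object {
        $_.OperatingSystem -in $OperatingSystem -and
        (Test-VersionMatch -DeviceVersion $_.OSVersion -FilterVersion $FilterVersion -Operator $Operator)
    }
}

# -IOSVersion "18.0" -Operator lt -AddToGroup Users: iPadOS counts as iOS, primary users are
# deduplicated (Carol has two devices) and devices without a primary user (shared/kiosk) are skipped.
$outdatedApple = Get-FilteredDevices -Devices $SampleDevices -OperatingSystem @('iOS', 'iPadOS') -FilterVersion '18.0'
$usersToAdd = @($outdatedApple | Where-Object { $_.UserPrincipalName } | Select-Object -ExpandProperty UserPrincipalName -Unique)
"Users for iOS-Update-Notifications: $($usersToAdd -join ', ')"

# -WindowsVersion "10.0.22631" -Operator lt -AddToGroup Devices: only devices strictly below that
# build; a device already on build 22631 (any revision) is not reported as outdated.
$outdatedWindows = Get-FilteredDevices -Devices $SampleDevices -OperatingSystem @('Windows') -FilterVersion '10.0.22631' -Operator 'lt'
"Devices for Windows-Outdated: $($outdatedWindows.DeviceName -join ', ')"
```

Because the real script resolves group members through Graph, run it with -WhatIf $true first and compare its report against expectations like these before letting it modify a target group.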
- Martin Bengtsson (https://imab.dk)
- Christian Frohn (https://christianfrohn.dk/)