Assign configuration profiles using groups and filters
Creating configuration profiles is only half the battle. You also need to decide which devices and users receive each profile. Microsoft Intune provides several assignment mechanisms (groups, dynamic groups, and filters) that let you target profiles precisely to the right audience without manual intervention.
Choosing the right assignment strategy ensures your security policies reach the correct devices, user experience settings apply to the right people, and compliance requirements are enforced consistently across your organization.
Understand assignment scopes and group types
When you assign a configuration profile in Intune, you're determining the scope of deployment. You can assign to users, devices, or a combination of both, and the type of group you choose affects how the policy applies.
User groups contain Microsoft Entra ID user accounts. Assign profiles to user groups when the setting is user-specific, for example Wi-Fi profiles that carry per-user credentials, email configurations, or VPN settings tied to the user's identity. When you assign to a user group, the settings follow the user and apply on any device they sign in to.
Device groups contain Microsoft Entra ID devices. These groups are useful for device-specific settings, like encryption requirements, device naming policies, or hardware-specific configurations. When you assign to a device group, the settings apply to that specific device regardless of who signs in.
You can also assign to all devices or all users. This broad approach is useful for foundational security policies, like firewall rules or Windows Update requirements, that apply organization-wide. However, it lacks granularity and is best reserved for mandatory, universal settings.
Tip
For most deployments, combine user groups and device groups. Assign user-experience settings (Wi-Fi, email, VPN) to user groups, and assign device-level settings (encryption, Windows updates) to device groups.
Use dynamic groups for automated assignment
Microsoft Entra ID dynamic groups automatically add users or devices based on rules you define. Instead of manually maintaining group membership, dynamic groups apply membership rules continuously, adding or removing members as their attributes change.
Dynamic user groups can add members based on attributes like department, location, job title, or manager. Imagine you're an IT administrator at a retail company. You create a dynamic user group for "Sales Department" that automatically includes all users whose department attribute is "Sales." When new sales employees join the company and their department is set correctly, they're automatically added to the group and receive the Wi-Fi and email profiles assigned to that group.
Dynamic device groups work similarly but operate on device attributes. You can create rules based on operating system version, device model, device category, ownership type (corporate vs personal), or manufacturer. For example, you might create a dynamic device group called "Windows 11 Devices" that automatically includes all devices running Windows 11. Any new devices enrolled with Windows 11 are immediately added to this group and receive the profiles assigned to it.
Using dynamic groups eliminates the need to manually update group membership when business conditions change. New employees in a department are automatically included. Devices upgraded to a new operating system are automatically added to the appropriate policy groups. This reduces administrative overhead and ensures policies stay current as your organization evolves.
Important
Test dynamic group rules thoroughly before assigning critical policies. Rules are evaluated continuously, and a broad rule could unexpectedly include more devices than intended.
Apply Intune filters for granular targeting
Filters provide assignment logic that works alongside groups. While groups determine the primary audience, filters refine that audience further by including or excluding devices based on specific attributes. Filters are especially useful because they evaluate device properties rather than group membership, so you don't need to create a separate device group for every scenario.
Include filters narrow the audience. Suppose you've assigned a policy to "All Devices." To apply it only to corporate-owned Surface devices, you add an include filter whose rule checks that device ownership equals "Corporate" AND device model contains "Surface." Now the policy reaches only corporate Surface devices, even though it's technically assigned to all devices. Filters are created per platform (for example, Windows 10 and later), so a filter only ever matches devices of the platform it was built for.
Exclude filters remove devices from an assignment. Imagine you assign a Windows Update policy to all Windows 10 and Windows 11 devices. However, you want to exclude test devices from this policy to avoid disrupting your QA environment. You add an exclude filter that checks if the device is categorized as "Test." Now all production devices receive the update policy, but test devices don't.
Filters use device properties like:
- Device manufacturer (Dell, HP, Lenovo, Apple)
- Device model (Surface Pro, MacBook Pro, iPad)
- Operating system version (Windows 10 21H2, Windows 11 23H2)
- Device ownership (Corporate, Personal)
- Device category (custom tags you assign)
The advantage of filters is flexibility without administrative burden. You don't maintain separate groups for every hardware model or OS version. Instead, filters are evaluated against the device's current properties each time the device checks in. When a device receives an OS update, it starts or stops matching filter rules on its next check-in, and policies adjust accordingly.
Note
Filters evaluate device properties from the Intune service. Some properties, like device model or OS version, are reported by the device during enrollment or Microsoft Entra registration. Ensure your devices are reporting accurate information for filters to work correctly.
Combine groups and filters for precise targeting
The most powerful assignment strategy uses both groups and filters. Groups provide the primary targeting logic (which users or devices get the policy), and filters provide secondary refinement based on device properties.
Consider a practical scenario: Contoso manufactures industrial equipment and has sales teams in three regions: North America, Europe, and Asia Pacific. Each region uses different VPN configurations because they connect to region-specific servers. The company also uses a mix of corporate laptops (all running Windows 11) and personal devices (mix of Windows 10 and Windows 11).
You create three user groups: "Sales NA," "Sales Europe," and "Sales APAC." For the North America region, you assign the NA VPN profile to the "Sales NA" user group. However, you only want corporate devices to receive this VPN configuration, not personal devices. You add an include filter to the assignment: device ownership equals "Corporate." Now the NA VPN profile is assigned to Sales NA users, but only applies to their corporate devices.
This approach offers several advantages. Groups provide clear business logic (region-based user groups). Filters add technical precision (only corporate devices). Together, they reduce the number of groups you need to manage and prevent policy conflicts.
When combining groups and filters, keep these best practices in mind:
- Use groups for business logic - Organize around departments, locations, roles, or team structures that your organization understands
- Use filters for device properties - Apply technical criteria like ownership, model, or OS version
- Avoid conflicting rules - Each assignment carries one filter in either include or exclude mode; when the same profile is assigned to several groups, make sure their filters don't contradict each other
- Test before deploying - Use a test group first to verify the right devices receive the policy
- Document your strategy - Keep notes on which policies use which groups and filters to simplify troubleshooting
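The rule syntax that Entra dynamic groups and Intune filters share (`(user.department -eq "Sales")`, `(device.deviceOwnership -eq "Corporate") and (device.model -contains "Surface")`) is easiest to reason about when you can run candidate rules against sample objects before touching a production assignment. The following evaluator is an added example written for this page, not Intune or Microsoft Graph code: it parses a useful subset of that syntax, evaluates a rule against constructed user and device records, and then resolves the "assigned versus applicable" outcome for the Contoso VPN scenario above (group membership, platform match, then the include or exclude filter). The `applicability` function, the property names on the sample records, and case-insensitive string comparison are assumptions made for the example; the real services define their own exact semantics.

```python
"""Toy evaluator for Entra dynamic-group and Intune filter rule syntax (added example,
not Microsoft code). Supports -eq -ne -contains -notContains -startsWith -notStartsWith
-in -notIn, 'and' / 'or' / 'not', and parentheses. All records below are constructed."""
import re
from typing import Any, Dict, List, Tuple

# Token classes: parens, list brackets, commas, quoted strings, -operators, dotted names
_TOKEN = re.compile(r'\s*(\(|\)|\[|\]|,|"[^"]*"|-[A-Za-z]+|[A-Za-z_][A-Za-z0-9_.]*)')


def tokenize(rule: str) -> List[str]:
    pos, out = 0, []
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if not m:
            if rule[pos:].strip() == "":
                break
            raise ValueError(f"bad token at {pos}: {rule[pos:pos + 10]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out


def _compare(op: str, actual: Any, expected: Any) -> bool:
    # Assumption for this toy: string comparisons are case-insensitive.
    a = "" if actual is None else str(actual).lower()
    if op in ("-in", "-notin"):
        hit = a in [str(v).lower() for v in expected]
        return hit if op == "-in" else not hit
    e = str(expected).lower()
    table = {"-eq": a == e, "-ne": a != e, "-contains": e in a, "-notcontains": e not in a,
             "-startswith": a.startswith(e), "-notstartswith": not a.startswith(e)}
    if op not in table:
        raise ValueError(f"unsupported operator {op}")
    return table[op]


class RuleParser:
    """Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*"""
    def __init__(self, rule: str):
        self.toks, self.i = tokenize(rule), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        t = self.peek()
        self.i += 1
        return t

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):
        node = self.term()
        while self.peek() and self.peek().lower() == "or":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() and self.peek().lower() == "and":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        t = self.peek()
        if t == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing )")
            return node
        if t and t.lower() == "not":
            self.take()
            return ("not", self.factor())
        name, op = self.take(), self.take()
        if not op or not op.startswith("-"):
            raise ValueError(f"expected operator after {name!r}")
        return ("cmp", name, op.lower(), self.value())

    def value(self):
        t = self.take()
        if t == "[":  # list literal for -in / -notIn
            items = []
            while self.peek() not in ("]", None):
                items.append(self.take().strip('"'))
                if self.peek() == ",":
                    self.take()
            if self.take() != "]":
                raise ValueError("missing ]")
            return items
        if t is None or not t.startswith('"'):
            raise ValueError(f"expected quoted value, got {t!r}")
        return t.strip('"')


def evaluate(node, scope: Dict[str, Dict[str, Any]]) -> bool:
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], scope) and evaluate(node[2], scope)
    if kind == "or":
        return evaluate(node[1], scope) or evaluate(node[2], scope)
    if kind == "not":
        return not evaluate(node[1], scope)
    _, name, op, expected = node
    obj, _, attr = name.partition(".")  # "device.model" -> scope["device"]["model"]
    return _compare(op, scope.get(obj, {}).get(attr), expected)


def matches(rule: str, scope: Dict[str, Dict[str, Any]]) -> bool:
    return evaluate(RuleParser(rule).parse(), scope)


def applicability(assignment: Dict[str, Any], user: Dict[str, Any], device: Dict[str, Any]) -> Tuple[bool, str]:
    """Hypothetical helper: group membership, then platform, then include/exclude filter."""
    scope = {"user": user, "device": device}
    if not matches(assignment["group_rule"], scope):
        return False, "not assigned: not a member of the target group"
    if device.get("deviceOSType", "").lower() != assignment["platform"].lower():
        return False, "assigned but not applicable: profile platform does not match device"
    if assignment.get("filter"):
        hit = matches(assignment["filter"], scope)
        if assignment["mode"] == "include" and not hit:
            return False, "assigned but not applicable: device does not match include filter"
        if assignment["mode"] == "exclude" and hit:
            return False, "assigned but not applicable: device matches exclude filter"
    return True, "applicable"


# Constructed sample rules and records (not real tenant data)
WIN11_RULE = '(device.deviceOSType -eq "Windows") and (device.deviceOSVersion -startsWith "10.0.2")'
BROAD_RULE = '(device.deviceOSVersion -startsWith "10")'  # too broad: matches Windows 10 too
CORP_SURFACE = '(device.deviceOwnership -eq "Corporate") and (device.model -contains "Surface")'
ALICE = {"department": "Sales", "country": "US"}
CORP_WIN11 = {"deviceOSType": "Windows", "deviceOSVersion": "10.0.22631.3880", "model": "Surface Pro 9",
              "deviceOwnership": "Corporate", "deviceCategory": "Production"}
PERSONAL_WIN10 = {"deviceOSType": "Windows", "deviceOSVersion": "10.0.19045.4651", "model": "XPS 13",
                  "deviceOwnership": "Personal", "deviceCategory": "Production"}
NA_VPN = {"group_rule": '(user.department -eq "Sales") and (user.country -eq "US")', "platform": "Windows",
          "filter": '(device.deviceOwnership -eq "Corporate")', "mode": "include"}

if __name__ == "__main__":
    for dev in (CORP_WIN11, PERSONAL_WIN10):
        print(dev["model"], "Win11 rule:", matches(WIN11_RULE, {"device": dev}), "broad rule:", matches(BROAD_RULE, {"device": dev}))
    print(applicability(NA_VPN, ALICE, CORP_WIN11))
    print(applicability(NA_VPN, ALICE, PERSONAL_WIN10))
```

Running the script shows the two failure modes the text warns about: `BROAD_RULE` pulls the Windows 10 laptop into a group meant for Windows 11, and the personal device is assigned the NA VPN profile through Alice's group membership yet never becomes applicable because it fails the include filter. Replace the constructed records with exported device properties from your own tenant to dry-run a rule before attaching it to a live assignment.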
Monitor assignments and verify applicability
Creating an assignment is only the beginning. You must verify that policies actually apply to intended devices. Intune distinguishes between assignment and applicability. A profile might be assigned to a group, but if the device doesn't meet filter criteria or the device can't apply the settings (for example, a Mac trying to apply a Windows-specific policy), the profile doesn't become applicable.
In the Intune admin center, you can view assignment details for each profile. Navigate to the profile, select Assignments, and review which groups receive the policy and which filters apply to each assignment. The profile's device status and per-setting status views show whether individual devices successfully applied the settings or reported errors.
When troubleshooting assignment issues, ask these questions:
- Is the device a member of the assigned group? Check the group membership in Microsoft Entra ID
- Does the device meet the include filter criteria? Verify device properties like ownership or model
- Would an exclude filter prevent the policy from applying? Review all filters attached to the assignment
- Can the device apply these settings? Some settings are platform-specific; a Windows policy won't apply to macOS devices
- Is the device online and able to communicate with Intune? Disconnected devices don't receive policy updates
Start with a small pilot group when deploying configuration profiles. Monitor assignment details and check device logs to confirm policies are being applied correctly before expanding to larger populations. This approach helps you catch assignment issues early and prevents wide-scale policy failures.
Key takeaways
Configuration profiles reach their intended targets through carefully planned assignment strategies. Use user groups for user-specific settings and device groups for device settings. Leverage dynamic groups to automate membership based on attributes like department or OS version. Apply filters to refine assignments based on device properties without creating additional groups. Combine groups and filters for precise, maintainable deployments. Finally, monitor assignments and verify applicability to ensure policies are reaching and applying to the right devices. With these strategies, you can deploy profiles confidently across diverse device populations.