Assign and scope compliance policies using groups and filters
Creating a compliance policy is only half the process; ensuring it applies to the correct devices is equally critical. In a Zero Trust environment, applying the wrong policy can accidentally block entire departments from working, while missing devices can leave severe security gaps.
In this unit, you will learn how to strategically target your Microsoft Intune compliance policies using Microsoft Entra groups, dynamic groups, and assignment filters.
Why scoping matters
Scoping is the process of defining exactly who and what receives a policy. An effective scoping strategy ensures that:
- You target the right users and devices: A strict 15-character password requirement intended for IT admins should not accidentally apply to warehouse kiosk devices.
- You reduce unnecessary exceptions: Instead of creating dozens of micro-groups to handle edge cases, you can use broad assignments combined with intelligent filters.
- You avoid policy conflicts: Over-assigning policies can lead to overlapping rules on a single device, causing conflicts that instantly render the device noncompliant.
Assign compliance policies using groups
The foundation of Intune targeting relies on Microsoft Entra groups. When you assign a policy, you deploy it to either a User group or a Device group.
User vs. Device targeting
Understanding the difference between these two targeting methods is critical for predictable deployments:
- Assigning to User Groups: The policy applies to the user, and by extension, any device that user signs into or enrolls.
- Use case: Standard compliance baselines. If you require BitLocker for the Finance team, assigning the policy to the "Finance Users" group ensures that whether a user logs into their primary laptop, a backup device, or a mobile phone, the policy evaluates them.
- Assigning to Device Groups: The policy applies directly to the hardware, regardless of who is signed in.
- Use case: Shared devices, kiosks, or conference room systems. If you assign a policy to "Warehouse Kiosk Devices," the compliance requirements remain strictly enforced even if multiple different shift workers log into the machine throughout the day.
Include and Exclude assignments
When assigning policies, you can use a combination of Included groups and Excluded groups. For example, you can include the "All Users" group but exclude the "Executive Team" group to prevent them from receiving a specific strict policy during a phased rollout.
Scope with dynamic groups
To automate policy assignments at scale, you should leverage Dynamic Groups in Microsoft Entra ID. Instead of manually adding and removing users, dynamic groups use rule-based logic to maintain membership.
- How it works: You create a binary expression based on user or device attributes. For example,
(user.department -eq "Engineering")or(device.deviceOwnership -eq "Company"). - The Benefit: When an HR system updates a user's department to "Engineering," Microsoft Entra ID automatically adds them to the dynamic group. Intune sees this new group membership and automatically pushes the Engineering compliance policy to their device without any IT intervention.
Limitations and considerations:
- A dynamic group must contain either users or devices; it cannot contain both.
- Device dynamic rules can only reference device attributes (e.g., OS version, manufacturer), not the attributes of the user who enrolled it.
- Security Note: Group membership depends entirely on the attributes defined in the rule. Ensure you have strict governance over who in your organization has the permissions to edit Microsoft Entra user and device attributes.
Scope with Intune assignment filters
Dynamic groups are powerful, but creating a new Microsoft Entra group for every minor policy variation leads to "group bloat." To solve this, Intune offers Assignment filters.
Filters allow you to narrow the scope of a policy after it has been assigned to a broad group, based on specific device properties (like OS version, manufacturer, or ownership).
Include vs. Exclude filters
Filters evaluate at the time the device checks in, operating in one of two modes:
- Include: The policy applies only to devices in the assigned group that also match the filter.
- Exclude: The policy applies to all devices in the assigned group except those that match the filter.
Practical Example
You want to deploy a strict iOS compliance policy that requires devices to be fully managed and block specific apps.
- The Assignment: You assign the policy to the "All Users" group. (If you stop here, users' personal BYOD iPhones will receive the strict policy, causing massive frustration).
- The Filter: You apply a filter to the assignment in Include mode. The filter rule is
(device.deviceOwnership -eq "Corporate"). - The Result: When Alice enrolls her corporate iPhone, the filter matches, and the strict policy applies. When Alice enrolls her personal iPad, the filter does not match, and the strict policy is skipped. You achieved granular targeting without needing to create separate "Corporate Users" and "BYOD Users" groups.
Step-by-step: Create an assignment filter
Before you can apply a filter to a policy assignment, you must create the filter in your tenant.
- Sign in to the Microsoft Intune admin center.
- Navigate to Tenant administration > Filters (you can also access the filters page via Devices > Filters).
- Select Create and choose Managed devices.
- On the Basics tab, enter a descriptive Filter name (e.g., Corporate iOS Devices) and select the target Platform (e.g., iOS/iPadOS). Select Next.
- On the Rules tab, use the rule builder to define your criteria:
- Property: Select
deviceOwnership - Operator: Select
Equals - Value: Select
Corporate - (Note: You can also use the syntax editor to manually type
(device.deviceOwnership -eq "Corporate"))
- Property: Select
- Select Next, review your settings, and select Create.
- You can now select this filter when assigning any compliance policy, configuration profile, or app deployment targeted to iOS devices.
Validation and expected results
Once you configure your assignments and filters, the policy does not apply instantly.
- Device Check-in: The targeted devices must run their next scheduled sync with the Intune service (typically every 8 hours, though it occurs more frequently immediately after enrollment).
- Filter Evaluation: During check-in, Intune evaluates the device against any assigned filters.
- Compliance Evaluation: If the device passes the filter (or if no filter is applied), it receives the compliance policy, evaluates its local settings against the rules, and reports its status (Compliant or Noncompliant) back to the Intune admin center.