Manage user and device groups for application delivery

User and device groups in Microsoft Intune help organize users and devices for application delivery. User groups contain users, while device groups contain devices. By assigning an application to a group, you control who receives the app and how it is made available or installed.

Intune groups integrate with Microsoft Entra ID, so you can use existing directory groups or create new ones for Intune-specific scenarios. This supports consistent group management across your Microsoft 365 environment.

Groups simplify app delivery by letting you target sets of users or devices instead of managing assignments individually. They can be based on roles, departments, or device types to help ensure the right apps reach the right audience. Groups also support security and compliance by letting administrators make apps available for optional installation or require them for specific users or devices.

Assign applications to groups

You assign applications to groups through the Microsoft Intune admin center. First, you add the app to Intune, then configure its assignments. You can assign apps to user groups or device groups, depending on your delivery needs.

For user groups, the app follows the user across their devices. If a user has multiple devices, they can install the app on any enrolled device. Device groups target specific devices, so the app installs directly on those devices regardless of who uses them.

Key components of group-based app delivery

User groups vs. device groups

User groups focus on people, while device groups focus on devices. Choose user groups when you want users to have consistent app access across their devices. Use device groups for shared devices or when you need to ensure specific apps are on particular hardware.

Assignment intents

Intune supports several assignment intents for apps:

  • Available: Lets users install the app themselves. For most app types and platforms, this intent is meant for user groups rather than device groups, although there are some platform-specific exceptions. One important exception is Win32 apps, which can be assigned to either user groups or device groups.
  • Required: Intune automatically installs the app on targeted devices. Use this for essential apps that all users in a group must have.
  • Uninstall: Intune removes the app from targeted devices. This helps clean up apps no longer needed.

Note

The Available for enrolled devices deployment intent is supported for user groups and device groups. This applies when targeting Android Enterprise fully managed devices (COBO) and Android Enterprise corporate-owned personally enabled (COPE) devices.

You can combine intents by assigning the same app to multiple groups with different intents. Intune resolves any conflicts according to predefined rules, prioritizing required installations over available ones.

To learn more about conflict resolution, see: How conflicts between app intents are resolved
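The following audit sketch is an added example, not part of the original module and not Microsoft code. It reviews app assignments shaped like Microsoft Graph mobileApp objects with expanded assignments; the group IDs, app names, and the map of which groups hold users or devices are constructed for illustration, and the `audit` and `grp` helpers are hypothetical names.

```python
from collections import defaultdict

GROUP_TARGET = "#microsoft.graph.groupAssignmentTarget"
WIN32 = "#microsoft.graph.win32LobApp"

# Constructed inventory (assumption): Graph does not label a group as "user" or
# "device", so the reviewer supplies that from their own group records.
GROUP_KIND = {"g-clinical": "user", "g-pilot": "user", "g-exam-tablets": "device"}

# Helper that builds one assignment in the Graph mobileAppAssignment shape.
def grp(intent, gid):
    return {"intent": intent, "target": {"@odata.type": GROUP_TARGET, "groupId": gid}}

APPS = [  # constructed sample data
    {"displayName": "Secure Messaging", "@odata.type": "#microsoft.graph.iosStoreApp",
     "assignments": [grp("required", "g-clinical"), grp("available", "g-pilot")]},
    {"displayName": "Patient Check-in", "@odata.type": "#microsoft.graph.iosStoreApp",
     "assignments": [grp("available", "g-exam-tablets")]},
    {"displayName": "Imaging Viewer", "@odata.type": WIN32,
     "assignments": [grp("available", "g-exam-tablets")]},
]

def audit(apps, group_kind):
    """Return (app, finding, detail) tuples that need an administrator's review."""
    findings = []
    for app in apps:
        intents = defaultdict(set)
        for a in app.get("assignments", []):
            target = a["target"]
            if target.get("@odata.type") != GROUP_TARGET:
                continue  # all-users, all-devices and exclusion targets are out of scope
            gid = target["groupId"]
            kind = group_kind.get(gid, "unknown")
            intents[a["intent"]].add(gid)
            if kind == "unknown":
                findings.append((app["displayName"], "unknown-group", gid))
            elif (a["intent"] == "available" and kind == "device"
                  and app["@odata.type"] != WIN32):
                # Win32 apps are the stated exception; other platform exceptions exist.
                findings.append((app["displayName"], "available-on-device-group", gid))
        if len(intents) > 1:
            # Same app, different intents across groups: Intune resolves the overlap.
            findings.append((app["displayName"], "mixed-intents", ",".join(sorted(intents))))
    return findings
```

A finding is a prompt for review rather than an error: an Available assignment to a device group can be valid under the platform-specific exceptions noted above, and mixed intents are valid when the overlap is intended.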

Best practices for managing groups and app delivery

Follow these guidelines to optimize your group-based app delivery:

  • Use nested groups to create hierarchical structures that match your organizational chart.
  • Regularly review group memberships to ensure apps reach the right people.
  • Test app assignments in small groups before rolling out to larger ones.
  • Use dynamic groups in Microsoft Entra ID to automatically manage memberships based on user attributes.
  • Monitor app installation status through Intune reports to identify delivery issues.

Example scenario

Consider a healthcare organization that uses Intune to manage devices. They create a user group called "Clinical Staff" containing doctors and nurses. They assign a secure messaging app as required to this group, ensuring all clinical staff have it on their devices.

They also create a device group called "Exam Room Tablets" for shared tablets in exam rooms. They assign a patient check-in app as required to this device group, so the app is always available on those tablets regardless of who uses them.

This approach ensures the right apps are on the right devices without manual management for each user or device.