Script Group Creation with the Graph PowerShell module

Creating dynamic (or assigned) groups with the Graph PowerShell module is a very efficient way to make multiple groups in just a few seconds. This can be particularly useful if you work at an MSP where you onboard new Intune clients frequently and have group templates you use for all your tenants. The Graph PowerShell module is easy to use and can accomplish many of the tasks we traditionally use the GUI for in far less time. This is especially true for repetitive tasks. In this post I'll create five dynamic groups with one script, and show you how to edit the script to fit your needs. There's a small amount of work up front to create the script, but when finished, you can deploy it to any tenant in a matter of seconds. Here are the five groups my script creates in this example:

  • All enabled Intune licensed users
  • All corporate Windows devices
  • All Android devices
  • All iOS devices
  • Autopilot group tag (group for any device assigned the "autopilot" group tag)

First, we need to install the Graph PowerShell module:

Install-Module Microsoft.Graph 

Now that we have the module installed, we can connect to Graph by using the below cmdlet: 

Connect-MgGraph 

This connects us to Graph after authenticating, but with limited permissions. One of the best parts of this module is that it can tell us which permissions are needed to perform a given task. Since I need the cmdlet "New-MgGroup" to create groups, I use the syntax below to find which permission it requires:

Find-MgGraphCommand -command New-MgGroup | Select -First 1 -ExpandProperty Permissions 

You can see from the output below that we need Directory.ReadWrite.All and Group.ReadWrite.All permissions to use this cmdlet: 

Next, let's create a variable with the necessary permissions, and reconnect to Graph using the -Scopes parameter, like below:

# Group.ReadWrite.All is the scope that allows New-MgGroup to create groups
$scopes = "User.Read.All","Group.ReadWrite.All"
Connect-MgGraph -Scopes $scopes

You'll be prompted to give admin consent after authenticating. Give consent and continue. Now we can create our groups. Below is the portion of the script that creates the Intune licensed users group; the other groups are created the same way with their properties adjusted. The full script is on GitHub here. The group properties are stored in a hashtable variable, which is passed to the New-MgGroup cmdlet. Edit the variable name, group name, description, membership rule, etc. for any additional groups you want to create. A complete listing of parameters can be found here.

#=================================================================#
# All Intune Licensed Users
$IntuneLicensedUsers = @{
    DisplayName = "Intune Licensed Users"
    Description = "All enabled users licensed for Intune"
    MailNickname = "IntuneLicensedUsers"
    MailEnabled = $false
    SecurityEnabled = $true
    # DynamicMembership makes this a dynamic group; omit GroupTypes for an assigned group
    GroupTypes = @(
        "DynamicMembership"
    )
    # Members: users with an enabled Intune service plan
    MembershipRule = 'user.assignedPlans -any (assignedPlan.servicePlanId -eq "c1ec4a95-1f05-45b3-a911-aa3fa01094f5" -and assignedPlan.capabilityStatus -eq "Enabled")'
    MembershipRuleProcessingState = "On"
}

New-MgGroup -BodyParameter $IntuneLicensedUsers
#=================================================================#

Running that portion of the script will result in PowerShell output like this:

If we open AzureAD, we can see the group was created, and that the dynamic membership rule processing completed and added six members:

If you run the whole script, you'll receive output like this for each group you create, and your groups will complete their dynamic rule processing soon after:
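Here is an added example, not the post's own script, that ties the steps above together into one templated run: it requests only the scope that New-MgGroup needs, verifies the scope was actually consented before creating anything, and checks for an existing group with the same display name so the script can be re-run in a tenant without creating duplicates. The Intune licensed users rule is the one from the post; the membership rules for the four device groups are my own assumptions about the dynamic membership syntax and should be validated in a test tenant before use. The "autopilot" group tag value is the placeholder from the post's group list.

```powershell
# Added example: create a set of dynamic groups from templates with the Graph PowerShell module.
# Assumes the Microsoft.Graph module is installed. Device membership rules below are assumptions.

# Group.ReadWrite.All is the least-privileged scope New-MgGroup accepts; Directory.ReadWrite.All
# would also work but grants far more than a group-creation script needs.
$requiredScope = "Group.ReadWrite.All"
Connect-MgGraph -Scopes @($requiredScope)

# Confirm the consented scopes include what we asked for before creating anything.
$granted = (Get-MgContext).Scopes
if ($granted -notcontains $requiredScope) {
    throw "$requiredScope was not granted; consented scopes: $($granted -join ', ')"
}

# One template per group. Only the first rule comes from the post; the rest are assumed examples.
$intuneServicePlanId = "c1ec4a95-1f05-45b3-a911-aa3fa01094f5"   # Intune service plan id (from the post)
$groupTemplates = @(
    @{
        DisplayName    = "Intune Licensed Users"
        Description    = "All enabled users licensed for Intune"
        MailNickname   = "IntuneLicensedUsers"
        MembershipRule = "user.assignedPlans -any (assignedPlan.servicePlanId -eq `"$intuneServicePlanId`" -and assignedPlan.capabilityStatus -eq `"Enabled`")"
    },
    @{
        DisplayName    = "All Corporate Windows Devices"
        Description    = "Company-owned Windows devices"
        MailNickname   = "CorporateWindowsDevices"
        MembershipRule = '(device.deviceOSType -eq "Windows") -and (device.deviceOwnership -eq "Company")'   # assumed rule
    },
    @{
        DisplayName    = "All Android Devices"
        Description    = "All Android devices"
        MailNickname   = "AndroidDevices"
        MembershipRule = '(device.deviceOSType -eq "Android")'   # assumed rule
    },
    @{
        DisplayName    = "All iOS Devices"
        Description    = "All iPhone and iPad devices"
        MailNickname   = "iOSDevices"
        MembershipRule = '(device.deviceOSType -eq "iPhone") -or (device.deviceOSType -eq "iPad")'   # assumed rule
    },
    @{
        DisplayName    = "Autopilot Group Tag"
        Description    = "Devices registered with the autopilot group tag"
        MailNickname   = "AutopilotGroupTag"
        # Group tags are recorded as "[OrderID]:<tag>" in devicePhysicalIds; "autopilot" is the post's tag.
        MembershipRule = '(device.devicePhysicalIds -any (_ -eq "[OrderID]:autopilot"))'   # assumed rule
    }
)

foreach ($template in $groupTemplates) {
    # Idempotency check: re-running in the same tenant must not create a second group with this name.
    $escapedName = $template.DisplayName -replace "'", "''"
    $existing = Get-MgGroup -Filter "displayName eq '$escapedName'"
    if ($existing) {
        Write-Host "Skipping '$($template.DisplayName)': already exists ($($existing.Id))"
        continue
    }

    # Same shape as the post's hashtable; the per-group fields come from the template.
    $body = @{
        DisplayName                   = $template.DisplayName
        Description                   = $template.Description
        MailNickname                  = $template.MailNickname
        MailEnabled                   = $false
        SecurityEnabled               = $true
        GroupTypes                    = @("DynamicMembership")
        MembershipRule                = $template.MembershipRule
        MembershipRuleProcessingState = "On"
    }

    $group = New-MgGroup -BodyParameter $body
    Write-Host "Created '$($group.DisplayName)' with id $($group.Id)"
}
```

Because the display-name lookup runs before each New-MgGroup call, the script can be added to or corrected and run again against the same tenant; only the groups that are missing get created, and the Id of any group that already existed is printed so you can inspect it in the portal.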