Intune Targeting Guide 2026: Assignment Filters, Device Categories and Dynamic Groups

Introduction

Most Intune tenants start with a simple model: one group for all Windows devices, one group for all iOS devices, assign everything to "All devices" and hope for the best. This works when you have fifty devices and three policies. It collapses when you have five thousand devices, forty configuration profiles, multiple ownership types and a mix of standard users, frontline workers and shared kiosks.

The problem is not Intune. The problem is that targeting was treated as a detail instead of a design decision. Groups were created reactively. Filters were never considered. Device categories were either unused or assigned randomly by end users. Dynamic groups were used for everything, including scenarios where static membership would have been faster and more predictable.

The goal is not to create a group for every scenario. The goal is to design a targeting model that is scalable, predictable and easy to troubleshoot.

Intune provides four primary targeting mechanisms: Entra ID groups (static and dynamic), assignment filters, device categories and Autopilot group tags. Each mechanism has specific strengths, specific limitations and specific failure modes. The right model uses the right mechanism for the right purpose. Groups define broad scope. Filters refine assignments without multiplying groups. Categories classify devices for reporting and targeting. Dynamic groups automate membership when the source attribute is reliable and the latency is acceptable.

This guide walks through all four mechanisms, explains how they interact, and provides an interactive builder to help you design a targeting model that fits your tenant size, maturity and operational capacity.

Important Intune targeting disclaimer

Key points to keep in mind:

• Intune targeting capabilities depend on licensing (Microsoft Intune Plan 1, Plan 2, Intune Suite, Entra ID P1/P2). Validate your licence assignments before building targeting models.
• Microsoft updates Intune features regularly. Assignment filter capabilities, device category behaviour and dynamic group syntax may change. Verify current behaviour in the Intune admin centre before deploying changes.
• Assignment filters are evaluated when a device enrols, checks in with the Intune service, or when a policy is evaluated. They refine policy applicability and do not change Entra ID group membership.
• Dynamic group membership in Entra ID has processing latency that varies from minutes to hours depending on tenant size and rule complexity. Do not rely on dynamic groups for time-sensitive targeting.
• Always test targeting changes with a pilot group before broad deployment. A misconfigured filter or group membership change can unassign policies from production devices immediately.

What this guide helps you decide

This guide helps you answer specific questions that arise when designing Intune targeting models:

• Should I use assignment filters or create separate groups for targeting refinement?
• When should I use dynamic groups and when should I prefer static group membership?
• How do device categories work, what are their limitations, and when do they add value?
• What naming convention should I use for groups, filters and categories so the model scales?
• How do I handle exclusions without creating policy conflicts or unexpected gaps?
• What is the evaluation order when a device matches both an include group and an exclude group with a filter?
• How do I troubleshoot targeting issues when a device is not receiving the expected policy?
• How does Intune targeting interact with Conditional Access and compliance policies?
• What targeting model is appropriate for my tenant size, platform mix and operational maturity?
• How do I migrate from a flat "All devices" model to a structured targeting architecture?

Before you start

Before redesigning your Intune targeting model, you need visibility into your current state. Most tenants discover targeting debt during this audit: groups that no longer match their intended purpose, filters that were never applied, or dynamic groups with rules that reference attributes nobody populates.

Pre-flight checklist

• Export all Entra ID groups used in Intune assignments and document their type (static, dynamic, synced from on-premises)
• List all assignment filters currently configured in the Intune admin centre and which policies use them
• Review device categories and check if users are selecting them accurately during enrolment
• Check Autopilot group tags and whether they are being used for targeting or only for deployment profiles
• Audit policies assigned to "All devices" or "All users" and confirm whether broad targeting is intentional
• Identify dynamic groups with complex rules and check their last membership processing time
• Document your current platform mix: Windows, macOS, iOS/iPadOS, Android, and device counts per platform
• Confirm whether devices are primarily corporate-owned, BYOD, or a mix of both ownership types
• Review your current naming convention (if any) for groups, filters and categories
• Identify who creates groups and filters today: is it centralised or distributed across teams?
• Check for orphaned groups that are no longer used in any Intune assignment
• Document any regulatory or security requirements that mandate specific device targeting (for example, ring-based patching for NIST compliance)

Licensing and prerequisites

Intune targeting capabilities are spread across multiple licences. The core mechanisms are included in Intune Plan 1, but some features require additional licensing or Entra ID premium plans.

Targeting decision framework

This table is the core reference for choosing the right targeting mechanism. Each method has a specific purpose. Using the wrong method for the wrong scenario is the single most common source of targeting complexity in Intune tenants.

Interactive Intune Targeting Model Builder

Select your scenario parameters below. The builder will generate a targeting model recommendation based on your policy type, platform, ownership model, device persona, rollout stage, scale, attribute source, exclusion needs, troubleshooting maturity and tenant maturity. The scoring engine evaluates six pillars, capped at 100 points total.

Recommended baseline targeting models

These baseline models represent proven patterns from production tenants. Use them as starting points and adjust based on your builder results and specific requirements.

Assignment filters deep dive

Assignment filters are the most powerful and most misunderstood targeting mechanism in Intune. A filter does not create a group. It refines an existing group assignment. Assignment filters are evaluated when the device enrols, checks in with the Intune service, or when a policy is evaluated. In practice, this means filters refine applicability during policy evaluation, not during Entra ID group membership calculation. When Intune evaluates a policy assignment, it first checks group membership, then applies the filter to decide whether the specific device or user within that group should actually receive the policy.

How filters work

When you assign a policy to a group and attach a filter, Intune follows this sequence:

1. Evaluate group membership: Is this device (or its user) a member of the assigned group?
2. If yes, evaluate the filter expression against the device properties.
3. If the filter mode is "Include" and the device matches the expression, deliver the policy.
4. If the filter mode is "Exclude" and the device matches the expression, skip the policy.
5. If the device does not match an Include filter, the policy is not delivered even though the device is in the group.

Filter syntax and operators

Assignment filters use a property-based expression language. The syntax follows this pattern: (device.property -operator "value")

Commonly used filter properties

Practical filter examples

Example 1: Target corporate devices only

Use a Windows-specific policy assignment and refine it with an ownership filter: (device.deviceOwnership -eq "Corporate"). For platform-based targeting, use the supported platform selection in the Intune admin centre rather than a filter property. Validate supported filter properties before production use.

Example 2: Exclude Surface Hub from standard Windows profile

Assign the policy to "All Windows devices" group, attach exclude filter: (device.model -contains "Surface Hub")

Example 3: Target specific manufacturer for firmware policy

Assign to "All Windows Corporate" group, attach include filter: (device.manufacturer -eq "Dell Inc.")

Device categories

Device categories are labels that you define in the Intune admin centre and assign to devices. They serve as a classification attribute that can be used in dynamic group rules and assignment filter expressions. Categories are useful when no existing device attribute captures the business purpose of the device.

How device categories are assigned

• User selection during enrolment: When enabled, users are prompted to select a device category during the Company Portal enrolment flow. This is the default mechanism but it depends on users selecting the correct value.
• Admin assignment via Intune portal: Admins can change the device category at any time through the device properties page in the Intune admin centre.
• Graph API / PowerShell: Categories can be set programmatically using the Microsoft Graph API, enabling bulk assignment or automated categorisation based on other data sources.
• Autopilot group tag mapping: While not a direct mapping, you can use a Logic App or Power Automate flow to read the Autopilot group tag after enrolment and set the device category accordingly.

Limitations of device categories

• A device can have only one category at a time. You cannot tag a device as both "Kiosk" and "Shared".
• User-selected categories are unreliable. Users often select the first option or the wrong option, especially if category names are not clear and descriptive.
• Changing a device category does not trigger immediate re-evaluation of dynamic group membership. There is processing latency.
• Device categories are not available during the Autopilot pre-provisioning phase. They are assigned after enrolment completes.
• Categories cannot be set through Autopilot deployment profiles directly. You need a separate automation if you want automated category assignment.
• The category list is tenant-wide. You cannot restrict which categories are visible to specific users or groups during enrolment.

Recommended device categories

Dynamic groups

Dynamic groups in Entra ID automatically calculate membership based on rules that evaluate device or user attributes. They are powerful but they come with processing latency, rule complexity limits and failure modes that you need to understand before building your targeting model around them.

How dynamic group processing works

When a device enrols in Intune or a device attribute changes, Entra ID adds the change to a processing queue. The dynamic membership rule engine evaluates all dynamic group rules against the changed object. Membership changes are written and synced to Intune. This process is not instant.

• Typical processing time: Often minutes to a few hours, depending on tenant size, group size, rule complexity and service load.
• Worst case: Microsoft documents that processing can take more than 24 hours depending on tenant size, number of changes, rule complexity and operators used.
• Rule complexity impact: Rules with multiple -or and -and conditions, nested expressions, or the -match operator take longer to evaluate per object.
• Tenant size impact: Tenants with more than 50,000 directory objects experience longer queue times because more objects need evaluation.

When to use dynamic groups

• The source attribute is reliably populated before the device needs to receive policies (for example, operatingSystem is always set at enrolment time).
• The attribute does not change frequently. Platform, ownership, and enrolment profile rarely change. Department changes are less frequent than daily.
• Processing latency is acceptable for the targeting scenario, and the policy does not need to apply immediately during enrolment.
• The rule is simple: one or two conditions with reliable attributes.

When NOT to use dynamic groups

• Time-sensitive rollouts: If a device needs a policy within minutes of enrolment, dynamic group latency may cause the device to sit unconfigured during the onboarding experience.
• User-set attributes: Device categories selected by users are unreliable. Building a dynamic group on device.deviceCategory where users set the value means the group membership is only as good as user behaviour.
• Complex compound rules: Rules with more than three conditions, especially those mixing -and and -or operators, are harder to troubleshoot and slower to process.
• Attributes populated late in the enrolment flow: Some attributes (like compliance state or certain extension attributes) are populated after the device has already been enrolled. Dynamic groups based on these attributes will not include the device during initial policy delivery.
• Frequent membership churn: If devices move in and out of the group multiple times per day due to attribute changes, the processing overhead and Intune sync delay make the group unreliable for targeting.

Example dynamic group rules

All corporate Windows devices:
(device.deviceOSType -eq "Windows") -and (device.deviceOwnership -eq "Company")

All Autopilot devices with specific group tag:
(device.devicePhysicalIds -any (_ -contains "[OrderID]:Standard"))

All iOS devices enrolled with specific profile:
(device.enrollmentProfileName -eq "iOS Corporate DEP")

Static groups and when they win

Static groups (assigned membership) require manual management but they provide something dynamic groups cannot: predictability and immediate effect. When you add a device to a static group, it is a member immediately. There is no processing queue, no evaluation latency and no dependency on attribute population.

When static groups are the right choice

• Pilot and testing groups: You want explicit control over which devices are in the pilot. You add devices deliberately, test, validate, and only then expand.
• Ring-based deployments: Update rings, feature rollout rings and policy rollout rings benefit from manual membership because you control the pace of rollout.
• Exception groups: Devices that need to be excluded from a policy temporarily. You add the device, verify the exclusion works, and remove it when the exception is resolved.
• Break-glass and VIP devices: Executive devices, security team devices and break-glass accounts should be in groups where membership changes are deliberate and auditable.
• Small-scale deployments: For tenants with fewer than 100 devices, the overhead of dynamic group rules and maintenance exceeds the benefit of automation.
• Devices with unreliable attributes: If the attribute you would use for a dynamic group rule is not consistently populated, a static group with manual oversight is more reliable.

Static group management patterns

• Assign an owner to every static group. The owner is responsible for adding and removing members.
• Review static group membership quarterly. Stale members create targeting drift.
• Document the purpose of each static group. Without documentation, nobody knows why a group exists six months later.
• Use access reviews in Entra ID Governance to automate periodic membership validation for critical static groups.

Naming conventions

A naming convention is not cosmetic. It is operational. When an admin sees a group name in the Intune assignment panel, they need to understand its purpose, type and scope immediately. Without a naming convention, your group list becomes a collection of guesses.

Recommended naming model

Exclusions and override patterns

Exclusions are necessary but dangerous. Every exclusion creates a gap in your targeting model that must be documented, reviewed and eventually resolved. The most common targeting troubleshooting issues in production tenants involve forgotten exclusions.

Intune exclusion evaluation order

Understanding how Intune processes exclusions is critical for predictable targeting:

1. Group-based exclusion wins over group-based inclusion. If a device is in both an included group and an excluded group, the exclusion wins. The policy is not delivered.
2. Filter-based exclusion is evaluated after group membership. The device must first be in the included group, then the exclude filter removes it from receiving the policy.
3. Multiple assignments to the same policy: If a policy is assigned to Group A (include) and Group B (exclude), and a device is in both groups, the device does not receive the policy.
4. Conflict resolution for multiple policies: When multiple policies of the same type target the same device, Intune applies conflict resolution rules (most restrictive wins for compliance, last write wins for some configuration settings).

Exclusion patterns

Troubleshooting targeting issues

When a device is not receiving a policy it should, or is receiving a policy it should not, the troubleshooting process follows a specific order. Most targeting issues are group membership problems, not Intune bugs.

Troubleshooting decision tree

Common targeting issues and resolution

Diagnostic tools

• Intune Troubleshooting + Support: Shows all policies assigned to a specific user or device, including assignment status and any errors.
• Entra ID group processing log: Shows the last time dynamic group membership was evaluated and whether there were processing errors.
• Assignment filter preview: In the Intune admin centre, you can preview which devices would match a filter expression before applying it to a policy.
• Microsoft Graph API: Query /deviceManagement/managedDevices with filters to validate device properties match your expected filter expressions.
• Intune device configuration report: Shows all configuration profiles assigned to a device, their status, and any conflicts between settings.

Integration with Conditional Access and compliance

Intune targeting and Conditional Access targeting operate in different systems but they must work together. Conditional Access policies in Entra ID evaluate at sign-in time. Intune policies evaluate at device check-in time. Compliance state is the bridge between them.

How targeting connects across systems

• Compliance policy targeting: Intune compliance policies are assigned to devices using groups and filters. The compliance evaluation result (compliant or not compliant) is written to the device object in Entra ID.
• Conditional Access reads compliance state: A Conditional Access policy can require a device to be marked as compliant. It reads the compliance state from Entra ID, which was set by the Intune compliance policy.
• Gap risk: If a device is not targeted by any compliance policy, its compliance state is "Not evaluated." Conditional Access policies that require compliance will block these devices because they are not compliant.
• Targeting alignment: Every managed device should be targeted by at least one compliance policy. If your compliance policies use narrow group targeting, you may have devices that fall through the gaps.

Targeting alignment checklist

• Every enrolled device platform has at least one compliance policy assigned to it
• Compliance policy groups cover all managed devices (use "All devices" with platform filters if needed)
• Conditional Access policies that require compliance are scoped to the same user population as Intune enrolment
• Devices excluded from compliance policies are documented with a business justification
• Configuration profiles and compliance policies target the same device populations (no mismatches)
• App protection policies (MAM) target user groups, not device groups (different targeting model)

Rollout order

Redesigning your targeting model should follow a phased approach. Changing group assignments and filters in production affects live devices. The rollout order below prioritises safety and reversibility.

1. Phase 1: Audit and document current state Export all group assignments, filters and device categories. Document every policy assignment in a spreadsheet. Identify gaps, overlaps and orphaned groups. Duration: 1 week.
2. Phase 2: Design naming convention and group taxonomy Define your naming convention, group types (static vs dynamic), filter strategy and category list. Get stakeholder agreement on the model before creating any objects. Duration: 1 week.
3. Phase 3: Create new groups and filters (do not assign yet) Build the new groups and filters in Entra ID and Intune. Verify dynamic group membership is populating correctly. Test filter expressions using the preview tool. Duration: 1 week.
4. Phase 4: Pilot validation Assign one non-critical policy (such as a device restriction profile) to the new targeting model for a pilot group of 10 to 20 devices. Validate that the correct devices receive the policy and no unexpected devices are affected. Duration: 1 to 2 weeks.
5. Phase 5: Migrate compliance policies Move compliance policies to the new targeting model first. Compliance policies are the most critical because they gate Conditional Access. Test thoroughly before proceeding. Duration: 1 to 2 weeks.
6. Phase 6: Migrate configuration profiles Move configuration profiles to the new targeting model. Start with profiles that have the least impact if misconfigured (display settings, branding) and progress to more critical profiles (VPN, WiFi, certificates). Duration: 2 to 3 weeks.
7. Phase 7: Migrate app assignments and security baselines Move app deployments and security baselines to the new targeting model. App assignments are more visible to users so validate with a broader pilot before full migration. Duration: 2 weeks.
8. Phase 8: Migrate update rings and scripts Move update rings and custom scripts to the new targeting model. Update rings control patching and have direct security impact. Validate ring membership carefully. Duration: 1 to 2 weeks.
9. Phase 9: Clean up old groups and document final state Remove old groups that are no longer used in any assignment. Update documentation with the final targeting model. Train the operations team on the new naming convention and maintenance procedures. Duration: 1 week.
10. Phase 10: Ongoing maintenance and review Establish a quarterly review cycle for group membership, filter accuracy and category usage. Monitor for group sprawl and naming convention drift. Automate stale group detection. Duration: Ongoing.

Common mistakes

These mistakes appear in real tenants. Each one creates targeting debt that compounds over time.

1. Assigning everything to "All devices" without filters. Every policy targets every device. No refinement, no rollout control, no ability to exclude. This works for compliance baselines but fails for everything else.
2. Creating a new group for every policy assignment. A 40-policy tenant ends up with 120 groups. Nobody knows which groups are used where. Group sprawl makes troubleshooting impossible.
3. Using dynamic groups for time-sensitive targeting. A device enrols and needs its compliance policy immediately, but the dynamic group takes 25 minutes to process. The device sits non-compliant and Conditional Access blocks the user.
4. Relying on user-selected device categories for security targeting. Users select "Standard" for every device because it is the first option. Your Kiosk category has zero members. Your security policy for kiosks targets nothing.
5. Confusing scope tags with assignment filters. An admin sets a scope tag on a policy thinking it controls which devices receive the policy. Scope tags control admin visibility, not policy delivery.
6. Building dynamic groups on attributes that are not populated at enrolment time. The dynamic group rule references an extension attribute that is set by a script that runs 30 minutes after enrolment. The device misses initial policies.
7. Forgetting to check exclude groups when troubleshooting. A device is in the include group but also in an exclude group that was added months ago. The admin spends hours investigating before checking exclusions.
8. Using -contains when -eq is needed. A filter for (device.model -contains "Surface") matches "Surface Pro 9", "Surface Laptop 5" and "Surface Hub 2S". The admin only wanted Surface Pro devices.
9. No naming convention. Groups are named "Test Group", "New Policy Group", "IT Devices 2" and "Windows Compliance v3 FINAL". Six months later nobody knows what anything is.
10. Mixing user-targeted and device-targeted assignments on the same policy. Some policies support both, but the behaviour is different. User-targeted compliance policies create a compliance state per user, not per device.
11. Not testing filter expressions before applying to production policies. The filter preview tool exists. Use it. A filter with a syntax error excludes all devices instead of the intended subset.
12. Creating dynamic groups with -match (regex) operator for simple string comparisons. The -match operator is slower to process and harder to maintain. Use -eq, -startsWith or -contains for simple matching.
13. Assigning conflicting policies to overlapping groups. Two WiFi profiles with different SSIDs target the same device through different groups. The device gets a conflict error and neither profile applies.
14. Excluding devices from compliance policies without understanding the Conditional Access impact. An excluded device has no compliance state. Conditional Access blocks it because "require compliant device" cannot be satisfied.
15. Never reviewing group membership after initial setup. Devices are decommissioned but never removed from static groups. Dynamic group rules reference attributes that have changed meaning. The targeting model drifts from its intended design.
16. Using "All users" for device configuration policies. Device configuration policies should target device groups. Targeting "All users" means the policy applies to every device every user signs into, which may not be the intent.

Field notes

What to fix first

If you are inheriting a tenant with targeting debt or starting a clean-up project, prioritise these items in order.

Recommended first 3 actions

These three actions can be completed in the first week and provide immediate value.

What good looks like

Use this checklist to assess whether your Intune targeting model is well-designed and maintainable.

• Every enrolled device is targeted by at least one compliance policy for its platform
• No more than 5 to 8 core groups handle 80% of policy assignments
• Assignment filters are used for ownership, platform and model refinement instead of creating separate groups
• Dynamic groups use simple rules with one or two conditions based on reliable attributes
• Static groups are used for pilot rings, exception devices and controlled rollout stages
• A documented naming convention is followed for all groups, filters and categories
• Every exclusion group has a documented justification and a review date
• Device categories are admin-assigned or automated, not reliant on user selection for security targeting
• No policy has more than two exclusion groups or one exclusion filter
• Group membership is reviewed quarterly and stale members are removed
• The targeting model is documented in a diagram or spreadsheet that is accessible to the operations team
• New team members can understand the targeting model within 30 minutes of reading the documentation

Save as PDF

Microsoft references

Related content