I recently had to break SCCM and Intune co-management (the hybrid setup) and migrate the mobile devices that had been managed by SCCM\Intune to Intune alone.
I followed Gerry Hampson's blog post on how to do this. Gerry is a Microsoft MVP in Enterprise Client Management.
I faced a problem: how do I translate an SCCM device collection, which holds no information about users, into a security group that I can assign an Intune Application Protection Policy to? In my particular instance only two policies were required.
- Intune_Exec_AppProtection_Policy
- All users except the Exec users
Azure Active Directory can create complex dynamic user or device security groups, so in my instance I created the two Intune Application Protection Policies listed above.
I created one on-premises synced AD security group containing the Exec users; this group was assigned to Intune Application Protection Policy 1. I then wanted a security group that I could assign to all non-Exec users and to any new users. So I created an Azure AD dynamic user security group that queries Azure AD for any user who holds an Intune license. The query for the Azure dynamic security group is listed below.
user.assignedPlans -any (assignedPlan.servicePlanId -eq "c1ec4a95-1f05-45b3-a911-aa3fa01094f5" -and assignedPlan.capabilityStatus -eq "Enabled")
This type of dynamic security group can be used with any Microsoft cloud service. Microsoft publishes the full list of servicePlanIds in its licensing service plan reference.
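The following is an added example, not code from the original post, showing how I would script the dynamic group described above with the Microsoft Graph PowerShell SDK. It first confirms that the servicePlanId in the rule really is the Intune plan in the tenant, previews which users the rule would match, and only then creates the group. The group display name and mail nickname are assumed placeholders; the servicePlanId is the one from the post.

```powershell
# Added example (not from the original post): build the Intune-licensed dynamic
# user group with the Microsoft Graph PowerShell SDK. Group name and mail nickname
# below are assumed placeholders; the servicePlanId is the one quoted in the post.
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All', 'Organization.Read.All'

$intunePlanId = 'c1ec4a95-1f05-45b3-a911-aa3fa01094f5'   # Intune service plan (from the post)

# 1. Confirm the GUID maps to a service plan that the tenant actually subscribes to,
#    so a mistyped ID does not silently produce an empty group.
$plan = Get-MgSubscribedSku | ForEach-Object { $_.ServicePlans } |
        Where-Object { $_.ServicePlanId -eq $intunePlanId } | Select-Object -First 1
if (-not $plan) { throw "Service plan $intunePlanId is not present in any subscribed SKU" }
Write-Host "Rule targets service plan '$($plan.ServicePlanName)'"

# 2. Preview the rule locally before creating the group. Both conditions must hold on
#    the SAME assignedPlan entry, which is what '-any ( ... -and ... )' means in a
#    dynamic membership rule; a user whose Intune plan is Deleted or Suspended is skipped.
$matching = Get-MgUser -All -Property 'Id', 'DisplayName', 'UserPrincipalName', 'AssignedPlans' |
    Where-Object {
        $_.AssignedPlans | Where-Object {
            $_.ServicePlanId -eq $intunePlanId -and $_.CapabilityStatus -eq 'Enabled'
        }
    }
Write-Host "$(@($matching).Count) users currently satisfy the rule"
$matching | Select-Object DisplayName, UserPrincipalName | Format-Table -AutoSize

# 3. Create the dynamic security group with the same rule and processing switched on.
$rule = "user.assignedPlans -any (assignedPlan.servicePlanId -eq `"$intunePlanId`" -and assignedPlan.capabilityStatus -eq `"Enabled`")"
$group = New-MgGroup -DisplayName 'Intune Licensed Users (assumed name)' `
    -MailNickname 'intune-licensed-users' `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'
Write-Host "Created dynamic group $($group.Id); Azure AD evaluates membership asynchronously, so allow a few minutes"
```

The local preview in step 2 mirrors the rule's semantics so you can sanity-check the expected membership before Azure AD starts processing it. Note that the rule matches every user with an enabled Intune plan, the Exec users included; keeping them out of the "all other users" policy is therefore a matter of the policy's assignment (excluding the Exec group) rather than of the membership rule itself.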