How Intune is using set theory (Filters!)

You have probably seen a Venn diagram in your life. So have most students in their lives, but as with most things we don’t use over time, we tend to forget. I know this is going to be an unorthodox piece, but I have been wanting to write this for quite some time. This article will cover some of the basics of set theory and how it applies to Intune, Entra groups and especially why you want to use filters. I promise I will leave out the “horseshoe” math.

A refresher on set theory

All Users and All Devices Venn Diagram

The easiest way to display a “set” of things is by using a circle~ish figure. It can really be anything, but in terms of an Entra Group think of devices, users, service principals and other groups¹. To keep it simple we’ll mostly stick with the “All Users²” and “All Devices³” sets.

Now, if you need a subset of these, there are ways to cut your sets in Entra. You can either hand-pick objects from one or both of the sets (aka “assigned”) or you can let them be automatically picked by a certain ruleset (hah!) aka dynamic groups. These images on the right are also called “Euler diagrams”.

Venn diagram with subsets

Skilling snack 1: You cannot mix devices and users in dynamic groups⁴. This should also never be necessary and will lead to confusion very fast, as most products are not built around this idea.

Filter example from all devices

Now we’ll focus on one of the sets and see how we can create useful subsets. There are two ways to do this and one of them is Intune specific and cannot be used in any other Azure product.

  1. Dynamic Groups use rules and operators⁵ (in this case a -ne). They are evaluated regularly and, depending on the tenant size, may take “up to 24 hours” to do so. In most environments 30 minutes is more realistic though.
  2. Filters also use rules and operators, albeit from a different source: Intune. Some properties may overlap, but the source is not Entra. Filters however are not evaluated regularly but rather apply instantly. This makes them very attractive if you don’t want to rely on the uncertainty of group evaluation.

Skilling snack 2: All Users and All Devices are already baked into Intune (not Entra!). While you can create these yourself (see footnotes 2 and 3), you really shouldn’t. If you can’t use All Users/All Devices somewhere, it’s because Microsoft doesn’t want you to shoot yourself.

How Intune resolves conflicts

We now have a very basic set of rules. What can we do with them? Well, Microsoft uses the following examples to explain how groups and filters work together. In their example⁶, they added a conflict on purpose. To make this easier to understand, we can use a Venn diagram to better visualize the problem.

MS example visualization

Looking at this, we can now start to visualize the different include/exclude examples from the table above. Let us start with the first example (top left “include include”). Since G1 and G2 are not mutually exclusive, a device can be in both groups. If it is, only one filter can apply for inclusion at a time. If both apply, the device is excluded. For the second example (top middle), F2 will be the only relevant factor, as it has precedence over includes. The following gallery shows a few examples from the table.

Skilling snack 3: Filters may not work as expected! Sometimes a double negative is exactly the opposite of what you would expect. You may need to use some brainpower for different situations.
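The double negative from skilling snack 3, modelled as plain set operations. This is an added example, not code from the original article and not Intune's own evaluation engine; the device inventory, the group `GROUP_G1` and the function names are constructed for illustration, and only single `-eq`/`-ne` rules are handled.

```python
import re

# Constructed inventory (sample data, not from a real tenant).
DEVICES = {
    "LT-001": {"manufacturer": "Microsoft", "deviceOwnership": "Corporate"},
    "LT-002": {"manufacturer": "Dell", "deviceOwnership": "Corporate"},
    "LT-003": {"manufacturer": "Dell", "deviceOwnership": "Personal"},
    "PH-004": {"manufacturer": "Apple", "deviceOwnership": "Personal"},
}
GROUP_G1 = {"LT-001", "LT-002", "LT-003"}  # hypothetical Entra group

# Accepts one rule in the shape (device.<property> -eq|-ne "<value>").
RULE = re.compile(r'\(device\.(\w+)\s+-(eq|ne)\s+"([^"]*)"\)')


def matches(rule, inventory=DEVICES):
    """Return the set of devices for which the rule evaluates to true."""
    m = RULE.fullmatch(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule: {rule}")
    prop, op, value = m.groups()
    equal = {name for name, props in inventory.items() if props.get(prop) == value}
    # -ne is the complement of -eq within the whole inventory.
    return equal if op == "eq" else set(inventory) - equal


def effective_targets(group, rule, mode):
    """Include = group INTERSECT filter matches; Exclude = group MINUS matches."""
    matched = matches(rule)
    if mode == "include":
        return group & matched
    if mode == "exclude":
        return group - matched
    raise ValueError(f"unknown filter mode: {mode}")


if __name__ == "__main__":
    cases = [
        ('(device.manufacturer -eq "Dell")', "include"),
        ('(device.manufacturer -ne "Dell")', "exclude"),  # double negative
        ('(device.deviceOwnership -eq "Personal")', "exclude"),
    ]
    for rule, mode in cases:
        print(f"{mode:8} {rule:45} -> {sorted(effective_targets(GROUP_G1, rule, mode))}")
```

The first two cases return the same devices: excluding everything that is "not Dell" is the same set as including "Dell". PH-004 never shows up because a filter can only narrow the assigned group, not add to it.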

We will look at these two examples

What else?

That’s it for the main course! Now have some more skilling snacks before you leave.

Skilling snack 4: Overlaps should be avoided, because they might have unintended consequences (see above!). You can use my method, or anything that helps you make that tidbit stick while creating groups and filters!

Skilling snack 5: You can create up to 200 filters in each tenant and up to 3,072 characters per filter are allowed. Limits may be extended within reason and it better be a good reason. I have a customer that has to cover 50 different hardware models alone.

Skilling snack 6: Microsoft has a great library of examples and sometimes possible values for filters – it is somewhat hidden here: Supported filter device and app properties & operators in Microsoft Intune | Microsoft Learn

Skilling snack 7: If you need performance you should read the recommendations carefully. Performance recommendations for Grouping, Targeting and Filtering in Microsoft Intune | Microsoft Learn

Skilling snack 8: Intune evaluates all possible permutations of group membership for any given machine before the machine does a check-in. If you belong to a large to very large environment (100k+) you should definitely understand how this works and take great care to optimize according to skilling snack 7.

That’s it for today – I hope you learned something! If there is more interest in this kind of blog that looks at problems in a different way, let me know on Twitter/X, LinkedIn or in the WinAdmins community.

  1. Learn about groups and group membership – Microsoft Entra | Microsoft Learn ↩︎
  2. All users rule: Rules for dynamically populated groups membership – Microsoft Entra ID | Microsoft Learn ↩︎
  3. All devices rule: Rules for dynamically populated groups membership – Microsoft Entra ID | Microsoft Learn ↩︎
  4. Rules for devices: Rules for dynamically populated groups membership – Microsoft Entra ID | Microsoft Learn ↩︎
  5. Operators for dynamic groups: Rules for dynamically populated groups membership – Microsoft Entra ID | Microsoft Learn ↩︎
  6. Filter reports and troubleshooting in Microsoft Intune | Microsoft Learn ↩︎