When building a device management strategy with Intune and Entra, a good naming convention is a crucial building block for managing Intune and Entra related objects. Entra is used for assignment groups; Intune has policies, profiles, connectors and applications for different device platforms. Both require a proper naming convention that is simple to understand, easy to manage and very searchable.
Building an Entra group naming convention is not new. I’ve read multiple blogs about this and tested different name elements in my test tenant to figure out the best naming convention. There are really complex ways of naming groups and, on the other hand, very simple ones. You should plan the naming convention for other Microsoft services that use Entra groups the same way as for Intune.
This post focuses only on the Entra and Intune related naming convention. Keep an eye out for Part 2!
Entra groups for Intune
Intune uses Entra groups to assign different policies and apps. It’s good practice to plan and build groups with proper names. For me, finding the correct groups within Entra is crucial. Neither Entra nor Intune has a simple way to display which groups are used where in Intune. A good naming convention can really help!
I’ve seen many Entra tenants that don’t have proper group names that would tell you, “Hey, this group is used with Intune, and only with Intune!” Remember, Entra connects to different services, both Microsoft and third-party, which complicates group naming.
Main elements for group naming
This model is based on real-world experience with Entra and Intune, and it’s designed for medium to large organizations that have multiple locations and different requirements for Intune related configurations. The model can be scaled down for smaller organizations.

- Prefix: Start the group name with “Intune”. Simple, effective and easy to understand: this group is used with Intune and nothing else!
- Group Membership Type: Dynamic or Assigned (referred to as static). For devices, use “dd” or “sd”. For users, use “du” or “su”. Easy! Just remember NOT to mix devices and users in the same group. For Active Directory synced groups, I recommend nesting synced groups into a cloud group (su or sd) for clarity. Active Directory groups often have their own naming convention or one based on an IDM solution.
- Intune configuration scope: Scopes for “configuration”, “compliance”, “apps”, “scripts” and so on. This makes it really easy to see that a group is used, for example, for deploying apps. This is optional, but in some cases very good practice to implement.
- Descriptive name: Although there’s a description column, you cannot search it in Entra! Describe why the group exists and what its members are.
Some examples that I’ve used
- intune-dd-All Windows 11
  - All Windows 11 devices
  - Description can be more specific, like “managed”, “co-managed”, “personal” etc.
- intune-dd-All Lenovo
  - All devices that have Lenovo as the manufacturer
- intune-su-Developers
  - All users that are developers
  - Could be dynamic, if user objects have an attribute that identifies developers.
- intune-du-All Finland
  - All users from Finland
- intune-du-All Externals
  - All external users
You can keep it this simple or add more details, keeping in mind the character limit of 63.
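One way to check names against the elements above, as an added example that is not part of the original post: a PowerShell function that splits a display name into prefix, membership type, optional scope and descriptive name and reports what is off. The hyphen-separated position of the scope element, the function name and the sample names beyond those listed in the post are assumptions.

```powershell
# Added example: checks display names against the convention described in this post.
# Assumptions (not from the post): elements are hyphen-separated, and the optional
# scope sits between the membership type and the descriptive name.
$MembershipTypes = @{ dd = 'Dynamic device'; sd = 'Assigned device'
                      du = 'Dynamic user';   su = 'Assigned user' }
$KnownScopes = 'configuration', 'compliance', 'apps', 'scripts'   # extend as needed
$MaxLength   = 63                                                 # limit stated in the post

function Test-IntuneGroupName {
    param([Parameter(Mandatory)][string]$Name)

    $issues = [System.Collections.Generic.List[string]]::new()
    $type = $null; $membership = $null; $scope = $null; $description = $null

    if ($Name.Length -gt $MaxLength) {
        $issues.Add("longer than $MaxLength characters ($($Name.Length))")
    }
    # Split into at most three parts so hyphens inside the descriptive name survive.
    $parts = @($Name -split '-', 3)
    if ($parts[0] -ne 'intune') { $issues.Add('missing "intune" prefix') }  # case-insensitive
    if ($parts.Count -lt 3) {
        $issues.Add('expected intune-<type>-<descriptive name>')
    } else {
        $type = $parts[1].ToLower()
        $membership = $MembershipTypes[$type]
        if (-not $membership) { $issues.Add("unknown membership type '$type'") }
        # Treat the next element as a scope only when it is a known scope keyword.
        $head, $tail = $parts[2] -split '-', 2
        if ($tail -and ($KnownScopes -contains $head)) {
            $scope = $head.ToLower(); $description = $tail
        } else {
            $description = $parts[2]
        }
        if ([string]::IsNullOrWhiteSpace($description)) { $issues.Add('empty descriptive name') }
    }
    [pscustomobject]@{
        Name = $Name; Valid = ($issues.Count -eq 0); Membership = $membership
        Scope = $scope; Description = $description; Issues = ($issues -join '; ')
    }
}

# Constructed sample names: the first two appear in the post, the rest are made up.
$samples = 'intune-dd-All Windows 11', 'intune-su-Developers',
           'intune-dd-apps-All Lenovo', 'Developers', 'intune-xx-All Finland'
$samples | ForEach-Object { Test-IntuneGroupName -Name $_ } | Format-Table -AutoSize
```

Run against an exported list of group display names, the `Issues` column shows which groups still need renaming before they fit the convention.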
What about Entra search?
You can find EVERY Intune-related group by searching in Entra with “Intune” as the search term. Add more details like “-dd” or “-su” to narrow the results. You can also search with “intune lenovo” to get a list of all groups that have Intune and Lenovo in the name, like in the sample. This is a very simple and effective way to find groups used only in Intune.

Conclusion
I’ve used this naming convention on multiple tenants with great success. I’ve also modified it for different use cases or when a slightly different naming convention was already in use. Just note that there’s always some old naming convention in use, and it might take a lot of time and effort to ensure that groups are used only in Intune and to rename those groups. Also, if Intune has multiple admins, it’s not easy for them to learn a new way. Still, I recommend planning and implementing a good naming convention for Entra groups.
Keep an eye out for My take on Intune Naming convention – Part 2 – Intune
I completely agree with the conclusion. Implementing a well-thought-out naming convention for Entra groups can indeed streamline management processes. Once this model is properly and widely adopted, it significantly reduces confusion and enhances efficiency. Although it may take some time and effort to transition from old naming conventions, the long-term benefits are well worth it. Planning and implementing a good naming convention is a crucial step towards better management.