How can you create a device group, based on membership in a user group in Azure/Intune/MS Endpoint Manager?
Ideally, there should be a means of using a dynamic group query in Azure/Intune/MS Endpoint Manager to populate a device group based on a user group. Unfortunately, the fields needed to do this do not appear to be exposed to the group dynamic membership query environment/engine. I've submitted the feature request to MS, but in the interim was looking for another pathway to solve this need.
Unfortunately, this functionality does not exist as of yet. I've submitted the feature request to MS, but in the interim developed a Powershell Script to solve this need, and wanted to share it as I found no posting of such a script anywhere I searched. It could be tailored for other uses, and could have other functionality added, but for now it's a good start for someone needing a base for this type of need (IE the folks in accounting need App XYZ available on their device with this specific configuration).
I hope this helps others, and feel free to post updated versions with expanded capabilities that you extend from what I'm posting. Below is also a link to the feature request that I've submitted for this to be available within the dynamic membership query functionality within Azure AD/MS Endpoint Manager/Intune, as upvoting there would be very helpful to get this ultimately solved the right way, natively within Azure/MSEM/Intune.
https://feedbackportal.microsoft.com/feedback/idea/75f632df-92b7-ed11-a81b-002248519701
#This could be run via automation to update the group membership at an interval to maintain groups
#Connect to mggraph beta environment with priviledges. This may work with read access for User and Directory.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All", "DeviceManagementManagedDevices.PrivilegedOperations.All"
Select-MgProfile -Name "beta"
#Get the User members of this group
#Replace the user group id below with your user group id
$grpMembers = Get-MgGroupMember -GroupId "12345ab1-a1ab-123a-a123-123a4567b890" -All | Where {$_}
$grpUsers = ($grpMembers.AdditionalProperties).userPrincipalName
#Get list of devices for users in group
$uDevices = $grpUsers | ForEach-Object {Get-MgUserRegisteredDevice -UserId $_}
#Get list of personal devices from the full list of devices for the users in group
$pDevices = $uDevices.AdditionalProperties | Where {$_.deviceOwnership -eq "Personal"}
#There is a bug in what ID is returned or used with different mggraph commands so we need to translate
#the ID returned above to the ID needed for adding device group membership.
#Fixing this is a breaking change, so will not be fixed until a major version update of MgGraph environment
#At that time, this step of translating the ID returned will/can be removed
#Translate DeviceId returned from Get-MgUserRegisteredDevice to the DeviceID needed to add devices to device group
$gDevices = $pDevices.deviceId | ForEach-Object {get-mgdevice -Filter "DeviceId eq '$($_)'"}
#Get current device group membership
#Replace the group ID below with your device group ID.
$eDevices = Get-MgGroupMember -GroupId "a123456b-12ab-12a3-abc1-123abcd34efg" -All
If($eDevices -ne $null){ #If the group isn't empty...
#Compare devices from the existing devices in the group with the current devices that should be in the group
$cDevices = Compare-Object -ReferenceObject $eDevices.Id -DifferenceObject $gDevices.Id -IncludeEqual
#Based on comparison flag of results for each object in existing or current devices lists, do nothing, add new devices, or remove non-current devices
$cDevices | ForEach-Object {If ($($_.SideIndicator) -eq "==") {Write-Host "No change for $($_.InputObject)"}}
#Replace the group ID below with your device group ID.
$cDevices | ForEach-Object {If ($($_.SideIndicator) -eq "=>") { New-MgGroupMember -GroupId "a123456b-12ab-12a3-abc1-123abcd34efg" -DirectoryObjectId $($_.InputObject); Write-Host "Added $($_.InputObject)"}}
#Replace the group ID below with your device group ID.
$cDevices | ForEach-Object {If ($($_.SideIndicator) -eq "<=") { Remove-MgGroupMemberByRef -GroupId "a123456b-12ab-12a3-abc1-123abcd34efg" -DirectoryObjectId $($_.InputObject); Write-Host "Removed $($_.InputObject)"}}
} Else {
#Add all devices for users to the empty group
#Replace the group ID below with your device group ID.
$gDevices | ForEach-Object {New-MgGroupMember -GroupId "a123456b-12ab-12a3-abc1-123abcd34efg" -DirectoryObjectId $($_.Id); Write-Host "Added $($_.Id)"}
}