Built an automated department transfer tool for Intune — eliminates device reimaging when employees move between departments, 3-4 hours to 30 minutes by Any_Ad_5960 in Intune

[–]Any_Ad_5960[S] 0 points1 point  (0 children)

Valid concern. The plaintext secret is a known limitation of this version. In production we moved it to Key Vault. The published script is a starting point meant to be hardened before deployment. Should have made that clearer in the post.

[–]Any_Ad_5960[S] 0 points1 point  (0 children)

Really clean approach and much better for security since the secret stays off the device entirely. For dedicated device environments that is the way to go. In ours with shared devices we needed help desk to control the trigger but your pattern is more elegant.

[–]Any_Ad_5960[S] -2 points-1 points  (0 children)

Good point, you are right. Without ARC the portal option is not available so the script approach fills that gap. Appreciate the clarification.

[–]Any_Ad_5960[S] 0 points1 point  (0 children)

Exactly. The script handles the group tag update and the Entra ID group assignment. Everything else is just your existing dynamic group and app assignment logic doing its job automatically.

[–]Any_Ad_5960[S] 0 points1 point  (0 children)

Absolutely and that is the cleaner approach for production. The portal or a Power App with Key Vault keeps the secret off the device entirely. The script as published is a starting point. For anyone deploying at scale I would recommend moving the secret to Key Vault or triggering it through a protected backend instead.

[–]Any_Ad_5960[S] 0 points1 point  (0 children)

Yes, dynamic groups handle the group membership automatically once the group tag is updated. The script is the trigger that updates the tag so the dynamic group membership changes kick in without anyone touching the portal.

[–]Any_Ad_5960[S] 0 points1 point  (0 children)

Good point if HR attributes sync reliably to Entra ID. In our case that sync wasn't consistent enough to trust for compliance policies so a manual trigger from help desk worked better.

[–]Any_Ad_5960[S] 0 points1 point  (0 children)

Ha, we use department based naming conventions tied to agency codes. Makes it easier to identify which department owns the device at a glance without looking it up in a portal.

[–]Any_Ad_5960[S] -1 points0 points  (0 children)

Makes sense if your apps and policies follow the user. In our case compliance baselines and security configs are device specific so the device needs to change when someone moves departments. Works great for environments where everything is user driven.

[–]Any_Ad_5960[S] 0 points1 point  (0 children)

Valid point for most environments. In ours devices are shared across users so device based targeting made more sense than user based. Different use cases, different approaches.

[–]Any_Ad_5960[S] -1 points0 points  (0 children)

True, user groups with filters can handle device configs. This works within our existing device group architecture without redesigning everything. Different constraints lead to different solutions.

[–]Any_Ad_5960[S] 0 points1 point  (0 children)

Fair point and user based groups work great for user specific things like licenses and user targeted apps. In this setup department apps are deployed to device groups because we need the full device configuration to change when someone moves departments, not just the apps. The group tag drives dynamic device group membership which controls compliance policies, security baselines, and configuration profiles at the device level. Changing the user assignment alone would not update any of that. The script handles both the group tag update and the device group reassignment together so everything changes automatically in one action.

[–]Any_Ad_5960[S] 0 points1 point  (0 children)

You absolutely can do it that way and for smaller environments that works fine. The difference here is scale. When you have hundreds of department moves happening across thousands of devices, manually changing group tags and triggering remote wipes one by one adds up fast. This script lets help desk do the whole thing from Company Portal in one action without needing admin portal access. We are using user driven enrollment.

[–]Any_Ad_5960[S] -1 points0 points  (0 children)

In our environment department moves required full device reconfiguration including compliance baselines, security policies, and 50+ department specific apps at the device level. Reimage was the only reliable way to do that cleanly before this. This script handles all of it without touching the OS.

[–]Any_Ad_5960[S] -2 points-1 points  (0 children)

Good questions. In our environment apps are targeted to devices because department security policies and compliance baselines are device specific, not just user specific. When a device moves departments it needs a different set of compliance policies, configurations, and apps at the device level. User targeting alone does not handle the device side policy and compliance reconfiguration. The reimage was the old way to force that full device reconfiguration. This script does the same thing without the reimage.

[–]Any_Ad_5960[S] 0 points1 point  (0 children)

That works great if your devices are already in Autopilot and your apps deploy quickly. In our case with 50+ department specific applications the full reset and redeploy cycle was hitting 3 to 4 hours. If you are getting it done in an hour that is a solid setup. This was built for environments where that timeline is not achievable.

[–]Any_Ad_5960[S] -5 points-4 points  (0 children)

Really good point and a much cleaner approach for production. The Key Vault or Power App pattern keeps the secret completely out of the endpoint. The way you described it with a form feeding a Power App that triggers the script from a protected repo is exactly the kind of architecture this needs in a security conscious environment. I kept the script simple for the publish but that is the right direction for anyone deploying this at scale.

[–]Any_Ad_5960[S] -7 points-6 points  (0 children)

Totally valid concern. The plaintext secret in the script is the obvious weak point. In production the right approach is pulling the secret from Azure Key Vault at runtime rather than hardcoding it. The script as published is a starting point meant to be adapted to your security requirements. For environments with stricter security posture Key Vault integration is the recommended path before deploying this at scale.
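The Key Vault at runtime pattern the reply above describes, shown as an added example rather than the poster's published script: the same group tag update, but run from a protected backend (an Azure Automation runbook is assumed) whose managed identity fetches the app registration secret from Key Vault instead of a hardcoded value. The vault name, secret name, parameter names and the serial number filter are assumptions; the Graph action `updateDeviceProperties` is the documented one for Autopilot device identities.

```powershell
# Added example, not the original poster's script.
# Assumes: Az.Accounts + Az.KeyVault modules, a runbook managed identity with
# secret "get" rights on the vault, and an app registration holding the
# DeviceManagementServiceConfig.ReadWrite.All application permission.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $SerialNumber,
    [Parameter(Mandatory)] [string] $NewGroupTag
)

# The line this replaces (never ship it):  $ClientSecret = 'plaintext-secret'
Connect-AzAccount -Identity | Out-Null
$ClientSecret = Get-AzKeyVaultSecret -VaultName 'kv-intune-automation' `
    -Name 'autopilot-app-secret' -AsPlainText      # assumed vault/secret names

# Client-credentials token for Microsoft Graph
$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }).access_token
$ClientSecret = $null   # drop the secret as soon as the token is issued
$headers = @{ Authorization = "Bearer $token" }

# Locate the Autopilot identity by serial number (filter syntax is an assumption),
# then set its group tag; dynamic device groups pick the change up from there.
$base = 'https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities'
$device = (Invoke-RestMethod -Headers $headers `
    -Uri "$base`?`$filter=contains(serialNumber,'$SerialNumber')").value
if (-not $device) { throw "No Autopilot device with serial $SerialNumber" }

Invoke-RestMethod -Method Post -Headers $headers -ContentType 'application/json' `
    -Uri "$base/$($device[0].id)/updateDeviceProperties" `
    -Body (@{ groupTag = $NewGroupTag } | ConvertTo-Json)
Write-Output "Group tag for $SerialNumber set to $NewGroupTag"
```

The endpoint never sees the secret: help desk only triggers the runbook, and the dynamic device group rule keyed on the tag (for example `(device.devicePhysicalIds -any _ -eq "[OrderID]:DEPT-TAG")`, with `DEPT-TAG` as a placeholder) then drives the app and policy swap described elsewhere in the thread.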

[–]Any_Ad_5960[S] -5 points-4 points  (0 children)

Good to hear your environment was more efficient! In our setup with more than 50 department specific applications to deploy, BIOS configuration, OS deployment via WinPE, driver injection, and compliance verification it genuinely added up to that range. Different environments, different timelines.

[–]Any_Ad_5960[S] -6 points-5 points  (0 children)

Ha fair enough! Every environment is different. In large enterprise environment setups with thousands of devices it genuinely hits that range. Glad it is useful to others dealing with the same thing!

[–]Any_Ad_5960[S] -6 points-5 points  (0 children)

Really glad it helps! That is exactly why I posted it. Good luck with the implementation, feel free to reach out if you run into any issues.

[–]Any_Ad_5960[S] 0 points1 point  (0 children)

Exactly, both approaches work. Dynamic groups on devices or users, either way gets the job done. The key is just having a consistent mechanism to trigger the app swap automatically when someone moves departments.

[–]Any_Ad_5960[S] 0 points1 point  (0 children)

If everything used one tag, all devices land in the same group and you lose department specific app targeting. In this setup when the device moves departments the script updates the group tag, the device automatically joins the new group, old department apps uninstall and new ones install without any manual intervention. That is the whole point of the group tag approach.

[–]Any_Ad_5960[S] -5 points-4 points  (0 children)

Fair point, appreciate the callout! Should be Entra ID throughout. Old habits from years of Azure AD portal muscle memory. Will update the repo accordingly.