Sync ConfigMgr Collections to Intune

ConfigMgr collection sync is a feature that has been in ConfigMgr for a few versions. At a high level, it syncs the membership of a collection to a group in Entra ID that can then be used in Intune for assigning apps, configuration profiles, or really anything that is assignable within Intune.

This can be extremely helpful while you’re transitioning from ConfigMgr to Intune. It can keep the targeting for your on-prem management and cloud management in sync as you transition workloads to Intune.

This blog will explore the prerequisites and setup for collection sync, when to use it and when to avoid it, and how the sync process works (incremental vs. full syncs).

Prerequisites and Setup

Enable cloud attach and co-management

To use collection sync, your site must be cloud-attached and co-management must be enabled.

If you need help with this, see this Microsoft Learn article (or just ask Copilot): Enable cloud attach | Microsoft Learn. This process requires setting up an app registration in Entra ID and granting it Graph API rights to manage groups within your environment. Treat that app registration as a privileged identity: whoever controls its credentials can change the membership of the groups it can write to, and therefore what Intune deploys to which devices.

Naming scheme

Plan a naming scheme for your Intune groups, and specifically for groups which are synced from ConfigMgr. Once you enable syncing to a group, you should not manually manage the membership of that group in Entra ID; the next sync will overwrite your changes.

Having a naming scheme that denotes that a group is synced will help identify them. I would recommend something like Intune-*-Synced.

When to Use Collection Sync and When Not

Workload transition

As you move workloads (client apps, Windows Update policies, compliance, and so on) from ConfigMgr to Intune, you may need to sync collection membership to new groups for application deployments, update rings, and other assignments, so that the devices targeted in Intune are the same ones that were targeted in ConfigMgr.

Advanced device targeting

A good time to use collection sync is when you need advanced device targeting. When you create a collection in ConfigMgr, you have nearly all the information ConfigMgr holds about a device (hardware and software inventory, client state, discovery data) available to base the membership on. Intune, by contrast, has a limited, pre-defined set of device attributes that can be used in dynamic group rules, so some advanced device targeting may have to be done with a ConfigMgr collection and then synced to a group.
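Here is an added example (not from the original post) of the kind of targeting this section describes: a query-based collection whose membership depends on inventoried software, something an Entra dynamic membership rule cannot express because it only sees device object properties such as OS type and version. It assumes the ConfigMgr console is installed (the ConfigurationManager.psd1 module ships with it), that hardware inventory collects the Installed Software class, and uses a made-up site code, product name, and collection name.

```powershell
# Added example, not the post's own script. Assumes the ConfigMgr console PowerShell module
# and an "All Systems" limiting collection; site code "PS1" and "Contoso Legacy Agent" are placeholders.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
$SiteCode = "PS1"    # assumed site code
Set-Location "$SiteCode`:"

# Devices that still have the legacy agent installed. This needs inventory data,
# which only ConfigMgr has; Entra dynamic group rules cannot see installed software.
$wql = @"
select SMS_R_System.ResourceId, SMS_R_System.Name
from SMS_R_System
inner join SMS_G_System_INSTALLED_SOFTWARE
  on SMS_G_System_INSTALLED_SOFTWARE.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_INSTALLED_SOFTWARE.ProductName like "Contoso Legacy Agent%"
"@

# Periodic (daily) refresh only, no incremental updates: the synced Entra group is then
# re-evaluated once a day instead of being churned every few minutes, which keeps the
# collection out of the "highly dynamic" category the post warns about.
$schedule = New-CMSchedule -RecurInterval Days -RecurCount 1
$coll = New-CMDeviceCollection -Name "Intune-LegacyAgent-Synced" `
    -LimitingCollectionName "All Systems" `
    -RefreshType Periodic `
    -RefreshSchedule $schedule

Add-CMDeviceCollectionQueryMembershipRule -CollectionId $coll.CollectionID `
    -QueryExpression $wql `
    -RuleName "Legacy agent installed"
```

The collection name follows the Intune-*-Synced scheme suggested above. Syncing it to an Entra ID group is then enabled in the console on the collection's Cloud Sync tab; the example deliberately does not script that step.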

Highly dynamic or deep collection trees

A bad time to use collection sync is when membership changes a lot on a frequent basis. If the sync has to process a large number of frequent changes, it can cause performance issues in ConfigMgr. Intune's processing and deployment pipeline is also not architected to efficiently handle a high volume of frequent membership changes.

Long-term use of collection sync should be avoided. Work to redesign your architecture for a cloud world, using cloud-only technologies. The goal and vision should always be to move off ConfigMgr at some point. Keep that in mind as you make decisions that leave you dependent on ConfigMgr, and have an exit strategy for those decisions.

How Collection Sync Works

When you first enable a collection to sync to an Entra ID group, a full sync of the collection is done. After that first sync, a full sync is not done again. All subsequent syncs are incremental.

Over time, only performing incremental syncs can lead to a drift in membership between the collection and Entra ID group. You should run a full sync periodically to make sure that the membership is kept up to date.

This can be daily, weekly, monthly, prior to large deployments, or whatever makes sense to your organization. Just remember that every time you do a full sync, there will be a temporary performance hit on your ConfigMgr environment, and maybe Entra ID if there are a lot of changes.
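Before scheduling full syncs blindly, it helps to measure the drift the paragraph above describes. The following is an added example (not the post's own script) that compares a ConfigMgr collection's members with the device members of the Entra ID group it syncs to, and reports how many devices are missing from the group and how many are stale in it. It assumes it runs where the SMS Provider is reachable, that the Microsoft.Graph PowerShell SDK is installed, that SMS_R_System.AADDeviceID is populated for Entra joined or hybrid joined devices, and that you supply the group's object ID yourself (the post does not show which property of the mapping class holds it, so the script does not guess).

```powershell
# Added example, not the post's own script. Assumptions: SMS Provider access, Microsoft.Graph
# PowerShell SDK installed, and the target group's object ID supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $SiteCode,      # e.g. PS1
    [Parameter(Mandatory)] [string] $CollectionID,  # e.g. PS100042
    [Parameter(Mandatory)] [string] $GroupId        # Entra ID group object ID (GUID)
)

$ns = "root\sms\site_$SiteCode"

# 1. ConfigMgr side: resolve collection members to their Entra device IDs.
#    One SMS_R_System lookup per member; fine for a drift check on a modestly sized collection.
#    Devices without an AADDeviceID are not Entra joined and can never land in the cloud group,
#    so they are counted separately rather than reported as "missing".
$members = Get-CimInstance -Namespace $ns -ClassName SMS_FullCollectionMembership `
    -Filter "CollectionID='$CollectionID'"
$cmDevices = foreach ($m in $members) {
    Get-CimInstance -Namespace $ns -ClassName SMS_R_System -Filter "ResourceID=$($m.ResourceID)" |
        Select-Object Name, AADDeviceID
}
$notJoined = @($cmDevices | Where-Object { [string]::IsNullOrEmpty($_.AADDeviceID) })
$cmIds = @($cmDevices | Where-Object { $_.AADDeviceID } | ForEach-Object { $_.AADDeviceID.ToLower() })

# 2. Entra side: device members of the group expose their deviceId (not the directory object ID)
#    in AdditionalProperties; user or group members are ignored.
Connect-MgGraph -Scopes "GroupMember.Read.All" -NoWelcome
$groupMembers = Get-MgGroupMember -GroupId $GroupId -All
$entraIds = @($groupMembers |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.device' } |
    ForEach-Object { ([string]$_.AdditionalProperties['deviceId']).ToLower() })

# 3. Compare the two sets.
#    missing = in the collection but not in the group (incremental sync never added it)
#    stale   = in the group but no longer in the collection (incremental sync never removed it)
$cmSet    = [System.Collections.Generic.HashSet[string]]::new([string[]]$cmIds)
$entraSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$entraIds)
$missing  = @($cmIds    | Where-Object { -not $entraSet.Contains($_) })
$stale    = @($entraIds | Where-Object { -not $cmSet.Contains($_) })

[pscustomobject]@{
    CollectionID       = $CollectionID
    CollectionMembers  = @($cmDevices).Count
    NotEntraJoined     = $notJoined.Count
    GroupDeviceMembers = $entraIds.Count
    MissingFromGroup   = $missing.Count
    StaleInGroup       = $stale.Count
}
```

Run it for a few synced collections over a couple of weeks and the MissingFromGroup and StaleInGroup counts tell you how often a full sync is actually needed, rather than guessing daily versus weekly. Stale devices deserve the most attention: a device that has left a collection but still sits in the group keeps receiving whatever Intune assigns to that group.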

A built-in, automated process for scheduling full syncs does not exist as of ConfigMgr 2503. To account for that, I run a simple PowerShell script that runs a full sync. I run this daily as a scheduled task on my primary site server. Here is the script that I use. There are also several other examples on the internet for doing this.

    $site_code = "<site_code>"   # three-character site code; replace the placeholder
    $namespace = "root\sms\site_$site_code"

    # get collections that are configured for Entra ID (AAD) group sync
    $colls = Get-CimInstance -Namespace $namespace -ClassName SMS_CollectionAADGroupMapping

    # loop through the mapped collections, instructing each one to do a full sync
    foreach ($coll in $colls) {
        $collID = $coll.CollectionSiteID
        try {
            Invoke-CimMethod -Namespace $namespace -ClassName SMS_CollectionAADGroupMapping `
                -MethodName ConfigSyncSettings -Arguments @{ CollectionSiteID = $collID } `
                -ErrorAction Stop | Out-Null
        }
        catch {
            # surface failures in the scheduled task history instead of silently skipping the collection
            Write-Warning "Full sync request failed for collection $collID : $($_.Exception.Message)"
        }
    }

Final Thoughts

Syncing ConfigMgr collections to Intune offers a practical bridge for organizations transitioning to cloud-based management. By leveraging collection sync, you can maintain consistent targeting across on-premises and cloud environments, especially during workload migration and when advanced device targeting is required.

However, it's important to use this feature only when required and to avoid scenarios involving highly dynamic collections. You should also periodically run full syncs to prevent group membership drift. Ultimately, while collection sync is a valuable tool for hybrid environments, organizations should always aim to evolve their architecture toward cloud-native solutions and keep long-term goals in focus.
