How does RGA work?

In Endpoint Admin you can create a ring group automation profile (RGAP), with the desired configuration. A RGAP consist of a desired number of rings, scope, exclude, detection interval and prefix.

• A ring consist of device-only security group in Microsoft Entra ID. It is only device-groups because of limitation in the Intune assignment engine as it does not support include/exclude of mixed user and device groups.
• Each Ring can be divided into a desired number of subgroups to support staged rollout and limit WAN utilization.
• You can add both user-based or device-based groups to a ring. When a user is added to a ring, it is the user’s primary devices from Microsoft Entra ID which are added to the ring.
• RGAP Scope: The scope can be global, meaning all devices in the Microsoft Entra ID. Or you can select a group. If you use a group as a scope, only devices which are a member of the scope will be affected by RGA.
• Exclude: Groups can be excluded from the RGA. All devices and user’s primary devices which a member of a group added to exclude, will not be affected by RGA.
• Device objects can only be a member of one ring.
• A user can use the Endpoint Admin shop, to move their devices into a different ring.
• RGA will automatically create a “Final ring”. All devices in the scope for the RGA will automatically be added to the final ring, if their are not a member of any other ring in the RGA.
• Detection interval is how often the RGAP should be executed and update ring membership.
• Prefix: Groups create by the RGAP will be prefixed with the given prefix.