This week, let me explain how to create AAD Groups based on Intune Device Categories. Device categories are often used to manage groups of devices in Endpoint Manager Intune.
In addition, to make device management easier, Microsoft Intune Device Categories let you automatically add devices to groups based on the categories that the end user selects.
These Device categories have been part of Intune for quite some time but are hardly used (I think) by most people. You need to be careful with the Device Categories option discussed in this post.
One benefit of Device Categories is the ability to create Dynamic Azure AD Security Groups once a device falls under one of them. Using this security group, a device can be assigned appropriate policies and applications.
Examples of Device categories are IT Team, HR Team, Sales Team, Marketing Team, etc.
You are giving control to the end user and trusting them to select the correct Intune Device Category during the enrollment process.
Hence this method is not 100% error-free: a user who picks the wrong category lands in the wrong dynamic group and receives that group's policies and apps. System admins can provide documentation to help end users select the correct device category.
What is Intune Device Category?
You can use Intune device categories to automatically add devices to groups based on pre-defined categories. The Intune Device Category helps IT admins provide access to company resources for managed devices.
NOTE! – The end user can’t change the device category after setting it without an admin’s help.
Create Intune Device Category
I will walk through the required steps to create Device Categories in Intune. Sign in to the Microsoft Endpoint Manager admin center.
- From the left-hand menu, choose Devices.
- Select Device categories.
- On the Devices | Device categories page, choose Create device category to start creating the device category.
From the Create Device category page:
- Enter the Name of the Device Category (under the Basic tab)
- Enter an optional Description and then click Next.
On the Scope tags tab, select the scope tags you want to use, if any, and then click Next.
After reviewing the Review + Create tab summary, you can click Create to finish creating the Intune Device Category.
The Device category is successfully created and appears on the Device categories page.
Create Azure AD Group based on Intune Device Category
You can now create an Azure AD group with the Dynamic Device membership type. Devices will be added to the AAD dynamic device group automatically based on their device category. The reference articles on Azure AD dynamic groups are below.
- How to Create Azure AD Dynamic Groups for Managing Devices using Intune
- Windows AutoPilot Devices Azure AD Dynamic Groups Intune
- How to Exclude a Device from Azure AD Dynamic Device Group
Let’s go through the following steps to create the Azure AD dynamic groups.
- Login to endpoint.microsoft.com
- Navigate to the Groups node.
- From the left-hand menu, choose Groups -> Select All groups.
- On the Groups | All group page, choose New group to start creating the AAD group.
You need to select Membership type as Dynamic Devices from the drop-down menu (My choice for this testing was Dynamic Devices, but you may use any option based on your needs).
- From the New Group page, follow the below steps,
- Select the Group type as Security
- Enter the Group name for the AAD group
- The Group description field is optional, but I recommend typing the purpose of the group
Click Add dynamic query to set the deviceCategory attribute.
From the Dynamic membership page, follow the below steps:
- On the Configure Rule tab,
- Select Property as deviceCategory
- Select Operator as Equals
- Select Value as HTMD_Lab
- Click Save. The resulting Rule syntax is:
device.deviceCategory -eq "the device category name you have created from the MEM admin portal"
The required information is updated for the AAD dynamic group. Select Create to initiate AAD group creation.
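The same group can be created from PowerShell with the rule shown above, and the membership check described later in the Azure AD Dynamic Group Results section can be scripted instead of done in the portal. This is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK, an account holding the listed scopes, and the HTMD_Lab category used in this post.

```powershell
# Added example (not from the original post): create the dynamic device group with the
# portal's rule, then confirm every Intune device in the category has become a member.
# Assumes the Microsoft.Graph PowerShell SDK and an account granted the scopes below.
Connect-MgGraph -Scopes 'Group.ReadWrite.All','DeviceManagementManagedDevices.Read.All','Device.Read.All'

$category = 'HTMD_Lab'   # the device category name created in the MEM admin center

# Dynamic security group; the membership rule is the one the portal generates.
$group = New-MgGroup -DisplayName "Intune-Category-$category" `
    -Description "Devices whose Intune device category is $category" `
    -MailEnabled:$false -MailNickname "intune-category-$($category.ToLower())" `
    -SecurityEnabled:$true -GroupTypes 'DynamicMembership' `
    -MembershipRule "(device.deviceCategory -eq `"$category`")" `
    -MembershipRuleProcessingState 'On'

# Dynamic membership is evaluated asynchronously; wait, or re-run the check later.
Start-Sleep -Seconds 300

# Devices Intune reports in this category: what the rule should resolve to.
$expected = Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.DeviceCategoryDisplayName -eq $category } |
    Select-Object -ExpandProperty AzureAdDeviceId

# Devices Azure AD has actually placed in the group (member objects carry deviceId).
$actual = Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['deviceId'] }

$missing = $expected | Where-Object { $_ -notin $actual }
$extra   = $actual   | Where-Object { $_ -notin $expected }
"Category devices: $($expected.Count)  Group members: $($actual.Count)"
if ($missing) { "Not yet in group: $($missing -join ', ')" }
if ($extra)   { "In group but not in category: $($extra -join ', ')" }
```

Any device listed as "in group but not in category" means the category was changed after the group was last evaluated, so re-run the check once the dynamic membership has refreshed before relying on the group for policy assignment.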
End-User Device Categories
The following section gives you the end-user enrollment experience for different platforms. Device Categories use the following workflow.
- During the enrollment process, allow users to select from available Device categories.
- Android and iOS device users must choose a Device category when enrolling a device.
- Users must use the Company Portal to assign categories to Windows 10/11 devices.
- Then, deploy policies and apps to these groups
Intune Device Category End-User Experience
It’s now time to look at the end-user experience after the configuration of the device categories is complete. I will share the Android and Windows 10/11 experience of selecting the category.
Android and iOS Device Enrollment
Users enrolling an iOS or Android device will receive a message asking them to select a device category.
Windows 10 Device enrollment
Once the device is enrolled, let’s follow the steps mentioned below to assign a device category.
- Open the Company Portal.
- It will prompt you to choose the Device Categories.
- Click Done and the device will be assigned to the chosen Device category.
Note: Once a device is assigned to a specific Device category, the user cannot change the device category from the Company portal.
To verify the assigned Device Category of the Windows 10 device, you can follow the steps mentioned below.
- Open the Company Portal and open the menu options.
- Select Devices.
- Click This Device (it will show the assigned computer name).
The device is assigned to the chosen Device category. On my test computer, I chose the HTMD_Lab device category.
Azure AD Dynamic Group Results
You can check the AAD Groups based on Intune Device Categories results from MEM Admin Center (Intune Portal).
- Navigate to Groups -> All Groups.
- Search for HTMD_Lab group.
- Click on the Members node from the AAD group.
Resource -> Categorize devices into groups in Intune