AAD Groups based on Intune Device Categories

This week, let me explain how to create AAD Groups based on Intune Device Categories. Device categories are often used to manage groups of devices in Endpoint Manager Intune.

In addition, to make device management easier, Microsoft Intune Device Categories let you automatically add devices to groups based on the categories that the end user selects.

These Device categories have been part of Intune for quite some time but are hardly used (I think) by most people. You need to be careful with the Device Categories option discussed in this post.

One benefit of Device Categories is the ability to create Dynamic Azure AD Security Groups once a device falls under one of them. Using this security group, a device can be assigned appropriate policies and applications.

Patch My PC
[sibwp_form id=2]

The example of Device categories may be IT Team, HR Team, Sales Team, Marketing Team, etc.,

You are giving control to end-user and trusting them to select the correct Intune Device Category during the enrollment process.

Hence this method is not 100% error-free. I know system admins can provide documents to end users to help them to select the correct device categories.

What is Intune Device Category?

You can automatically use Intune device categories to automatically add devices to groups based on pre-defined categories. The Intune Device Category helps IT admins to provide access to company resources for the managed devices.

Adaptiva

NOTE! – The end-user can’t change the device category after settings this category without the admin’s help.

AAD Groups based on Intune Device Categories
AAD Groups based on Intune Device Categories

Create Intune Device Category

I will walk through the required steps to Create Device Catagories in Intune. Sign in to the Microsoft Endpoint Manager admin center.

  • From the left-hand menu, choose Devices.
  • Select Device categories.
  • On the Devices | Device categories page, choose to Create device category to start creating the device category.
How to use Device Categories in Microsoft Intune 1
AAD Groups based on Intune Device Categories 1

From the Create Device category page:

  • Enter the Name of the Device Category (under the Basic tab)
  • Enter the Description (optional) of the information and then click Next.
AAD Groups based on Intune Device Categories 2
AAD Groups based on Intune Device Categories 2

On the Scope tags, click the select scope tags you want to use, if any, and then click Next.

AAD Groups based on Intune Device Categories 3
AAD Groups based on Intune Device Categories 3

 After reviewing the Review + Create tab summary, you can click Create to finish creating the Intune Device Category.

AAD Groups based on Intune Device Categories 4
AAD Groups based on Intune Device Categories 4

The Device category is successfully created and appears on the Device categories page.

AAD Groups based on Intune Device Categories 5
AAD Groups based on Intune Device Categories 5

Create Azure AD Group based on Intune Device Category

You can now create a group in Azure AD with Dynamic Device. The devices will get automatically added to the AAD dynamic device group based on device categories. The reference articles to Azure AD dynamic groups are below.

Let’s go through the following steps to create the Azure AD dynamic groups.

  • Login to endpoint.microsoft.com
  • Navigate to the Groups node.
  • From the left-hand menu, choose Groups -> Select All groups.
  • On the Groups | All group page, choose New group to start creating the AAD group.
AAD Groups based on Intune Device Categories 5
AAD Groups based on Intune Device Categories 6

You need to select Membership type as Dynamic Devices from the drop-down menu (My choice for this testing was Dynamic Devices, but you may use any option based on your needs).

  • From the New Group page, follow the below steps,
  • Select the Group type as Security
  • Enter the Group name for the AAD group
  • The Group description field is an option, but I would recommend the type purpose of the group
AAD Groups based on Intune Device Categories 7
AAD Groups based on Intune Device Categories 7

Click the Add dynamic query to set the deviceCategory attribute

AAD Groups based on Intune Device Categories 8
AAD Groups based on Intune Device Categories 8

From the Dynamic membership page, follow the below steps:

  • On the Configure Rule tab,
  • Select Property as deviceCategory
  • Select Operator as Equals
  • Select Value as HTMD_Lab
  • Click Save the Rule syntax
device.deviceCategory -eq "the device category name you have created from the MEM admin portal"

The required information is updated for the AAD dynamic group. Select Create to initiate AAD group creation.

AAD Groups based on Intune Device Categories 9
AAD Groups based on Intune Device Categories 9

End-User Device Catalogs

The following section gives you the end-user enrollment experience for different platforms. Device Categories use the following workflow.

  1. During the enrollment process, allow users to select from available Device categories.
  2. Andriod and iOS device users must choose a Device category when enrolling a device.
  3. Users must use the Company Portal to assign categories to Windows 10/11 devices.
  4. Then, deploy policies and apps to these groups

Intune Device Category End-User Experience

It’s now time to look at the end-user experience after the configuration of the device categories is complete. I will share the Android and Windows 10/11 experience of selecting the category.

Andriod and iOS Device Enrollment

Users enrolling in an iOS or Android device will receive a message asking them to select a device category.

AAD Groups based on Intune Device Categories 10
AAD Groups based on Intune Device Categories 10

Windows 10 Device enrollment

Once the device is enrolled, let’s follow the steps mentioned below to assign a device category.

  • Open the Company Portal.
  • It will prompt you to choose the Device Categories.
  • Click Done and the device will be assigned to chosen Device category.

Note: Once a device is assigned to a specific Device category, the user cannot change the device category from the Company portal.

AAD Groups based on Intune Device Categories 11
AAD Groups based on Intune Device Categories 11

To verify the assigned Device Category of the Windows 10 device, you can follow the steps mentioned below.

  • Open the Company Portal and in Menu options.
  • Select the Devices.
  • Click This Device ( It will have the assigned computer name).
AAD Groups based on Intune Device Categories 11
AAD Groups based on Intune Device Categories 11

The device is assigned to the chosen Device category. In my test computer, I have chosen the HTMD_Lab device categories.

AAD Groups based on Intune Device Categories 12
AAD Groups based on Intune Device Categories 12

Azure AD Dynamic Group Results

You can check the AAD Groups based on Intune Device Categories results from MEM Admin Center (Intune Portal).

  • Navigate to Groups -> All Groups.
  • Search for HTMD_Lab group.
  • Click on the Members node from the AAD group.
AAD Groups based on Intune Device Categories 14
AAD Groups based on Intune Device Categories 14

Resource -> Categorize devices into groups in Intune

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.