How to Create Azure AD Dynamic Device Groups for Windows BYOD and CYOD Devices

Azure AD dynamic groups are an essential part of device management. Intune admins and device managers should be aware of the ways to create Azure Active Directory dynamic device groups.


In the previous post (linked here), you might have seen the basic process to create Azure AD dynamic user and device groups, along with explanations of the syntax of the queries/rules. I have a feeling that we will also see performance issues with Azure AD dynamic groups when we don't design our queries properly. This is similar to the performance issues with dynamic collections built from bad WQL queries, which SCCM admins are very familiar with.

In this post, we will see how we can create dynamic device groups for Windows devices using the "Device Ownership" attribute in Azure AD. This attribute is populated only when the devices are enrolled through MDM and, if I understand correctly, it is populated by Intune in this case. So if this attribute is not being populated, you need to check whether the device is correctly enrolled in Intune. Some of these attributes are available only once the Intune portal has been migrated to Azure; if you are still using the Intune Silverlight portal, you may need to wait for your Intune migration to complete.

Following are the advanced membership rules you can use to create Azure AD dynamic device groups that separate BYOD and CYOD devices.

All Windows CYOD Devices Query for Azure Active Directory

(device.deviceOwnership -contains "company") -and (device.deviceOSType -contains "Windows")

All Windows BYOD Devices Query for Azure Active Directory

(device.deviceOwnership -contains "Personal") -and (device.deviceOSType -contains "Windows")

All BYOD Devices Query for Azure Active Directory

(device.deviceOwnership -contains "Personal")

All CYOD Devices Query for Azure Active Directory

(device.deviceOwnership -contains "Company")

Auditing of Azure Active Directory dynamic groups is very important from an ops team's perspective. These auditing options are available in the new Azure portal and are very useful for tracking changes to a particular Azure AD dynamic group. As you can see in the table below, ACTOR is the one who performed the activity on that group. For example, when I created this group, "Microsoft Approval Management" (probably an AAD automated process in the background) added 2 devices to the device group.

| Date | Actor | Activity | Target(s) |
|---|---|---|---|
| 3/2/2017, 1:42:18 PM | Microsoft Approval Management | Add member to group | Device : DESKTOP-FOSD7L3, Group : All Windows CYOD Devices |
| 3/2/2017, 1:42:18 PM | Microsoft Approval Management | Add member to group | Device : DESKTOP-IIRCSUV, Group : All Windows CYOD Devices |
| 3/2/2017, 1:31:42 PM | anoop@sSDS.onmicrosoft.com | Add owner to group | User : , Group : All Windows CYOD Devices |
| 3/2/2017, 1:31:42 PM | anoop@sSDS.onmicrosoft.com | Add group | Group : All Windows CYOD Devices |

So it's recommended to look at best practices when creating dynamic device or user groups in Azure Active Directory. You may not see performance issues with AAD dynamic groups during testing or a POC, but once you migrate all your users into Azure AD they could certainly have an impact. Personally, I always try to use -eq rather than -contains in AAD dynamic rules, but it's not always possible to use -eq!
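To make the -eq versus -contains difference concrete, here is a small evaluator for the rule syntax shown above, run against a handful of constructed device records. It is an added example, not code from the post or from Microsoft; the device records and the case-insensitive string matching are assumptions for the demo, and only the -and conjunction used by the rules on this page is supported.

```python
import re
from typing import Dict, List

# Constructed sample device records (not from a real tenant). The attribute names
# follow the Azure AD rule syntax on this page: device.deviceOwnership, device.deviceOSType.
DEVICES: List[Dict[str, str]] = [
    {"displayName": "DESKTOP-A1", "deviceOwnership": "Company", "deviceOSType": "Windows"},
    {"displayName": "DESKTOP-B2", "deviceOwnership": "Personal", "deviceOSType": "Windows"},
    {"displayName": "PHONE-C3", "deviceOwnership": "Personal", "deviceOSType": "Windows Phone"},
    {"displayName": "IPAD-D4", "deviceOwnership": "Company", "deviceOSType": "iOS"},
    # Not MDM-enrolled: deviceOwnership was never populated, as the post describes.
    {"displayName": "LAPTOP-E5", "deviceOwnership": "", "deviceOSType": "Windows"},
]

# One clause of a rule: (device.<attribute> -<operator> "<value>")
CLAUSE = re.compile(r'^\(\s*device\.(\w+)\s+-(eq|contains|notContains)\s+"([^"]*)"\s*\)$')

def evaluate_clause(device: Dict[str, str], attr: str, op: str, value: str) -> bool:
    """Evaluate one clause against one device. Assumption for this demo: string
    comparisons are case-insensitive, so "company" and "Company" compare equal."""
    actual = (device.get(attr) or "").lower()
    wanted = value.lower()
    if op == "eq":
        return actual == wanted
    if op == "contains":
        return wanted in actual
    if op == "notContains":
        return wanted not in actual
    raise ValueError(f"unsupported operator: {op}")

def matches(device: Dict[str, str], rule: str) -> bool:
    """True if every -and-joined clause of the rule matches the device.
    Unknown clause shapes raise instead of silently matching nothing."""
    for part in re.split(r"\s+-and\s+", rule.strip()):
        m = CLAUSE.match(part.strip())
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        if not evaluate_clause(device, *m.groups()):
            return False
    return True

def members(rule: str, devices: List[Dict[str, str]] = DEVICES) -> List[str]:
    """Names of the devices the rule would pull into the dynamic group."""
    return [d["displayName"] for d in devices if matches(d, rule)]

if __name__ == "__main__":
    byod_contains = '(device.deviceOwnership -contains "Personal") -and (device.deviceOSType -contains "Windows")'
    byod_eq = '(device.deviceOwnership -eq "Personal") -and (device.deviceOSType -eq "Windows")'
    print("-contains:", members(byod_contains))  # also pulls in the Windows Phone device
    print("-eq:      ", members(byod_eq))        # Windows desktops only
```

The -contains form of the BYOD rule also captures the "Windows Phone" record, while the -eq form does not; the device with an empty ownership attribute matches neither group, which is the enrollment symptom described earlier in the post.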

Reference:
Using attributes to create advanced rules for group membership in Azure AD – here
