How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune

How to create Azure AD dynamic device groups for Windows BYOD and CYOD devices in Microsoft Intune? In the previous post (linked here), you saw the basic process for creating Azure AD dynamic user and device groups, along with an explanation of the query/rule syntax.

I expect that we will also run into performance issues with Azure AD dynamic groups when the queries are not designed properly. This is similar to the performance issues caused by dynamic collections with badly written WQL queries, which SCCM admins know all too well.

In this post, we will see how to create dynamic device groups for Windows devices using the “Device Ownership” attribute in Azure AD. This attribute is populated only when a device is enrolled through MDM; if I understand correctly, it is Intune that populates the “Device Ownership” attribute in that case.

So if this attribute is not being populated, first confirm that the device is correctly enrolled in Intune. Some attributes of this kind are available only once the Intune portal has been migrated to Azure. If you are still using the Intune Silverlight portal, you may need to wait for your Intune migration to complete.


Following are the advanced membership rules you can use to create Azure AD dynamic device groups that segregate BYOD and CYOD devices.

All Windows CYOD Devices Query for Azure Active Directory

(device.deviceOwnership -contains “company”) -and (device.deviceOSType -contains “Windows”)

All Windows BYOD Devices Query for Azure Active Directory

(device.deviceOwnership -contains “Personal”) -and (device.deviceOSType -contains “Windows”)

All BYOD Devices Query for Azure Active Directory

(device.deviceOwnership -contains “Personal”)

All CYOD Devices Query for Azure Active Directory

(device.deviceOwnership -contains “Company”)


Auditing of Azure Active Directory dynamic groups is very important from the ops team’s perspective. These auditing options are available in the new Azure portal and are very useful for tracking changes to a particular Azure AD dynamic group. As you can see in the table below, the ACTOR is the one who performed the activity on that group. For example, after I created this group, “Microsoft Approval Management” (probably an AAD automated process running in the background) added 2 devices to the device group.

Date                  | Actor                          | Activity            | Target(s)
3/2/2017, 1:42:18 PM  | Microsoft Approval Management  | Add member to group | Device : DESKTOP-FOSD7L3, Group : All Windows CYOD Devices
3/2/2017, 1:42:18 PM  | Microsoft Approval Management  | Add member to group | Device : DESKTOP-IIRCSUV, Group : All Windows CYOD Devices
3/2/2017, 1:31:42 PM  | [email protected]               | Add owner to group  | User : , Group : All Windows CYOD Devices
3/2/2017, 1:31:42 PM  | [email protected]               | Add group           | Group : All Windows CYOD Devices

So, it’s recommended to follow the best practices when creating dynamic device or user groups in Azure Active Directory. You may not see performance issues with AAD dynamic groups during testing or a POC, but once all the users are migrated into Azure AD, badly designed rules will certainly have an impact.


Personally, I always try to use -eq rather than -contains in AAD dynamic rules, but it’s not always possible to use -eq!
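As an added example that is not part of the original post, here is a small Python evaluator for the subset of the dynamic membership rule syntax used above (-eq, -ne, -contains, -notContains, -and, -or, -not and parentheses), run over constructed device records rather than a real tenant. It lets you check offline that the four BYOD/CYOD rules from the post select the devices you expect, that a device with no deviceOwnership value (the not-yet-enrolled case discussed earlier) falls out of every group, and what the -contains versus -eq choice actually changes: -contains is a substring match, so a constructed OS type such as "WindowsPhone" would satisfy -contains "Windows" but not -eq "Windows". The case-insensitive matching and the handling of missing attributes are assumptions of this toy evaluator, chosen because the post itself mixes "company" and "Company"; they are not a description of how Azure AD implements the operators.

```python
"""Toy evaluator for Azure AD dynamic-group membership rules (added example).

Supports only the subset the post uses: -eq, -ne, -contains, -notContains,
-and, -or, -not and parentheses. It does NOT call Azure AD; it just evaluates
rule text against local dictionaries so the rules can be sanity-checked offline.
"""
import re

# One token per match: "(", ")", a quoted string, an operator, or a property name.
TOKEN_RE = re.compile(r'\s*(?:(\()|(\))|"([^"]*)"|(-\w+)|([\w.]+))')


def tokenize(rule):
    """Split rule text into (kind, value) tokens; curly quotes are normalised."""
    rule = rule.replace("\u201c", '"').replace("\u201d", '"').strip()
    tokens, pos = [], 0
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"unrecognised input at offset {pos}: {rule[pos:]!r}")
        pos = m.end()
        lp, rp, text, op, ident = m.groups()
        if lp:
            tokens.append(("(", None))
        elif rp:
            tokens.append((")", None))
        elif text is not None:
            tokens.append(("str", text))
        elif op:
            tokens.append(("op", op.lower()))  # operators are matched case-insensitively
        else:
            tokens.append(("ident", ident))
    return tokens


class Parser:
    """Recursive-descent parser: -or binds loosest, then -and, then -not."""

    def __init__(self, tokens):
        self.t, self.i = tokens, 0

    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        node = self.and_expr()
        while self.peek() == ("op", "-or"):
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.unary()
        while self.peek() == ("op", "-and"):
            self.take()
            node = ("and", node, self.unary())
        return node

    def unary(self):
        if self.peek() == ("op", "-not"):
            self.take()
            return ("not", self.unary())
        if self.peek() == ("(", None):
            self.take()
            node = self.expr()
            if self.take() != (")", None):
                raise ValueError("missing closing parenthesis")
            return node
        kind, prop = self.take()
        if kind != "ident":
            raise ValueError(f"expected a property name, got {prop!r}")
        kind, op = self.take()
        if kind != "op":
            raise ValueError(f"expected a comparison operator, got {op!r}")
        kind, value = self.take()
        if kind != "str":
            raise ValueError("expected a quoted value")
        return ("cmp", op, prop, value)


def evaluate(node, device):
    """Evaluate a parsed rule against one device record (a plain dict)."""
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], device) and evaluate(node[2], device)
    if kind == "or":
        return evaluate(node[1], device) or evaluate(node[2], device)
    if kind == "not":
        return not evaluate(node[1], device)
    _, op, prop, expected = node
    key = prop[len("device."):] if prop.startswith("device.") else prop
    actual = device.get(key)
    if actual is None:  # ASSUMPTION: an unpopulated attribute never satisfies -eq/-contains
        return op in ("-ne", "-notcontains")
    actual, expected = str(actual).lower(), expected.lower()  # ASSUMPTION: case-insensitive
    if op == "-eq":
        return actual == expected
    if op == "-ne":
        return actual != expected
    if op == "-contains":
        return expected in actual  # substring match, not whole-value match
    if op == "-notcontains":
        return expected not in actual
    raise ValueError(f"unsupported operator {op}")


# The four rules from the post, verbatim.
RULES = {
    "All Windows CYOD Devices": '(device.deviceOwnership -contains "company") -and (device.deviceOSType -contains "Windows")',
    "All Windows BYOD Devices": '(device.deviceOwnership -contains "Personal") -and (device.deviceOSType -contains "Windows")',
    "All BYOD Devices": '(device.deviceOwnership -contains "Personal")',
    "All CYOD Devices": '(device.deviceOwnership -contains "Company")',
}

# Constructed sample records, not real tenant data. "WindowsPhone" is a made-up
# OS type value used only to show substring matching; UNENROLLED-01 has no ownership.
DEVICES = [
    {"displayName": "DESKTOP-FOSD7L3", "deviceOwnership": "Company", "deviceOSType": "Windows"},
    {"displayName": "LAPTOP-BYOD-01", "deviceOwnership": "Personal", "deviceOSType": "Windows"},
    {"displayName": "IPHONE-01", "deviceOwnership": "Personal", "deviceOSType": "iOS"},
    {"displayName": "PHONE-WP-01", "deviceOwnership": "Personal", "deviceOSType": "WindowsPhone"},
    {"displayName": "UNENROLLED-01", "deviceOwnership": None, "deviceOSType": "Windows"},
]


def members(rule, devices=DEVICES):
    """Return the displayNames of the devices a rule would place in the group."""
    tree = Parser(tokenize(rule)).expr()
    return [d["displayName"] for d in devices if evaluate(tree, d)]


if __name__ == "__main__":
    for name, rule in RULES.items():
        print(f"{name}: {members(rule)}")
    strict = '(device.deviceOwnership -eq "Personal") -and (device.deviceOSType -eq "Windows")'
    print(f"BYOD Windows with -eq instead of -contains: {members(strict)}")
```

Run it as a script to see each group's membership; the -eq variant of the BYOD Windows rule drops the constructed "WindowsPhone" record while the -contains version keeps it, which is exactly the kind of difference worth checking before a rule is deployed tenant-wide.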


Reference:

  Using attributes to create advanced rules for group membership in Azure AD – here

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculated in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

6 thoughts on “How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune”

  1. Hi Anoop,
    I am from an AirWatch background, but want to do the below in Intune.

    A. I want to enable device ownership or category to appear when a user enrolls into Intune.

    B. Depending on what he chooses (Personal or Corporate), I want different policies to get applied.

    Reply
    • A. Ownership is based on the enrollment. When you use Azure AD join or Autopilot and MDM enrollment for Windows 10, it will be treated as CYOD. Otherwise it will be treated as BYOD.
      This is the same for iOS and Android. If you use DEP to enroll, then the device will be a CYOD device; otherwise BYOD.

      Reply
  2. Hi Anoop
    I am not sure if you are still monitoring the replies to this blog, but I hope so 🙂
    I am being told by Microsoft and other experts that we cannot offer a BYOD solution on the legacy Android Device Administrator platform. See the below reply I received when I queried this.
    My question then is similar to the one from Ram. Is it possible to set it up in a way that when the user enrolls the device they get the option to choose corporate or personal, and then different policies are applied based on which option they choose? According to Microsoft it is not.

    There is no BYOD support for Android Device Admin. With Intune you can use MAM-only (without device enrollment), otherwise you need to use Work Profile (Android Enterprise)

    Reply
