How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune

How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune? In the previous post on how to Create Azure AD Dynamic Groups for Managing Devices using Intune, you might have seen the basic process for creating Azure AD dynamic user and device groups, along with explanations about the syntax of the queries/rules.

We will also experience performance issues with Azure AD dynamic groups when we don’t design our queries properly. This is similar to performance issues with dynamic collections with bad WQL queries, and SCCM admins are very familiar with this kind of performance issue.

This post will show how to create dynamic device groups for Windows devices with the “Device Ownership” attribute in Azure AD. This attribute is populated only when the devices are enrolled through MDM, and if I understand correctly, it is inhabited by Intune in this case.

If this attribute is not populated, you must ensure the device is correctly enrolled in Intune. Because some of these attributes are available only when the Intune portal is migrated to Azure, you may need to wait for your Intune migration to complete if you are still using the Intune Silverlight portal.

Patch My PC

How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune

Let’s discuss creating an Azure AD device group for Windows BYOD CYOD devices Microsoft Intune. Creating Azure AD device groups for Windows BYOD and CYOD devices with Microsoft Intune is easy. It is explained in detail below.

How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune - Fig.1
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune – Fig.1

Following are the Advanced membership rules that you can use to create Azure AD and dynamic Device groups to segregate BYOD and CYOD devices! All Windows CYOD Devices Query for Azure Active Directory (device.deviceOwnership -contains “company”) -and (device.deviceOSType -contains “Windows”).

Adaptiva
All Windows BYOD Devices Query for Azure Active Directory

(device.deviceOwnership -contains "Personal") -and (device.deviceOSType -contains “Windows”)

All BYOD Devices Query for Azure Active Directory (device.deviceOwnership -contains “Personal”) All CYOD Devices Query for Azure Active Directory (device.deviceOwnership -contains “Company”).

How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune - Fig.2
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune – Fig.2

Auditing Azure Active Directory Dynamic groups is very important from the ops teams’ perspective. These auditing options are available in the new Azure portal, and it’s beneficial to track the changes of a particular Azure AD dynamic group.

As you can see in the table below, the ACTOR performed the activity for that group. For example, when I created this group, “Microsoft Approval Management” (probably an AAD automated process in the background) added 2 devices to the device group.

DateActorActivityTarget
3/2/2017, 1:42:18 PMMicrosoft Approval ManagementAdd member to groupDevice : DESKTOP-FOSD7L3, Group : All Windows CYOD Devices
3/2/2017, 1:42:18 PMMicrosoft Approval ManagementAdd member to groupDevice : DESKTOP-IIRCSUV, Group : All Windows CYOD Devices
3/2/2017, 1:31:42 PM[email protected]Add owner to groupUser : , Group : All Windows CYOD Devices
3/2/2017, 1:31:42 PM[email protected]Add groupGroup : All Windows CYOD Devices
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune – Table 1
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune - Fig.3
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune – Fig.3

So, it’s recommended that we look at the best practices when we create dynamic devices or user groups in Azure Active Directory. You may not see performance issues with AAD dynamic groups during testing or POC, but when you migrate all the users into Azure AD, this could undoubtedly impact.

I always try to use -eq rather than -contains in the AAD dynamic rules, but it’s not always possible to use -eq! How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune.

Reference

 https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

6 thoughts on “How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune”

  1. Hi Anoop,
    I am from an Airwatch background, but want to do below in Intune.

    A. I want to enable device ownership or category to appear when user enrolls into intune.

    B. Depending on what he chooses, (Personal or corporate), i want different policies to get applied

    Reply
    • A. Ownership is based on the Enrollment. When you use Azure AD join or Autopilot and MDM Enrollment for Windows 10, it will be treated as CYOD. Otherwise it will be treated as BYOD.
      This is same for iOS and Android. If you use DEP to enroll then the device will be CYOD device otherwise BYOD

      Reply
  2. Hi Anoop
    I am not sure if you are monitoring the replies to this blog still but I hope so 🙂
    I am being told by Microsoft and other experts that we cannot offer a BOYD solution on the legacy Android device Administrator platform. See the below reply I received when I queried this.
    My question then is similar to the one from ram. Is it possible to set it up in a way that when the user enrolls the device they get the option to choose corporate or personal and then different policies are applied based on which option they choose? According to Microsoft it is not.

    There is no BYOD support for Android Device Admin. With Intune you can use MAM-only (without device enrollment), otherwise you need to use Work Profile (Android Enterprise)

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.