How to Create Azure AD Dynamic Groups for Managing Devices using Intune?
This post shows how to create dynamic device groups and user groups in Azure Active Directory. Azure AD groups play the same role for Intune device management that collections play in the SCCM world.
These AAD groups can be used to target different policies to a specific group of devices. Latest post – Validate Azure AD Dynamic Group Rules | Intune.
So this is very important in the modern management of devices using Microsoft Intune. If you are an SCCM admin, an AAD dynamic group is similar to a dynamic collection built from WQL query rules, although AAD dynamic query rules do not offer the same granularity as WQL query rules.
However, the new Azure portal has many options for creating dynamic query rules. The video tutorial will give you more insight into AAD dynamic groups.
Updated Post -> How To Create Nested Azure AD Dynamic Groups.
Create Azure AD Dynamic Groups
AAD dynamic membership advanced rules are based on binary expressions, and one Azure AD dynamic query can contain more than one binary expression. Each binary expression in an AAD dynamic membership rule must have three parts: the left parameter, the binary operator, and the right constant.
The left parameter in the query rule is one of the attributes of the AAD object (either user or device). If you want to query users in a particular department, then the user is the object, and the department is the attribute (user.department).
The binary operator is a conditional operator such as -ne, -eq, -contains or -match. The right constant is a value specific to your requirement; for example, if you want to create a group for all IT users, it is "IT".
(user.department -startsWith "IT")
(user.department -match "IT")
(user.department -eq "IT")
Maximum supported words/characters
I did a test to understand what the maximum supported number of words/characters in an Azure AD dynamic advanced membership rule is, and I found that we could save a query with a maximum of 311 words and 3045 characters.
When I increased the numbers to 315 words and 3085 characters, it started giving an error “Failed to create Group_Maxi. Undefined,” where MAXI is the group name.
Now back to Intune and device management. I will create 3 basic groups for device management. These AAD dynamic device groups (All Windows Devices, All iOS Devices, and All Android Devices) will be used to deploy different configuration policies.
First, I wanted to group all Windows devices in my Intune environment. There are two ways to create an AAD group with dynamic membership query rules: 1. Simple rule and 2. Advanced rule. To group Windows devices based on the operating system, it's better to use a simple rule via the Azure portal GUI.
If you want to use an advanced membership rule instead, the query is (device.deviceOSType -contains "Windows"). When you create an Azure AD dynamic device group, it takes 1 or 2 minutes (depending on the complexity of the query and the size of the directory) to populate the devices into the group.
It’s time to find iOS devices (iPhone or iPad) in my environment via AAD Dynamic query and group them into an AAD dynamic group. Unlike the Windows device group, the iOS device AAD dynamic Device group can’t be created using a simple membership rule; rather, we should use the Advanced membership rule.
We need two constant values, iPhone and iPad. The following is the query I used to fetch iOS devices: (device.deviceOSType -contains "iPhone") -or (device.deviceOSType -contains "iPad").
OK, here we go with the grouping of Android devices. In this scenario I want to create the AAD dynamic device group using a simple membership rule, because I don't have more than one constant value in the binary expression. The following is the dynamic query for the Android device group: (device.deviceOSType -contains "Android").
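The three device groups above can also be created from a script instead of the portal. The following is an added example written for this post, not code from the original article; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups module) is installed and that the signed-in account is allowed to create groups.

```powershell
# Added example: create the post's three dynamic device groups via Microsoft Graph.
# Assumes Microsoft.Graph.Groups is installed and the caller can consent to Group.ReadWrite.All.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Display name -> advanced membership rule (the exact queries used in the post).
$groups = [ordered]@{
    "All Windows Devices" = '(device.deviceOSType -contains "Windows")'
    "All iOS Devices"     = '(device.deviceOSType -contains "iPhone") -or (device.deviceOSType -contains "iPad")'
    "All Android Devices" = '(device.deviceOSType -contains "Android")'
}

foreach ($name in $groups.Keys) {
    # Skip groups that already exist so the script is safe to re-run.
    $existing = Get-MgGroup -Filter "displayName eq '$name'"
    if ($existing) {
        Write-Host "Already exists: $name ($($existing.Id))"
        continue
    }

    $params = @{
        DisplayName                   = $name
        Description                   = "Dynamic device group created by script"
        MailEnabled                   = $false
        MailNickname                  = ($name -replace '\s', '')   # mail nickname cannot contain spaces
        SecurityEnabled               = $true
        GroupTypes                    = @("DynamicMembership")       # makes the group dynamic
        MembershipRule                = $groups[$name]
        MembershipRuleProcessingState = "On"                         # "Paused" stores the rule without evaluating it
    }

    $g = New-MgGroup @params
    Write-Host "Created '$($g.DisplayName)' ($($g.Id)) with rule: $($g.MembershipRule)"
}
```

As the post notes, membership is populated a minute or two after creation; check it later with Get-MgGroupMember -GroupId <group id> rather than immediately after New-MgGroup returns.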
Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…