Learn two things from this post. How to Create Azure AD Dynamic Groups for Managing Devices using Intune? and How to Pause AAD Dynamic Group Update?
This post will see how to create Dynamic device groups and User Groups in Azure Active Directory. Azure AD groups are similar to collections (in the SCCM world) for Intune device management solutions.
These AAD groups can be used to target different policies for a specific group of devices. Latest post – Validate Azure AD Dynamic Group Rules | Intune.
So this is very important in the world of modern management of devices using Microsoft Intune. If you are an SCCM admin, the AAD dynamic group is similar to creating a dynamic collection using WQL query rules. AAD groups don’t have that granularity in creating dynamic query rules if you compare them with WQL query rules.
However, the new Azure portal has many options to create dynamic query rules. The video tutorial will help you get more inside AAD Dynamic groups.
Updated Post -> How To Create Nested Azure AD Dynamic Groups.
Create Azure AD Dynamic Groups
AAD Dynamic membership advanced rules are based on binary expressions. One Azure AD dynamic query can have more than one binary expression. Each binary expression in the AAD dynamic membership rule query must have 3 parts Left parameter, the Binary operator, and the Right constant.
A left parameter in the query rule is one of the attributes of the AAD object (either user or device). If you want to query users in a particular department, then the user is the object, and the department is the attribute (user.department).
A binary operator is nothing other than a conditional operator like “-ne,-eq, -contains -match.” The right constant is a constant value specific to your requirement; for example, if you want to create a group for all IT users, it is “IT.”
(user.department -startsWith "IT") (user.department -match "IT") (user.department -eq "IT")
Let’s take an example of creating an Azure AD dynamic group for Windows devices. The following are the steps to create the AAD dynamic Device group. You must have appropriate permissions to create Azure AD groups. Follow the steps to create the Device group for 22H2.
- Login to Endpoint Manager Portal (endpoint.microsoft.com)
- Navigate to the Groups node.
- Click on “+ New Group. “
- Select Security – Group Type from the drop-down option.
- Enter Group Name “HTMD Windows 11 22H2 Device Group” (any name is fine).
- Enter Group Description “HTMD Windows 11 22H2 Device Group” (any description is fine).
- Select Dynamic Device as the Membership type.
- Click on Add Dynamic Query under Dynamic Device Members.
You need to hover over the properties column to get an option to select Azure AD dynamic device groups based on Windows on the Dynamic membership rules page.
You can create or edit rules directly by editing the syntax in the box below. Or you can use the Azure AD portal UI as shown below to create a dynamic group query rule. There are some scenarios where the device properties (e.g. nesting) are not published in the UI property list.
(device.deviceOSVersion -startsWith "10.0.22621")
- Click on the SAVE button to save the query rule.
- You also have the option to validate the Azure AD query from Validate Rules tab, as shown in the picture. More details are explained in the below section.
You can now click on the CREATE button to complete the process of creating a Windows devices Azure AD dynamic group. You can also change the version numbers to get different results.
- Validate Azure AD Dynamic Group Rules (howtomanagedevices.com)
- Windows 11 Versions Numbers Build Numbers
How to Pause Azure AD Dynamic Group Update
Microsoft recently added an option to Pause Azure AD Dynamic Group Update. You can perform the PAUSE action from the Azure AD portal itself. You don’t have to do this using Microsoft Graph or any other crazy method.
There is an accidental deployment that happened to the Azure AD dynamic group and you must reduce the impact. What would be your first step? I think the update pause might help to pause the deployment with immediate effect at least for new devices.
You can navigate to the Azure AD dynamic group that you want to pause. From the Overview tab, you can enable the Pause Processing option for Azure AD Dynamic groups.
- When the setting is set to YES, the processing of this dynamic group will pause.
- When set to NO, processing will continue.
The Dynamic Rule Processing Status = Updates Paused once you enable the Pause Processing option from Azure AD dynamic group. The Dynamic Rule Processing Status shows whether or not this group is processing changes to the dynamic group rules. This is only applicable when a group is newly created or the rule was recently edited or the Pause Processing setting is changed.
Maximum supported words/characters
I did a test to understand what is the maximum supported words/characters in Azure AD dynamic advanced membership rule, and I found that we could save a query with a maximum of 311 words and 3045 characters.
When I increased the numbers to 315 words and 3085 characters, it started giving an error “Failed to create Group_Maxi. Undefined,” where MAXI is the group name.
Now back to Intune and device management. I will create 3 basic groups for device management. These AAD dynamic device groups (All Windows Devices, All iOS Devices, and All Android Devices) will be used to deploy different configuration policies.
First, I wanted to group all windows devices in my Intune environment. There are two ways to create an AAD group with dynamic membership query rules 1. Simple rule and 2. Advanced Rule. To group windows devices based on the operating system, it’s better to use simple queries via Azure portal GUI.
In case you want to use advance membership, then the following is the query “(device.deviceOSType -contains “Windows”).” When you create an Azure AD dynamic device group, it will take 1 or 2 minutes (depending upon the complexity of the query and the size of the database) to populate the devices into the group.
It’s time to find iOS devices (iPhone or iPad) in my environment via AAD Dynamic query and group them into an AAD dynamic group. Unlike the Windows device group, the iOS device AAD dynamic Device group can’t be created using a simple membership rule; rather, we should use the Advanced membership rule.
We need to have two constant values like iPhone and iPad. Following is the query which I used to fetch iOS devices (device.deviceOSType -contains “iPhone”) -or (device.deviceOSType -contains “iPad”).
OK, here we go with a grouping of Android devices. I want to create an AAD dynamic device group using a simple membership rule in this scenario.
Because I don’t have more than one constant value in the AAD group binary expression. Following is the dynamic query for the Android device group “(device.deviceOSType -contains “Android”).”
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…