How to Create Azure AD Dynamic Groups for Managing Devices via Intune

Azure Active Directory dynamic groups are very useful in modern device management and it's very important to understand the basics of this.


In this post, we will see how to create Dynamic device groups and User Groups in Azure Active Directory. Azure AD groups are similar to collections (in SCCM world) for Intune device management solution. These AAD groups can be intern used to target different policies to specific group of devices. So this is very important in the world of modern management of devices using Microsoft Intune. If you are a SCCM admin, AAD dynamic group are similar to creating dynamic collection using WQL query rules. AAD groups don’t have that granularity in creating dynamic query rules if you compare it with WQL query rules. However, new Azure portal has loads of options to create dynamic query rules. The video tutorial will help you get more insides of AAD Dynamic groups.

AAD Dynamic membership advanced rules are based on binary expressions. One Azure AD dynamic query can have more than one binary expression. Each binary expression in AAD dynamic membership rule query must have 3 parts Left parameter, Binary operator and Right constant. Left parameter in query rule is one of the attribute of AAD object (either user or device). In case, you want to query users in a particular department then user is object and department is attribute (user.department). Binary operator is nothing other than conditional operator like “-ne,-eq, -contains -match”. Right constant is constant value specific to your requirement for example if you want to create a group for all IT users, then right constant value is “IT”.

(user.department -startsWith "IT")
(user.department -match "IT")
(user.department -eq "IT")

I did a test to understand what is the maximum supported words/characters in Azure AD dynamic advanced membership rule and I found that we could save a query with maximum of 311 words and 3045 characters. When I increased the numbers to 315 words and 3085 characters, it started giving an error “Failed to create Group_Maxi. Undefined” where MAXI is the group name.

Now back to Intune and device management. I will create 3 basic groups for device management and these AAD dynamic device groups (All Windows Devices, All iOS Device and All Android Devices) will be used to deploy different configuration policies.

First I wanted to group for all windows devices in my Intune environment.  There are two ways to create AAD group with dynamic membership query rules 1. Simple rule and 2. Advanced Rule. To group windows devices based on operating system it’s better to use simple query via Azure portal GUI. In case you want to use advance membership, then following is the query “(device.deviceOSType -contains “Windows”)“. When you create a Azure AD dynamic device group, it’s going to take time 1 or 2 minutes (depending upon the complexity of the query and the size of the database) to populate the devices into the group.

It’s time to find out iOS devices (iPhone or iPad) in my environment via AAD Dynamic query and group those devices into a AAD dynamic group. Unlike Windows device group, iOS device AAD dynamic Device group can’t be created using simple membership rule rather we should use Advanced membership rule. This is because we need to have two constant values like iPhone and iPad.  Following is the query which I used to fetch iOS devices (device.deviceOSType -contains “iPhone”) -or (device.deviceOSType -contains “iPad”).

OK, here we go with grouping of Android devices. In this scenario, I want to create AAD dynamic device group using simple membership rule. Because I don’t have more than one constant value in AAD group binary expression. Following is the dynamic query for Android device group “(device.deviceOSType -contains “Android”)“.

Reference TechNet document about Azure AD dynamic group here

New Azure portal – This will directly take you to all Groups blade


Please enter your comment!
Please enter your name here