Learn two things from this post: how to create Azure AD dynamic groups for managing devices with Intune, and how to pause Azure AD dynamic group updates.
This post shows how to create dynamic device groups and user groups in Azure Active Directory. For Intune device management, Azure AD groups play the role that collections play in the SCCM world.
These AAD groups can be used to target different policies at a specific group of devices. Latest post – Validate Azure AD Dynamic Group Rules | Intune.
Dynamic groups are therefore central to modern device management with Microsoft Intune. If you are an SCCM admin, an AAD dynamic group is similar to a dynamic collection built with WQL query rules, although AAD dynamic rules do not offer the same granularity as WQL query rules.
However, the new Azure portal offers many options for building dynamic query rules. The video tutorial will give you more insight into AAD dynamic groups.
Updated Post -> How To Create Nested Azure AD Dynamic Groups.
- Create AAD Dynamic Groups based on Domain Join Type Hybrid Azure AD and Azure AD
- Create AAD Dynamic Groups based on MDM (Intune & SCCM Management)
Create Azure AD Dynamic Groups
Advanced rules for AAD dynamic membership are built from binary expressions. One Azure AD dynamic query can contain more than one binary expression. Each binary expression in an AAD dynamic membership rule has three parts: the left parameter, the binary operator, and the right constant.
The left parameter is an attribute of the AAD object (either a user or a device). If you want to query users in a particular department, the user is the object and the department is the attribute (user.department).
The binary operator is a comparison operator such as -ne, -eq, -contains, or -match. The right constant is a literal value specific to your requirement; for example, if you want to create a group for all IT users, the constant is "IT".
(user.department -startsWith "IT")
(user.department -match "IT")
(user.department -eq "IT")
Let’s take the example of creating an Azure AD dynamic group for Windows devices. The following are the steps to create the AAD dynamic device group; you must have appropriate permissions to create Azure AD groups. Follow the steps below to create a device group for Windows 11 22H2.
- Login to Endpoint Manager Portal (endpoint.microsoft.com)
- Navigate to the Groups node.
- Click on “+ New Group.”
- Select Security as the Group Type from the drop-down option.
- Enter Group Name “HTMD Windows 11 22H2 Device Group” (any name is fine).
- Enter Group Description “HTMD Windows 11 22H2 Device Group” (any description is fine).
- Select Dynamic Device as the Membership type.
- Click on Add Dynamic Query under Dynamic Device Members.
On the Dynamic membership rules page, hover over the Property column to see the list of device properties (such as the Windows-related ones) that the rule can be built on.
You can create or edit rules directly by editing the syntax in the box below. Or you can use the Azure AD portal UI as shown below to create a dynamic group query rule. There are some scenarios where the device properties (e.g. nesting) are not published in the UI property list.
(device.deviceOSVersion -startsWith "10.0.22621")
- Click on the SAVE button to save the query rule.
- You also have the option to validate the Azure AD query from the Validate Rules tab, as shown in the picture. The section below explains more details.
| Dynamic Membership Rules | Details |
|---|---|
| Property | deviceOSVersion |
| Operator | Starts With |
| Value | 10.0.22621 |
You can now click on the CREATE button to complete the process of creating a Windows devices Azure AD dynamic group. You can also change the version numbers to get different results.
- Validate Azure AD Dynamic Group Rules (howtomanagedevices.com)
- Windows 11 Versions Numbers Build Numbers
How to Pause Azure AD Dynamic Group Update
Microsoft recently added an option to Pause Azure AD Dynamic Group Update. You can perform the PAUSE action from the Azure AD portal itself. You don’t have to do this using Microsoft Graph or any other crazy method.
Suppose a policy has accidentally been deployed to an Azure AD dynamic group and you need to reduce the impact. What would your first step be? Pausing the update can stop the deployment with immediate effect, at least for new devices.
You can navigate to the Azure AD dynamic group that you want to pause. You can enable the Pause Processing option for Azure AD Dynamic groups from the Overview tab.
- When the setting is set to YES, the processing of this dynamic group will pause.
- When set to NO, processing will continue.
Once you enable the Pause Processing option on an Azure AD dynamic group, the Dynamic Rule Processing Status shows Updates Paused. The Dynamic Rule Processing Status shows whether or not the group is processing changes to the dynamic membership rules.
This status is only relevant when a group has just been created, its rule was recently edited, or the Pause Processing setting was changed.
Maximum Supported Words/Characters
I ran a test to understand the maximum number of words and characters supported in an Azure AD dynamic advanced membership rule, and I found that a query could be saved with a maximum of 311 words and 3045 characters.
When I increased this to 315 words and 3085 characters, the portal returned the error “Failed to create Group_Maxi. Undefined,” where MAXI is the group name.
Now back to Intune and device management. I will create 3 basic groups for device management. These AAD dynamic device groups (All Windows Devices, All iOS Devices, and All Android Devices) will be used to deploy different configuration policies.
Dynamic Query
First, I wanted to group all Windows devices in my Intune environment. There are two ways to create an AAD group with dynamic membership query rules: 1. Simple rule, and 2. Advanced rule. For grouping Windows devices based on the operating system, it’s easiest to use a simple rule via the Azure portal GUI.
If you want to use an advanced membership rule instead, the query is (device.deviceOSType -contains "Windows"). When you create an Azure AD dynamic device group, it takes a minute or two (depending on the complexity of the query and the size of the directory) to populate the devices into the group.
It’s time to find iOS devices (iPhone or iPad) in my environment via AAD Dynamic query and group them into an AAD dynamic group. Unlike the Windows device group, the iOS device AAD dynamic Device group can’t be created using a simple membership rule; rather, we should use the Advanced membership rule.
We need two constant values, iPhone and iPad. The following is the query I used to fetch iOS devices: (device.deviceOSType -contains "iPhone") -or (device.deviceOSType -contains "iPad").
OK, here we go with grouping Android devices. In this scenario, I want to create the AAD dynamic device group using a simple membership rule, because the binary expression needs only one constant value. The equivalent advanced query for the Android device group is (device.deviceOSType -contains "Android").
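The rule syntax described above (left parameter, binary operator, right constant, joined with -and/-or) can be dry-run offline against sample device attributes before a rule is saved, which is a cheap way to check a rule's scope before it drives policy deployment. This small evaluator is an added example, not part of the post or of Azure AD: the device records are constructed, it supports only device.* attributes and the operators the post names (-eq, -ne, -startsWith, -contains, -match), and it deliberately leaves out the rest of Azure AD's rule grammar (such as -any on multi-valued properties).

```python
import re
# Constructed sample devices (not real tenant data); the attribute names are
# the ones the post's rules use (deviceOSType, deviceOSVersion).
DEVICES = [
    {"name": "WIN-22H2-01", "deviceOSType": "Windows", "deviceOSVersion": "10.0.22621.1702"},
    {"name": "WIN-21H2-02", "deviceOSType": "Windows", "deviceOSVersion": "10.0.22000.1817"},
    {"name": "IPHONE-01", "deviceOSType": "iPhone", "deviceOSVersion": "16.4"},
    {"name": "IPAD-01", "deviceOSType": "iPad", "deviceOSVersion": "16.4"},
    {"name": "ANDROID-01", "deviceOSType": "Android", "deviceOSVersion": "13"},
]
# Binary operators named in the post; Azure AD compares strings case-insensitively.
OPS = {
    "eq": lambda v, c: v.lower() == c.lower(),
    "ne": lambda v, c: v.lower() != c.lower(),
    "startswith": lambda v, c: v.lower().startswith(c.lower()),
    "contains": lambda v, c: c.lower() in v.lower(),
    "match": lambda v, c: re.search(c, v, re.IGNORECASE) is not None,
}
# Tokens: parentheses, -operators and -and/-or, device.<attribute>, "constant".
TOKEN = re.compile(r'\(|\)|-\w+|device\.\w+|"[^"]*"')

def _chain(tokens, i, dev, word, combine, below):  # below (word below)*
    result, i = below(tokens, i, dev)
    while i < len(tokens) and tokens[i].lower() == word:
        rhs, i = below(tokens, i + 1, dev)
        result = combine(result, rhs)
    return result, i

def _expr(tokens, i, dev):  # expr := term (-or term)*
    return _chain(tokens, i, dev, "-or", lambda a, b: a or b, _term)
def _term(tokens, i, dev):  # term := factor (-and factor)*
    return _chain(tokens, i, dev, "-and", lambda a, b: a and b, _factor)

def _factor(tokens, i, dev):  # factor := ( expr ) | device.attr -op "const"
    if tokens[i] == "(":
        val, i = _expr(tokens, i + 1, dev)
        if i >= len(tokens) or tokens[i] != ")":
            raise ValueError("missing ')' in rule")
        return val, i + 1
    attr, op, const = tokens[i][7:], tokens[i + 1][1:].lower(), tokens[i + 2].strip('"')
    return OPS[op](str(dev.get(attr, "")), const), i + 3

def evaluate(rule, dev):  # True if dev would be a member under this rule
    tokens = TOKEN.findall(rule)
    result, i = _expr(tokens, 0, dev)
    if i != len(tokens):
        raise ValueError("unexpected token %r" % tokens[i])
    return result
def members(rule, devices=DEVICES):  # names the rule pulls into the group
    return [d["name"] for d in devices if evaluate(rule, d)]
```

Running the post's 22H2 rule against the sample set shows why -startsWith rather than -eq is used for deviceOSVersion: the stored value carries the full build string, so an -eq on "10.0.22621" matches nothing.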
Author
Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…
Anoop -this post is really helpful, thanks very much for taking the time to write it up.
I wondered, however, if you could let me know how you found that you should use ‘deviceOSType’ – when I created dynamic groups for users it is easy to get a list of attributes…not sure how to do the same for devices.
Many thanks!
Carl
Carl – Good question and answer to that is in the following post https://www.anoopcnair.com/fetch-azure-ad-details-microsoft-graph-api-via-web-browsers/
Awesome thanks – I managed to create a dynamic group that contained devices whilst waiting for your update, from this group I could get an object in this group and | fl to get full details. I will read your post now also as Graph is another area of interest to me.
Thanks again
Also MS updated their Dynamic Groups page to include devices:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal
I tried this for iOS devices. Initially, the devices show up in the group, but then disappear. Any ideas?
Is there a way to create dynamic group base on AutoPilot?
Yes, I think there is an option to create an AAD dynamic group for each Autopilot profile.
How?
When you add devices, you need to add them to an Autopilot deployment group. Use these groups to apply Autopilot deployment profiles to a group of devices. The first time you add devices to a group, you’ll need to create an Autopilot deployment group. https://docs.microsoft.com/en-us/microsoft-store/add-profile-to-devices#device-information-file-format
Not sure if this is helpful, but I created a dynamic device security group for AutoPilot with the advanced rule below:
(device.devicePhysicalIDs -any _ -contains "[ZTDId]")
This will automatically add any device you enroll into AutoPilot to this dynamic group.
Hi Anoop,
Any way we can create AAD Device groups based on AD OU, Programs Installed, basically like more granular queries like we can with SCCM collections?
Thanks
Is there any option to create a user Group based on the Device Type they are using? For e.g. create a user group for all MacOS users.
I think you are trying to replicate the SCCM collection logic in Azure AD dynamic groups. If so, I don’t think that is possible …. you might need to use requirement rules or a custom script for that … I suppose
Would you know of a way to create a dynamic device group based on the primary user for the device? I’m trying to create one that includes devices with a specific group tag and primary users whose userprincipalname doesn’t include a certain string.
I’m not sure whether we can mix device properties with user properties in Azure AD.
Is there any option to create a dynamic user Group based on the OS Version they are using? For e.g. create a dynamic user group for all Win 11 devices.