Let’s learn how you can filter Intune app and policy assignments by Azure AD domain join type. By filtering assignments based on whether a device is Hybrid Azure AD joined or Azure AD joined, IT admins can ensure that the appropriate policies and security measures are applied to the right devices.
Starting with Intune service release 2301, Microsoft added a new feature that lets you filter app and policy assignments by the device’s Azure AD join type in Microsoft Intune.
It’s important to have a clear understanding of the different device join types used within the organization. A new device filter property, deviceTrustType, is available for Windows 10 and later devices. With this property, you can filter app and policy assignments depending on the Azure AD join type.
The deviceTrustType attribute of the Azure AD device object allows you to create a filter rule based on the device’s Azure AD join type: Azure AD joined, Hybrid Azure AD joined, or Azure AD registered. Here you can check how to create AAD dynamic groups based on the domain join type.
The feature adds greater flexibility for assigning apps and policies to groups of users or devices. As an Intune admin, when you create a policy, you can use filters to assign it based on the rules you define.
- Intune Filters For Assigning Apps Policies And Profiles In Intune Portal
- Create AAD Dynamic Groups based on MDM (Intune & SCCM Management)
Create Filter for Azure AD Domain Join Type
To create a filter rule in the Intune portal, you follow a similar process to other workflows in Intune. The key difference is in constructing the rule logic based on the Azure AD join type.
- Sign in to the Microsoft Intune admin center.
- Select Tenant administration > Filters. Click the + Create button to start the process.
In the Create filter window, enter the name of the filter, for example HTMD Hybrid Azure AD Device Group, and optionally enter a description of the filter.
Under Platform, select Windows 10 and later from the drop-down list. Click Next to continue.
There are two options to build the filter rule. You can use the rule builder or the rule syntax text box to create or edit the rule.
- Rule Builder – Graphical interface; the easy way to create the rule.
- Rule Syntax – For advanced technical users who need complex queries.
Follow the steps below to use the Rule Builder to create a filter for Hybrid Azure AD joined devices.
- Under Rules, open the Property drop-down list and select deviceTrustType as the property.
- Now choose an operator for the deviceTrustType rule. I have selected Equals from the operator drop-down menu.
- The deviceTrustType property takes one of the values Azure AD joined, Azure AD registered, Hybrid Azure AD joined, or Unknown.
To create a filter rule for Hybrid Azure AD joined devices, select the following property, operator and value. The value you want to match is Hybrid Azure AD joined.
- Property – deviceTrustType
- Operator – Equals
- Value – Hybrid Azure AD Joined
Here is how you can choose between the Azure AD joined, Hybrid Azure AD joined, Azure AD registered or Unknown values using the -eq, -ne, -in and -notIn operators in rule syntax. For example:
- (device.deviceTrustType -eq "Hybrid Azure AD joined")
- (device.deviceTrustType -ne "Azure AD registered")
- (device.deviceTrustType -in ["Hybrid Azure AD joined","Azure AD joined"])
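To make the rule syntax above concrete, here is an added example (not part of the original post or of Intune itself) that parses single-clause deviceTrustType rules with the -eq, -ne, -in and -notIn operators and previews them against a constructed device inventory. It assumes, as the portal does for these string values, that comparison is case-insensitive, which is why both "Hybrid Azure AD joined" and "Hybrid Azure AD Joined" match the same devices.

```python
import re

# Constructed sample inventory (not real tenant data). The deviceTrustType
# values are the four the post lists for Windows 10 and later devices.
DEVICES = [
    {"deviceName": "HYB-001", "deviceTrustType": "Hybrid Azure AD joined"},
    {"deviceName": "AAD-002", "deviceTrustType": "Azure AD joined"},
    {"deviceName": "REG-003", "deviceTrustType": "Azure AD registered"},
    {"deviceName": "UNK-004", "deviceTrustType": "Unknown"},
]

# One clause: (device.<property> -<op> "value") or -in/-notIn with a ["a","b"] list.
_RULE = re.compile(
    r'^\(\s*device\.(?P<prop>\w+)\s+-(?P<op>eq|ne|in|notIn)\s+'
    r'(?P<val>"[^"]*"|\[[^\]]*\])\s*\)$'
)


def parse_rule(rule):
    """Return (property, operator, list_of_values) for one filter clause."""
    m = _RULE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule}")
    prop, op, raw = m.group("prop"), m.group("op"), m.group("val")
    if op in ("in", "notIn"):
        if not raw.startswith("["):
            raise ValueError(f"-{op} requires a list value, got {raw}")
        values = re.findall(r'"([^"]*)"', raw)
    else:
        if raw.startswith("["):
            raise ValueError(f"-{op} requires a single string value, got {raw}")
        values = [raw.strip('"')]
    return prop, op, values


def matches(device, rule):
    """Evaluate one clause against a device record (case-insensitive, assumed)."""
    prop, op, values = parse_rule(rule)
    actual = str(device.get(prop, "Unknown")).casefold()
    wanted = {v.casefold() for v in values}
    if op in ("eq", "in"):
        return actual in wanted
    return actual not in wanted  # ne / notIn


def preview_devices(rule, devices=DEVICES):
    """Mimic the portal's Preview devices: names of devices the rule matches."""
    return [d["deviceName"] for d in devices if matches(d, rule)]
```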
You can use the Preview devices option to check whether the filter rules are configured correctly.
Preview devices – Shows a sample set of devices that match the filter rules. The example above shows devices of the Hybrid Azure AD joined type. Click the Preview devices link to see them.
On the next page, Scope tags are a filtering option provided in Intune to ease admin work. In the scope tag section, you can configure scope tags for the filter. Click Next.
In Review + create, review your settings. When you select Create, your changes are saved.
A notification appears automatically in the top right-hand corner confirming that the HTMD Hybrid AAD Device Group filter was created successfully. The filter is created and ready to be used, and it is also shown in the filters list.
Use Device Azure AD Domain Join Type Filter
Once the filter is created, it’s ready to use when assigning your apps or policies. Here’s how you can apply the filter while creating new apps or policies, or to existing ones.
- In the Intune admin center, navigate to your apps, compliance policies, or configuration profiles.
- Select an existing policy, or create a new one. For example, select Apps > Windows and select the existing app Amazon Corretto. Select Properties > Assignments > Edit.
To assign your policy to a user group or device group, select Edit filter. You can choose to include filtered devices or exclude filtered devices. A list of filters that match the policy platform is shown.
Select your filter from the available options and click Select. For example, here I selected Include filtered devices in assignment and selected the Hybrid domain join type filter.
Once you have selected the filter, the Filter mode and Filter are shown as below.
When the device checks in with the Intune service, the properties defined in the filter are evaluated to determine whether the app or policy should be applied.
About Author – Jitesh, Microsoft MVP, has over six years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.