How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups

In my previous post, “How to Create Azure AD Dynamic Groups for Managing Devices via Intune“, we discussed creating Azure AD Dynamic Device or User groups.

Another question I usually get is “How do I remove or exclude a device from an Azure Active Directory Dynamic Device Group?”.

I expect this is one of the scenarios that arises when deploying security/configuration policies via Intune. It is a very valid scenario, and you can’t avoid it in the device management world. No explanation is needed if you are an experienced SCCM Admin.

Exclude a Device from Azure AD Dynamic Device Group

It’s impossible to remove a single device directly from an AAD Dynamic device group. Yes, there is a Remove button available, but when you select a device and click on it, you get a confirmation popup with a YES button.

If you click on the YES button, it gives an error stating that you can’t remove the device from the Azure AD dynamic device group: “Failed to remove member LENexus 5 from group _Android Devices”. However, the exclusion can be achieved by adding a condition to the advanced membership rule query of the AAD dynamic group.


AAD Dynamic membership advanced rules are built from binary expressions. One Azure AD dynamic query can contain more than one binary expression, and each pair of expressions is joined by a conditional operator, either “and” or “or”. The choice of conditional operator is what lets you keep unwanted devices out of an AAD dynamic device or user group.


The following is the advanced membership rule query I used in the AAD dynamic device group to exclude a device. In this query, the conditional operator between the two binary expressions is -and.

(device.deviceOSType -contains "Android") -and (device.displayName -notcontains "LGENexus 5")

I don’t yet know the result, or whether this will work effectively when we deploy a configuration policy via Intune to this AAD device group. I assume that it will work, because I can see a difference in the device icon for the device called “LGENexus 5”, which is the device I tried to exclude using the above query.
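To make the effect of the conditional operator concrete, here is an added Python example (not part of the original post, and not Azure AD’s own rule engine) that evaluates a small subset of the membership-rule grammar over a constructed device inventory. The Device class, the DEVICES list, the left-to-right evaluation order and the treatment of a missing attribute as “no match” are assumptions made for illustration; it supports only parenthesised binary expressions joined by -and / -or with the -eq, -ne, -contains and -notcontains operators.

```python
import re
from dataclasses import dataclass


@dataclass
class Device:
    """Constructed stand-in for an Azure AD device object (not the real schema)."""
    deviceOSType: str
    displayName: str


# Grammar subset handled here (assumption; real rules support more operators and nesting):
#   rule := expr ( ("-and" | "-or") expr )*
#   expr := "(" device.<property> <operator> "<value>" ")"
TOKEN = re.compile(r'\(\s*device\.(\w+)\s+(-\w+)\s+"([^"]*)"\s*\)|(-and|-or)')


def parse_rule(rule):
    """Tokenise a rule into a list alternating between (property, op, value) and -and/-or."""
    parts = []
    pos = 0
    for m in TOKEN.finditer(rule):
        if rule[pos:m.start()].strip():
            raise ValueError(f"unexpected text in rule: {rule[pos:m.start()]!r}")
        parts.append(m.group(4) if m.group(4) else (m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    if rule[pos:].strip():
        raise ValueError(f"unexpected trailing text in rule: {rule[pos:]!r}")
    if not parts:
        raise ValueError("empty rule")
    for i, part in enumerate(parts):
        # even positions must be expressions, odd positions must be operators
        if (i % 2 == 0) == isinstance(part, str):
            raise ValueError("rule must alternate between expressions and -and/-or")
    if isinstance(parts[-1], str):
        raise ValueError("rule ends with a dangling operator")
    return parts


def eval_expr(expr, device):
    """Evaluate one binary expression; -contains/-notcontains are substring tests."""
    prop, op, value = expr
    actual = getattr(device, prop, None)
    if actual is None:
        return False  # assumption: a device without the attribute never matches
    if op == "-eq":
        return actual == value
    if op == "-ne":
        return actual != value
    if op == "-contains":
        return value in actual
    if op == "-notcontains":
        return value not in actual
    raise ValueError(f"unsupported operator {op}")


def matches(rule, device):
    """Combine expressions strictly left to right (simplification of the real engine)."""
    parts = parse_rule(rule)
    result = eval_expr(parts[0], device)
    for op, expr in zip(parts[1::2], parts[2::2]):
        rhs = eval_expr(expr, device)
        result = (result and rhs) if op == "-and" else (result or rhs)
    return result


def members(rule, devices):
    """Display names of the devices the rule would admit to the group."""
    return [d.displayName for d in devices if matches(rule, d)]


# Constructed sample inventory: two ordinary Androids, one Windows box, and a
# second device whose display name happens to contain the excluded string.
DEVICES = [
    Device("Android", "LGENexus 5"),
    Device("Android", "Pixel 3"),
    Device("Windows", "DESKTOP-01"),
    Device("Android", "LGENexus 5 (spare)"),
]

# The rule from the post, and the same rule with the operator flipped to -or.
EXCLUDE_RULE = '(device.deviceOSType -contains "Android") -and (device.displayName -notcontains "LGENexus 5")'
OR_RULE = '(device.deviceOSType -contains "Android") -or (device.displayName -notcontains "LGENexus 5")'

if __name__ == "__main__":
    print("-and members:", members(EXCLUDE_RULE, DEVICES))
    print("-or  members:", members(OR_RULE, DEVICES))
```

Running it shows that the -and form admits only “Pixel 3”, while flipping the operator to -or makes every device a member, including the Windows one, because the second expression alone admits anything whose name lacks the string. It also shows that -notcontains is a substring test: the spare device with a similar name drops out as well, so an exclusion keyed on displayName should use a string that is unique to the one device you mean.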


Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.