Azure AD – Create dynamic group containing all Windows 10 Azure AD joined devices managed by Intune

Title says it all, and at first sight, simply to achieve, right?
Let me tell you: In my opinion, it is not quite as easy as it should be.

Lets start by creating a new group within Azure AD, to do this, navigate to your Azure AD and open the Groups blade, where you can start the process by a click on “New Group”:

Within the opened group creation wizard, select Security as group type, give a proper name and select “Dynamic Device” as membership type for the group:

Now click on “Add dynamic Query” at the bottom of the creation wizard to open the query rule:

You can open the Dropbox at “Add devices where” to see all available “Attributes” of the device which can be used for the query:

We may be able to guess what these attributes contains, but which operators can used and so on is unclear. The following article of Microsoft tries to help how to use the device attributes:
Dynamic membership rules for groups in Azure Active Directory

But it is still unclear, from where those attributes are coming. If I’m using Get-MSOLDevice or Get-AzureADDevice to check if the attributes are comparable, I have to consider that not even the attribute names corresponds to each other:

So unfortunately I was required to check which query will bring the result I was looking for: An Azure AD Device group with dynamic membership for Windows 10 Clients filtered on Azure AD joined and Intune managed. My solution is this “Advanced rule”:
(device.deviceOSVersion -startsWith "10.0") -and (device.DeviceOSType -startsWith "Windows") -and (device.managementType -eq "MDM")
Now add this rule to the editor, and a click on “Add Query” will add the rule to the group:

After a click on “Create”, the group gets created, and a membership evaluation will start immediately. This will take some minutes, and afterwards you should be able to check, that the correct members are added to this group:

I really hope that Microsoft improves it’s documentation about the device attributes, or make it better to find the more detailed docs, if they already exists. And I’m aware of the option create an own solution with a PowerShell script executed locally or in Azure. But the dynamic membership feature is part of Azure AD Premium P1, and many customer will probably use it.

Hope this helps someone to find quickly the required query.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.