Title says it all, and at first sight, simply to achieve, right?
Let me tell you: In my opinion, it is not quite as easy as it should be.
Lets start by creating a new group within Azure AD, to do this, navigate to your Azure AD and open the Groups blade, where you can start the process by a click on “New Group”:
Within the opened group creation wizard, select Security as group type, give a proper name and select “Dynamic Device” as membership type for the group:
Now click on “Add dynamic Query” at the bottom of the creation wizard to open the query rule:
You can open the Dropbox at “Add devices where” to see all available “Attributes” of the device which can be used for the query:
We may be able to guess what these attributes contains, but which operators can used and so on is unclear. The following article of Microsoft tries to help how to use the device attributes:
Dynamic membership rules for groups in Azure Active Directory
But it is still unclear, from where those attributes are coming. If I’m using Get-MSOLDevice or Get-AzureADDevice to check if the attributes are comparable, I have to consider that not even the attribute names corresponds to each other:
So unfortunately I was required to check which query will bring the result I was looking for: An Azure AD Device group with dynamic membership for Windows 10 Clients filtered on Azure AD joined and Intune managed. My solution is this “Advanced rule”:
(device.deviceOSVersion -startsWith "10.0") -and (device.DeviceOSType -startsWith "Windows") -and (device.managementType -eq "MDM")
Now add this rule to the editor, and a click on “Add Query” will add the rule to the group:
After a click on “Create”, the group gets created, and a membership evaluation will start immediately. This will take some minutes, and afterwards you should be able to check, that the correct members are added to this group:
I really hope that Microsoft improves it’s documentation about the device attributes, or make it better to find the more detailed docs, if they already exists. And I’m aware of the option create an own solution with a PowerShell script executed locally or in Azure. But the dynamic membership feature is part of Azure AD Premium P1, and many customer will probably use it.
Hope this helps someone to find quickly the required query.
blog.hosebei.ch 
Hi Martin,
thank you for your post. I’ve just found a problem with that:
This dynamic query lists Windows Phone devices as well.
For me the best solution was this one:
(device.DeviceOSType -in [“Windows”,”Windows 10 Pro”,”Windows 10 Enterprise”]) -and (device.deviceOSVersion -startsWith “10.0”) -and (device.managementType -eq “MDM”)
This one lists devices where the OSType is Windows OR Windows 10 Pro OR Windows 10 Enterprise (and the other two conditions.
Best regards
Patrick 🙂
i have exactly the same problem but get an error, invalid characters.
Patrick’s example above contains curly quotes, which are invalid. Replace them with straight quotes and it works.
That‘s strange, I’ve copied it right out of my dynamic query rule.
Sorry for the inconvenience.
I think it is beacuase of WordPress. it happened to me as well. sorry for that
This also adds Hybrid devices though. Is there an option for just Azure AD?
MDM does work. It simply checks if the MDM field in Azure AD is filled. If it is, it will add Azure AD Joined AND Hybrid Joined Devices to the group, if the Hybrid Joined Devices are managed with ConfigMgr for example, as this is recognized as MDM.
@Fred: If you use Autopilot for joining the devices to AzureAD then you could use the enrollment profile as a query:(device.enrollmentProfileName -eq “Insert_Profile_Name_Here”)
@Tom, not @Fred 😉