Title says it all, and at first sight, simply to achieve, right?
Let me tell you: In my opinion, it is not quite as easy as it should be.
Within the opened group creation wizard, select Security as group type, give a proper name and select “Dynamic Device” as membership type for the group:
Now click on “Add dynamic Query” at the bottom of the creation wizard to open the query rule:
You can open the Dropbox at “Add devices where” to see all available “Attributes” of the device which can be used for the query:
We may be able to guess what these attributes contains, but which operators can used and so on is unclear. The following article of Microsoft tries to help how to use the device attributes:
Dynamic membership rules for groups in Azure Active Directory
But it is still unclear, from where those attributes are coming. If I’m using Get-MSOLDevice or Get-AzureADDevice to check if the attributes are comparable, I have to consider that not even the attribute names corresponds to each other:
So unfortunately I was required to check which query will bring the result I was looking for: An Azure AD Device group with dynamic membership for Windows 10 Clients filtered on Azure AD joined and Intune managed. My solution is this “Advanced rule”:
(device.deviceOSVersion -startsWith "10.0") -and (device.DeviceOSType -startsWith "Windows") -and (device.managementType -eq "MDM")
Now add this rule to the editor, and a click on “Add Query” will add the rule to the group:
After a click on “Create”, the group gets created, and a membership evaluation will start immediately. This will take some minutes, and afterwards you should be able to check, that the correct members are added to this group:
I really hope that Microsoft improves it’s documentation about the device attributes, or make it better to find the more detailed docs, if they already exists. And I’m aware of the option create an own solution with a PowerShell script executed locally or in Azure. But the dynamic membership feature is part of Azure AD Premium P1, and many customer will probably use it.
Hope this helps someone to find quickly the required query.