Forum Discussion
PatrickF11
Jul 15, 2019, Steel Contributor
dynamic group based on domain join type
Hi,
is there a simple solution to this:
- I would like to have a dynamic group for all devices 1. which are Azure AD joined & 2. All devices which are hybrid azure ad joined.
Is there an attribute which i can address?
Thank you in advance for any advice.
PatrickF11 Well, this is supported and available!
You can create Azure AD dynamic device groups based on Hybrid Azure AD Join and Azure AD Join. This is using the DeviceTrustType attribute. I have put across some more points and validation details etc.: Create AAD Dynamic Groups based on Domain Join Type Hybrid Azure AD and Azure AD.
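As an added example (not part of the thread or of the linked article), the two rules the reply above describes, created with the Microsoft Graph PowerShell SDK and followed by a client-side count of devices per trust type so you can sanity-check what each group should resolve to. It assumes the Microsoft.Graph.Groups and Microsoft.Graph.Identity.DirectoryManagement modules are installed and that the signed-in account has Group.ReadWrite.All and Device.Read.All; the group names are placeholders.

```powershell
# Added example: dynamic device groups keyed on device.deviceTrustType.
# Assumes Microsoft.Graph.Groups + Microsoft.Graph.Identity.DirectoryManagement
# and an account holding Group.ReadWrite.All and Device.Read.All.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.Read.All"

# deviceTrustType values accepted in dynamic membership rules:
#   AzureAD   -> Azure AD joined
#   ServerAD  -> Hybrid Azure AD joined
#   Workplace -> Azure AD registered (BYOD / workplace join) - matched by neither rule below
# accountEnabled keeps disabled/stale device objects out of the groups.
# Group display names are placeholders, not names from the thread.
$rules = @{
    "DYN-Devices-AzureADJoined"   = '(device.deviceTrustType -eq "AzureAD") and (device.accountEnabled -eq true)'
    "DYN-Devices-HybridAADJoined" = '(device.deviceTrustType -eq "ServerAD") and (device.accountEnabled -eq true)'
}

foreach ($name in $rules.Keys) {
    $existing = Get-MgGroup -Filter "displayName eq '$name'"
    if ($existing) {
        Write-Host "Group $name already exists ($($existing.Id)); skipping"
        continue
    }

    # MembershipRuleProcessingState "On" is what actually turns evaluation on;
    # a rule saved with it "Paused" never populates the group.
    $group = New-MgGroup -DisplayName $name `
        -MailEnabled:$false -MailNickname ($name -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled:$true -GroupTypes @("DynamicMembership") `
        -MembershipRule $rules[$name] -MembershipRuleProcessingState "On"
    Write-Host "Created $name : $($group.Id)"
}

# Preview: the Graph device object carries the same join information as trustType
# (AzureAd / ServerAd / Workplace). Grouping client-side avoids relying on
# server-side filter support for that property.
Get-MgDevice -All -Property DisplayName, TrustType, AccountEnabled, OperatingSystem |
    Where-Object { $_.AccountEnabled } |
    Group-Object TrustType |
    Select-Object Name, Count
```

Dynamic membership is evaluated asynchronously, so the groups stay empty for a while after creation; compare the group's member count against the trust-type counts printed at the end before assigning policies to it. Hybrid-joined machines only show up as ServerAD once the synced computer object has completed device registration, and Azure AD registered (Workplace) BYOD devices land in neither group, which is usually the intended outcome when the groups are used to target Windows configuration profiles.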
- PatrickF11, Steel Contributor
Hey Anoop C Nair,
thank you very much for sharing this (and the link to the twitter post in your article).
It's really great to hear that Microsoft has reworked this one. 🙂
I've tested the dynamic query which was mentioned in your article's comments (including enabled = true, etc.).
- Michael_Long, Copper Contributor
Here is the rule I use and it seems to work. Haven't tested it for a long time yet.
(device.enrollmentProfileName -match ".*") and (device.accountEnabled -eq True) and (device.managementType -eq "MDM")
Edit: This is for Azure AD Joined. I'm trying to get rid of any last vestige of Hybrid so don't really care about them. Cheers.
Edit 2: I only have a couple of Hybrid Enrollment Profiles and they have the word Hybrid in them. I am pretty sure this works for those but currently don't have any devices in those profiles. We have a few laptops that might go in them for RADIUS unless our engineers get around to converting our RADIUS server from OU / Cert auth to just device certs or windows auth.
(device.enrollmentProfileName -match ".*") and (device.enrollmentProfileName -notContains "Hybrid") and (device.accountEnabled -eq True) and (device.managementType -eq "MDM")
- Roger_Truss, Brass Contributor
I cannot believe how Microsoft has dropped the ball on this one simple item. You can see in the UI if it's hybrid or not AND what MDM solution is in play, but you simply cannot create a group using them. You can use managementType, but it seems to ONLY equal MDM no matter what. I need to ID my hybrid devices and my plain AAD devices as we manage them differently, and not having basic functionality for dynamic group membership is bad form.
- dgr4it, Iron Contributor
PatrickF11 I have the exact same issue all the time, and like you, I'm looking for a "dynamic rule", not something I need to manually set up anywhere.
It seems that this is simply not possible right now with Intune/Azure, but it'd certainly be a welcome addition. They could also extend it to simply add a field with the domain to which the device is joined.
That way you could target not only AAD (as both of us seem to need), but also multiple domains (which still happens in some large organizations).
Btw, the scenario I have is the same as you, needed it when migrating to AAD.
By now, however, I've almost finished that migration, so I may not need it again. I did miss the capability to make such a dynamic group throughout the whole process, though.
In my case, I only had one AD (hybrid) and one AAD, so I kept manually maintaining the smallest one, using include/exclude rules to figure out the other automatically.
- Steve Whitcher, Bronze Contributor
I'd also love to find a solution for this. I'm just starting to test computers that are AAD Joined rather than Hybrid AAD Joined, and want to target configuration profiles at the AAD Joined computers only. For example, I have a PFX certificate profile to issue a certificate to the machine, which is unnecessary for Hybrid AADJ computers since they auto-enroll a computer certificate when they join the domain. It probably wouldn't hurt to have them also get a certificate from the Intune profile, but it would be one more certificate in the store and there is a non-zero chance that will cause issues with certificate matching somewhere down the line.
- PatrickF11, Steel Contributor
Hi Steve,
at this moment I'm using a dynamic group that queries for the Autopilot Deployment Profile.
One example (in this case for Android):
(device.deviceOSType -eq "AndroidEnterprise") and (device.enrollmentProfileName -eq "DevEnroll_Android_Name123")
- mseger, Copper Contributor
Go to: (Intune\Devices\Device Categories)
(https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesMenu/deviceCategories)
Create a category named "AAD Joined Devices"
Go to: (Intune\Groups)(https://endpoint.microsoft.com/#blade/Microsoft_AAD_IAM/GroupsManagementMenuBlade/AllGroups)
Create a DYNAMIC group called "AAD Joined Devices" and add an expression where "Device Category" equals a value of "AAD Joined Devices"
Devices will need to have their Device Category changed to "AAD Joined Devices" manually.
Hope this helps!
- PatrickF11, Steel Contributor
Thank you for your response in this topic. Just a few questions:
1. Since when do AAD joined devices automatically set their device category?
2. When using a category, all my BYOD mobile devices are going to be asked to choose a category. That's why I don't like them that much (e.g. iOS enrollment with the Company Portal app).
- mseger, Copper Contributor
Hey there Patrick,
I see the confusion, I fixed my earlier post so others don't get confused. I posted that when I was in the middle of testing everything and forgot to go back and change my post with the correct information I found after I was finished testing.
Sorry about that!
1. They don't. I manually change the AAD Joined devices "Device Category". Annoying for sure but it's the only way I've found to get all the AAD Joined devices into a group so I can apply policies only to those devices.
2. Correct, they will be asked to choose a category. I created a "more obvious" category called "Phones and Tablets" for them to choose so those BYOD devices (hopefully) don't end up in the "AAD Joined Devices" category. Not the most elegant solution but so far it's working. If a user chooses the wrong category I'll find it eventually when looking at the "AAD Joined Devices" group and can correct it then. My custom policies are only for Windows 10 so the phones and tablets, even if in the wrong group, won't apply those policies anyway.
Give me a shout if you have any more questions! Have a great day!
Matt
- tweetiepie1983, Brass Contributor
Are these devices of the same OS?
We have a dynamic group that targets all Windows 10 devices..
You could also do this by Model number, but this would need updating every time a new model is introduced into the work place.
- PatrickF11, Steel Contributor
tweetiepie1983 No, nearly all of our devices are Win10 based devices.
Most of them are hybrid joined, but in the near future more and more will do an Azure-only join (no matter which model).
That's why I think I need a solution based on the join type.
The list of properties you can use for Devices is here: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#rules-for-devices
If nothing else, you can use the enrollmentProfileName or custom values such as deviceCategory.