Forum Discussion
dynamic group based on domain join type
- Jun 13, 2022
PatrickF11 Well, this is supported and available!
You can create Azure AD dynamic device groups based on Hybrid Azure AD Join and Azure AD Join. This is using the DeviceTrustType attribute. I have put across some more points and validation details etc.: Create AAD Dynamic Groups based on Domain Join Type Hybrid Azure AD and Azure AD.
PatrickF11 I have the exact same issue all the time, and like you, I'm looking for a "dynamic rule", not something I need to manually set up anywhere.
It seems that this is simply not possible right now with Intune/Azure, but it'd certainly be a welcome addition. They could also extend it to simply add a field with the domain to which the device is joined.
That way you could target not only AAD (as both of us seem to need), but also multiple domains (which still happens in some large organizations).
Btw, the scenario I have is the same as you, needed it when migrating to AAD.
By now, however, I've almost finished that migration, so I may not need it again.
I did miss the capability to make such a dynamic group throughout the whole process though.
In my case, I only had one AD (hybrid) and one AAD, so I kept manually maintaining the smallest one, using include/exclude rules to figure out the other automatically.