Forum Discussion

MCT

Jul 15, 2019

Solved

dynamic group based on domain join type

Hi, is there a simple solution to this: - I would like to have a dynamic group for all devices 1. which are Azure AD joined & 2. All devices which are hybrid azure ad joined. Is there an att...

dynamic groups

groups

Anoop C Nair
Jun 13, 2022
PatrickF11 Well, this is supported and available!
You can create Azure AD dynamic device groups based on Hybrid Azure AD Join and Azure AD Join. This is using the DeviceTrustType attribute. I have put across some more points and validation details etc

Create AAD Dynamic Groups based on Domain Join Type Hybrid Azure AD and Azure AD.

dgr4it

Iron Contributor

Jan 24, 2021

PatrickF11 I have the exact same issue all the time, and like you, I'm looking for a "dynamic rule", not something I need to manually set up anywhere.

It seems that this is simply not possible right now with Intune/Azure, but it'd be certainly be a welcome addition. They could also extend it to simply add a field with the domain to which the device is joined.

That way you could target not only AAD (as both of us seem to need), but also multiple domains (which still happens in some large organizations).

Btw, the scenario I have is the same as you, needed it when migrating to AAD.
By now, however, I've almost finished that migration, so I may not need it again.

I did miss the capability to make such a dynamic group throughout the whole process though.

In my case, I only had one AD (hybrid) and one AAD, so I kept manually maintaining the smallest one, using include/exclude rules to figure out the other automatically.

Steve Whitcher

Bronze Contributor

Apr 07, 2021

I'd also love to find a solution for this. I'm just starting to test computers that are AAD Joined rather than Hybrid AAD Joined, and want to target configuration profiles at the AAD Joined computers only. For example, I have a PFX certificate profile to issue a certificate to the machine, which is unnecessary for Hybrid AADJ computers since they auto-enroll a computer certificate when they join the domain. It probably wouldn't hurt to have them also get a certificate from the intune profile, but it would be one more certificate in the store and there is a non-zero chance that will cause issues with certificate matching somewhere down the line.

PatrickF11
MCT
Apr 07, 2021
Hi Steve,

at this moment i'm using a dynamic group while querying for the Autopilot Deployment Profile.
One example (in this case for Android):
(device.deviceOSType -eq "AndroidEnterprise") -and (device.enrollmentProfileName -eq "DevEnroll_Android_Name123")
- PDostiyar
  Bronze Contributor
  Apr 26, 2021
  The Easy way I always do this staff is as follows;
  
  Go to Devices > All Devices > check the Join Type in the Columns section so you have it on your view > click export > check only includes selected Columns in the exported file
  
  once you files download open excel and filter the Join type column and guess what you know the number of Joined devices, Registered and Hybrid devices.
  
  Maybe some thinks this is manual well there is no other way unless you use profile type but what if someone has not setup the devices profile type or categories.
  - DB9000
    Copper Contributor
    Oct 14, 2024
    Thank you for the tip! This helped me make a dynamic group with what I was targeting!