Forum Discussion
dynamic group based on domain join type
- Jun 13, 2022
PatrickF11 Well, this is supported and available!
You can create Azure AD dynamic device groups based on Hybrid Azure AD Join and Azure AD Join. This is using the DeviceTrustType attribute. I have put across some more points and validation details, etc.: Create AAD Dynamic Groups based on Domain Join Type Hybrid Azure AD and Azure AD.
Here is the rule I use and it seems to work. Haven't tested it for a long time yet.
(device.enrollmentProfileName -match ".*") and (device.accountEnabled -eq True) and (device.managementType -eq "MDM")
Edit: This is for Azure AD Joined. I'm trying to get rid of any last vestige of Hybrid so don't really care about them. Cheers.
Edit 2: I only have a couple of Hybrid Enrollment Profiles and they have the word Hybrid in them. I am pretty sure this works for those but currently don't have any devices in those profiles. We have a few laptops that might go in them for RADIUS unless our engineers get around to converting our RADIUS server from OU / Cert auth to just device certs or Windows auth.
(device.enrollmentProfileName -match ".*") and (device.enrollmentProfileName -notContains "Hybrid") and (device.accountEnabled -eq True) and (device.managementType -eq "MDM")
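
Added example, not written by either poster: creating one dynamic device group per join type with the deviceTrustType attribute mentioned in the first reply, using the Microsoft Graph PowerShell SDK, then counting devices by trust type so the resulting membership can be checked. The group names and mail nicknames are assumptions; AzureAD and ServerAD are the rule values for Azure AD joined and Hybrid Azure AD joined devices.

```powershell
# Added example; group names and nicknames below are hypothetical.
# Requires the Microsoft.Graph PowerShell SDK and rights to create groups.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

# One group per join type. deviceTrustType values in dynamic rules:
#   AzureAD  = Azure AD joined
#   ServerAD = Hybrid Azure AD joined
$groups = @(
    @{ Name = 'Devices-AADJoined';    Nick = 'devices-aadjoined';    Trust = 'AzureAD'  },
    @{ Name = 'Devices-HybridJoined'; Nick = 'devices-hybridjoined'; Trust = 'ServerAD' }
)

foreach ($g in $groups) {
    # Keying on join type (not enrollment profile name) also covers devices
    # that were never enrolled through a named profile.
    $rule = '(device.deviceTrustType -eq "{0}") and (device.accountEnabled -eq True)' -f $g.Trust

    # Skip creation if a group with this display name already exists.
    $existing = Get-MgGroup -Filter "displayName eq '$($g.Name)'"
    if ($existing) {
        Write-Warning "Group '$($g.Name)' already exists; current rule: $($existing.MembershipRule)"
        continue
    }

    New-MgGroup -DisplayName $g.Name `
        -Description "Dynamic device group: deviceTrustType $($g.Trust)" `
        -MailEnabled:$false `
        -MailNickname $g.Nick `
        -SecurityEnabled `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On' |
        Select-Object Id, DisplayName, MembershipRule
}

# Cross-check: count enabled devices per trust type as the directory reports it.
# Once rule processing has finished, each group's member count should match
# the corresponding row here.
Get-MgDevice -All -Property Id, DisplayName, TrustType, AccountEnabled |
    Where-Object AccountEnabled |
    Group-Object TrustType |
    Select-Object Name, Count
```

Dynamic membership is evaluated asynchronously, so compare the counts only after the group's processing status shows the update is complete.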