SOLVED

dynamic group based on domain join type

Steel Contributor

Hi,

 

is there a simple solution to this:

- I would like to have a dynamic group for 1. all devices which are Azure AD joined and 2. all devices which are hybrid Azure AD joined.

 

Is there an attribute which I can address?

 

Thank you in advance for any advice.

17 Replies

@PatrickF11 

 

Are these devices of the same OS?

We have a dynamic group that targets all Windows 10 devices..

 

You could also do this by Model number, but this would need updating every time a new model is introduced into the work place.

@tweetiepie1983 No, nearly all of our devices are Win10-based devices.

Most of them are hybrid joined, but in the near future more and more will do an Azure-only join (no matter which model).

 

That's why I think I need a solution based on the join type.

The list of properties you can use for Devices is here: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership...

If nothing else, you can use the enrollmentProfileName or custom values such as deviceCategory.

@Vasil Michev 

 

Hey guys, did you ever get this figured out? I am trying to do the same thing; however, I want the Hybrid joined machines to auto-enroll into Intune without opening Intune enrollment to everyone. I want the auto-enroll security group to be device based instead of user based.

@PatrickF11 

 

Go to: (Intune\Devices\Device Categories)

(https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesMenu/deviceCategories)

Create a category named "AAD Joined Devices"


Go to: (Intune\Groups)

(https://endpoint.microsoft.com/#blade/Microsoft_AAD_IAM/GroupsManagementMenuBlade/AllGroups)

Create a DYNAMIC group called "AAD Joined Devices" and add an expression where "Device Category" equals a value of "AAD Joined Devices"

 

Devices will need to have their Device Category changed to "AAD Joined Devices" manually.

 

Hope this helps!

@mseger 

 

Thank you for your response in this topic. Just a few questions:

1. Since when do AAD joined devices automatically set their device category?

2. When using a category, all my BYOD mobile devices are going to be asked to choose a category. That's why I don't like them that much (e.g. iOS enrollment with the Company Portal app).

@PatrickF11 

 

Hey there Patrick,

 

I see the confusion, I fixed my earlier post so others don't get confused. I posted that when I was in the middle of testing everything and forgot to go back and change my post with the correct information I found after I was finished testing.

 

Sorry about that!

 

1. They don't. I manually change the AAD Joined devices "Device Category". Annoying for sure but it's the only way I've found to get all the AAD Joined devices into a group so I can apply policies only to those devices.

2. Correct, they will be asked to choose a category. I created a "more obvious" category called "Phones and Tablets" for them to choose so those BYOD devices (hopefully) don't end up in the "AAD Joined Devices" category. Not the most elegant solution but so far it's working. If a user chooses the wrong category I'll find it eventually when looking at the "AAD Joined Devices" group and can correct it then. My custom policies are only for Windows 10 so the phones and tablets, even if in the wrong group, won't apply those policies anyway.

Give me a shout if you have any more questions!

 

Have a great day!

 

Matt

@PatrickF11 I have the exact same issue all the time, and like you, I'm looking for a "dynamic rule", not something I need to manually set up anywhere.

It seems that this is simply not possible right now with Intune/Azure, but it'd certainly be a welcome addition. They could also extend it to simply add a field with the domain to which the device is joined.

That way you could target not only AAD (as both of us seem to need), but also multiple domains (which still happens in some large organizations).

 

Btw, the scenario I have is the same as yours; I needed it when migrating to AAD.
By now, however, I've almost finished that migration, so I may not need it again.

I did miss the capability to make such a dynamic group throughout the whole process though.

 

In my case, I only had one AD (hybrid) and one AAD, so I kept manually maintaining the smallest one, using include/exclude rules to figure out the other automatically.

I'd also love to find a solution for this. I'm just starting to test computers that are AAD Joined rather than Hybrid AAD Joined, and want to target configuration profiles at the AAD Joined computers only. For example, I have a PFX certificate profile to issue a certificate to the machine, which is unnecessary for Hybrid AADJ computers since they auto-enroll a computer certificate when they join the domain. It probably wouldn't hurt to have them also get a certificate from the intune profile, but it would be one more certificate in the store and there is a non-zero chance that will cause issues with certificate matching somewhere down the line.
Hi Steve,

At this moment I'm using a dynamic group while querying for the Autopilot deployment profile.
One example (in this case for Android):
(device.deviceOSType -eq "AndroidEnterprise") -and (device.enrollmentProfileName -eq "DevEnroll_Android_Name123")
The easy way I always do this stuff is as follows:

Go to Devices > All Devices > check the Join Type in the Columns section so you have it in your view > click Export > check "only include selected columns" in the exported file.

Once your file downloads, open Excel and filter the Join Type column, and guess what, you know the number of Joined, Registered and Hybrid devices.

Maybe some think this is manual; well, there is no other way unless you use the profile type, but what if someone has not set up the devices' profile type or categories?

+1 We need this too.

We don't want to set a manual device category, because of the additional management.

Currently there is no way to do so except a global filter which contains all Windows devices.

 

I cannot believe how Microsoft has dropped the ball on this one simple item. You can see in the UI if it's hybrid or not AND what MDM solution is in play, but you simply cannot create a group using them. You can use managementType, but it seems to ONLY equal MDM no matter what. I need to ID my hybrid devices and my plain AAD devices as we manage them differently, and not having basic functionality for dynamic group membership is bad form.
Problem with this is that you need to remember to add new devices each time.

Here is the rule I use and it seems to work. Haven't tested it for a long time yet.
(device.enrollmentProfileName -match ".*") -and (device.accountEnabled -eq True) -and (device.managementType -eq "MDM")

Edit: This is for Azure AD Joined.  I'm trying to get rid of any last vestige of Hybrid so don't really care about them. Cheers.

Edit 2: I only have a couple of Hybrid Enrollment Profiles and they have the word Hybrid in them. I am pretty sure this works for those but currently don't have any devices in those profiles. We have a few laptops that might go in them for RADIUS unless our engineers get around to converting our RADIUS server from OU / Cert auth to just device certs or windows auth.
(device.enrollmentProfileName -match ".*") -and (device.enrollmentProfileName -notContains "Hybrid") -and (device.accountEnabled -eq True) -and (device.managementType -eq "MDM")

best response confirmed by PatrickF11 (Steel Contributor)
Solution

@PatrickF11 Well, this is supported and available!
You can create Azure AD dynamic device groups based on Hybrid Azure AD Join and Azure AD Join. This is using the DeviceTrustType attribute. I have put across some more points and validation details etc.

Create AAD Dynamic Groups based on Domain Join Type Hybrid Azure AD and Azure AD.
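As an added example (not from this thread or from the linked article), the two groups the accepted answer describes, created with the Microsoft Graph PowerShell SDK. The group names, the extra Windows-only and account-enabled clauses, and the trailing sanity check are my own assumptions; the attribute and its three values (AzureAD, ServerAD, Workplace) are the documented ones. Because Azure AD registered BYOD phones carry the Workplace value, they land in neither group, which addresses the device-category concern raised earlier in the thread.

```powershell
# Added example: create dynamic device groups keyed on deviceTrustType.
# Assumes the Microsoft.Graph module is installed and the signed-in account may
# create groups (Group.ReadWrite.All) and read devices (Device.Read.All).
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.Read.All" -NoWelcome

# deviceTrustType values:
#   AzureAD   = Azure AD joined
#   ServerAD  = hybrid Azure AD joined
#   Workplace = Azure AD registered (BYOD) - matched by neither rule below
# Group names and the extra clauses are assumptions for this example.
$rules = @{
    "DYN-Devices-AzureADJoined"   = '(device.deviceTrustType -eq "AzureAD") -and (device.deviceOSType -eq "Windows") -and (device.accountEnabled -eq True)'
    "DYN-Devices-HybridAADJoined" = '(device.deviceTrustType -eq "ServerAD") -and (device.deviceOSType -eq "Windows") -and (device.accountEnabled -eq True)'
}

foreach ($name in $rules.Keys) {
    # Idempotent: skip groups that already exist instead of creating duplicates.
    $existing = Get-MgGroup -Filter "displayName eq '$name'"
    if ($existing) {
        Write-Host "Group '$name' already exists, skipping"
        continue
    }

    New-MgGroup -DisplayName $name `
        -MailEnabled:$false `
        -MailNickname ($name -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $rules[$name] `
        -MembershipRuleProcessingState "On" | Out-Null

    Write-Host "Created dynamic group '$name' with rule: $($rules[$name])"
}

# Sanity check: count devices per trust type straight from the directory so the
# group sizes can be compared against it once dynamic processing has finished.
# (Filtering client-side avoids depending on server-side $filter support.)
Get-MgDevice -All -Property displayName, trustType, operatingSystem, accountEnabled |
    Where-Object { $_.OperatingSystem -eq "Windows" -and $_.AccountEnabled } |
    Group-Object trustType |
    Select-Object Name, Count
```

Dynamic membership is evaluated asynchronously, so the groups stay empty for a while after creation; compare the counts printed by the last pipeline with Get-MgGroupMember on each group only after the membership processing status shows as completed. Scoping the rules to Windows and enabled accounts is optional, but it keeps disabled or stale device objects from pulling policy assignments.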

Hey @Anoop C Nair,

 

thank you very much for sharing this (and the link to the twitter post in your article).

It's really great to hear that Microsoft has reworked this one. :)

 

I've tested the dynamic query which was mentioned in your article's comments (including enabled = true, etc.).

 
