Jul 15 2019 01:57 AM
Hi,
is there a simple solution to this:
- I would like to have a dynamic group for all devices 1. which are Azure AD joined and 2. all devices which are hybrid Azure AD joined.
Is there an attribute which i can address?
Thank you in advance for any advice.
Jul 15 2019 02:24 AM
Are these devices of the same OS?
We have a dynamic group that targets all Windows 10 devices..
You could also do this by Model number, but this would need updating every time a new model is introduced into the work place.
Jul 15 2019 04:38 AM
@tweetiepie1983 No, nearly all of our devices are Win10 based devices.
Most of them are hybrid joined, but in the near future more and more will do an Azure-only join (no matter which model).
That's why I think I need a solution based on the join type.
Jul 15 2019 10:34 AM
The list of properties you can use for Devices is here: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership...
If nothing else, you can use the enrollmentProfileName or custom values such as deviceCategory.
Jan 29 2020 09:10 AM
Hey guys, did you ever get this figured out? I am trying to do the same thing; however, I want the hybrid joined machines to auto-enroll into Intune without opening Intune enrollment to everyone. I want the auto-enroll security group to be device based instead of user based.
Aug 14 2020 02:05 PM - edited Aug 31 2020 06:09 AM
Go to: (Intune\Devices\Device Categories)
(https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesMenu/deviceCategories)
Create a category named "AAD Joined Devices"
Go to: (Intune\Groups)
(https://endpoint.microsoft.com/#blade/Microsoft_AAD_IAM/GroupsManagementMenuBlade/AllGroups)
Create a DYNAMIC group called "AAD Joined Devices" and add an expression where "Device Category" equals a value of "AAD Joined Devices"
Devices will need to have their Device Category changed to "AAD Joined Devices" manually.
Hope this helps!
Aug 30 2020 11:09 PM
Thank you for your response in this topic. Just a few questions:
1. Since when do AAD joined devices automatically set their device category?
2. When using a category, all my BYOD mobile devices are going to be asked to choose a category. That's why I don't like them that much (e.g. iOS enrollment with the Company Portal app).
Aug 31 2020 06:06 AM - edited Aug 31 2020 06:17 AM
Hey there Patrick,
I see the confusion, I fixed my earlier post so others don't get confused. I posted that when I was in the middle of testing everything and forgot to go back and change my post with the correct information I found after I was finished testing.
Sorry about that!
1. They don't. I manually change the AAD Joined devices "Device Category". Annoying for sure but it's the only way I've found to get all the AAD Joined devices into a group so I can apply policies only to those devices.
2. Correct, they will be asked to choose a category. I created a "more obvious" category called "Phones and Tablets" for them to choose so those BYOD devices (hopefully) don't end up in the "AAD Joined Devices" category. Not the most elegant solution but so far it's working. If a user chooses the wrong category I'll find it eventually when looking at the "AAD Joined Devices" group and can correct it then. My custom policies are only for Windows 10 so the phones and tablets, even if in the wrong group, won't apply those policies anyway.
Give me a shout if you have any more questions!
Have a great day!
Matt
Jan 23 2021 06:26 PM - edited Jan 23 2021 06:29 PM
@PatrickF11 I have the exact same issue all the time, and like you, I'm looking for a "dynamic rule", not something I need to manually set up anywhere.
It seems that this is simply not possible right now with Intune/Azure, but it'd be certainly be a welcome addition. They could also extend it to simply add a field with the domain to which the device is joined.
That way you could target not only AAD (as both of us seem to need), but also multiple domains (which still happens in some large organizations).
Btw, the scenario I have is the same as you, needed it when migrating to AAD.
By now, however, I've almost finished that migration, so I may not need it again.
I did miss the capability to make such a dynamic group throughout the whole process though.
In my case, I only had one AD (hybrid) and one AAD, so I kept manually maintaining the smallest one, using include/exclude rules to figure out the other automatically.
+1 We need this too.
We don't want to set a manual device category, because of the additional management.
Currently no way to do so except a global filter which contains all Windows devices.
Apr 21 2022 12:12 PM - edited Apr 21 2022 02:01 PM
Here is the rule I use and it seems to work. I haven't tested it for a long time yet.
(device.enrollmentProfileName -match ".*") and (device.accountEnabled -eq True) and (device.managementType -eq "MDM")
Edit: This is for Azure AD Joined. I'm trying to get rid of any last vestige of Hybrid so don't really care about them. Cheers.
Edit 2: I only have a couple of Hybrid Enrollment Profiles and they have the word Hybrid in them. I am pretty sure this works for those but currently don't have any devices in those profiles. We have a few laptops that might go in them for RADIUS unless our engineers get around to converting our RADIUS server from OU / Cert auth to just device certs or windows auth.
(device.enrollmentProfileName -match ".*") and (device.enrollmentProfileName -notContains "Hybrid") and (device.accountEnabled -eq True) and (device.managementType -eq "MDM")
Jun 13 2022 11:15 AM
@PatrickF11 Well, this is supported and available!
You can create Azure AD dynamic device groups based on Hybrid Azure AD Join and Azure AD Join. This uses the DeviceTrustType attribute. I have put across some more points and validation details etc. here:
Create AAD Dynamic Groups based on Domain Join Type Hybrid Azure AD and Azure AD.
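As an added example (not code from the thread or from the linked article), here is how the two groups described above can be created and sanity-checked with the Microsoft Graph PowerShell SDK, keyed on the DeviceTrustType attribute. The group names are my own; the trust-type values "AzureAD" (Azure AD joined) and "ServerAD" (hybrid joined) are taken from Microsoft's dynamic membership documentation rather than from this thread, and the accountEnabled guard mirrors the "enabled = true" condition mentioned later in the thread so that disabled, stale device objects fall out of the groups on their own.

```powershell
# Added example: create dynamic device groups by join type with Microsoft Graph PowerShell.
# Assumptions: the Microsoft.Graph SDK is installed and the signed-in account may create
# groups (e.g. Groups Administrator). Group names below are placeholders of my choosing.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.Read.All"

# One rule per join type; values per Microsoft's dynamic membership docs (not from the thread).
$groups = @(
    @{ Name = "DG-Devices-AzureADJoined"
       Rule = '(device.deviceTrustType -eq "AzureAD") and (device.accountEnabled -eq True)' },
    @{ Name = "DG-Devices-HybridJoined"
       Rule = '(device.deviceTrustType -eq "ServerAD") and (device.accountEnabled -eq True)' }
)

foreach ($g in $groups) {
    # Idempotent: skip groups that already exist so re-running the script is safe.
    $existing = Get-MgGroup -Filter "displayName eq '$($g.Name)'"
    if ($existing) {
        Write-Host "Group $($g.Name) already exists, skipping."
        continue
    }
    New-MgGroup -DisplayName $g.Name `
        -MailEnabled:$false `
        -MailNickname ($g.Name -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $g.Rule `
        -MembershipRuleProcessingState "On" | Out-Null
    Write-Host "Created dynamic group $($g.Name)"
}

# Validation: count enabled devices per trust type straight from the directory, so the
# numbers can be compared with each group's member count once rule processing completes.
Get-MgDevice -All -Property displayName,trustType,accountEnabled |
    Where-Object { $_.AccountEnabled } |
    Group-Object -Property TrustType |
    Select-Object Name, Count
```

Dynamic membership processing is asynchronous, so expect the group counts to lag the directory counts for a few minutes after creation; a device whose trustType is empty (e.g. Workplace-registered BYOD) lands in neither group, which is the behaviour the original poster wanted.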
Jun 28 2022 07:33 AM
Hey @Anoop C Nair,
thank you very much for sharing this (and the link to the twitter post in your article).
It's really great to hear that Microsoft has reworked this one. :)
I've tested the dynamic query which was mentioned in your article's comments (including enabled = true, etc.).