SOLVED

Create dynamic device group based off of which user enrolled the device


Is there a way to create a dynamic device group based off of which user enrolled the device? For example, I have an admin account that enrolled a bunch of kiosk machines, and I want the group to consist of all the devices that were enrolled by that account. (It might just be me being dense, but I can't for the life of me figure out how to do this based off Microsoft's documentation.)

13 Replies
You can fill a static group with the help of an Azure Automation Runbook and a PowerShell script. I think for dynamic groups there is no attribute with which you can filter on the enrollment user.
best response confirmed by skythrock (Copper Contributor)
Solution

Hi @skythrock,

From my understanding, it wasn't possible to create a dynamic group based on which user enrolled the device into Azure AD. But I did some research via the Graph API and I have found a solution: the physicalIds field in Azure AD contains USER-GID information. So this means that you can build a dynamic query on that.

The only thing you need is the ID of your admin account. So go to Azure AD -> Users -> Admin account -> Copy the user ID from the address bar.

So, you have all the needed information and you can create a dynamic group with the following dynamic query, and you will get all Azure AD devices that have been enrolled with your admin account.

device.devicePhysicalIDs -any _ -contains "[USER-HWID]: <ID of your Admin account> "

OR

device.devicePhysicalIDs -any _ -contains "[USER-GID]:<ID of your Admin account>"

Hopefully, this will help you.

Kind regards,

Rene
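A local dry-run of the membership rule from the answer above, added here as an example and not code from the thread. It builds the rule for a given enrolling-user object ID, evaluates `-any _ -contains` the same way (substring match against each physicalIds entry) over a constructed device list shaped like the Microsoft Graph `GET /devices` response, and lists devices that carry no [USER-GID] entry at all, so you can see what the group would contain before saving it. The GUIDs, device names and hardware IDs are made up.

```python
import re
import uuid

# Constructed sample, shaped like the "physicalIds" field that Microsoft Graph
# returns for GET /devices. Every GUID and hardware ID below is made up.
ADMIN_ID = "11111111-2222-3333-4444-555555555555"   # assumed object ID of the kiosk enrollment account
OTHER_ID = "99999999-8888-7777-6666-555555555555"   # some other enrolling user
DEVICES = [
    {"displayName": "KIOSK-01", "operatingSystem": "Windows",
     "physicalIds": [f"[USER-GID]:{ADMIN_ID}", "[GID]:g:6825786198245679", "[HWID]:h:6825786198245679"]},
    {"displayName": "KIOSK-02", "operatingSystem": "Windows",
     "physicalIds": [f"[USER-GID]:{ADMIN_ID}", "[GID]:g:6825786198245680", "[HWID]:h:6825786198245680"]},
    {"displayName": "LAPTOP-07", "operatingSystem": "Windows",
     "physicalIds": [f"[USER-GID]:{OTHER_ID}", "[GID]:g:6825786198245681"]},
    {"displayName": "PHONE-03", "operatingSystem": "iOS",
     "physicalIds": []},   # no USER-GID entry at all: a rule on that key can never match it
]

RULE_RE = re.compile(r'^device\.devicePhysicalIds -any _ -contains "([^"]*)"$')

def build_rule(user_id: str, key: str = "USER-GID") -> str:
    """Build the membership rule from the accepted answer for one enrolling user."""
    uuid.UUID(user_id)  # refuse anything that is not an object ID (e.g. a UPN copied by mistake)
    return f'device.devicePhysicalIds -any _ -contains "[{key}]:{user_id}"'

def rule_matches(device: dict, rule: str) -> bool:
    """Local dry-run of `-any _ -contains "<needle>"`: does any physicalIds entry contain needle?"""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule}")
    needle = m.group(1)   # taken literally, so stray whitespace inside the quotes matches nothing
    return any(needle in entry for entry in device.get("physicalIds", []))

def preview_group(rule: str, devices=DEVICES) -> list:
    """Names of the devices the rule would pull into the group, for checking before you save it."""
    return sorted(d["displayName"] for d in devices if rule_matches(d, rule))

def unmatched_by_any_user_gid(devices=DEVICES) -> list:
    """Devices carrying no [USER-GID] entry: these can never land in such a group."""
    return sorted(d["displayName"] for d in devices
                  if not any(e.startswith("[USER-GID]:") for e in d["physicalIds"]))

if __name__ == "__main__":
    rule = build_rule(ADMIN_ID)
    print(rule)
    print("would match:", preview_group(rule))
    print("no USER-GID entry:", unmatched_by_any_user_gid())
```

Running it against a real tenant means replacing DEVICES with the `physicalIds` values pulled from Graph for your devices; the matching logic stays the same.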

@Mr_Helaas This is exactly what I was looking for! Thanks for your response.

We are using different Scope Tag for Kiosk Machines

@Mr_Helaas From my findings this only shows the Windows enrolled devices, not the mobile 'iPhone' or 'Android' devices. Is there something I am doing wrong?

Hi @adrian-erw, what dynamic query are you using?

@Mr_Helaas

I have been looking at this post. I have about the same issue, but I would like to add devices into a group if the user is a member of another group. I have been trying to use user.memberof -any (group.objectId -in ['groupId', 'groupId']), but I'm not sure if I can mix a lookup of users into a dynamic device group.

Hi @tmonse970,

Unfortunately, that is not possible without automation. You can't get the devices of the users who are part of a group. I have done this before with a Logic App and the Graph API.

@Mr_Helaas Is there any chance that you could share how you approached that? Even just a basic framework and I can work out the finer details?

I have a testing user group that I'd like to create a group that mirrors it but to contain those users' primary devices.

@Dannymac223 We are using Runbooks in an Azure Automation account to resolve this issue.

Hi @Dannymac223,

If you can give me some time, I will make a blog post of it.

Kind regards,

Rene

I can always give time for a cleaner solution. My current attempts are a butchered mix of PowerShell scripts to export a user's devices in AAD (inaccurate), acquire the device IDs for those devices, then bulk upload those device IDs to the device group.