"Special" dynamic device group


I need in Intune a dynamic device group for testing.

So let me explain what I tried:

All our devices are in our onPrem AD, and for my test we have a group inside the computer group.

First I tried a dynamic device group with OU but I saw that this isn't supported anymore.

Then I tried to filter the devices with our internal IP (maybe I had the wrong filter for this). This didn't work either, so I gave one device an extensionAttribute and tried to create the dynamic device group with the extensionAttribute, but nothing happened.

My question is: isn't it possible to create a dynamic device group with a query from the AD?

Or can it be possible that the AD Connector is stuck?


Kind regards

9 Replies

@Parmaster what I've done is create special groups on-premises using a PowerShell scheduled task.


What will the dynamic group contain?
It's a device group (on AD) for our intern test.
Using a dynamic group for Intune assignments is not a good idea unless you are using an Autopilot dynamic group. For everything else, try to use device filters as much as possible. That is why I asked about the intended membership of the group. Are the intern devices based on OU or something else? Is there any other common identifier that you can use, like a naming convention?
That's what I asked for.
Yes, they have another OU, but device.organizationalUnit doesn't work anymore, and device.extensionAttribute1 doesn't give any device back (although it's present with PowerShell).

So my question is: can a dynamic device group read from AD or not?
Yes and no. AAD can sync, but only the ones it supports. As I see it, the extension attribute is your best option here. https://learn.microsoft.com/en-us/graph/api/device-update?view=graph-rest-1.0&tabs=http#example-2--w...
I have set the extension attribute on the device but in AD. But the group with the dynamic device rule with device.extensionAttribute is empty in Entra.
My question is still: Is it possible to read the extension attribute from AD or not?
Nope. You will have to configure it for the registered object that is in AAD.
Ok thank you!
Then I know what to do.
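
What the last reply describes, as an added example that is not part of the thread: writing extensionAttribute1 on the device object in Entra ID through Microsoft Graph (the device-update call linked above), reading it back, and printing the matching dynamic membership rule. The device names, the value `InternTest` and the requested scope are assumptions; it uses the Microsoft Graph PowerShell SDK.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement
param(
    [string[]]$DeviceNames = @('TEST-PC-01', 'TEST-PC-02'),  # constructed sample names
    [string]$Value = 'InternTest'                            # hypothetical marker value
)

# Scope is an assumption; confirm it against the permissions table of the
# device-update page linked in the thread before running this in a tenant.
Connect-MgGraph -Scopes 'Directory.AccessAsUser.All'

$base = 'https://graph.microsoft.com/v1.0/devices'
$body = @{ extensionAttributes = @{ extensionAttribute1 = $Value } } | ConvertTo-Json

foreach ($name in $DeviceNames) {
    # displayName is not unique in Entra ID (stale or re-registered objects),
    # so only tag a device when exactly one object carries the name.
    $escaped = $name.Replace("'", "''")
    $found = @(Get-MgDevice -Filter "displayName eq '$escaped'" -All)
    if ($found.Count -ne 1) {
        Write-Warning "$name matched $($found.Count) device objects; skipped."
        continue
    }
    $id = $found[0].Id   # directory object id, not the deviceId property

    # The attribute is written on the cloud object; the value set on the
    # computer account in on-premises AD is not what the dynamic rule reads.
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/$id" -Body $body `
        -ContentType 'application/json'

    # Read the value back so a failed or partial update is visible immediately.
    $check = Invoke-MgGraphRequest -Method GET `
        -Uri "$base/$($id)?`$select=displayName,extensionAttributes"
    $actual = $check.extensionAttributes.extensionAttribute1
    if ($actual -eq $Value) {
        Write-Output "$name tagged: extensionAttribute1 = $actual"
    } else {
        Write-Warning "$name still shows extensionAttribute1 = '$actual'"
    }
}

# Membership rule for the dynamic device group in Entra ID.
Write-Output "Rule: (device.extensionAttribute1 -eq `"$Value`")"
```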