Sep 20 2020 - last edited on Sep 23 2020
Sep 24 2020 08:43 AM
@Pallavi_Joshi I want to give admins that are scoped to certain devices the right to delete those devices.
When I set Managed devices --> Delete to Yes, this gives that role the option to delete devices, but it also gives access to "set device clean-up rules" for the whole tenant. Can the "device clean-up rules" be denied in some way?
Sep 24 2020 12:03 PM
@Pallavi_Joshi What is the best way to dynamically add computers to Azure device groups that can be assigned to a scope tag? At our university we have two Configuration Manager sites that will be joined to one tenant, and we are currently unsure whether we can dynamically assign one Configuration Manager site's systems to one dynamic group and the other Configuration Manager site's systems to another dynamic group, each assigned its own scope tag for RBAC permissions.
Sep 24 2020 12:12 PM
@Tim_Wolf Have you tried making a dynamic group based on organizational unit? Or you could try display name if you have a naming convention for both sites.
(device.displayName -contains "Site1-computer1") or (device.organizationalUnit -contains "OU=1stfloor")
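As an added example (not code posted in the thread), here is how the two per-site dynamic device groups suggested above can be created with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups module), so the resulting groups can then be assigned to each site's scope tag. The group names, the "Site1-"/"Site2-" prefixes and the OU name are assumptions standing in for your own naming convention. Note that `-contains "Site1-computer1"` matches only that single device; for a prefix-based naming convention `-startsWith` is the operator that matches every device following it.

```powershell
# Added example, not from the original thread. Assumes the Microsoft.Graph.Groups module is installed
# and that device display names follow the (assumed) convention "<SiteName>-<computername>".
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# One dynamic device group per ConfigMgr site, keyed on the display-name prefix.
$siteRules = @{
    "Site1-Devices" = '(device.displayName -startsWith "Site1-")'
    "Site2-Devices" = '(device.displayName -startsWith "Site2-")'
}

# OU-based alternative for hybrid Azure AD-joined devices, where organizationalUnit is synced
# from on-premises AD (OU name is an assumption):
#   '(device.organizationalUnit -contains "OU=Site1")'

foreach ($name in $siteRules.Keys) {
    New-MgGroup -DisplayName $name `
        -MailEnabled:$false `
        -MailNickname $name.ToLower() `
        -SecurityEnabled `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $siteRules[$name] `
        -MembershipRuleProcessingState "On"
}
```

Once the groups exist, add each one to the corresponding scope tag under Tenant administration > Roles > Scope (Tags) in the Intune admin center; the scope tag then limits the assigned admins to devices that land in that group. Dynamic membership is evaluated asynchronously, so allow some time after creation before checking that devices appear as members.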
Sep 24 2020 12:43 PM
@hotdogh2o Thanks. We can use the second query. Does that show up once a system is co-managed?
Sep 28 2020 06:54 AM
@hotdogh2o Thanks for going through the video and posting the query. As you mentioned, configuring device cleanup rules should be allowed only for specific admins, given their tenant-wide impact. Let me check if there are specific permissions for allowing/blocking its configuration.
Oct 06 2020 07:21 AM
@Pallavi_Joshi Were you able to reproduce the same results in a test tenant when giving a user delete permissions on devices?
Oct 06 2020 01:38 PM
@Tim_Wolf - If you enable tenant attach in the ConfigMgr site, you can enable cloud sync for a collection. This will allow you to sync all hybrid Azure AD-joined devices in that collection into an AAD security group. You can then assign an Intune scope tag to that security group.
Feb 08 2021 02:24 AM
@Pallavi_Joshi: Hello,
thanks for the video. Is there also a video available on how to create the mentioned dynamic device groups?
I don't know how to create a device group that shows, e.g., all German iOS devices or all devices of Finance. This is not described in your video. I can only filter in dynamic USER groups for regional settings such as Germany. I need a group that includes all devices of users that are located in a specific location, e.g. Berlin. How can I do that?
The filter with the organizational units isn't working for me either, because in Azure there is just a flat structure without OUs. So how do I find out in which OUs, e.g., the iOS devices are?
Feb 09 2021 02:56 AM
@Martin_Reisinger There are various ways to create device groups to identify a user's device:
Feb 11 2021 06:28 AM
Thank you very much for your fast reply.
Unfortunately that does not help much. We have approx. 500 locations. It isn't practical to create 500 categories to assign them to scope tags. Furthermore, it is not user-friendly if a user has to scroll through a list of 500 entries during enrollment. Users make mistakes. We cannot ensure that the user will choose the correct location.
Regarding the script you mentioned: We are a global player with over 200,000 user objects and approx. 40,000 devices. How long will the script take to go through all user accounts and devices to collect them into a device group? Furthermore, in Azure there are also many ghost device entries that we don't want to be members of those device groups.
1. The location information is available in Active Directory. Why is it not possible to grab such information from it?
2. Could you please describe how you created the "all German devices" group in your example? As far as I know, the filter "usageLocation" is only available for user objects.
Thanks in advance
Feb 15 2021 03:08 AM
@Martin_Reisinger Hi, you can do a full run of the script once a day/week, and then have a separate version that runs more frequently based on the enrolment date being between now and the last time the script ran, to optimize the script.
Please feel free to suggest your ideas around usageLocation querying on user voice - Azure Active Directory: Groups/Dynamic groups (109 ideas) – Customer Feedback for ACE Community Tool...
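As an added example (not the script discussed in the thread, whose contents are not on the page), here is one way to implement the full/incremental approach described in the reply above with the Microsoft Graph PowerShell SDK: read Intune managed devices, resolve each device's primary user to get a location attribute that exists only on the user object (the thread notes that usageLocation is not available on devices), resolve the Intune record to its Azure AD device object, and add that object to a per-location assigned group. Devices with no primary user or no Azure AD object (the "ghost" entries mentioned above) are skipped. The `-Full` switch re-processes everything; otherwise only devices enrolled since the timestamp saved by the previous run are processed. The group naming convention `Devices-<city>`, the use of the user's `city` attribute, the state-file path and the module names are assumptions.

```powershell
# Added example, not from the original thread. Assumes the Microsoft.Graph.DeviceManagement,
# Microsoft.Graph.Users, Microsoft.Graph.Groups and Microsoft.Graph.Identity.DirectoryManagement
# modules are installed, and that one assigned security group named "Devices-<city>" exists per location.
param(
    [switch]$Full,                                     # -Full: process every managed device
    [string]$StatePath = "$PSScriptRoot\lastrun.json"  # assumed location of the last-run marker
)

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All", "User.Read.All",
                        "Device.Read.All", "GroupMember.ReadWrite.All"

# Incremental mode: only devices enrolled after the previous run.
$since = [datetime]::MinValue
if (-not $Full -and (Test-Path $StatePath)) {
    $since = [datetime](Get-Content $StatePath -Raw | ConvertFrom-Json).LastRun
}
$runStarted = (Get-Date).ToUniversalTime()

# The managedDevices endpoint supports only limited server-side filtering, so pull all records
# and filter locally on enrolment date; drop records that have no primary user to resolve.
$devices = Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.EnrolledDateTime -gt $since -and $_.UserPrincipalName }

$groupCache = @{}
foreach ($d in $devices) {
    # Location lives on the user object (usageLocation / city), not on the device.
    $user = Get-MgUser -UserId $d.UserPrincipalName -Property "usageLocation,city" -ErrorAction SilentlyContinue
    if (-not $user -or -not $user.City) {
        Write-Verbose "Skipping $($d.DeviceName): no primary user or no city attribute"
        continue
    }

    # Map the Intune record to its Azure AD device object; skip ghost Intune records with none.
    $aadDevice = Get-MgDevice -Filter "deviceId eq '$($d.AzureAdDeviceId)'" -Property "id"
    if (-not $aadDevice) {
        Write-Verbose "Skipping $($d.DeviceName): no matching Azure AD device object"
        continue
    }

    # Assumed naming convention: one assigned group per city. Escape quotes for the OData filter.
    $groupName = "Devices-$($user.City)"
    if (-not $groupCache.ContainsKey($groupName)) {
        $escaped = $groupName.Replace("'", "''")
        $g = Get-MgGroup -Filter "displayName eq '$escaped'" -Property "id"
        $groupCache[$groupName] = if ($g) { $g.Id } else { $null }
        if (-not $g) { Write-Warning "Group '$groupName' does not exist; devices in $($user.City) are not assigned" }
    }
    if (-not $groupCache[$groupName]) { continue }

    try {
        New-MgGroupMember -GroupId $groupCache[$groupName] -DirectoryObjectId $aadDevice.Id -ErrorAction Stop
    }
    catch {
        # Typically "already a member"; log and carry on rather than abort the whole run.
        Write-Verbose "$($d.DeviceName) -> $groupName: $($_.Exception.Message)"
    }
}

# Persist the start time of this run so the next incremental run picks up from here.
@{ LastRun = $runStarted.ToString("o") } | ConvertTo-Json | Set-Content $StatePath
```

Run it as `.\Assign-DeviceGroups.ps1 -Full -Verbose` for the weekly full pass and without `-Full` for the frequent incremental pass. Because the script writes group membership across the tenant, run it under a dedicated automation identity holding `GroupMember.ReadWrite.All`, not under the scoped admins' accounts; the scoped admins only need the role assignment whose scope tag points at the resulting groups.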