Section 2 of 7
In Progress

Leveraging Azure AD dynamic device security groups

12th December 2022

Aim: To understand that devices can be grouped dynamically in Azure AD based on rules that check for matching device attribute values stored in the directory. 

In Azure Active Directory (AAD) you can use rules based on user and device attributes to dynamically determine group membership. 

Note: using dynamic groups requires Azure AD Premium licenses or Intune for Education licenses on the tenant. 

In Intune, you can deploy settings and apps to both AAD Dynamic Device and Dynamic User security groups. 

  • For example: You may wish to deploy Windows Updates at a higher velocity to a subset of devices running a Windows version (device.deviceOSVersion) that is due to be phased out. 
  • For Windows 10, the deviceOSVersion attribute is interpreted as a string of characters and correct format of as follows: (device.deviceOSVersion -startsWith “10.0.1”) 

Other examples: 

  • Create an “All devices” rule: 

(device.objectId -ne null) 

  • Create a rule based on device names: 

(device.displayName -startsWith “SCH-S-1-“) 

  • Create a rule that only includes devices that were enrolled using Windows Autopilot: 

(device.devicePhysicalIDs -any (_ -contains “[ZTDID]”)) 


How to create a rule 

Supported properties and syntax