Dynamic groups for devices

In this blog post, we’ll explore the steps to create dynamic device groups using PowerShell. These groups can be used for targeting configuration and other policies within Intune.

Make sure you have an Azure subscription with administrative access and Azure AD PowerShell module installed on your local machine. It is also possible to use Azure Cloud Shell.

Let’s get into the process:

Connect to Azure AD:

Connect-AzureAD 

Follow the prompts to authenticate with your Azure AD credentials.

Create a dynamic device group:

# The membership-rule syntax uses double quotes for string literals, so the rule itself must sit in a single-quoted PowerShell string
$rule = '(device.displayName -startsWith "US-WIN-") and (device.deviceOSType -eq "Windows")'
# New-AzureADMSGroup requires the mail/security flags and a mail nickname; -GroupTypes "DynamicMembership" is what makes the group dynamic
New-AzureADMSGroup -DisplayName "US Windows Devices" -Description "All US Windows devices" -MailEnabled $false -MailNickname "USWindowsDevices" -SecurityEnabled $true -GroupTypes "DynamicMembership" -MembershipRule $rule -MembershipRuleProcessingState "On"

This group will collect all Windows devices whose display name starts with “US-WIN-”.

The -MembershipRuleProcessingState parameter determines whether the membership rule is processed: "On" evaluates the rule and keeps the membership updated, while "Paused" stores the rule without applying it.

To confirm the successful creation of the dynamic device group:

Get-AzureADMSGroup -SearchString 'US Windows Devices'

If you need to modify the dynamic group membership criteria, update the membership rule:

# Windows 11 (21H2 through 23H2) reports deviceOSVersion as 10.0.22xxx.x, so the prefix is "10.0.22" (24H2 reports 10.0.26100); the rule again uses single outer quotes
$rule = '(device.displayName -startsWith "DE-WIN-") and (device.deviceOSVersion -startsWith "10.0.22")'
$group = Get-AzureADMSGroup -SearchString 'US Windows Devices'
# Set-AzureADMSGroup takes -Id (the older Set-AzureADGroup cmdlet is the one that uses -ObjectId)
Set-AzureADMSGroup -Id $group.Id -MembershipRule $rule

This will change the membership to devices whose display name starts with “DE-WIN-” and whose OS version identifies them as Windows 11.
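The steps above, combined into one script, as an added example that is not part of the original post: it creates the group only if it does not already exist, corrects the rule in place if it has drifted, and then polls the membership, because Azure AD evaluates dynamic rules asynchronously and the group is empty for some minutes after creation. It assumes the same AzureAD module the post uses (now deprecated in favour of Microsoft Graph PowerShell) and that Connect-AzureAD has already run; the group name, nickname, prefix and timeout are placeholder values. One caveat for anyone gating sensitive policy on such a group: device.displayName follows the computer name, which a local administrator can change, so a rule keyed only on it can be matched by renaming a device. Attributes the device owner cannot set, such as device.deviceTrustType or device.enrollmentProfileName, give a stronger guarantee.

```powershell
# Added example (not from the original post). Assumes: AzureAD module installed,
# Connect-AzureAD already run. Names, prefix and timeout below are placeholders.

$DisplayName  = 'US Windows Devices'
$MailNickname = 'USWindowsDevices'      # required by New-AzureADMSGroup even for security groups
$NamePrefix   = 'US-WIN-'

# Rule syntax uses double quotes for literals, so build it inside a single-quoted
# PowerShell string and substitute the prefix with the -f operator.
$Rule = '(device.displayName -startsWith "{0}") and (device.deviceOSType -eq "Windows")' -f $NamePrefix

# Exact-name lookup; -SearchString is only a prefix match and can return several groups.
$Group = Get-AzureADMSGroup -Filter "displayName eq '$DisplayName'"

if (-not $Group) {
    $Group = New-AzureADMSGroup -DisplayName $DisplayName `
        -Description 'All US Windows devices' `
        -MailEnabled $false -MailNickname $MailNickname -SecurityEnabled $true `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $Rule -MembershipRuleProcessingState 'On'
    Write-Host "Created group $($Group.Id)"
}
elseif ($Group.MembershipRule -ne $Rule) {
    # Rule drift: put the intended rule back (Set-AzureADMSGroup uses -Id, not -ObjectId)
    Set-AzureADMSGroup -Id $Group.Id -MembershipRule $Rule -MembershipRuleProcessingState 'On'
    Write-Host "Updated rule on group $($Group.Id)"
}

# Membership is computed by a background process; poll until devices appear or we time out.
$Deadline = (Get-Date).AddMinutes(10)
do {
    $Members = Get-AzureADGroupMember -ObjectId $Group.Id -All $true
    if ($Members.Count -gt 0) { break }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $Deadline)

Write-Host "$($Members.Count) device(s) currently match the rule:"
$Members | Select-Object DisplayName, DeviceOSType, DeviceOSVersion | Format-Table -AutoSize
```

Run it once to create the group and again at any time to re-apply the intended rule; the second run is a cheap way to detect that someone has changed the rule through the portal, which is worth checking for any group that receives privileged configuration.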

With Azure AD dynamic device groups device management becomes streamlined and automated. By following the steps outlined in this blog post, you can create and manage dynamic device groups.

We still lack some flexibility with these groups. As an example, I am frequently faced with the request to manage device groups based on a user attribute. At Exobe we have built a solution for this that collects users based on an attribute, together with their devices, into groups. It’s called Dynamic User and Device Enumeration (DUDE). My colleague has written a blog about it here.
Feel free to contact me if you got any questions or need help setting that up.
