Dynamic Groups are great! They can be used for maintaining device and user groups based on attributes available in Azure AD. Strict management of those Azure AD attributes is required here: dynamic groups are populated from whatever information is present, so you should manage that information carefully.
Today someone asked for Dynamic Group examples and where to use them. Sharing the Dynamic Groups I use most often will probably help someone. Here are some examples I use regularly.
- Group name: MDM-All-iOS-Devices
- Group type: Dynamic device
- Rule syntax: (device.deviceOSType -eq "iPad") or (device.deviceOSType -eq "iOS") or (device.deviceOSType -eq "iPhone")
Above group can be used for deploying settings/apps/scripts to all iOS devices. In this case I put iPad and iPhone in the same group. I could use this group to deploy mandatory applications, for example.
- Group name: MDM-All-Android-Devices
- Group type: Dynamic device
- Rule syntax: (device.deviceOSType -eq "Android")
Above group can be used for deploying settings/apps/scripts to all Android devices. I could use this group to deploy mandatory applications for all Android devices, for example.
- Group name: Windows 10 Devices
- Group type: Dynamic device
- Rule syntax: (device.deviceOSVersion -startsWith "10.0.1") -and (device.deviceOSType -startsWith "Windows") -and (device.managementType -eq "MDM")
Above group contains all Windows 10 devices which are managed by MDM. It can be used for settings/apps which are required for all Windows 10 devices within the tenant.
- Group name: Windows 11 Devices
- Group type: Dynamic device
- Rule syntax: (device.deviceOSVersion -startsWith "10.0.2") -and (device.deviceOSType -startsWith "Windows") -and (device.managementType -eq "MDM")
Above group contains all Windows 11 devices which are managed by MDM. It can be used for settings/apps which are required for all Windows 11 devices within the tenant.
- Group name: Company_UK
- Group type: Dynamic user
- Rule syntax: (user.companyName -contains "Liverpool") or (user.companyName -contains "London")
Above group contains all the users where the company field contains the word "Liverpool" or "London". This can be used if (for example) the city name is mentioned in the company name field, e.g. Contoso London, Contoso Liverpool. You can use this group (for example) to deploy regional settings and/or apps.
- Group name: Company_SP
- Group type: Dynamic user
- Rule syntax: (user.companyName -contains "Barcelona") or (user.companyName -contains "Madrid")
Above group contains all the users where the company field contains the word "Barcelona" or "Madrid". This can be used if (for example) the city name is mentioned in the company name field, e.g. Contoso Barcelona, Contoso Madrid.
- Group name: Company_Barcelona
- Group type: Dynamic user
- Rule syntax: (user.city -contains "Barcelona")
Above group contains all the users where the city field contains the word "Barcelona". This can be used if the city name is filled in the city field, e.g. Contoso Barcelona. You can use this group to deploy all Barcelona office printers, for example.
- Group name: Department_Sales
- Group type: Dynamic user
- Rule syntax: (user.department -contains "Sales")
Above group contains all the users where the department field contains the word "Sales". You can use this group (for example) to deploy Sales applications and/or use it for SharePoint site access.
- Group name: Company_Managers
- Group type: Dynamic user
- Rule syntax: (user.jobTitle -contains "Manager")
Above group contains all the users where the job title field contains the word "Manager". This can be used for management access to specific apps, settings or whatever else you need to manage.
See Microsoft’s full documentation on Dynamic Groups here.
Validate Dynamic Groups
Before creating a group you can validate whether specific users/devices will be added to it by using the validate feature. In the example below I'll check if my selected user would be added to the group I am creating here. In this case the user's Job Title field does not contain the word IT and therefore the validation gives a "Not in group" result.
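Because every rule above is only as trustworthy as the attribute it reads (a job title or department that someone can edit decides who lands in a group that grants access), it pays to inventory the rules periodically. The following is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK (assumed installed, with Group.Read.All consented) to list every dynamic group, its rule and member count, and flag rules that depend on the user attributes this post's examples rely on.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph SDK
# is installed and the signed-in account has Group.Read.All.
Connect-MgGraph -Scopes "Group.Read.All"

# User attributes the post's rules key on; they are often writable by HR sync
# or by the users themselves, so a change there silently changes membership.
$watchAttributes = @('user.jobTitle', 'user.department', 'user.companyName', 'user.city')

# Only groups with dynamic membership carry a MembershipRule.
$dynamicGroups = Get-MgGroup -All `
    -Filter "groupTypes/any(c:c eq 'DynamicMembership')" `
    -Property Id, DisplayName, MembershipRule, MembershipRuleProcessingState

$report = foreach ($g in $dynamicGroups) {
    # -match is case-insensitive, so user.JobTitle and user.jobtitle both count.
    $hits = $watchAttributes | Where-Object { $g.MembershipRule -match [regex]::Escape($_) }

    [pscustomobject]@{
        Group        = $g.DisplayName
        Processing   = $g.MembershipRuleProcessingState   # 'On' or 'Paused'
        Rule         = $g.MembershipRule
        MutableAttrs = ($hits -join ', ')                  # empty = device-only or other attributes
        Members      = (Get-MgGroupMember -GroupId $g.Id -All).Count
    }
}

# Groups driven by mutable user attributes sort to the top for review.
$report | Sort-Object -Property MutableAttrs -Descending | Format-Table -AutoSize
```

Review the flagged groups against what they are assigned to (apps, policies, SharePoint access) and confirm who is allowed to write the attribute each rule depends on.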
Regarding iOS devices, you should also include "iPhone" as well:
(device.deviceOSType -eq "iPad") or (device.deviceOSType -eq "iOS") or (device.deviceOSType -eq "iPhone")
I have all 3 different types when managing iPhones and iPads.
Hi Bo,
Agree! Will add these to the post. Thanks!
You'd better use this query: (device.deviceOSType -in ["Ipad","iphone","ios"])
This is more readable and saves you 2 places for other conditions.
The GUI only allows 5 conditions. Using the -in method only takes 1 place, while “x or y or z” takes 3.
Credits to https://itexperience.net/top-guide-for-dynamic-groups-in-intune/#using-the-in-operator btw. Not