In this post I will cover how to create a Dynamic group in Azure AD. A Dynamic group, which can be either Dynamic User or Dynamic Device, builds its membership from a query, so the membership keeps changing as objects start or stop meeting the criteria.

What is Dynamic Group

If you want to create a group based on a complex user / device attribute, a Dynamic group is an option. A static group containing a few systems is not updated automatically; you have to keep adding / removing devices / users yourself as your requirements change.

A properly configured Dynamic group updates its membership dynamically based on the query we have provided.

Dynamic groups require an Azure AD Premium P1 license (or Intune for Education) for each unique user that is a member of one or more dynamic groups.

Create Dynamic Group

Let’s pick an example to create Dynamic Group of all Windows 10 devices in Azure.

A Dynamic Group can be created either through the Azure AD Portal or the MEM Admin Center. Let’s log in to the Azure Portal and navigate to Azure Active Directory > Groups. Click on New group.

New group Azure

This will open the New Group blade. Select Group type as “Security” and provide the Group name “Windows 10 Devices”.

Under Membership type, we have 3 options:

  • Assigned
  • Dynamic User
  • Dynamic Device

Select “Dynamic Device”.

Under Dynamic device members, click Add dynamic query.

Create Dynamic Device Group

This will open Dynamic membership rules blade.

Under Configure Rules, choose a Property, Operator and Value. Multiple attributes are available for Property:

Dynamic membership rules deviceOSType
  • accountEnabled
  • objectId
  • displayName
  • isRooted
  • deviceOSType
  • deviceOSVersion
  • deviceCategory
  • deviceManufacturer
  • deviceModel
  • deviceOwnership
  • enrollmentProfileName
  • managementType
  • organizationalUnit
  • deviceId
  • devicePhysicalIds
  • systemLabels

Let’s select deviceOSType Equals “Windows”, select deviceOSVersion Contains “10.0.1”.

Dynamic membership rules deviceOSVersion

You will notice that the Rule syntax field auto-populates the query, in this case:

(device.deviceOSType -eq "Windows") and (device.deviceOSVersion -contains "10.0.1")

Validate Rules, which is still in Preview, lets us check and verify what results we get for a few selected devices. For this, click on Validate Rules (Preview).

Click on Add devices and select a few of the devices you want to evaluate against the Windows 10 rule. Each device is shown with a green or red mark.

Dynamic membership rules Rule syntax

Click on View details to see why a device is marked red and was not added by the dynamic membership rule.

While checking the Verification details, I see that deviceOSType “Windows” evaluated to true, but deviceOSVersion evaluated to false because the version we got was “10.0.22000.132” while the rule expects 10.0.1.

Dynamic group Verification details

The OS version of Windows 10 devices always starts with 10.0.1; the following are a few examples of Windows 10 versions:

Windows 10 1903: 10.0.18362
Windows 10 1909: 10.0.18363
Windows 10 2004: 10.0.19041
Windows 10 20H1: 10.0.19042
Windows 10 21H1: 10.0.19043
Windows 10 21H2: 10.0.19044

The build number (build version) consists of Major.Minor.BuildVersion.HotfixVersion. I am not focusing on the hotfix version, which is the security patch version and gets updated every month.

For Windows 11, one example is:

Windows 11 21H2: 10.0.22000

Click on Save and Create to proceed with creation of New group.

Under All groups, search for the newly created group “Windows 10 Devices” and click on Members.

Dynamic group members

All direct members are listed here based on the query we specified.

You may click on Dynamic membership rules to return to Configure Rules and check or modify the rule if required.
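The same group can be created without the portal. The following is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK (assumed to be installed, with an account that holds Group.ReadWrite.All) to create the “Windows 10 Devices” dynamic device group with the exact rule syntax shown above and then lists its direct members. The mail nickname and the two-minute wait are assumptions.

```powershell
# Added example (not from the original post): create the "Windows 10 Devices"
# dynamic device group via Microsoft Graph PowerShell and list its members.
# Assumes the Microsoft.Graph module is installed and the signed-in account
# has Group.ReadWrite.All (to create the group) and Device.Read.All.

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

# Same rule syntax the portal auto-populated. Single quotes on the outside
# keep the double quotes the rule language requires intact.
$rule = '(device.deviceOSType -eq "Windows") and (device.deviceOSVersion -contains "10.0.1")'

$group = New-MgGroup `
    -DisplayName 'Windows 10 Devices' `
    -MailNickname 'win10devices' `                  # assumed nickname; any unique value works
    -MailEnabled:$false `
    -SecurityEnabled `                              # Group type "Security"
    -GroupTypes @('DynamicMembership') `            # Membership type "Dynamic Device"
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'             # start evaluating immediately

"Created group $($group.DisplayName) ($($group.Id))"

# Membership is evaluated asynchronously by the directory; the first pass
# usually takes a few minutes, so give it some time before reading members.
Start-Sleep -Seconds 120

# Members come back as directoryObjects; device attributes sit in AdditionalProperties.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object {
        [pscustomobject]@{
            DisplayName = $_.AdditionalProperties['displayName']
            OSType      = $_.AdditionalProperties['operatingSystem']
            OSVersion   = $_.AdditionalProperties['operatingSystemVersion']
        }
    } | Format-Table -AutoSize
```

If the member list is still empty after the wait, re-run the Get-MgGroupMember pipeline rather than recreating the group; the rule itself can be changed later with Update-MgGroup -MembershipRule.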

Dynamic membership rules

If you want to explore which attributes / properties are available and what their values look like, you may run the following commands to get the information of a specific device.

Open a PowerShell console and run the following commands:

# install the MSOnline module (once) and sign in to Azure AD
Install-Module MSOnline
Connect-MsolService
# dump every property stored for one device, by its display name
Get-MsolDevice -Name "Win10-1909"

Running Connect-MsolService prompts you for the credentials used to connect to Azure AD.

Note: I ran the last command for a specific device to get the information of all objects stored for the device.

This helps us check which fields are populated for the device.

Let’s see few more examples.

Create Windows 10 1909 dynamic group

Rule syntax for Windows 10 1909 dynamic group will be:

(device.deviceOSVersion -contains "10.0.18363")

Create Windows 10 20H2 dynamic group

Rule syntax for Windows 10 20H2 dynamic group will be:

(device.deviceOSVersion -contains "10.0.19042")

Create Windows 11 dynamic group

Windows 11 OS build versions start with 10.0.2; Windows 11 21H2 is 10.0.22000. To create a group for all Windows 11 devices, let’s use:

(device.deviceOSType -eq "Windows") and (device.deviceOSVersion -contains "10.0.2")
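To see why the verification above marked the 10.0.22000.132 device red, and to check the four version rules on this page (10.0.1, 10.0.18363, 10.0.19042 and 10.0.2) against an inventory before saving a group, the following added example reproduces the rule evaluation locally. It is not code from the original post; the device inventory is constructed (made-up names and build numbers) and the function name Test-OsVersionRule is my own.

```powershell
# Added example (not from the original post): evaluate the deviceOSType /
# deviceOSVersion rules locally, the way the portal's "Validate Rules" does.
# Caveat: in Azure AD rule syntax "-contains" is a substring test on a string;
# in PowerShell "-contains" tests membership in a collection, so the string
# method .Contains() is used here instead.

function Test-OsVersionRule {
    param(
        [Parameter(Mandatory)] [string] $OsType,
        [Parameter(Mandatory)] [string] $OsVersion,
        [Parameter(Mandatory)] [string] $VersionFragment,
        [string] $RequiredOsType = 'Windows'
    )
    # Both halves of (deviceOSType -eq X) and (deviceOSVersion -contains Y),
    # reported separately so a red result is explainable, as in View details.
    $typeOk    = $OsType -eq $RequiredOsType
    $versionOk = $OsVersion.Contains($VersionFragment)
    return [pscustomobject]@{
        OsTypeMatched    = $typeOk
        OsVersionMatched = $versionOk
        InGroup          = ($typeOk -and $versionOk)
    }
}

# Constructed inventory (assumption); real data would come from Get-MsolDevice
# or Get-MgDevice, which expose operatingSystem / operatingSystemVersion.
$devices = @(
    [pscustomobject]@{ Name = 'Win10-1909'; OS = 'Windows'; Version = '10.0.18363.1500' }
    [pscustomobject]@{ Name = 'Win10-20H2'; OS = 'Windows'; Version = '10.0.19042.1052' }
    [pscustomobject]@{ Name = 'Win10-21H1'; OS = 'Windows'; Version = '10.0.19043.1165' }
    [pscustomobject]@{ Name = 'Win11-21H2'; OS = 'Windows'; Version = '10.0.22000.132'  }
    [pscustomobject]@{ Name = 'Android-1';  OS = 'Android'; Version = '11.0'            }
)

# The version fragments used by the rules on this page.
$rules = [ordered]@{
    'Windows 10 Devices' = '10.0.1'
    'Windows 10 1909'    = '10.0.18363'
    'Windows 10 20H2'    = '10.0.19042'
    'Windows 11 Devices' = '10.0.2'
}

foreach ($ruleName in $rules.Keys) {
    $fragment = $rules[$ruleName]
    $members = $devices |
        Where-Object { (Test-OsVersionRule -OsType $_.OS -OsVersion $_.Version -VersionFragment $fragment).InGroup } |
        Select-Object -ExpandProperty Name
    '{0,-20} -> {1}' -f $ruleName, ($members -join ', ')
}

# Why the post's Win11 device was red: type matched, version did not.
Test-OsVersionRule -OsType 'Windows' -OsVersion '10.0.22000.132' -VersionFragment '10.0.1'
```

The last call returns OsTypeMatched True and OsVersionMatched False, which is exactly what the Verification details showed. The prefix trick only works because every Windows build string begins with “10.0.”; a fragment such as “1.0” would match far more than intended, so keep the full “10.0.1” / “10.0.2” prefix in the rule.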

Dynamic group rules – can be used with Conditional Access Filter for devices

The rules we just learned can also be used in Conditional Access policies to filter devices. As we know, once a Conditional Access policy is enabled, it applies to everything in scope. For more granular filtering, we can define the settings under Conditions.

Navigate to the Conditional Access policy; under Conditions > Filter for devices, set Configure to Yes. Under Property, the names are slightly different but the meaning is the same: we can select OperatingSystem, OperatingSystemVersion, etc.

Conditional Access Filter for devices

Rule syntax used is:

device.operatingSystemVersion -contains "10.0.19043"

With “Include filtered devices in policy” selected, this restricts the Conditional Access policy to Windows 10 21H1 devices only. To exclude them instead, select the second option, “Exclude filtered devices from policy”.
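The same Filter for devices condition can be set through Microsoft Graph, where the include / exclude choice is the deviceFilter mode. The following is an added example, not code from the original post: it creates a policy in report-only mode (so nothing is enforced while the filter is checked) with the 10.0.19043 rule used above. The policy name, the MFA grant control and the all-users / all-apps scope are assumptions chosen to make the policy valid.

```powershell
# Added example (not from the original post): Conditional Access policy with a
# "Filter for devices" condition, created via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module and Policy.ReadWrite.ConditionalAccess.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName = 'Report-only: Windows 10 21H1 devices'     # assumed name
    state       = 'enabledForReportingButNotEnforced'        # report-only
    conditions  = @{
        users        = @{ includeUsers = @('All') }          # assumed scope
        applications = @{ includeApplications = @('All') }   # assumed scope
        devices      = @{
            deviceFilter = @{
                # 'include' = "Include filtered devices in policy"
                # 'exclude' = "Exclude filtered devices from policy"
                mode = 'include'
                rule = 'device.operatingSystemVersion -contains "10.0.19043"'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')                           # assumed control
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' in state $($created.State)"
```

Leave the policy in report-only state until sign-in logs confirm that only the intended 21H1 devices are matched by the filter; then switch state to enabled with Update-MgIdentityConditionalAccessPolicy.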

Important Links

Create or edit a dynamic group and get status – Azure AD | Microsoft Docs