In this post I will show you how to create a dynamic group using regex in Microsoft Entra ID. The dynamic group feature supports regex (regular expressions), which match patterns in text. Using regex you can build various combinations for use in dynamic groups. We will look at the benefits of using it along with a use case.
What are Dynamic groups?
Dynamic groups in Microsoft Entra ID use dynamic membership rules, which let us write rule syntax based on attributes. Dynamic groups are supported for both devices and users. Various properties can be used for dynamic group membership; a few of them are deviceOSType, deviceOSVersion, deviceModel and deviceOwnership. For the list of all device-based attributes (or properties), check Properties of dynamic group.
Dynamic group membership doesn't allow you to add or remove members manually; it relies on the rule syntax. For example, if you are looking for a group of all Windows devices, you can use the following query in the rule syntax for a device-based dynamic rule:
(device.deviceOSType -eq "Windows")
Similarly, you can use the following two queries for Windows 10 and Windows 11 respectively:
Windows 10: (device.deviceOSType -eq "Windows") and (device.deviceOSVersion -contains "10.0.1")
Windows 11: (device.deviceOSType -eq "Windows") and (device.deviceOSVersion -contains "10.0.2")

Need for regular expressions (regex)
What if you want something more complex? For example, you want a dynamic group based on specific characters present in the device name. You can certainly do that if the name starts with something like "AU" or "SG" to denote Australia or Singapore devices. But what about anything in between? What if you want to divide all devices in a specific region into multiple groups? Let's say your devices in Australia start with AU, but you have 10,000+ of them. You want 4 or 5 different groups, but all of the devices start with AU. How can you divide them into multiple groups? Creating manual groups is an option, but that is a pain: you always have to keep adding new devices to one of the groups.
Use case: say you want 4 update rings targeted at 4 different dynamic groups. These dynamic groups should cover all the devices in your organization, and you want them created in such a way that the plan is foolproof and covers all devices built in future. This is where regular expressions can help.
What is Regex?
Regular expressions (regex) are the answer to the question above. Regex is a powerful way of searching strings based on the characters we use to match a pattern. You may need to learn regex if you are not familiar with it; there are lots of tutorials on the web to help you learn it quickly.
There are also regex viewers available that can be used to quickly check an expression and the result it produces.
Benefit of using Regex in Dynamic groups
Using regex with dynamic groups lets us divide the existing list of devices into multiple groups with a few patterns. For example, with 10,000 devices whose names start with AULT, creating the dynamic groups by hand takes too much effort, but a few patterns simplify this. To explain some of the patterns, I am going to use https://regexr.com, which is a wonderful site for testing your expressions.
Launch https://regexr.com and paste in all your devices (device names). I have a mix of devices: a few of them start with AU, others start with VM, and there are a few more.

I want to get the list of all devices starting with AU and VM, so I can use a simple expression such as (AU|VM). You will see the matching characters highlighted along with the matches shown.

While creating the dynamic group, we can use the -match operator along with the regex:
(device.displayName -match "(AU|VM)")
The vertical bar (|) between AU and VM is called alternation, which is equivalent to OR. Hence, you can extend it with more characters.
You might be thinking that this can be achieved just as well with a different query that is easier to understand, such as:
(device.displayName -startsWith "AU") or (device.displayName -startsWith "VM")

At this point, using AU|VM might not seem to matter much. But let's make things a bit more complicated.
Create Dynamic group using Regex
We will now create the dynamic group using a regular expression (regex). For that, look at the problem statement and solution below, which are a bit more complex than using the displayName property with the -startsWith operator and the value VM.
To create the dynamic group, navigate to the Azure portal and go to Microsoft Entra ID > Groups > Create new group, set Group type to Security, select Dynamic Device as the Membership type and click Add dynamic query.

The group can be created via Intune admin center as well.
Problem statement 1
I have devices in my environment whose names are VM + MAC address. To be more precise, I see a few devices in my Microsoft Entra ID where the initial 12 characters remain the same, such as VM00155D007, while the last 2 characters are 37, 51, 37, 0E, 4B, 38, 1F etc. I need 3 groups so that I can target update rings at 3 different groups. I also want to make sure that in future I don't have to add devices manually to any group. All my devices will always start with VM00155D007, but the next 2 characters can be anything, which I cannot know in advance.
I would like to have 3 dynamic groups that cover every device starting with VM00155D007, grouped by the next character: 0 to 4, 5 to 9 and A to Z.
To make it simple to understand, 3 dynamic groups are required:
Dynamic group number 1: Device starting with VM00155D007 + next character can be between 0-4 (any)
Dynamic group number 2: Device starting with VM00155D007 + next character can be between 5-9 (any)
Dynamic group number 3: Device starting with VM00155D007 + next character can be between A-Z (any)

The above combination is a one-time job with a future-proof plan: in case more devices are added to Microsoft Entra ID, they will eventually become part of one of the dynamic groups.
Solution 1
Dynamic group number 1: To satisfy the first group, which requires VM00155D007 and the next character to be between 0 and 4, I can use the following rule syntax:
(device.displayName -match "(VM00155D007F)[0-4]")
Or
(device.displayName -match "(VM00155D007F)[01234]")
Both of the above queries bring the same result. Let's break them down to understand them:
(VM00155D007F) means: Anything starting with VM00155D007F
[0-4] means: Next character can be in the range of 0 to 4 (covering 0,1,2,3,4)
Or
[01234] means: Next character can be 0,1,2,3 or 4
Dynamic group number 2: The following query matches names that start with VM00155D007 where the next character is between 5 and 9:
(device.displayName -match "(VM00155D007F)[5-9]")
Or
(device.displayName -match "(VM00155D007F)[56789]")
Dynamic group number 3: The following query matches names that start with VM00155D007 where the next character is between A and Z:
(device.displayName -match "(VM00155D007F)[A-Z]")
Note: If the A to Z group grows large in future, you can break it down further at your own convenience, such as:
(device.displayName -match "(VM00155D007F)[A-L]")
and
(device.displayName -match "(VM00155D007F)[M-Z]")
I hope the above queries are self-explanatory.
The best way to verify that your query brings the correct result is to use https://regexr.com. Provide the expression, such as (VM00155D007F)[0-4], and it will highlight the matching rows and show the match count, which indicates how many rows and which device names are selected.

Problem statement 2
For demonstration purposes, let's take another example. I have devices whose names start with AULT, and the remaining characters can be any combination of A to Z / 0-9. Divide all the devices into 4 to 5 groups with approximately the same number of devices in each, so that each group can be targeted by a separate update group. As each WUfB (Windows Update for Business) policy will have different deferral days, devices will be patched on different days to divide the workload.
Solution 2
The solution is pretty similar to the previous one. We can create 4 dynamic groups like this:
Dynamic group 1 with device name starting with AULT + 0 to 9 (next character):
(device.displayName -match "(AULT)[0-9]")
Dynamic group 2 with device name starting with AULT + A to J (next character):
(device.displayName -match "(AULT)[A-J]")
Dynamic group 3 with device name starting with AULT + K to P (next character):
(device.displayName -match "(AULT)[K-P]")
Dynamic group 4 with device name starting with AULT + Q to Z (next character):
(device.displayName -match "(AULT)[Q-Z]")
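The ring rules from Solution 1 and Solution 2, checked against a device list, as an added example that is not part of the original post: it runs the page's patterns as JavaScript regular expressions and reports which names land in which ring, which match no ring, and which match more than one. The device names are constructed, `auditRings` and `anchor` are hypothetical helper names, and the example assumes -match performs an unanchored search, so it also runs the same patterns anchored with ^.

```javascript
// Added example: audit update-ring patterns against a list of device names.
// Assumption: -match behaves as an unanchored regex search, as in regexr.com.

// Returns ring membership plus names matched by no ring or by several rings.
function auditRings(deviceNames, rings) {
  const members = Object.fromEntries(Object.keys(rings).map((r) => [r, []]));
  const unmatched = [];
  const overlapping = [];
  for (const name of deviceNames) {
    const hits = Object.keys(rings).filter((r) => new RegExp(rings[r]).test(name));
    hits.forEach((r) => members[r].push(name));
    if (hits.length === 0) unmatched.push(name);
    if (hits.length > 1) overlapping.push(name);
  }
  return { members, unmatched, overlapping };
}

// Patterns copied from the rules on this page.
const pageRings = {
  vm1: "(VM00155D007F)[0-4]",
  vm2: "(VM00155D007F)[5-9]",
  vm3: "(VM00155D007F)[A-Z]",
  ault1: "(AULT)[0-9]",
  ault2: "(AULT)[A-J]",
  ault3: "(AULT)[K-P]",
  ault4: "(AULT)[Q-Z]",
};

// Same patterns anchored with ^ so only names that start with the prefix match.
const anchor = (rings) =>
  Object.fromEntries(Object.entries(rings).map(([r, p]) => [r, "^" + p]));

// Constructed device names (not from a real tenant).
const sampleDevices = [
  "VM00155D007F37", "VM00155D007F51", "VM00155D007F0E", "VM00155D007F4B",
  "VM00155D007FA2",
  "AULT0042", "AULTB771", "AULTM310", "AULTZ009",
  "TEST-VM00155D007F12", // prefix appears mid-name
  "DEFAULTS01",          // contains "AULT" followed by "S" mid-name
  "VM00155D00AA10",      // different prefix, belongs to no ring
];

const loose = auditRings(sampleDevices, pageRings);
const anchored = auditRings(sampleDevices, anchor(pageRings));
console.log("as written:", loose.members, "unmatched:", loose.unmatched);
console.log("anchored:  ", anchored.members, "unmatched:", anchored.unmatched);
```

Any name listed under unmatched receives no update ring at all, so an export of real device names is worth running through a check like this before the rings are assigned.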
Query for Intune enrolled devices
If you want the groups to contain only Intune-enrolled devices, modify the above queries by appending and (device.managementType -eq "MDM").
One example is:
(device.displayName -match "(AULT)[0-9]") and (device.managementType -eq "MDM")
Conclusion
Regex is a powerful way to match patterns when creating dynamic group queries. This post shows just one example of how to achieve the result; you can write more complex and granular queries to create your groups.


