Entra ID (Azure AD) Dynamic Device Groups for Intune

Introduction

As I’m always looking up expressions for Entra ID (Azure AD) Dynamic Device Groups for use within Intune, either from previous deployments for customers or from hunting around on the internet, I thought I’d pull together a post with the most common ones I tend to use for most Intune deployments.

These may not fully suit your needs, but they should be a good starter for 10 when deploying Microsoft Intune.

Windows

Windows AAD Joined

This will include any Windows devices which are joined to Entra ID (Azure AD).

(device.deviceOSType -eq "Windows") and (device.deviceTrustType -eq "AzureAD") and (device.accountEnabled -eq True)

Windows Hybrid AAD Joined

This will include any Windows devices which are hybrid joined to Entra ID (Azure AD), i.e. they are also joined to on-premises Active Directory.

(device.deviceOSType -eq "Windows") and (device.deviceTrustType -eq "ServerAD") and (device.accountEnabled -eq True)

Windows AAD Registered

This will include any Windows devices which are only registered to Entra ID (Azure AD).

(device.deviceOSType -eq "Windows") and (device.deviceTrustType -eq "Workplace") and (device.accountEnabled -eq True)

Windows Personal (BYOD)

This will include any Windows devices which are personally owned, i.e. BYOD.

(device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Personal") and (device.accountEnabled -eq True)

Windows Autopilot (Any Device)

This will include any Windows Autopilot devices, regardless of a Group Tag.

(device.devicePhysicalIDs -any _ -contains "[ZTDId]")

Windows Autopilot (With Group Tag)

This will include any Windows Autopilot devices that have a certain Group Tag set.

(device.devicePhysicalIds -any (_ -eq "[OrderID]:GROUPTAG"))

Windows Autopilot (Without Group Tag)

This will include any Windows Autopilot devices which don't have a Group Tag set.

(device.devicePhysicalIDs -any _ -contains "[ZTDId]") and (device.devicePhysicalIds -all _ -notContains "[OrderID]:")

Android

Personal devices with work profile (BYOD)

This will include any personally owned Android device which has been enrolled with a work profile.

(device.deviceOSType -eq "AndroidForWork") and (device.managementType -eq "MDM")

Corporate-owned Dedicated Devices (COSU)

This will include any Android devices which are enrolled via the Corporate-owned Dedicated Devices profile.

(device.enrollmentProfileName -eq "COSU_PROFILENAME")

Corporate-owned Fully Managed (COBO)

This will include any Android devices which are enrolled via the Corporate-owned Fully Managed profile.

If you are still using your original tenant QR code from before the March 2023 updates to Intune, there was no enrollment profile, so you can use the following.

(device.deviceOSType -eq "AndroidEnterprise") -and (device.enrollmentProfileName -eq null)

The March 2023 updates to Intune introduced enrollment profiles for Fully Managed devices. To identify these devices now you can either be specific about which profile was used, which is useful if you want to identify a certain type of device enrolled using a specific QR code, or, to include any device regardless of profile, look for an enrollment profile name that is not null.

(device.deviceOSType -eq "AndroidEnterprise") -and (device.enrollmentProfileName -eq "COBO_PROFILENAME")
(device.deviceOSType -eq "AndroidEnterprise") -and (device.enrollmentProfileName -ne null)

Corporate-owned Devices with Work Profile (COPE)

This will include any Android devices which are enrolled via the Corporate-owned Devices with Work Profile profile.

(device.enrollmentProfileName -eq "COPE_PROFILENAME")

iOS/iPadOS

Automated Device Enrollment (ADE)

This will include any iOS/iPadOS devices enrolled via Apple Business Manager and Apple's Automated Device Enrollment (ADE) method.

(device.deviceOSType -contains "iPhone") and (device.enrollmentProfileName -contains "ADE_PROFILENAME")
(device.deviceOSType -contains "iPad") and (device.enrollmentProfileName -contains "ADE_PROFILENAME")

Personal (BYOD)

This will include any iOS/iPadOS devices enrolled by the user. These will by default come into Intune as Personal ownership, unless a Corporate Identifier is pre-populated into Intune.

(device.deviceOSType -contains "iPhone") and (device.managementType -contains "MDM") and (device.enrollmentProfileName -eq null)
(device.deviceOSType -contains "iPad") and (device.managementType -contains "MDM") and (device.enrollmentProfileName -eq null)

Devices will by default come into Intune as Personal ownership, unless a Corporate Identifier is pre-populated into Intune. If you want to distinguish Personal from Corporate-owned devices you can use the following.

(device.deviceOSType -contains "iPhone") and (device.managementType -contains "MDM") and (device.deviceOwnership -eq "Personal") and (device.enrollmentProfileName -eq null)
(device.deviceOSType -contains "iPad") and (device.managementType -contains "MDM") and (device.deviceOwnership -eq "Company") and (device.enrollmentProfileName -eq null)
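As an added example (not from the original post), here is how a handful of the rules above can be created as dynamic groups with the Microsoft Graph PowerShell SDK. The group names and mailNickname values are assumptions, and GROUPTAG / ADE_PROFILENAME are the same placeholders the post uses.

```powershell
# Added example, not from the original post. Creates some of the dynamic device
# groups above via the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups).
# Group names are assumptions; GROUPTAG and ADE_PROFILENAME are the placeholders
# from the post and must be replaced with your own values.
Connect-MgGraph -Scopes 'Group.ReadWrite.All' -NoWelcome

# Single-quoted strings so PowerShell passes the rule text through untouched;
# Entra ID parses the _ placeholder and the -eq/-any operators, not PowerShell.
$dynamicGroups = @(
    @{ Name = 'Intune - Windows Autopilot - GROUPTAG'
       Rule = '(device.devicePhysicalIds -any (_ -eq "[OrderID]:GROUPTAG"))' }
    @{ Name = 'Intune - Windows Autopilot - No Group Tag'
       Rule = '(device.devicePhysicalIDs -any _ -contains "[ZTDId]") and (device.devicePhysicalIds -all _ -notContains "[OrderID]:")' }
    @{ Name = 'Intune - Android Fully Managed - Any Profile'
       Rule = '(device.deviceOSType -eq "AndroidEnterprise") -and (device.enrollmentProfileName -ne null)' }
    @{ Name = 'Intune - iPhone ADE'
       Rule = '(device.deviceOSType -contains "iPhone") and (device.enrollmentProfileName -contains "ADE_PROFILENAME")' }
)

foreach ($g in $dynamicGroups) {
    # Re-runnable: skip a group that already exists rather than create a duplicate.
    if (Get-MgGroup -Filter "displayName eq '$($g.Name)'") {
        Write-Host "Already exists: $($g.Name)"
        continue
    }
    # mailNickname is required even for security groups and may not contain spaces.
    $nickname = $g.Name -replace '[^A-Za-z0-9]', ''
    $new = New-MgGroup -DisplayName $g.Name -MailNickname $nickname `
        -MailEnabled:$false -SecurityEnabled `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $g.Rule `
        -MembershipRuleProcessingState 'On'
    Write-Host "Created $($new.DisplayName) ($($new.Id))"
}

# Membership is evaluated asynchronously. Read back what Entra stored: a rule
# with a syntax error is rejected at creation, but a rule that is valid yet
# matches nothing (e.g. a mistyped profile name) just produces an empty group,
# so check the member count once processing has finished.
Get-MgGroup -Filter "startsWith(displayName,'Intune - ')" `
    -Property 'id,displayName,membershipRule,membershipRuleProcessingState' |
    Select-Object DisplayName, MembershipRuleProcessingState, MembershipRule
```

Group.ReadWrite.All is a broad permission; for day-to-day use, run this from an account or app registration that is scoped to the groups it manages.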

Summary

Hopefully you have found this blog post useful in your Intune adventures. Remember you can always use filters to further include/exclude devices if these are not specific enough for your needs. See https://learn.microsoft.com/en-us/mem/intune/fundamentals/filters for more information on filters.

If you have any useful expressions you use in your Intune deployments, let me know in the comments.

 
