Back to Basics – Use Dynamic Groups Wherever Possible

This is a short holiday week for me, so this post is quick and basic. It’s surprising to me how many tenants I encounter that have no dynamic groups configured. Many IT teams are still manually adding and removing devices or users from assigned groups. If you aren’t using dynamic groups, you need to start. They significantly reduce administrative overhead and make you much more efficient at your job, and they are very easy to configure. Assigned groups should be reserved for special situations where a dynamic group can’t be used, or for testing on a small subset of devices.

Some examples of dynamic groups I create for almost every tenant I work in: 

  • All Intune licensed users 
  • All Intune-managed Windows devices 
  • All iOS/Android corporate Intune-managed devices 
  • All Autopilot devices 
  • Autopilot devices with a specified grouptag (if needed) 

For more on dynamic group syntax and which properties are supported in a dynamic group query, see this link from Microsoft: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership 

Creating a dynamic group is a simple process. From Intune or Azure AD, select Groups and create a new group. Choose Security as the group type and Dynamic User or Dynamic Device as the membership type. Click Add dynamic query to edit the dynamic group’s membership rule.

Most dynamic groups can be created easily with the GUI rule builder: add the expressions you need. In this example, we are creating a dynamic group for all Intune-enrolled Windows devices. The query came out blurry in the picture, so I have added it below as well. When you finish adding your rules, click the Validate Rules tab to test your query.

(device.deviceOSType -contains "Windows") and (device.deviceManagementAppId -eq "0000000a-0000-0000-c000-000000000000")

Click Add devices (or Add users if your dynamic group targets users) and add some devices to test your rule. Here we have two devices, one that is Intune enrolled and another that is not. The top device passes the membership query and would be added to the group, but the bottom device does not. Clicking View details shows which part of the query did not match.

In this case, the device runs Windows, but it’s not Intune enrolled.  
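To make that validation step concrete, here is an added Python example. It is not part of the original post and is not Microsoft's rule engine: a toy evaluator for a subset of the dynamic membership rule syntax, run against the rule above and two constructed devices like the ones in the test (the property names follow the rule syntax; the device values are made up). It evaluates every clause instead of short-circuiting, so the second device's failure on the deviceManagementAppId clause is reported the way View details reports it. It also goes slightly beyond the page's rule by handling the list form `-in ["iOS", "Android"]`; `-any`, `-all`, `-match` and numeric operators are left out.

```python
# Added example, not Microsoft's rule engine: a toy evaluator for a subset of the
# dynamic membership rule syntax (property -operator value, and/or/not, parentheses,
# "string" and ["list"] values) that reports each clause's result the way the
# portal's "Validate Rules" details view does. -any/-all, -match and numeric
# operators are deliberately not modelled, and comparisons here are case-sensitive.
import re

_TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|-[A-Za-z]+|[A-Za-z_][\w.]*|[()\[\],]|(\S)')

def tokenize(rule: str) -> list[str]:
    tokens = []                                # "strings", -operators, identifiers, punctuation
    for m in _TOKEN_RE.finditer(rule):
        if m.group(1):
            raise ValueError(f"unexpected character {m.group(0)!r}")
        tokens.append(m.group(0))
    return tokens

class _Parser:
    """Recursive descent: or -> and -> not -> (expr) | property -op value."""
    def __init__(self, rule: str):
        self.toks, self.i = tokenize(rule), 0
    def _peek(self) -> str:
        return self.toks[self.i] if self.i < len(self.toks) else ""
    def _take(self, expect: str = "") -> str:
        tok = self._peek()
        if not tok or (expect and tok != expect):
            raise ValueError(f"expected {expect or 'a token'}, got {tok!r}")
        self.i += 1
        return tok
    def parse(self, word: str = "or"):          # "or" binds looser than "and"
        nxt = (lambda: self.parse("and")) if word == "or" else self._unary
        node = nxt()
        while self._peek().lower() == word:
            self._take()
            node = (word, node, nxt())
        return node
    def _unary(self):
        if self._peek().lower() == "not":
            self._take()
            return ("not", self._unary())
        if self._peek() == "(":
            self._take()
            node = self.parse()
            self._take(")")
            return node
        prop, op = self._take(), self._take()
        return ("cmp", prop, op.lower(), self._value())
    def _value(self):
        tok = self._take()
        if tok.startswith('"'):
            return tok[1:-1].replace('\\"', '"')
        if tok != "[":
            raise ValueError(f"unexpected value {tok!r}")
        items = []
        while self._peek() != "]":              # list literal, e.g. ["iOS", "Android"]
            items.append(self._value())
            if self._peek() == ",":
                self._take()
        self._take("]")
        return items

def _compare(op: str, actual, expected) -> bool:
    if op in ("-in", "-notin"):
        hit = actual in expected
        return hit if op == "-in" else not hit
    if op in ("-eq", "-ne"):
        return (actual == expected) if op == "-eq" else (actual != expected)
    if op in ("-contains", "-notcontains"):
        hit = actual is not None and expected in actual   # an unset property contains nothing
        return hit if op == "-contains" else not hit
    raise ValueError(f"operator {op} is not modelled by this toy")

def _evaluate(node, obj: dict, details: list) -> bool:
    if node[0] == "cmp":
        _, prop, op, expected = node
        ok = _compare(op, obj.get(prop), expected)
        details.append((f"{prop} {op} {expected!r}", obj.get(prop), ok))
        return ok
    if node[0] == "not":
        return not _evaluate(node[1], obj, details)
    # Both sides are evaluated (no short-circuit) so every clause gets reported.
    left, right = _evaluate(node[1], obj, details), _evaluate(node[2], obj, details)
    return (left and right) if node[0] == "and" else (left or right)

def check_membership(rule: str, obj: dict) -> tuple[bool, list]:
    """Return (is_member, [(clause, actual_value, matched), ...]) for one object."""
    details: list = []
    return _evaluate(_Parser(rule).parse(), obj, details), details

def failed_clauses(details: list) -> list[str]:
    """Clauses that did not match: what the portal's 'view details' points at."""
    return [clause for clause, _, ok in details if not ok]

# The rule from the post, plus two constructed devices like the ones in its test.
INTUNE_WINDOWS_RULE = ('(device.deviceOSType -contains "Windows") and '
                       '(device.deviceManagementAppId -eq "0000000a-0000-0000-c000-000000000000")')
DEVICES = {"enrolled-laptop": {"device.deviceOSType": "Windows",
                               "device.deviceManagementAppId": "0000000a-0000-0000-c000-000000000000"},
           "unmanaged-desktop": {"device.deviceOSType": "Windows"}}   # unset app id: not enrolled
```

Calling `check_membership(INTUNE_WINDOWS_RULE, DEVICES["unmanaged-desktop"])` returns `False` together with both clause results, and `failed_clauses` on those results names only the `deviceManagementAppId -eq` clause: the device runs Windows but has no management app id, which is exactly what the portal's details view shows for the second device.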

After you create a dynamic group, the rule is processed shortly afterwards. In my experience, the group is populated within 30 minutes of creation, and often much sooner. A common question is whether a dynamic group can be force-updated. I was not able to test whether the new ability to pause and unpause processing in the GUI triggers the rule to process; my guess is that it won’t. When I’ve needed to reprocess a dynamic group quickly, I change the query, save the group, then change the query back and save again. This should trigger the rule to reprocess and add or remove members. However, Microsoft does state that, depending on a few variables, rules may take up to 24 hours to process. You can see the last time membership changed in the group’s Last membership change field.

Hopefully this helped some people start using dynamic groups. Wherever possible, work smart and let automation make your job easier.  

4 thoughts on “Back to Basics – Use Dynamic Groups Wherever Possible”

  1. Hi,
    Nice post. I’m looking for a dyn query to sort out desktops from laptops. With a wmi-query you can do that easily but in intune I can’t find a way to figure that out. Any ideas?

    1. Intune won’t recognize a device as a desktop or laptop, but it will identify devices by model. One workaround could be to make a dynamic group for all the desktop models in your org and another for all the laptop models in your org. However, you’d need to update those groups as new models are added.

  2. Hi
    This is Amazing,
    Could you also please help me to prepare a dynamic group based on device encryption? I am looking if we can prepare a dynamic group for non-encrypted devices so that I identify the devices & force an encryption policy.
