Azure ad dynamic queries for Intune / MEM administrators

Dynamic Azure AD groups for Microsoft Endpoint Manager administrators is an important part of
managing devices and users in your or customer enviroment but it’s not always that easy to get the queries right and also find out what to query at times (speaking from my own experience).

With that I wanted to create an overview of queries I often use when working with customers and hopefully there are more people who could find this useful. I will continuesly update this list with my own queries and from others in the community who would like to share them.

Microsoft provides a lot of good examples and explenations on how the query format should look like. Dynamic queries use the Microsoft Graph but not everthing is exposed even tho you can find in it Graph. This can cause some confusion and I won’t go in to details in this post instead I just want to post “working” queries you can just copy and paste.

Microsofts documenation on dynamic groups: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership

Device queries

DescriptionQueryComment
All Company owned devices(device.deviceOwnership -eq “Company”)
All personally owned devices(device.deviceOwnership -eq “Personal”)
All devices not managed by a MDM(device.managementType -ne “MDM”)
All devices managed by a MDM(device.managementType -eq “MDM”)
Windows
All Windows Devices(device.deviceOSType -match “Windows”)
All company owned Windows devices(device.deviceOSType -eq “Windows”) -and (device.deviceOwnership -eq “Company”)
All personally owned Windows devices(device.deviceOSType -eq “Windows”) -and (device.deviceOwnership -eq “Personal”)
All Windows virtual machines(device.deviceModel -eq “Virtual Machine”)
Android
All Android devices(device.deviceOSType -match “Android”)
All company owned Android devices(device.deviceOSType -eq “Android”) -and (device.deviceOwnership -eq “Company”)
All personally owned Android devices(device.deviceOSType -eq “Windows”) -and (device.deviceOwnership -eq “Personal”)
All Android Enterprise devices(device.deviceOSType -match “AndroidEnterprise”)
All company owned Android Enterprise devices(device.deviceOSType -eq “AndroidEnterprise”) -and (device.deviceOwnership -eq “Company”)
iOS
All iPads devices(device.deviceOSType -eq “iPad”)
All personally owned iPad devices(device.deviceOSType -eq “iPad”) -and (device.deviceOwnership -eq “Personal”)
All Company owned iPad devices(device.deviceOSType -eq “iPad”) -and (device.deviceOwnership -eq “Company”)
All iPhones devices(device.deviceOSType -eq “IPhone”)
All personally owned iPhone devices(device.deviceOSType -eq “IPhone”) -and (device.deviceOwnership -eq “Personal”)
All Company owned iPhone devices(device.deviceOSType -eq “IPhone”) -and (device.deviceOwnership -eq “Company”)
macOS
All Mac devices(device.deviceOSType -eq “MacMDM”)
All Company owned Mac devices(device.deviceOSType -eq “MacMDM”) -and (device.deviceOwnership -eq “Company”)

Device Queries for Autopilot

DescriptionQueryComment
All Autopilot registered devices(device.devicePhysicalIDs -any _ -contains “[ZTDId]”)
A specific device thats autopilot registered(device.devicePhysicalIDs -contains “[ZTDId]:6598-3522-5834-2658-4381-8581-32”)If you want to create a dynamic group only containing one specific device you can specify the ZTDid for that device.
Autopilot devices with a specific OrderID(device.devicePhysicalIds -any _ -eq “[OrderID]:SelfDeploying”)
Autopilot devices that have been enrolled using a specific enrollment profile(device.enrollmentProfileName -eq “APHybridJoin”)Name of the Autopilot enrollment profile.

User queries

DescriptionQueryComment
All Users with EMS assigned and enableduser.assignedPlans -any (assignedPlan.service -eq “SCO” -and assignedPlan.capabilityStatus -eq “Enabled”)
All users with an AAD enabled account(user.accountEnabled -eq True)
All users with an email that contains .com(user.mail -contains “.com”)
All Users with a Intune license thats not disabled. USER.ASSIGNEDPLANS -ANY (ASSIGNEDPLAN.SERVICEPLANID -EQ “c1ec4a95-1f05-45b3-a911-aa3fa01094f5” -and assignedPlan.capabilityStatus -ne “Disabled”)
All users with Yammer Enterprise license assigned and enabled. user.assignedPlans -any (assignedPlan.service -eq “YammerEnterprise” -and assignedPlan.capabilityStatus -eq “Enabled”)
All users with MicrosoftPrint license assigned and enabled. user.assignedPlans -any (assignedPlan.service -eq “MicrosoftPrint” -and assignedPlan.capabilityStatus -eq “Enabled”)
All guest users in AAD(user.userType -eq “Guest”)Users created in AAD or AD are “Members” and all users you invited in to your tenant are labeled as “Guest”

I also want to recommend watchning Steve and Adams overview of dynamic groups

If you have any queries you use and think that others would benefit from, feel free to post them in the comment section and I will add them to the list.

Don’t forget to follow me on twitter @timmyitddotcom

Leave a Reply