Dynamic Azure AD groups are an important part of how Microsoft Endpoint Manager administrators manage devices and users in their own or a customer's environment, but it's not always easy to get the queries right, or even to find out what to query in the first place (speaking from my own experience).
With that in mind I wanted to create an overview of the queries I often use when working with customers, and hopefully more people will find it useful. I will continuously update this list with my own queries and with queries from others in the community who would like to share them.
Microsoft provides a lot of good examples and explanations of what the query format should look like. Dynamic queries are evaluated against Microsoft Graph data, but not every property you can find in Graph is exposed to dynamic rules. This can cause some confusion; I won't go into the details in this post, instead I just want to post working queries that you can copy and paste.
Microsoft's documentation on dynamic groups: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
Device queries
Description | Query | Comment |
---|---|---|
All Company owned devices | (device.deviceOwnership -eq "Company") | |
All personally owned devices | (device.deviceOwnership -eq "Personal") | |
All devices not managed by an MDM | (device.managementType -ne "MDM") | |
All devices managed by an MDM | (device.managementType -eq "MDM") | |
All devices managed by SCCM | (device.deviceManagementAppId -eq "54b943f8-d761-4f8d-951e-9cea1846db5a") | |
All devices managed by Intune | (device.deviceManagementAppId -eq "0000000a-0000-0000-c000-000000000000") | |
All devices from AD | (device.deviceTrustType -eq "ServerAd") | |
All devices from Azure AD | (device.deviceTrustType -eq "AzureAd") | |
All devices not joined to AAD or AD | (device.deviceTrustType -eq "Workplace") | |
Windows | ||
All Windows devices | (device.deviceOSType -match "Windows") | |
All company owned Windows devices | (device.deviceOSType -eq "Windows") -and (device.deviceOwnership -eq "Company") | |
All personally owned Windows devices | (device.deviceOSType -eq "Windows") -and (device.deviceOwnership -eq "Personal") | |
All Windows virtual machines | (device.deviceModel -eq "Virtual Machine") | |
Android | ||
All Android devices | (device.deviceOSType -match "Android") | |
All company owned Android devices | (device.deviceOSType -eq "Android") -and (device.deviceOwnership -eq "Company") | |
All personally owned Android devices | (device.deviceOSType -eq "Android") -and (device.deviceOwnership -eq "Personal") | |
All Android Enterprise devices | (device.deviceOSType -match "AndroidEnterprise") | |
All company owned Android Enterprise devices | (device.deviceOSType -eq "AndroidEnterprise") -and (device.deviceOwnership -eq "Company") | |
All Android devices enrolled with a specific profile name | (device.enrollmentProfileName -contains "Dedicated") | Update the rule with the same name you gave your enrollment profile |
iOS | ||
All iPad devices | (device.deviceOSType -eq "iPad") | |
All personally owned iPad devices | (device.deviceOSType -eq "iPad") -and (device.deviceOwnership -eq "Personal") | |
All Company owned iPad devices | (device.deviceOSType -eq "iPad") -and (device.deviceOwnership -eq "Company") | |
All iPhone devices | (device.deviceOSType -eq "IPhone") | |
All personally owned iPhone devices | (device.deviceOSType -eq "IPhone") -and (device.deviceOwnership -eq "Personal") | |
All Company owned iPhone devices | (device.deviceOSType -eq "IPhone") -and (device.deviceOwnership -eq "Company") | |
macOS | ||
All Mac devices | (device.deviceOSType -eq "MacMDM") | |
All Company owned Mac devices | (device.deviceOSType -eq "MacMDM") -and (device.deviceOwnership -eq "Company") | |
Device queries for Autopilot
Description | Query | Comment |
---|---|---|
All Autopilot registered devices | (device.devicePhysicalIds -any _ -contains "[ZTDId]") | |
A specific device that's Autopilot registered | (device.devicePhysicalIds -contains "[ZTDId]:6598-3522-5834-2658-4381-8581-32") | If you want to create a dynamic group containing only one specific device you can specify the ZTDId for that device. |
Autopilot devices with a specific OrderID (Group Tag) | (device.devicePhysicalIds -any _ -eq "[OrderID]:SelfDeploying") | |
Autopilot devices that have been enrolled using a specific enrollment profile | (device.enrollmentProfileName -eq "APHybridJoin") | Name of the Autopilot enrollment profile. |
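Creating one of the device groups above and checking a single device against its rule before relying on it, as an added Microsoft Graph PowerShell example (not code from the original post); the group name, mail nickname and the device display name are placeholders:

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph PowerShell module is
# installed and that "PLACEHOLDER-DEVICE-NAME" is replaced with a real device display name.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.Read.All"

# Rule taken from the device table above. Keep straight double quotes inside the rule: the rule
# editor does not accept the curly quotes that word processors and some web pages produce.
$rule = '(device.deviceOSType -eq "Windows") -and (device.deviceOwnership -eq "Company")'

# Create the dynamic security group with the rule and turn rule processing on.
$group = New-MgGroup -DisplayName "DYN-Windows-CorporateOwned" `
    -Description "Company owned Windows devices (dynamic membership)" `
    -MailEnabled:$false -MailNickname "dynwincorp" -SecurityEnabled `
    -GroupTypes "DynamicMembership" -MembershipRule $rule -MembershipRuleProcessingState "On"
"Created group $($group.Id)"

# Show the attributes the rule reads for one device. Rule property names differ from the Graph
# names (deviceOSType = operatingSystem, deviceTrustType = trustType, devicePhysicalIds = physicalIds,
# deviceManagementAppId = mdmAppId); an empty deviceOwnership explains a rule that never matches.
$device = Get-MgDevice -Filter "displayName eq 'PLACEHOLDER-DEVICE-NAME'" `
    -Property "id,displayName,operatingSystem,deviceOwnership,managementType,trustType,enrollmentProfileName" |
    Select-Object -First 1
$device | Format-List Id, DisplayName, OperatingSystem, DeviceOwnership, ManagementType, TrustType, EnrollmentProfileName

# Dry-run the rule against that device (beta action, the same check as "Validate rules" in the portal).
$result = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/groups/evaluateDynamicMembership" `
    -Body @{ memberId = $device.Id; membershipRule = $rule }
"Device matches rule: $($result.membershipRuleEvaluationResult)"
```

Dynamic membership is processed asynchronously, so the group itself can stay empty for a while after creation even when the dry run reports a match.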
User queries
Description | Query | Comment |
---|---|---|
All users with EMS assigned and enabled | user.assignedPlans -any (assignedPlan.service -eq "SCO" -and assignedPlan.capabilityStatus -eq "Enabled") | |
All users with an AAD enabled account | (user.accountEnabled -eq True) | |
All users with an email that contains .com | (user.mail -contains ".com") | |
All users with an Intune license that's not disabled | user.assignedPlans -any (assignedPlan.servicePlanId -eq "c1ec4a95-1f05-45b3-a911-aa3fa01094f5" -and assignedPlan.capabilityStatus -ne "Disabled") | |
All users with a Yammer Enterprise license assigned and enabled | user.assignedPlans -any (assignedPlan.service -eq "YammerEnterprise" -and assignedPlan.capabilityStatus -eq "Enabled") | |
All users with a MicrosoftPrint license assigned and enabled | user.assignedPlans -any (assignedPlan.service -eq "MicrosoftPrint" -and assignedPlan.capabilityStatus -eq "Enabled") | |
All guest users in AAD | (user.userType -eq "Guest") | Users created in AAD or AD are "Member" and all users you invite into your tenant are labeled "Guest" |
I also want to recommend watching Steve and Adam's overview of dynamic groups.
If you have any queries you use and think that others would benefit from, feel free to post them in the comment section and I will add them to the list.
Don't forget to follow me on Twitter @timmyitddotcom
Hello, I'm looking to create a dynamic group to group the Corporate-owned devices with work profile (preview). Is there a query for that?
I tried using the query for all Corporate owned devices, but it's not working for our Macs.
They are enrolled into Intune and show as corporate under ownership, but when validating the dynamic rule none of them are validated.
It doesn't even seem like the device.deviceownership status is being pulled through into the AAD object from Intune.
I’d like to create a dynamic group that identifies all users that have a Company owned Windows device, and another for Mac devices. Haven’t figured out how to do it. I’m guessing I’d need to create a dynamic device group and a dynamic user group. Not sure how to do it.
I'm looking to create a dynamic group on Servers vs. Workstation OS. The OS version won't work as some server versions have the same build number as a Workstation OS. Any assistance would be VERY helpful!
It looks like DeviceOSType will work for this.
This does not work. The DeviceOSType is "Windows", as shown in the properties of the Azure object.
Trying to create a query, to get all the Smartphones of a specific group of Users.
So for example the User group “SG-TestUsers” does contain 100 users. I want to get all the Smartphones which are linked to the users within this group. Most likely those would be 100 Smartphones, since every user has one but I need the specific ones without looking into every user manually.
Any suggestions?
Thanks & Kind regards