CCMEXEC.COM – Enterprise Mobility

Creating a dynamic Azure AD Group for Corporate owned devices

Posted on November 10, 2017, updated November 23, 2020, by Jörgen Nilsson

One of the most common requests I get when deploying Intune is that they want to deploy, for instance, a Certificate, VPN, WiFi or a specific app only to corporate owned devices and not personal (BYOD) devices. We have Dynamic groups in Azure AD that can solve this for us; however, when I looked at the documentation on Microsoft docs it was not correct. So here we go:

To create a Dynamic Azure AD group for Corporate owned devices here is how we can do it:

  1. We create a Dynamic Device group
  2. Add a simple rule shown below that uses deviceOwnership and includes all devices marked as Company. If we want one for Personal devices we can create a new one and change it to Personal instead.

We can also create a Dynamic Group for all Corporate Owned iPhones. We do this by adding a second rule with an and condition.

Then we can deploy the Certificate, VPN app and target only our company owned devices.

Dynamic groups are awesome!
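The two groups described above can also be created from a script. This is an added example, not code from the original post: it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups), the group names and mail nicknames are placeholders, and the use of `device.deviceOSType` for the iPhone condition is an assumption, since the post does not name the property used in the second rule.

```powershell
# Added example, not from the original post. Requires Microsoft.Graph.Groups.
# Group names and nicknames are placeholders.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

$groups = @(
    @{
        Name = 'Devices - Corporate owned'           # placeholder
        Nick = 'devices-corporate-owned'             # placeholder
        # The ownership value used in the post is "Company".
        Rule = '(device.deviceOwnership -eq "Company")'
    },
    @{
        Name = 'Devices - Corporate owned iPhones'   # placeholder
        Nick = 'devices-corporate-iphones'           # placeholder
        # Second condition joined with -and; deviceOSType is an assumption.
        Rule = '(device.deviceOwnership -eq "Company") -and (device.deviceOSType -eq "iPhone")'
    }
)

foreach ($g in $groups) {
    # Look the group up by name so the script can be re-run safely.
    $existing = Get-MgGroup -Filter "displayName eq '$($g.Name)'" `
        -Property Id, DisplayName, MembershipRule | Select-Object -First 1

    if (-not $existing) {
        # Dynamic device groups are security groups with the DynamicMembership type.
        New-MgGroup -DisplayName $g.Name `
            -MailNickname $g.Nick `
            -MailEnabled:$false `
            -SecurityEnabled `
            -GroupTypes 'DynamicMembership' `
            -MembershipRule $g.Rule `
            -MembershipRuleProcessingState 'On' | Out-Null
        Write-Output "Created '$($g.Name)'"
    }
    elseif ($existing.MembershipRule -ne $g.Rule) {
        # The stored rule differs from the intended one: put it back, because a
        # widened rule would extend certificate/VPN/WiFi targeting to BYOD devices.
        Update-MgGroup -GroupId $existing.Id -MembershipRule $g.Rule
        Write-Output "Reset rule on '$($g.Name)'"
    }
    else {
        Write-Output "'$($g.Name)' already has the expected rule"
    }
}
```

After the rule has been processed, review the resulting membership before assigning certificate, VPN or WiFi profiles to the group.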

5 thoughts on “Creating a dynamic Azure AD Group for Corporate owned devices”

  1. Mike says:
    January 2, 2019 at 11:42 pm

    Did this actually work? I’ve been trying to get this to work for iPhone/iPad and Android and the ownership element doesn’t appear to work. Devices are found if I remove the ownership condition…

    1. Jörgen Nilsson says:
      January 13, 2019 at 10:56 pm

      Hi,
      It was a while since I used it; I will test it out during the week to make sure it still works.
      /Jörgen

  2. Shane says:
    March 20, 2019 at 11:13 pm

    They may have changed this. It should be deviceCategory Match Corporate.

  3. Adam Weldon-Ming says:
    November 22, 2020 at 8:42 pm

    Hey – I have just noticed when I create this device rule – if I do “Corporate”, device syntax after validation shows this fails. When I check why it fails, it shows that the device I referenced against says the (device.deviceOwnership -eq “Company”) and not (device.deviceOwnership -eq “Corporate”)

    1. Jörgen Nilsson says:
      November 23, 2020 at 7:52 am

      Should have updated that a long time ago. Thanks for the heads up, it is updated now.


My name is Jörgen Nilsson and I work as a Senior Consultant at Onevinn in Malmö, Sweden. This is my blog where I will share tips and stuff for my own and everyone elses use on Enterprise Mobility and Windows related topics.
All code is provided "AS-IS" with no warranties.