Creating a dynamic Azure AD Group for Corporate owned devices

One of the most common requests I get when deploying Intune is to deploy a certificate, VPN profile, WiFi profile or a specific app only to corporate owned devices and not to personal (BYOD) devices. Dynamic groups in Azure AD can solve this for us; however, when I looked at the documentation on Microsoft Docs it was not correct. So here we go:

To create a Dynamic Azure AD group for corporate owned devices, here is how we can do it:

  1. Create a Dynamic Device group.
  2. Add the simple rule shown below, which uses the deviceOwnership attribute and includes all devices marked as Company. If you want a group for personal devices, create a second group and change the value to Personal instead.

We can also create a Dynamic Group for all corporate owned iPhones. We do this by adding a second rule, combined with the first using an "and" condition.

Then we can deploy the certificate, VPN profile or app to this group and target only our company owned devices.
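The two groups described above, created with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original post. It assumes the Microsoft.Graph.Groups module is installed and the signed-in account can create groups; the group names are placeholders, and the rules use the standard dynamic membership syntax for the deviceOwnership and deviceOSType attributes.

```powershell
# Added example: create the corporate-owned dynamic device groups from the post via
# Microsoft Graph, then list the resulting members so the rule can be checked before
# any policy is targeted at it. Group names below are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.Read.All"

# deviceOwnership is populated by Intune enrollment, so a device that is not enrolled
# (or whose record is stale) matches neither the Company nor the Personal rule.
# The deviceOSType value is the device's operatingSystem property; confirm the exact
# string on a known device before relying on the iPhone rule.
$rules = @{
    "DYN-Devices-Corporate"        = '(device.deviceOwnership -eq "Company")'
    "DYN-Devices-Corporate-iPhone" = '(device.deviceOwnership -eq "Company") and (device.deviceOSType -eq "iPhone")'
}

foreach ($name in $rules.Keys) {
    $existing = Get-MgGroup -Filter "displayName eq '$name'"
    if ($existing) { Write-Host "$name already exists, skipping"; continue }

    New-MgGroup -DisplayName $name `
        -MailEnabled:$false `
        -MailNickname ($name -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $rules[$name] `
        -MembershipRuleProcessingState "On" | Out-Null
    Write-Host "Created $name with rule: $($rules[$name])"
}

# Membership is evaluated asynchronously by Azure AD; run this part once the
# group's processing status shows it has finished.
foreach ($name in $rules.Keys) {
    $group   = Get-MgGroup -Filter "displayName eq '$name'"
    $members = Get-MgGroupMember -GroupId $group.Id -All
    Write-Host "$name : $($members.Count) device(s)"
    foreach ($m in $members) {
        $p = $m.AdditionalProperties
        # Any row whose ownership is not Company means the rule or the device data is wrong.
        "{0,-40} {1,-10} {2}" -f $p.displayName, $p.deviceOwnership, $p.operatingSystem
    }
}
```

Review the member list against Intune's device inventory before assigning certificates or VPN profiles; an unexpected personal device in the output is cheaper to find here than after a policy has been pushed.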

Dynamic groups are awesome!
