Creating a dynamic Azure AD Group for Corporate owned devices

One of the most common requests I get when deploying Intune is to deploy, for instance, a Certificate, VPN, WiFi profile or a specific app only to corporate-owned devices and not to personal (BYOD) devices. Dynamic groups in Azure AD can solve this for us; however, when I looked at the documentation on Microsoft Docs, it was not correct. So here we go:

To create a Dynamic Azure AD group for Corporate owned devices here is how we can do it:

  1. We create a Dynamic Device group.
  2. Add a simple rule, shown below, that uses deviceOwnership and includes all devices marked as Corporate. If we want one for Personal devices, we can create a new group and change the value to Personal instead.

We can also create a Dynamic Group for all Corporate-owned iOS devices. Instead of using a Simple rule, we create an Advanced rule as shown below.
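As an added example (not part of the original post), here are both groups from the steps above created with the Microsoft Graph PowerShell SDK instead of the portal. The membership rules are the standard Azure AD dynamic-device syntax: note that the Intune portal labels ownership "Corporate", but the directory attribute value the rule has to match is "Company". The display names and mail nicknames are placeholders I chose here, and the script assumes the Microsoft.Graph module is installed and the signed-in account has the Group.ReadWrite.All permission.

```powershell
# Added example, not the original post's code.
# Assumes: Microsoft.Graph PowerShell module installed, account granted Group.ReadWrite.All.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Simple rule: every device whose ownership is corporate.
# The attribute value is "Company" even though the Intune UI shows "Corporate".
$corporateRule = '(device.deviceOwnership -eq "Company")'

# Advanced rule: corporate-owned devices that also run iOS.
$corporateIosRule = '(device.deviceOwnership -eq "Company") and (device.deviceOSType -eq "iOS")'

function New-DynamicDeviceGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MailNickname,
        [Parameter(Mandatory)] [string] $MembershipRule
    )
    # A dynamic group is a security group with the DynamicMembership type and a rule
    # whose processing state is switched on; without "On" the rule is stored but never evaluated.
    New-MgGroup -DisplayName $DisplayName `
                -MailNickname $MailNickname `
                -MailEnabled:$false `
                -SecurityEnabled:$true `
                -GroupTypes @("DynamicMembership") `
                -MembershipRule $MembershipRule `
                -MembershipRuleProcessingState "On"
}

# Placeholder group names; rename to match your naming convention.
$allCorporate = New-DynamicDeviceGroup -DisplayName "Dyn - Corporate Devices" `
                                       -MailNickname "dyn-corporate-devices" `
                                       -MembershipRule $corporateRule
$corporateIos = New-DynamicDeviceGroup -DisplayName "Dyn - Corporate iOS Devices" `
                                       -MailNickname "dyn-corporate-ios" `
                                       -MembershipRule $corporateIosRule

# Membership is populated asynchronously. Confirm the rule is stored and being processed,
# then list the members before assigning any policy or certificate to the group.
foreach ($group in @($allCorporate, $corporateIos)) {
    Get-MgGroup -GroupId $group.Id -Property "id,displayName,membershipRule,membershipRuleProcessingState" |
        Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
    Get-MgGroupMember -GroupId $group.Id -All |
        Select-Object -ExpandProperty AdditionalProperties |
        ForEach-Object { [pscustomobject]@{ Device = $_.displayName; OS = $_.operatingSystem } }
}
```

The member listing at the end is the check worth doing before you hang a VPN profile or certificate off the group: deviceOwnership is set at enrollment time, so a device enrolled through an unexpected path can land on the wrong side of the rule, and a quick look at the evaluated membership catches that before the policy goes out.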

Then we can deploy the Certificate, VPN app or whatever we want to these groups instead.

Dynamic groups are awesome!
