Building Dynamic Membership Rules

Tags: group

Zehadi Alam

In an Azure AD dynamic security group, membership is governed by a rule that automatically adds or removes members based on attributes of the user or device objects; the members are whatever the rule's query returns. When constructing a dynamic membership rule for devices, the expression must accurately and uniquely identify the devices belonging to your unit: an over-broad rule pulls in devices that belong to other units, and anything assigned to the group (policies, apps, access) then reaches them as well. The following sections describe several ways to build such a rule.


Use the displayName Property
If your unit uses a naming convention for the devices under its management, an effective approach is to build the membership rule from the device hostname. Select displayName as the property and a suitable operator (Starts With, Contains, Match, and so on). The Match operator takes a regular expression. Prefer an anchored comparison such as Starts With (or an anchored regular expression) over Contains, since a short substring can also occur in other units' hostnames.



Use the devicePhysicalIds Property
If your unit manages Windows Autopilot devices, you can populate a group with the Autopilot devices registered under your Group Tag by using the following syntax: (device.devicePhysicalIds -any _ -eq "[OrderID]:GroupTag"). Replace GroupTag with the Group Tag assigned to your unit's devices; the tag is stored in the device's physical IDs under the OrderID key, which is why the rule compares against a value prefixed with "[OrderID]:". Using the advanced rule builder and pasting the syntax into the provided text field is simpler than assembling the expression in the basic builder.




Use the memberOf Property

To establish a dynamic group that includes the members of several existing groups, use the memberOf property with the following syntax: (device.memberof -any (group.objectId -in ['groupId', 'groupId'])). This rule populates the dynamic group with the devices that belong to any group listed in the array of group IDs. To obtain a group's ID, navigate to the group and select Properties; its Object ID is the group ID. Note that a memberOf rule cannot be combined with other clauses in the same rule, so any additional filtering has to be applied in the groups it references instead. For more information about the memberOf property, see the following Microsoft document: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-rule-member-of



Use the deviceManagementAppId Property
Because dynamic security groups are populated from Azure AD device objects, a dynamic group can pick up devices that are not managed by Intune, for example Azure AD registered devices or stale objects that were never enrolled. To restrict the group to devices enrolled in Intune, add the following clause with -and to every dynamic device group rule (except rules built on memberOf, which cannot take additional clauses): (device.deviceManagementAppId -eq "0000000a-0000-0000-c000-000000000000"). 0000000a-0000-0000-c000-000000000000 is the MDM App ID for Intune; the attribute records the MDM authority a device enrolled with, so objects that never enrolled have no value and are excluded. The clause filters on enrollment, not on recent check-in: a device that enrolled and later went silent still matches, so pair it with Intune's device clean-up rules if stale enrolled devices are a concern.
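The four techniques above (displayName, devicePhysicalIds, memberOf and deviceManagementAppId) composed and dry-run in Python, as an added example that is not part of the original article and not Microsoft's tooling. It assumes hypothetical device records constructed inline, models the rule operators only approximately (string comparisons are treated as case-insensitive, which is an assumption, and -match is modelled with Python's re), and encodes two documented limits: a rule body of at most 3072 characters and the restriction that memberOf cannot be combined with other clauses.

```python
"""Compose Azure AD (Microsoft Entra ID) dynamic device-membership rules and
dry-run them against constructed device records.

Added example for this article, not Microsoft's or the author's code. Each
clause carries the rule text you would paste into the advanced rule builder
plus a simplified offline model of how Azure AD evaluates it; the model is a
sanity check, not the real rule engine (string comparisons are assumed
case-insensitive here).
"""
import re
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, List

INTUNE_MDM_APP_ID = "0000000a-0000-0000-c000-000000000000"  # Intune MDM app ID (from the article)
MAX_RULE_LENGTH = 3072      # documented maximum length of a rule body
MAX_MEMBEROF_GROUPS = 50    # documented maximum number of groups in a memberOf rule


@dataclass(frozen=True)
class Clause:
    text: str                      # rule syntax as entered in the rule builder
    test: Callable[[Dict], bool]   # offline approximation of the clause
    standalone: bool = False       # memberOf can't be combined with other clauses


def _literal(value: str) -> str:
    """Double-quoted rule literal; refuse values that would break the quoting."""
    if '"' in value:
        raise ValueError("double quotes are not supported in rule literals here")
    return f'"{value}"'


def display_name_rule(operator: str, value: str) -> Clause:
    """Hostname-based rule, e.g. display_name_rule("startsWith", "LAB-")."""
    ops = {
        "eq": lambda name: name.lower() == value.lower(),
        "startsWith": lambda name: name.lower().startswith(value.lower()),
        "contains": lambda name: value.lower() in name.lower(),
        "match": lambda name: re.search(value, name) is not None,  # -match takes a regex
    }
    if operator not in ops:
        raise ValueError(f"unsupported operator -{operator}")
    return Clause(text=f"(device.displayName -{operator} {_literal(value)})",
                  test=lambda d: ops[operator](d.get("displayName") or ""))


def autopilot_group_tag_rule(group_tag: str) -> Clause:
    """Autopilot devices registered with this Group Tag (stored as an OrderID physical ID)."""
    wanted = f"[OrderID]:{group_tag}".lower()
    return Clause(text=f"(device.devicePhysicalIds -any _ -eq {_literal('[OrderID]:' + group_tag)})",
                  test=lambda d: any(p.lower() == wanted for p in d.get("devicePhysicalIds", [])))


def member_of_rule(group_ids: List[str]) -> Clause:
    """Devices that belong to any of the listed groups, identified by group object ID."""
    if not 0 < len(group_ids) <= MAX_MEMBEROF_GROUPS:
        raise ValueError(f"memberOf rules reference 1..{MAX_MEMBEROF_GROUPS} groups")
    normalized = [str(uuid.UUID(g)) for g in group_ids]  # rejects malformed IDs early
    ids = ", ".join(f"'{g}'" for g in normalized)
    return Clause(text=f"(device.memberof -any (group.objectId -in [{ids}]))",
                  test=lambda d: any(g.lower() in normalized for g in d.get("memberOf", [])),
                  standalone=True)


def intune_managed_rule() -> Clause:
    """Only devices enrolled in Intune carry the Intune MDM app ID."""
    return Clause(text=f"(device.deviceManagementAppId -eq {_literal(INTUNE_MDM_APP_ID)})",
                  test=lambda d: (d.get("deviceManagementAppId") or "").lower() == INTUNE_MDM_APP_ID)


def conjoin(*clauses: Clause) -> Clause:
    """Join clauses with -and, enforcing the memberOf and rule-length limits."""
    if len(clauses) > 1 and any(c.standalone for c in clauses):
        raise ValueError("a memberOf clause can't be combined with other clauses")
    text = " -and ".join(c.text for c in clauses)
    if len(text) > MAX_RULE_LENGTH:
        raise ValueError(f"rule body exceeds {MAX_RULE_LENGTH} characters")
    return Clause(text=text, test=lambda d: all(c.test(d) for c in clauses))


def dry_run(rule: Clause, devices: List[Dict]) -> List[str]:
    """Display names of the devices the rule would include, in input order."""
    return [d["displayName"] for d in devices if rule.test(d)]


# Constructed sample device objects; not real tenant data.
SAMPLE_DEVICES = [
    {"displayName": "LAB-PC-001", "devicePhysicalIds": ["[OrderID]:Lab", "[ZTDId]:a1"],
     "memberOf": [], "deviceManagementAppId": INTUNE_MDM_APP_ID},
    {"displayName": "LAB-PC-002", "devicePhysicalIds": [], "memberOf": [],
     "deviceManagementAppId": None},   # follows the naming convention but was never enrolled
    {"displayName": "HR-LAPTOP-07", "devicePhysicalIds": ["[OrderID]:HR"],
     "memberOf": ["11111111-1111-1111-1111-111111111111"],
     "deviceManagementAppId": INTUNE_MDM_APP_ID},
]

if __name__ == "__main__":
    lab_rule = conjoin(display_name_rule("startsWith", "LAB-"), intune_managed_rule())
    print(lab_rule.text)
    print(dry_run(lab_rule, SAMPLE_DEVICES))  # ['LAB-PC-001']
```

Paste a clause's text into the portal's rule editor; the dry run only confirms how the clauses combine (for instance, that the Intune clause drops LAB-PC-002, which follows the naming convention but was never enrolled), and conjoin refuses to attach it to a memberOf rule. Always confirm the saved rule against real devices with the portal's Validate Rules feature before assigning anything to the group.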



Before saving a rule, use the Validate Rules feature in the dynamic membership rules blade to check it against a few known devices (one that should match and one that should not). For more information on constructing and customizing dynamic queries, consult the following Microsoft documentation: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership