In Azure Active Directory (Azure AD), you can create dynamic membership rules to automatically update groups. To quote Microsoft "Dynamic group membership reduces the administrative overhead of adding and removing users".. Or devices. This blog is to detail the properties and syntax needed to create dynamic membership rules for AutoPilot devices and assign deployment and ESP profiles.
I wanted to create a group of all AutoPilot registered devices that has a specific Group tag 'PAW'. The intention being to assign a specific AutoPilot deployment profile/ESP and a set of configuration but only to defined computers and not all AutoPilot registered devices.
Group tags will be created for different departments so they receive specific policy, apps, config per department i.e. Finance, HR, IT services etc.
Within my list of AutoPilot devices (see how to populate AutoPilot list) I clicked on a device and gave it the group tag 'PAW'.
Within Graph Explorer this Group Tag name can be found within the 'PhsicalIds' properties and will form the basis of our dynamic query.
Now I need to create a Azure AD Group that only includes AutoPilot registered devices with the PAW group tag.
How to create an Azure AD Group?
Within Azure/Endpoint Manager select groups > New Group.
Enter a Group names
Ensure Dynamic Device is selected within the drop down
Select 'Add dynamic query' to input query syntax
The following query is well documented to populate a group with all AutoPilot registered devices.
(device.devicePhysicalIDs -any _ -contains "[ZTDId]")
By using the 'and' operator we are now adding an additional parameter that must be found within Azure AD to be listed in the group.
As seen within Graph Explorer the OrderID propery now details 'PAW' which can be discovered with the following query.
(device.devicePhysicalIDs -any _ -contains "[ZTDId]") and (device.devicePhysicalIds -any _ -eq "[OrderID]:PAW")