How to Create AAD Dynamic Groups for Hybrid Azure AD Joined Devices

Let’s create Azure AD dynamic groups for Hybrid Azure AD joined devices. You can now use the deviceTrustType property to build a dynamic device group that contains only Hybrid Azure AD joined devices, which is useful for keeping Azure AD joined and Hybrid Azure AD joined devices apart (for example, when targeting policies at one join type only).

You can create the AAD dynamic device group based on the domain join type. Follow the steps below to create this type of Hybrid Azure AD joined device group.

  • Log in to AAD.Portal.Azure.com.
  • Navigate to the Azure Active Directory -> Groups node -> Click on the New Group button.
  • Group Type -> Security
  • Group Name -> HTMD Hybrid AAD Device Group
  • Group Description -> To add all Hybrid AAD joined Windows devices
  • Membership Type -> Dynamic Device
Create AAD Dynamic Groups based on Domain Join Type Hybrid Azure AD and Azure AD 2

Click the Dynamic device members -> Add dynamic query link shown in the screenshot below. Next, build the query that adds members to the dynamic group for Hybrid Azure AD joined devices.

NOTE! – The Add dynamic query link appears in this blade only when the membership type is set to Dynamic Device or Dynamic User.

Create AAD Dynamic Groups based on Domain Join Type Hybrid Azure AD and Azure AD 3

There are two options to build the Azure AD dynamic group query. You can use the rule builder or rule syntax text box to create or edit an AAD device group dynamic membership rule.

  • Rule Builder -> Graphical interface – the easy way to create the dynamic query.
  • Rule Syntax -> Text box for advanced users who need complex queries.

You need to follow the steps mentioned below to use Azure AD dynamic group Rule Builder to create dynamic query rules for Hybrid Azure AD joined devices.

  • Under Configure Rules -> Choose Property drop-down list.
  • Select deviceTrustType as the property from the drop-down list.
Create AAD Dynamic Groups based on Domain Join Type Hybrid Azure AD and Azure AD 4

Next, choose an operator for the deviceTrustType property. I have selected Equals from the operator drop-down menu.

Create AAD Dynamic Groups based on Domain Join Type Hybrid Azure AD and Azure AD 5

Now look at the value of the deviceTrustType property to match in the Hybrid Azure AD joined scenario. For Hybrid AAD joined devices the value to look for is ServerAD.

Create AAD Dynamic Groups based on Domain Join Type Hybrid Azure AD and Azure AD 6

You can click the Validate Rules tab to validate the dynamic query you just created. Follow the steps below to validate the query against one Azure AD joined and one Hybrid Azure AD joined device.

Dynamic Query for Hybrid AAD joined devices = (device.deviceTrustType -eq "ServerAD")

  • Click the Validate Rules tab once the query rule is built as per the steps above.
  • Click the Add Devices link to add an Azure AD joined and a Hybrid Azure AD joined device.
  • Search for the AAD joined and HAAD joined devices.
  • Select both devices (one of each domain join type) and click the Select button.
Create AAD Dynamic Groups based on Domain Join Type Hybrid Azure AD and Azure AD 7
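The same group can be created from the Rule Syntax form without the portal. The following is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module) to create the dynamic security group with the rule shown above and then reads the stored rule back. The mail nickname value is an assumption (Graph requires one even for security groups), and the signed-in account is assumed to have rights to create groups.

```powershell
# Added example (not from the original post): create the dynamic device group
# from the rule syntax using the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in account
# is allowed to create groups (e.g. Groups Administrator).
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# The membership rule built in the portal above. Single quotes keep PowerShell
# from interpreting the inner double quotes, which the rule syntax requires.
$rule = '(device.deviceTrustType -eq "ServerAD")'

$params = @{
    DisplayName                   = 'HTMD Hybrid AAD Device Group'
    Description                   = 'To add all Hybrid AAD joined Windows devices'
    MailEnabled                   = $false
    MailNickname                  = 'HTMDHybridAADDeviceGroup'   # assumed value; Graph requires one
    SecurityEnabled               = $true
    GroupTypes                    = @('DynamicMembership')
    MembershipRule                = $rule
    MembershipRuleProcessingState = 'On'   # 'Paused' stores the rule without evaluating it
}
$group = New-MgGroup @params

# Read the rule back to confirm it was stored exactly as written
Get-MgGroup -GroupId $group.Id -Property Id,DisplayName,MembershipRule,MembershipRuleProcessingState |
    Select-Object Id, DisplayName, MembershipRule, MembershipRuleProcessingState
```

Dynamic membership is evaluated asynchronously, so the member list of a newly created group stays empty for a while even when the rule is correct; use the Validate Rules tab (or the audit in the next example) rather than the member count to judge the rule.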

Let’s check the validation results now. I added one Hybrid Azure AD joined device and one Azure AD joined device, so the following results are expected, which confirms that the AAD group dynamic query is accurate:

  • CPC-vidyam-2-CC -> Not in the Hybrid Azure AD joined group, because this device is Azure AD joined.
  • CPC-anoopb-L-DA -> In the Hybrid Azure AD joined group, because this device is Hybrid Azure AD joined.
Create AAD Dynamic Groups based on Domain Join Type Hybrid Azure AD and Azure AD 8
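Validate Rules checks a handful of devices you pick by hand. Because groups like this are typically used to scope Conditional Access or Intune policies, it is worth checking the whole directory: every hybrid joined device should be a member and nothing else should be. The following is an added example, not code from the original post: it compares the group's current members with the devices Microsoft Graph reports as hybrid joined (Graph exposes the join type on the device object as the trustType property, with the value ServerAd for hybrid joined devices). It assumes the Microsoft.Graph module is installed and the account can read groups and devices.

```powershell
# Added example (not from the original post): audit the dynamic group against
# the directory so mis-scoped policy targeting is caught early.
Connect-MgGraph -Scopes "Group.Read.All","Device.Read.All"

$groupName = 'HTMD Hybrid AAD Device Group'
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

# Membership of a dynamic group is evaluated asynchronously; a group created or
# edited minutes ago can still lag behind the directory.
$memberIds = @((Get-MgGroupMember -GroupId $group.Id -All).Id)

# Client-side filter on trustType so the script does not depend on server-side
# $filter support for that property. Graph reports hybrid joined devices as
# 'ServerAd' (the portal rule uses the same value as 'ServerAD').
$hybrid = @(Get-MgDevice -All | Where-Object { $_.TrustType -eq 'ServerAd' })

# Devices that should be members but are not, and members that should not be
$missing = @($hybrid | Where-Object { $memberIds -notcontains $_.Id })
$extra   = @($memberIds | Where-Object { $hybrid.Id -notcontains $_ })

"Hybrid joined devices in directory : $($hybrid.Count)"
"Members of the dynamic group       : $($memberIds.Count)"
"Hybrid joined but not yet members  : $($missing.Count)"
"Members that are not hybrid joined : $($extra.Count)"

# List the outliers so they can be checked in the portal
$missing | Select-Object DisplayName, Id, TrustType
foreach ($id in $extra) { Get-MgDevice -DeviceId $id | Select-Object DisplayName, Id, TrustType }
```

A non-zero "Members that are not hybrid joined" count after the processing delay has passed means the stored rule differs from the one intended (for example, it was edited to include another trust type), while a non-zero "not yet members" count that persists usually points to devices whose hybrid join has not completed registration.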

You need to click the Save and the Create buttons to complete the Hybrid Azure AD dynamic device group creation process.

Create AAD Dynamic Groups based on Domain Join Type Hybrid Azure AD and Azure AD 9
Ref: Create AAD Dynamic Groups Based On Domain Join Type Hybrid Azure AD And Azure AD HTMD Blog (anoopcnair.com)