How to Create a Dynamic Group to Include All Intune MDM Devices

You can create attribute-based rules to enable dynamic membership for a group in Azure Active Directory (Azure AD), part of Microsoft Entra. Dynamic group membership adds and removes group members automatically using membership rules based on member attributes. This article details the properties and syntax to create dynamic membership rules for users or devices. You can set up a rule for dynamic membership on security groups or Microsoft 365 groups.

When the attributes of a user or a device change, the system evaluates all dynamic group rules in a directory to see if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they’re added as a member of that group. If they no longer satisfy the rule, they’re removed. You can’t manually add or remove a member of a dynamic group.

  • You can create a dynamic group for devices or for users, but you can’t create a rule that contains both users and devices.
  • You can’t create a device group based on the user attributes of the device owner. Device membership rules can reference only device attributes.
Device attribute        Values                                    Example
accountEnabled          true, false                               device.accountEnabled -eq true
deviceCategory          a valid device category name              device.deviceCategory -eq "BYOD"
deviceId                a valid Azure AD device ID                device.deviceId -eq "d4fe7726-5966-431c-b3b8-cddc8fdb717d"
deviceManagementAppId   a valid MDM application ID in Azure AD    device.deviceManagementAppId -eq "0000000a-0000-0000-c000-000000000000" (Microsoft Intune managed)
                                                                  device.deviceManagementAppId -eq "54b943f8-d761-4f8d-951e-9cea1846db5a" (System Center Configuration Manager co-managed)

To create a dynamic membership group that includes all Intune MDM devices, use the following rule. The rule is the expression exactly as shown; use straight double quotes around the application ID, since the rule parser does not accept curly quotes.

device.deviceManagementAppId -eq "0000000a-0000-0000-c000-000000000000"

This matches only devices whose MDM authority is Microsoft Intune. Per the table above, Configuration Manager co-managed devices carry a different deviceManagementAppId ("54b943f8-d761-4f8d-951e-9cea1846db5a"), so they are not members of this group unless you extend the rule with an -or clause for that ID as well.
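The same group can be created from PowerShell with the Microsoft Graph PowerShell SDK, which is useful when you want the group definition in source control or scripted tenant builds. The script below is an added example and is not part of the original article or of Microsoft's documentation; the display name, mail nickname and the choice to also build a combined Intune-or-co-managed rule are assumptions you should adjust to your own naming convention. It needs the Microsoft.Graph.Groups module and an account (or app) holding the Group.ReadWrite.All permission.

```powershell
# Added example (not from the original article): create the "All Intune MDM Devices"
# dynamic device group with the Microsoft Graph PowerShell SDK.
# Requires: Install-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Membership rule from the article. Single quotes around the whole string keep the
# inner double quotes intact; the rule parser requires straight double quotes.
$intuneRule = 'device.deviceManagementAppId -eq "0000000a-0000-0000-c000-000000000000"'

# Optional variant (assumed, not in the article's final rule): include Configuration
# Manager co-managed devices as well, using the second ID from the attribute table.
$allMdmRule = $intuneRule + ' -or device.deviceManagementAppId -eq "54b943f8-d761-4f8d-951e-9cea1846db5a"'

$groupParams = @{
    DisplayName                   = "All Intune MDM Devices"   # assumed name
    MailNickname                  = "AllIntuneMdmDevices"      # assumed nickname
    Description                   = "Dynamic group: devices whose MDM authority is Microsoft Intune"
    MailEnabled                   = $false
    SecurityEnabled               = $true
    GroupTypes                    = @("DynamicMembership")
    MembershipRule                = $intuneRule                # swap in $allMdmRule to include co-managed devices
    MembershipRuleProcessingState = "On"                       # "Paused" creates the group but never evaluates the rule
}
$group = New-MgGroup @groupParams

# Read the group back and confirm the rule was stored verbatim and processing is on.
$created = Get-MgGroup -GroupId $group.Id -Property Id,DisplayName,MembershipRule,MembershipRuleProcessingState
if ($created.MembershipRule -ne $intuneRule -or $created.MembershipRuleProcessingState -ne "On") {
    throw "Dynamic group $($created.Id) was created but the rule or processing state is not what was requested."
}
$created | Select-Object Id, DisplayName, MembershipRule, MembershipRuleProcessingState

# Membership is populated asynchronously by the directory, so an immediate member
# count is normally zero. Re-run this check after evaluation has had time to complete.
(Get-MgGroupMember -GroupId $group.Id -All | Measure-Object).Count
```

Because members of a dynamic group cannot be added or removed by hand, the only lever you have after creation is the rule itself: change it with Update-MgGroup -GroupId $group.Id -MembershipRule '<new rule>' and the directory re-evaluates membership for you.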

Ref: Rules for dynamically populated groups membership – Azure AD – Microsoft Entra | Microsoft Learn