Let’s learn to create a Windows 11 Azure AD device group. You will have to get ready for Windows 11 PCs sooner rather than later. One of the things you can start with is creating Azure AD dynamic device groups for Windows 11 PCs.
You can create Azure AD dynamic device groups based on the available device properties. However, you can’t create dynamic device groups based on the applications installed on a device (unlike SCCM collections). This is expected because Azure AD is not a device management solution like Intune or SCCM.
Intune assignment filters are another useful method to filter devices based on their properties. I think Intune filter rules will be as powerful as SCCM collection queries in the future. I’ve shared details on using filter rules to include or exclude Windows 11 devices from an app or policy deployment.
Useful Device Properties in Azure AD
There are a bunch of device properties supported in Azure AD. However, I don’t think all the Azure AD device properties are exposed to the public. Let’s first check which Azure AD device properties are useful from a device management perspective.
| AAD Device Property | Useful for device management? |
|---|---|
| Account Enabled | Never used it |
| Object ID | Never used it |
| Display Name | Useful |
| Is Rooted | Not for Windows |
| Device OS Type | Useful |
| Device OS Version | Useful |
| Device Category | Never used it |
| Device Manufacturer | Useful |
| Device Model | Useful |
| Device Ownership | Useful |
| Enrollment Profile Name | Useful |
| Management Type | Never used it |
| OU Details | Never used it |
| Device ID | Never used it |
| Device Physical IDs | Never used it |
| System Label | Useful |
Create Windows 11 Azure AD Device Group – AAD Dynamic Device Group
Create Azure AD Dynamic Device Group for Windows 11
Let’s now build an Azure AD dynamic device group for Windows 11 PCs. I think the most reliable option is to go with the OS version property. However, if you plan to onboard HoloLens and other kinds of Windows 11 devices into Azure AD/MEM management, you should use additional properties as well.
- Open portal.azure.com
- Navigate to Azure AD (Azure Active Directory) -> Groups -> All Groups.
- Click on “+ New Group“.
- Select Security as the Group Type from the drop-down.
- Enter Group Name “Windows 11 Devices” (any name is fine).
- Enter Group Description “Group for Windows 11 Devices” (any description is fine).
- Select Dynamic Device as Membership type.
- Click on Add Dynamic Query under Dynamic Device Members.
Hover over the Property column to get the option to select the property the Azure AD dynamic device group is based on, in this case the Windows 11 OS version. Alternatively, you can copy and paste the following query to create the Azure AD dynamic device group for Windows 11 devices. The value 10.0.2 works because Windows 11 build numbers start at 10.0.22000, whereas Windows 10 build numbers are all 10.0.1xxxx.
- Property – osVersion
- Operator – StartsWith
- Value – 10.0.2
(device.deviceOSVersion -startsWith "10.0.2")
NOTE! – I don’t know whether there will be other types of Windows 11 devices in your production tenants. For example, Surface Studio, devices in meeting rooms, HoloLens? You will have to be careful about whether these devices should be part of the Azure AD Windows 11 device group or not.
Validate the Logic of Azure AD Dynamic Query
Always validate dynamic queries before putting them into production. There is a Validate Rules tab within the dynamic query membership rules. You can use the validate option to confirm whether the AAD dynamic query logic works as you expect.
- Click on Validate Rules
- Add Devices – select at least two or three devices: some that you think should be part of this group and some that should not.
- Check the validation results blade to confirm whether your Azure AD dynamic device group query logic is correct.
The option to validate the dynamic query is beneficial. Once validation is completed, click the SAVE and CREATE buttons to finish creating the Windows 11 Azure AD dynamic device group.
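The Validate Rules tab only tells you the outcome for the few devices you pick, and the portal gives no explanation of why the `-startsWith "10.0.2"` rule above catches more than Windows 11 client PCs. The following added example (it is not code from the original post or from Microsoft) dry-runs a membership rule locally: it implements a small subset of the dynamic membership rule grammar (`-eq`, `-ne`, `-startsWith`, `-contains`, `-and`, `-or`, `-not`, parentheses) over a constructed device inventory, and a `validate_rule` function that mirrors the Validate Rules step by comparing the rule’s result against the devices you expect in and out of the group. The inventory is invented: the one fact it relies on is that Windows Server 2022 reports build 10.0.20348, which also starts with `10.0.2`, so a hybrid-joined server would land in the group; the HoloLens version string, model name and the tightened rule are assumptions for illustration. String comparisons are done case-insensitively here, which is an assumption to confirm with Validate Rules in your own tenant.

```python
"""Local dry-run of Azure AD dynamic membership rules (constructed example)."""
import re
from dataclasses import dataclass


@dataclass
class Device:
    # Attribute names match the rule property names (device.<name>) on purpose.
    displayName: str
    deviceOSType: str
    deviceOSVersion: str
    deviceManufacturer: str
    deviceModel: str


# Constructed inventory, not real tenant data.
SAMPLE_DEVICES = [
    Device("LAPTOP-01", "Windows", "10.0.19045.3086", "Dell Inc.", "Latitude 5420"),   # Windows 10 22H2
    Device("LAPTOP-02", "Windows", "10.0.22621.1992", "Lenovo", "ThinkPad X1"),        # Windows 11 22H2
    Device("SRV-HYBRID-01", "Windows", "10.0.20348.1787", "Microsoft", "Virtual Machine"),  # Windows Server 2022
    Device("HOLOLENS-01", "Windows", "10.0.22621.1258", "Microsoft", "HoloLens 2"),   # assumed values
]

RULE_FROM_POST = '(device.deviceOSVersion -startsWith "10.0.2")'
# Tightened variant (assumption): same version test, but drops the server build and HoloLens.
RULE_TIGHTENED = ('(device.deviceOSVersion -startsWith "10.0.2") -and '
                  '-not (device.deviceOSVersion -startsWith "10.0.20348") -and '
                  '(device.deviceModel -ne "HoloLens 2")')

TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|-\w+|device\.\w+')


def tokenize(rule: str) -> list:
    tokens = TOKEN_RE.findall(rule)
    # Anything the tokenizer skipped (other than whitespace) is a syntax error.
    if re.sub(r"\s", "", "".join(tokens)) != re.sub(r"\s", "", rule):
        raise ValueError(f"unrecognised text in rule: {rule!r}")
    return tokens


class Parser:
    """Recursive descent with precedence -not > -and > -or (like the portal rule builder)."""

    def __init__(self, tokens):
        self.t, self.i = tokens, 0

    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else None

    def take(self):
        if self.i >= len(self.t):
            raise ValueError("unexpected end of rule")
        tok = self.t[self.i]
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return node

    def or_expr(self):
        left = self.and_expr()
        while self.peek() and self.peek().lower() == "-or":
            self.take()
            left = ("or", left, self.and_expr())
        return left

    def and_expr(self):
        left = self.unary()
        while self.peek() and self.peek().lower() == "-and":
            self.take()
            left = ("and", left, self.unary())
        return left

    def unary(self):
        if self.peek() and self.peek().lower() == "-not":
            self.take()
            return ("not", self.unary())
        if self.peek() == "(":
            self.take()
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        prop, op, val = self.take(), self.take().lower(), self.take()
        if not prop.startswith("device.") or not val.startswith('"'):
            raise ValueError(f"bad comparison: {prop} {op} {val}")
        return ("cmp", prop[len("device."):], op, val.strip('"'))


def evaluate(node, device: Device) -> bool:
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], device) or evaluate(node[2], device)
    if kind == "and":
        return evaluate(node[1], device) and evaluate(node[2], device)
    if kind == "not":
        return not evaluate(node[1], device)
    _, prop, op, val = node
    if not hasattr(device, prop):  # catches typos such as device.osVersion
        raise ValueError(f"unknown device property {prop!r}")
    a, v = str(getattr(device, prop)).lower(), val.lower()  # assumed case-insensitive
    if op == "-eq":
        return a == v
    if op == "-ne":
        return a != v
    if op == "-startswith":
        return a.startswith(v)
    if op == "-contains":
        return v in a
    raise ValueError(f"unsupported operator {op}")


def members(rule: str, devices) -> list:
    """Display names of the devices the rule would place in the group."""
    tree = Parser(tokenize(rule)).parse()
    return [d.displayName for d in devices if evaluate(tree, d)]


def validate_rule(rule: str, devices, expected_members, expected_non_members) -> dict:
    """Mirror of the Validate Rules tab: devices whose outcome disagrees with expectations."""
    got = set(members(rule, devices))
    return {
        "unexpected_members": sorted(got & set(expected_non_members)),
        "missing_members": sorted(set(expected_members) - got),
    }


if __name__ == "__main__":
    print("post's rule:", members(RULE_FROM_POST, SAMPLE_DEVICES))
    print("tightened:  ", members(RULE_TIGHTENED, SAMPLE_DEVICES))
    print(validate_rule(RULE_FROM_POST, SAMPLE_DEVICES, ["LAPTOP-02"], ["LAPTOP-01", "SRV-HYBRID-01"]))
```

Running it shows the post’s rule admitting LAPTOP-02, SRV-HYBRID-01 and HOLOLENS-01, and `validate_rule` reporting the server as an unexpected member, which is exactly the kind of surprise the Validate Rules tab is there to catch; the tightened rule keeps only LAPTOP-02. Because a mistyped property name raises an error instead of silently matching nothing, the evaluator also catches the common mix-up between the portal label `osVersion` and the rule property `deviceOSVersion`.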
Results
You can check the results from the Members tab of the Windows 11 AAD dynamic group. Normally, Azure AD dynamic device groups get updated within 5 minutes or so. However, Microsoft doesn’t offer any SLA of less than 24 hours for the AAD dynamic group auto-update process.