How to Use Dynamic Azure AD Groups and Filters to Improve Targeting

by Priscilla Leon | Feb 13, 2023 | Tech Blog

Creating Dynamic Groups in Azure AD is a helpful way to automatically add and remove members to a group. However, when using those groups for assignments, there can be performance and latency issues depending on the size of your environment. Also, let’s say we wanted to include a user group but exclude a device group from an app or policy assignment. This type of scenario is not supported. There are partially supported scenarios like including a dynamic device group and excluding another dynamic device group for an assignment but even that could cause latency issues. (more information can be found here: Assign device profiles in Microsoft Intune | Microsoft Learn). Filters can help with these types of scenarios. In Intune you can create filters to target a specific set of devices from your Azure AD Groups. Filters are high performance and low latency. Combine them with groups and you can do great things. In this article we will learn how to create a simple Dynamic User Group and Filter. We will then pull it all together by using our group and filter for an app assignment. Lastly, we will look at the results of the filter evaluation once it has completed.

What is a Dynamic Group?

Dynamic Groups allow us to create groups that evaluate whether members need to be added or removed based on rules we define. You can create Dynamic User Groups or Dynamic Device Groups. The rules you create are based on Azure AD attributes. For example, I can create a dynamic user group for my Engineering team. This way, when we get new Engineering team members, instead of me having to manually add them to an assigned group, the dynamic group will add the new Engineering team members when it processes.

There are limitations to dynamic groups though. Since it is relying on Azure AD attributes, the processing time for your dynamic groups can take a while. Depending on the size of your environment, it can take up to 24 hours to process when creating a rule for the first time or when changes are made (more information can be found here: Fix problems with dynamic group memberships – Azure AD – Microsoft Entra | Microsoft Learn).

What are Filters?

You can create filters in Intune to add more specific targeting for your Intune enrolled devices. You can also use filters for app and policy assignments. Unlike dynamic groups, filters do not rely on Azure AD attributes. Instead, they are based on Intune device object properties. This means that filters evaluate faster than dynamic groups. The filter evaluation happens from the moment a device enrolls and then at every MDM check-in. You can also reuse your filters for different assignments and use them in the Include or Exclude mode. Keep in mind that filters will only evaluate for devices that are enrolled in Intune. (More information can be found here: Create filters in Microsoft Intune | Microsoft Learn).

How to create a Dynamic User Group

For this post we will create a Dynamic User Group to add users that are in the Engineering department. Note that you will need to have a Global administrator, Intune administrator, or User administrator role in the Azure AD organization to create a group.

First, navigate to the Azure AD portal > Select Groups > All Groups > New Group.

In the New Group window, we have several options available. In our example, we will be creating a Security Group and our Membership type will be Dynamic User. Next, we will select Add dynamic query to create our dynamic membership rule.

Now it is time to create our rule. We can create rules with the rule builder or the rule syntax text box (More information can be found here: Rules for dynamically populated groups membership – Azure AD – Microsoft Entra | Microsoft Learn).

For our scenario, we will use the rule builder. Since I want to target the Engineering department, I will select department for the Property. We will set our Operator to Equals and our Value will be Engineering. After creating our rule with the rule builder, we can see the rule syntax was automatically created for our membership rule.

We can use the Validate Rules (Preview) to verify that this is working as intended. Start by selecting Add users.

Here you can select users to validate against your rule. In my case, I only have two users in my environment so we can pick our two users > Select.

We can now see that Helen Harris is not in the group, but Wade Watts is.

Selecting View details will show me that Helen Harris is in the Leadership department. Therefore, she doesn’t meet the membership rules.

Wade Watts is in this group because he is in the Engineering department.

After validating the rule, click Save. Then select Create in the New Group window.

After creating the Dynamic User Group, we can see that the Dynamic rule processing status shows Not started yet.

It took less than 15 minutes for the dynamic group membership to process. Now I can see the Dynamic rule processing status shows Succeeded and I have one user as a member (Wade Watts).

How to create a Filter in Intune

Next, we will create our filter. I want to create a filter to catch all the corporate devices enrolled in Intune. Note, you need to be signed in as an Intune Administrator to create filters.

Filters can be created in the Endpoint Manager Admin center. We’ll be creating our filter by selecting Apps > Filters > Create.

In the Create filter window > Basics, our Filter name will be Corporate Devices. We will include a brief description of the filter and our Platform will be for Windows 10 and later.

Next, we will create our filter rule. Like the dynamic membership group rules, we can use the rule builder or the rule syntax text box. The rule builder will fit our needs for this scenario. Since I want to filter for our corporate devices, I can take a look at the device properties for one of my Intune enrolled devices. Here I can see that deviceOwnership is the property that carries the Corporate value, so that is what the filter will match on.

We’ll set the Property to deviceOwnership, our Operator to Equals, and our Value to Corporate.

To see which devices this will apply to, we can select Preview devices. In the Preview devices window, I can see that this filter will apply to the WW-Corporate device.

Select Next > Create.

Putting it all together

Now we have a Dynamic User Group and a Filter. We’ll use those for an application assignment. For this scenario, I want my 7-Zip Win32 app to go out to only the corporate devices in my Engineering dept group. In the 7-Zip app properties, scroll down and select Edit in the Assignments section.

We’re going to add a Required assignment for this app. In the Required section, select Add Group > We’ll search and select our Engineering Dept Dynamic User Group > Select.

Next, in the Filter Mode option click on None > in the Filters window, select Include filtered devices in assignment > search and select the Corporate Devices filter we created > Select.

For our test, we want this to go out As soon as possible so we’ll leave the remaining options to the defaults. Select Review + Save > Save.

We now have our Required Assignment added for 7-Zip.
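The same three steps (dynamic user group, corporate devices filter, required assignment with the filter in Include mode) can be scripted against Microsoft Graph instead of clicked through the portal. This is an added example, not code from the original post; it assumes the Microsoft.Graph and Microsoft.Graph.Beta.DeviceManagement PowerShell modules are installed, and $AppId is a placeholder for the 7-Zip Win32 app's Intune app ID.

```powershell
# Added example: build the group, filter and assignment from this post via Graph.
# $AppId is a placeholder; copy the real app ID from the 7-Zip app's Overview blade.
$AppId = '<7-zip-win32-app-id>'

Connect-MgGraph -Scopes 'Group.ReadWrite.All',
                        'DeviceManagementConfiguration.ReadWrite.All',
                        'DeviceManagementApps.ReadWrite.All'

# 1. Dynamic user group. The membership rule is the same syntax the portal's
#    rule builder generated for Property=department, Operator=Equals, Value=Engineering.
$group = New-MgGroup -DisplayName 'Engineering Dept' `
    -MailEnabled:$false -MailNickname 'engineeringdept' -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule '(user.department -eq "Engineering")' `
    -MembershipRuleProcessingState 'On'

# 2. Intune filter for Windows 10 and later, deviceOwnership equals Corporate.
$filter = New-MgBetaDeviceManagementAssignmentFilter -DisplayName 'Corporate Devices' `
    -Description 'Corporate-owned Windows devices enrolled in Intune' `
    -Platform 'windows10AndLater' `
    -Rule '(device.deviceOwnership -eq "Corporate")'

# 3. Required assignment: include the user group, include only devices
#    that match the filter (filterType 'include' == "Include filtered devices").
$body = @{
    mobileAppAssignments = @(
        @{
            '@odata.type' = '#microsoft.graph.mobileAppAssignment'
            intent        = 'required'
            target        = @{
                '@odata.type'                              = '#microsoft.graph.groupAssignmentTarget'
                groupId                                    = $group.Id
                deviceAndAppManagementAssignmentFilterId   = $filter.Id
                deviceAndAppManagementAssignmentFilterType = 'include'
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$AppId/assign" `
    -Body ($body | ConvertTo-Json -Depth 6) -ContentType 'application/json'

# Check: once dynamic processing has run, only Engineering users should be members.
Get-MgGroupMember -GroupId $group.Id |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```

The member check at the end will return nothing until the dynamic rule has processed, which as noted above can take up to 24 hours in larger tenants.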

After the assignment has been applied and the evaluation has completed (this took less than an hour for my very small environment), we can see in the Device Install status blade that the WW-Corporate device has a status of Installed. The WW-Personal device has a status of Not applicable.

If we click on the Filters evaluated link for the WW-Corporate device, we can see that the app was offered to this device because it did match the included filter for Corporate devices.

If we click on the Filters evaluated link for the WW-Personal device, we can see that the app was not offered because it didn’t match the include filter for Corporate devices. In the Properties used for evaluation, we can see that the device ownership for this device is Personal.

We can also view the filter results in the User install status blade. Here we can see that Wade Watts has two devices. The application was installed on the corporate device but not on the personal device, based on the user group and filter combination we used for the assignment.

Lastly, you can see the filter evaluation by going to Devices > All Devices. Here we are looking at the WW-Corporate device. In the Filter evaluation blade, we can see that this device had Google Chrome and 7-Zip pushed out with a filter in the assignment. As in the previous filter evaluation, it shows us whether the app matched or did not match the filter we used.

Summary

In this post we covered Dynamic Azure AD Groups and Filters. We created a simple Dynamic User Group for our Engineering department and a Filter to target corporate devices enrolled in Intune. Then, we combined our dynamic user group and corporate devices filter to deploy the 7-Zip app to only the corporate devices used by the Engineering team user group. Lastly, we looked at the filter evaluations for our devices and users. We only scratched the surface of filter and group combinations, but hopefully this is a good start to help you improve targeting for app and policy assignments in Intune.

Priscilla Leon

Priscilla Leon is a Customer Success Engineer at Patch My PC. She has a Master's degree in Cyber Security and a Bachelor's degree in Information Management. She is fairly new to the IT field but she is always looking to learn and grow in the field. She is also passionate about helping others and empowering people to be successful.