Creating Dynamic Groups in Azure AD is a helpful way to automatically add members to and remove members from a group. However, when those groups are used for assignments, there can be performance and latency issues depending on the size of your environment. Also, let’s say we wanted to include a user group but exclude a device group from an app or policy assignment. This type of scenario is not supported. There are partially supported scenarios, like including one dynamic device group and excluding another dynamic device group for an assignment, but even that can cause latency issues (more information can be found here: Assign device profiles in Microsoft Intune | Microsoft Learn). Filters can help with these types of scenarios. In Intune you can create filters to target a specific set of devices from your Azure AD Groups. Filters are high performance and low latency. Combine them with groups and you can do great things. In this article we will learn how to create a simple Dynamic User Group and Filter. We will then pull it all together by using our group and filter for an app assignment. Lastly, we will look at the results of the filter evaluation once it has completed.
What is a Dynamic Group?
Dynamic Groups allow us to create groups that evaluate whether members need to be added or removed based on rules we create. You can create Dynamic User Groups or Dynamic Device Groups. The rules you create are based on Azure AD attributes. For example, I can create a dynamic user group for my Engineering Team. This way, when we get new Engineering team members, instead of me having to manually add them to an assigned group, the dynamic group will add the new Engineering team members to that group when it processes.
There are limitations to dynamic groups though. Since they rely on Azure AD attributes, dynamic groups can take a while to process. Depending on the size of your environment, it can take up to 24 hours to process when creating a rule for the first time or when changes are made (more information can be found here: Fix problems with dynamic group memberships – Azure AD – Microsoft Entra | Microsoft Learn).
What are Filters?
You can create filters in Intune to add more specific targeting for your Intune enrolled devices. You can also use filters for app and policy assignments. Unlike dynamic groups, filters do not rely on Azure AD attributes. Instead, they are based on Intune device object properties. This means that filters evaluate faster than dynamic groups. The filter evaluation happens from the moment a device enrolls and then at every MDM check-in. You can also reuse your filters for different assignments and use them in the Include or Exclude mode. Keep in mind that filters will only evaluate for devices that are enrolled in Intune. (More information can be found here: Create filters in Microsoft Intune | Microsoft Learn).
How to create a Dynamic User Group
For this post we will create a Dynamic User Group to add users that are in the Engineering department. Note that you will need to have a Global administrator, Intune administrator, or User administrator role in the Azure AD organization to create a group.
First, navigate to the Azure AD portal > Groups > All groups > New Group.
In the New Group window, we have several options available. In our example, we will be creating a Security Group and our Membership type will be Dynamic User. Next, we will select Add dynamic query to create our dynamic membership rule.
Now it is time to create our rule. We can create rules with the rule builder or the rule syntax text box (More information can be found here: Rules for dynamically populated groups membership – Azure AD – Microsoft Entra | Microsoft Learn).
For our scenario, we will use the rule builder. Since I want to target the Engineering department, I will select department for the Property. We will set our Operator to Equals and our Value will be Engineering. After creating our rule with the rule builder, we can see the rule syntax was automatically created for our membership rule.
We can use Validate Rules (Preview) to verify that this is working as intended. Start by selecting Add users.
Here you can select users to validate against your rule. In my case, I only have two users in my environment so we can pick our two users > Select.
We can now see that Helen Harris is not in the group, but Wade Watts is.
Selecting View details will show me that Helen Harris is in the Leadership department. Therefore, she doesn’t meet the membership rules.
Wade Watts is in this group because he is in the Engineering department.
After validating the rule, click Save. Then select Create in the New Group window.
After creating the Dynamic User Group, we can see that the Dynamic rule processing status shows Not started yet.
It took less than 15 minutes for the dynamic group membership to process. Now I can see the Dynamic rule processing status shows Succeeded and I have 1 user as a member (Wade Watts).
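The same group creation and rule validation as an added example using the Microsoft Graph PowerShell SDK (this is not code from the original post). The group name and rule follow the post; the mail nickname and the user principal name are constructed placeholders, and the rule-evaluation and processing-status calls use Graph beta endpoints.

```powershell
# Added example, not code from the original post: create the Engineering
# dynamic user group and validate its rule with the Microsoft Graph
# PowerShell SDK. Mail nickname and UPN below are constructed placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Rule syntax the portal's rule builder generates for
# Property = department, Operator = Equals, Value = Engineering.
$rule = '(user.department -eq "Engineering")'

$group = New-MgGroup -DisplayName "Engineering Dept" `
    -Description "Dynamic user group for the Engineering department" `
    -MailEnabled:$false -MailNickname "engineeringdept" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Same check as Validate Rules (Preview): evaluate the rule against one
# user without waiting for membership processing (beta endpoint).
$user = Get-MgUser -UserId "wade.watts@contoso.example" -Property Id,DisplayName,Department
$eval = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/groups/evaluateDynamicMembership" `
    -Body @{ memberId = $user.Id; membershipRule = $rule }
"{0} (department = {1}): matches rule = {2}" -f $user.DisplayName, $user.Department, $eval.membershipRuleEvaluationResult

# Membership is processed asynchronously; read the processing status instead
# of assuming members are present right after creation. Expect NotStarted,
# Running or Succeeded here, matching what the portal shows.
$status = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/groups/$($group.Id)?`$select=membershipRuleProcessingStatus"
$status.membershipRuleProcessingStatus
```

Evaluating the rule per user is the quick sanity check; the membership count in the group only becomes meaningful once the processing status reports Succeeded.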
How to create a Filter in Intune
Next, we will create our filter. I want to create a filter to catch all the corporate devices enrolled in Intune. Note, you need to be signed in as an Intune Administrator to create filters.
Filters can be created in the Endpoint Manager Admin center. We’ll be creating our filter by selecting Apps > Filters > Create.
In the Create filter window > Basics, our Filter name will be Corporate Devices. We will include a brief description of the filter and our Platform will be for Windows 10 and later.
Next, we will create our filter rule. Like the dynamic membership group rules, we can use the rule builder or the rule syntax text box. The rule builder will fit our needs for our scenario. Since I want to filter our corporate devices, I can take a look at the device properties for one of my Intune enrolled devices. Here I can see that the deviceOwnership property is the one that carries the Corporate value, so that is the property to filter on.
We’ll set the Property to deviceOwnership, our Operator to Equals, and our Value to Corporate.
To see what devices this will apply to, we can select Preview devices. In the Preview devices window, I can see that this filter will apply to the WW-Corporate device.
Select Next > Create.
Putting it all together
Now we have a Dynamic User Group and a Filter. We’ll use those for an application assignment. For this scenario, I want my 7-Zip Win32 app to go out to only the corporate devices in my Engineering dept group. In the 7-Zip app properties, scroll down and select Edit in the Assignments section.
We’re going to add a Required assignment for this app. In the Required section, select Add Group > We’ll search and select our Engineering Dept Dynamic User Group > Select.
Next, in the Filter Mode option click on None > in the Filters window, select Include filtered devices in assignment > search and select the Corporate Devices filter we created > Select.
For our test, we want this to go out As soon as possible so we’ll leave the remaining options to the defaults. Select Review + Save > Save.
We now have our Required Assignment added for 7-Zip.
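The filter creation from the previous section and the required assignment with the filter in Include mode, as one added example using the Microsoft Graph PowerShell SDK (not code from the original post). It assumes the Engineering Dept group and the 7-Zip app already exist in the tenant and are found by display name; the filter and assignment calls use Graph beta endpoints, and the Win32 assignment settings are left at their defaults.

```powershell
# Added example, not code from the original post: create the Corporate
# Devices filter, then assign the 7-Zip app as Required to the Engineering
# group with that filter in Include mode. Assumes the group and app exist.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementApps.ReadWrite.All", "Group.Read.All"
$beta = "https://graph.microsoft.com/beta"

# Filter rule syntax for Property = deviceOwnership, Equals, Corporate.
# Filters evaluate Intune device properties, not Azure AD attributes, so
# only Intune-enrolled devices are ever evaluated against it.
$filter = Invoke-MgGraphRequest -Method POST -Uri "$beta/deviceManagement/assignmentFilters" -Body @{
    displayName = "Corporate Devices"
    description = "Intune-enrolled Windows devices with corporate ownership"
    platform    = "windows10AndLater"
    rule        = '(device.deviceOwnership -eq "Corporate")'
}

$group = Get-MgGroup -Filter "displayName eq 'Engineering Dept'" | Select-Object -First 1
$app   = Get-MgDeviceAppManagementMobileApp -Filter "displayName eq '7-Zip'" | Select-Object -First 1

# Required assignment: target the user group and include only the devices
# that match the filter. A user's device that fails the filter reports
# "Not applicable" instead of installing.
Invoke-MgGraphRequest -Method POST -Uri "$beta/deviceAppManagement/mobileApps/$($app.Id)/assign" -Body @{
    mobileAppAssignments = @(
        @{
            "@odata.type" = "#microsoft.graph.mobileAppAssignment"
            intent        = "required"
            target        = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $group.Id
                deviceAndAppManagementAssignmentFilterId   = $filter.id
                deviceAndAppManagementAssignmentFilterType = "include"
            }
        }
    )
}

# Read the assignment back to confirm the group, the filter and its mode.
(Invoke-MgGraphRequest -Method GET -Uri "$beta/deviceAppManagement/mobileApps/$($app.Id)/assignments").value |
    ForEach-Object {
        "{0}: group {1}, filter {2} ({3})" -f $_.intent, $_.target.groupId,
            $_.target.deviceAndAppManagementAssignmentFilterId, $_.target.deviceAndAppManagementAssignmentFilterType
    }
```

The read-back at the end is the check worth keeping: an assignment whose filter type comes back as none means the filter was not attached and the app will reach every device of every group member.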
After the assignment has been applied and the evaluation has completed (this took less than an hour for my very small environment), we can see in the Device Install status blade that the WW-Corporate device has a status of Installed. The WW-Personal device has a status of Not applicable.
If we click on the Filters evaluated link for the WW-Corporate device, we can see that the app was offered to this device because it matched the include filter for Corporate devices.
If we click on the Filters evaluated link for the WW-Personal device, we can see that the app was not offered because it didn’t match the include filter for Corporate devices. In the Properties used for evaluation, we can see that the device ownership for this device is Personal.
We can also view the filter results in the User install status blade. Here we can see that Wade Watts has two devices. The application was installed on the corporate device but not on the personal device, based on the user group and filter combination we used for the assignment.
Lastly, you can see the filter evaluation by going to Devices > All Devices. Here we are looking at the WW-Corporate device. In the Filter evaluation blade, we can see that this device had Google Chrome and 7-Zip pushed out with a filter in the assignment. Like we saw in the previous filter evaluation, it will show us if the app matched or did not match the filter we used.
Summary
In this post we covered Dynamic Azure AD Groups and Filters. We created a simple Dynamic User Group for our Engineering Department and a Filter to target Corporate devices enrolled in Intune. Then, we combined our dynamic user group and corporate devices filter to deploy the 7-Zip app to only the corporate devices of the users in the Engineering team group. Lastly, we looked at the filter evaluations for our devices and users. We only scratched the surface on filters and group combinations, but hopefully this will be a good start to help you improve targeting for app and policy assignments in Intune.
Resources
- Create filters in Microsoft Intune | Microsoft Learn
- Rules for dynamically populated groups membership – Azure AD – Microsoft Entra | Microsoft Learn
- Fix problems with dynamic group memberships – Azure AD – Microsoft Entra | Microsoft Learn
- Intune grouping, targeting, and filtering: recommendations for best performance – Microsoft Community Hub
- Assign device profiles in Microsoft Intune | Microsoft Learn
- Filter reports and troubleshooting in Microsoft Intune | Microsoft Learn
- Assign apps to groups in Microsoft Intune | Microsoft Learn
- Add groups to organize users and devices – Microsoft Intune | Microsoft Learn
- Supported filter device properties and operators in Microsoft Intune | Microsoft Learn
- Create or edit a dynamic group and get status – Azure AD – Microsoft Entra | Microsoft Learn
- Troubleshoot device profiles in Microsoft Intune | Microsoft Learn
- Platforms and policy types supported by filters in Microsoft Intune | Microsoft Learn
- Categorize devices into groups in Intune – Microsoft Intune | Microsoft Learn
- Validate rules for dynamic group membership (preview) – Azure AD – Microsoft Entra | Microsoft Learn
- Use Azure AD groups to manage role assignments – Azure Active Directory – Microsoft Entra | Microsoft Learn
- Azure subscription limits and quotas – Azure Resource Manager | Microsoft Learn
- Group membership for Azure AD dynamic groups with member Of – Azure AD – Microsoft Entra | Microsoft Learn
Priscilla Leon
Priscilla Leon is a Customer Success Engineer at Patch My PC. She has a Master's degree in Cyber Security and a Bachelor's degree in Information Management. She is fairly new to the IT field but she is always looking to learn and grow in the field. She is also passionate about helping others and empowering people to be successful.