
Azure Active Directory Dynamic Groups for AutoPilot and Group Tags

 

Introduction:
In Azure Active Directory (Azure AD) you can create dynamic membership rules that update group membership automatically. To quote Microsoft, "Dynamic group membership reduces the administrative overhead of adding and removing users" (or devices). This blog details the properties and syntax needed to create dynamic membership rules for AutoPilot devices so that deployment and ESP profiles can be assigned to them.


I wanted to create a group of all AutoPilot registered devices that have a specific group tag, 'PAW'. The intention is to assign a specific AutoPilot deployment profile/ESP and a set of configuration only to defined computers, not to all AutoPilot registered devices.
Group tags will be created for different departments so that each receives its own policy, apps and configuration per department, i.e. Finance, HR, IT services etc.

Within my list of AutoPilot devices (see how to populate AutoPilot list) I clicked on a device and gave it the group tag 'PAW'.


Within Graph Explorer this group tag name can be found within the 'physicalIds' property of the device and will form the basis of our dynamic query.

https://graph.microsoft.com/beta/devices/deviceid_1234#######################




Now I need to create an Azure AD group that only includes AutoPilot registered devices with the PAW group tag.

How to create an Azure AD Group?

Within Azure/Endpoint Manager select Groups > New Group.
Enter a group name.
Ensure 'Dynamic Device' is selected in the membership type drop down.
Select 'Add dynamic query' to input the query syntax.





The following query is well documented and populates a group with all AutoPilot registered devices.

(device.devicePhysicalIDs -any _ -contains "[ZTDId]")

By using the 'and' operator we add a second condition that a device must also satisfy to be listed in the group.

As seen within Graph Explorer the OrderID property now holds 'PAW', which can be matched with the following query.

(device.devicePhysicalIDs -any _ -contains "[ZTDId]") and (device.devicePhysicalIds -any _ -eq "[OrderID]:PAW")
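As an added example (not from the original post or from Microsoft), a small offline Python evaluator that mimics the `-any _ -contains` and `-any _ -eq` clauses over `physicalIds` arrays shaped like the Graph output above. It shows why the tag clause uses an exact `-eq` match rather than `-contains`, and why the `[ZTDId]` clause is still needed; the sample devices are constructed and the exact Azure AD parsing and case handling are assumptions.

```python
# Constructed sample records shaped like GET /beta/devices output (not real devices).
DEVICES = [
    {"displayName": "PAW-01",
     "physicalIds": ["[ZTDId]:ztd-0001", "[OrderID]:PAW", "[HWID]:hwid-0001"]},
    {"displayName": "HR-07",
     "physicalIds": ["[ZTDId]:ztd-0002", "[OrderID]:HR"]},
    {"displayName": "PAWS-03",            # similar-looking tag that must NOT match
     "physicalIds": ["[ZTDId]:ztd-0003", "[OrderID]:PAWS"]},
    {"displayName": "MANUAL-09",          # tagged, but never AutoPilot registered
     "physicalIds": ["[OrderID]:PAW", "[USER-GID]:gid-9"]},
]


def any_contains(values, needle):
    """`-any _ -contains "x"`: true if any array entry contains x as a substring.
    Simplified model of the Azure AD operator (case handling is an assumption)."""
    return any(needle in v for v in values)


def any_eq(values, needle):
    """`-any _ -eq "x"`: true only if some array entry equals x exactly."""
    return any(v == needle for v in values)


def is_autopilot(device):
    """(device.devicePhysicalIds -any _ -contains "[ZTDId]")"""
    return any_contains(device["physicalIds"], "[ZTDId]")


def has_group_tag(device, tag):
    """(device.devicePhysicalIds -any _ -eq "[OrderID]:<tag>")"""
    return any_eq(device["physicalIds"], f"[OrderID]:{tag}")


def autopilot_with_tag(devices, tag):
    """Members of the combined rule: AutoPilot registered AND exact group tag.
    The ZTDId clause keeps MANUAL-09 out even though it carries the PAW tag."""
    return sorted(d["displayName"] for d in devices
                  if is_autopilot(d) and has_group_tag(d, tag))


def loose_tag_match(devices, tag):
    """What a `-contains` tag clause would admit instead: over-scopes to PAWS-03,
    which would then receive the PAW profile and configuration."""
    return sorted(d["displayName"] for d in devices
                  if is_autopilot(d) and any_contains(d["physicalIds"], tag))


if __name__ == "__main__":
    print("exact rule:", autopilot_with_tag(DEVICES, "PAW"))   # ['PAW-01']
    print("loose rule:", loose_tag_match(DEVICES, "PAW"))      # ['PAW-01', 'PAWS-03']
```

Run the script to compare the membership the exact rule produces against the over-scoped membership a substring match would give, before assigning a privileged profile to the group.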






