Azure AD dynamic group query examples

Hello Readers! If you want to automate part of your Intune deployment process, you can create Azure AD dynamic groups to help you organize devices. If a device satisfies a group's rule, it is added as a member of that group. If it no longer satisfies the rule, it is removed. In this post I will provide some good examples that can be helpful for your deployment!

If you haven’t created dynamic groups before, check this guide: Create or update a dynamic group in Azure Active Directory. This post focuses on query examples; see them below:

Windows 10 Corporate Devices
(device.deviceOSType -startsWith "Windows") and (device.deviceOSVersion -startsWith "10.0") and (device.deviceOwnership -eq "Company")

(device.deviceOSVersion -startsWith "10.0") and (device.deviceOSType -startsWith "Windows") and (device.managementType -eq "MDM")

iOS BYOD Devices
(device.deviceOwnership -eq "Personal") and (device.deviceOSType -eq "iPhone") or (device.deviceOSType -eq "iPad") and (device.deviceOwnership -eq "Personal")

iOS Corporate Devices
(device.deviceOwnership -eq "Company") and (device.deviceOSType -eq "iPhone") or (device.deviceOSType -eq "iPad") and (device.deviceOwnership -eq "Company")

DEP devices using a profile named ‘DEP devices’
(device.enrollmentProfileName -eq "DEP devices")

Android Personal devices
(device.deviceOSType -contains "AndroidForWork") and (device.deviceOwnership -eq "Personal") and (device.managementType -eq "MDM")

Android Enterprise devices
(device.deviceOSType -contains "AndroidEnterprise")

Android Enterprise corporate-owned dedicated devices using a profile named ‘Dedicated Android’
(device.enrollmentProfileName -match "Dedicated Android")

Corporate-owned Android Enterprise devices
(device.deviceOSType -contains "AndroidEnterprise") and (device.deviceOwnership -eq "Company") and (device.enrollmentProfileName -eq null)

Corporate-owned Google Pixel devices
(device.deviceManufacturer -eq "Google") -and (device.deviceModel -contains "Pixel") -and (device.deviceOwnership -eq "Company")

DEP devices with no user affinity profile named ‘DEP devices NUA’
(device.enrollmentProfileName -eq "DEP devices NUA")

Hololens devices
(device.displayName -contains "HOLOLENS")

Windows Autopilot for HoloLens 2 with ‘HL2’ group tag
(device.devicePhysicalIds -any _ -eq "[OrderID]:HL2")

Windows Autopilot for HoloLens 2 with ‘Autopilot Test’ group tag
device.devicePhysicalIds -any _ -eq "[OrderID]:Autopilot Test"
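
The iOS rules above mix and/or without extra grouping and rely on "and" being evaluated before "or". The sketch below is an added example, not code from the original post or from Microsoft: a simplified local evaluator (the names evaluate, members, DEVICES and NO_REPEAT are hypothetical) that runs the iOS BYOD rule against constructed devices and rejects a rule with unbalanced parentheses.

```python
import re
from collections import deque

# Simplified local model of the rule syntax (an assumption, not Azure AD's own engine):
# -eq / -startsWith / -contains, case-insensitive, with "and" evaluated before "or".
OPS = {
    "-eq": lambda actual, want: actual == want,
    "-startswith": lambda actual, want: actual.startswith(want),
    "-contains": lambda actual, want: want in actual,
}

def evaluate(rule, device):
    tokens = deque(re.findall(r'\(|\)|"[^"]*"|[^\s()"]+', rule))
    peek = lambda: tokens[0].lower() if tokens else None
    def or_expr():                       # lowest precedence
        value = and_expr()
        while peek() in ("or", "-or"):
            tokens.popleft()
            value = and_expr() or value
        return value
    def and_expr():                      # binds tighter than "or"
        value = primary()
        while peek() in ("and", "-and"):
            tokens.popleft()
            value = primary() and value
        return value
    def primary():                       # "( ... )" or "property operator value"
        if peek() == "(":
            tokens.popleft()
            value = or_expr()
            if not tokens or tokens.popleft() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        prop, op, want = (tokens.popleft() for _ in range(3))
        actual = str(device.get(prop.split(".", 1)[-1], ""))
        return OPS[op.lower()](actual.lower(), want.strip('"').lower())
    result = or_expr()
    if tokens:                           # e.g. a ")" with no matching "("
        raise ValueError(f"unbalanced rule near {tokens[0]!r}")
    return result

# Constructed sample devices; IOS_BYOD is the "iOS BYOD Devices" rule from this post.
IOS_BYOD = ('(device.deviceOwnership -eq "Personal") and (device.deviceOSType -eq "iPhone") '
            'or (device.deviceOSType -eq "iPad") and (device.deviceOwnership -eq "Personal")')
NO_REPEAT = IOS_BYOD.rsplit(" and ", 1)[0]  # same rule without the final ownership clause
DEVICES = {f"{own}-{kind}".lower(): {"deviceOSType": kind, "deviceOwnership": own}
           for kind in ("iPhone", "iPad") for own in ("Personal", "Company")}

def members(rule):
    return sorted(name for name, dev in DEVICES.items() if evaluate(rule, dev))
```

With the ownership clause on both sides of the or, only the personal iPhone and iPad match; NO_REPEAT also matches the company-owned iPad.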

Quick Tips

For the deviceOwnership property, set the value to “Company” when creating dynamic groups, even though Intune shows the device ownership as Corporate.

Also, use the ‘Validate Rules’ tool to verify whether one or more devices satisfy the rules.


  • You can’t manually add or remove a member of a dynamic group.
  • You can create a dynamic group for devices or for users, but you can’t create a rule that contains both users and devices.
  • Device membership rules can only reference device attributes.
  • This feature requires an Azure AD Premium P1 license for each unique user that is a member of one or more dynamic groups.

If you have more query examples that may be helpful for Intune deployments, don’t forget to drop them in the comment section! ♥


Dynamic membership rules for groups in Azure Active Directory
Create or update a dynamic group in Azure Active Directory
