You can also create a rule that selects device objects for membership in a group. You can't have both users and devices as group members.
Note
The organizationalUnit attribute is no longer listed and should not be used. This string is set by Intune in specific cases but is not recognized by Microsoft Entra ID, so no devices are added to groups based on this attribute.
The systemlabels attribute is read-only and cannot be set with Intune.
For Windows 10, the correct format of the deviceOSVersion attribute is as follows: (device.deviceOSVersion -startsWith "10.0.1"). The formatting can be validated with the Get-MgDevice PowerShell cmdlet:
Get-MgDevice -Search "displayName:YourMachineNameHere" -ConsistencyLevel eventual | Select-Object -ExpandProperty 'OperatingSystemVersion'
The following device attributes can be used.
| Device attribute | Values | Example |
|---|---|---|
| accountEnabled | true false | device.accountEnabled -eq true |
| deviceCategory | a valid device category name | device.deviceCategory -eq "BYOD" |
| deviceId | a valid Microsoft Entra device ID | device.deviceId -eq "d4fe7726-5966-431c-b3b8-cddc8fdb717d" |
| deviceManagementAppId | a valid MDM application ID in Microsoft Entra ID | device.deviceManagementAppId -eq "0000000a-0000-0000-c000-000000000000" for Microsoft Intune managed or "54b943f8-d761-4f8d-951e-9cea1846db5a" for System Center Configuration Manager Co-managed devices |
| deviceManufacturer | any string value | device.deviceManufacturer -eq "Samsung" |
| deviceModel | any string value | device.deviceModel -eq "iPad Air" |
| displayName | any string value | device.displayName -eq "Rob iPhone" |
| deviceOSType | any string value | (device.deviceOSType -eq "iPad") -or (device.deviceOSType -eq "iOS") device.deviceOSType -startsWith "AndroidEnterprise" device.deviceOSType -eq "AndroidForWork" device.deviceOSType -eq "Windows" |
| deviceOSVersion | any string value | device.deviceOSVersion -eq "9.1" device.deviceOSVersion -startsWith "10.0.1" |
| deviceOwnership | Personal, Company, Unknown | device.deviceOwnership -eq "Company" |
| devicePhysicalIds | any string value used by Autopilot, such as all Autopilot devices, OrderID, or PurchaseOrderID | device.devicePhysicalIDs -any _ -startsWith "[ZTDId]" (device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881" (device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342" |
| deviceTrustType | AzureAD, ServerAD, Workplace | device.deviceTrustType -eq "AzureAD" |
| enrollmentProfileName | Apple Device Enrollment Profile name, Android Enterprise Corporate-owned dedicated device Enrollment Profile name, or Windows Autopilot profile name | device.enrollmentProfileName -eq "DEP iPhones" |
| extensionAttribute1 | any string value | device.extensionAttribute1 -eq "some string value" |
| extensionAttribute2 | any string value | device.extensionAttribute2 -eq "some string value" |
| extensionAttribute3 | any string value | device.extensionAttribute3 -eq "some string value" |
| extensionAttribute4 | any string value | device.extensionAttribute4 -eq "some string value" |
| extensionAttribute5 | any string value | device.extensionAttribute5 -eq "some string value" |
| extensionAttribute6 | any string value | device.extensionAttribute6 -eq "some string value" |
| extensionAttribute7 | any string value | device.extensionAttribute7 -eq "some string value" |
| extensionAttribute8 | any string value | device.extensionAttribute8 -eq "some string value" |
| extensionAttribute9 | any string value | device.extensionAttribute9 -eq "some string value" |
| extensionAttribute10 | any string value | device.extensionAttribute10 -eq "some string value" |
| extensionAttribute11 | any string value | device.extensionAttribute11 -eq "some string value" |
| extensionAttribute12 | any string value | device.extensionAttribute12 -eq "some string value" |
| extensionAttribute13 | any string value | device.extensionAttribute13 -eq "some string value" |
| extensionAttribute14 | any string value | device.extensionAttribute14 -eq "some string value" |
| extensionAttribute15 | any string value | device.extensionAttribute15 -eq "some string value" |
| isRooted | true false | device.isRooted -eq true |
| managementType | MDM (for mobile devices) | device.managementType -eq "MDM" |
| memberOf | Any string value (valid group object ID) | device.memberOf -any (group.objectId -in ['value']) |
| objectId | a valid Microsoft Entra object ID | device.objectId -eq "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb" |
| profileType | a valid profile type in Microsoft Entra ID | device.profileType -eq "RegisteredDevice" |
| systemLabels | a read-only string matching the Intune device property for tagging Modern Workplace devices | device.systemLabels -startsWith "M365Managed" SystemLabels |
Note
When using systemLabels, a read-only attribute that is used in various contexts, such as device management and sensitivity labeling, is not editable through Intune.
When using deviceOwnership to create dynamic membership groups for devices, you need to set the value equal to Company. On Intune the device ownership is represented instead as Corporate. For more information, see OwnerTypes for more details.
When using deviceTrustType to create dynamic membership groups for devices, you need to set the value equal to AzureAD to represent Microsoft Entra joined devices, ServerAD to represent Microsoft Entra hybrid joined devices or Workplace to represent Microsoft Entra registered devices.
When using extensionAttribute1-15 to create dynamic membership groups for devices you need to set the value for extensionAttribute1-15 on the device. Learn more on how to write extensionAttributes on a Microsoft Entra device object
More Information at: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership
Comments
0 comments
Please sign in to leave a comment.