Azure AD – New device attributes are available for use for dynamic group membership

As you are already probably aware, Azure AD allows you to create users or devices group with dynamic membership.

Well, the attributes available for creating a device dynamic group have been extended and now allow you to use:

  • deviceManagementAppId: defines the MDM application ID in Azure AD. If you use Intune, the Azure App ID is 0000000a-0000-0000-c000-000000000000, so the membership rule looks like this: device.deviceManagementAppId -eq "0000000a-0000-0000-c000-000000000000". For SCCM co-management it should be 54b943f8-d761-4f8d-951e-9cea1846db5a
  • deviceTrustType: defines whether the device is AAD Joined, Hybrid AAD Joined or registered. Values can be AzureAD, ServerAD (for Active Directory joined devices, including servers) or Workplace
  • extensionAttribute1 to extensionAttribute15
  • profileType: defines a valid profile type in AAD. Possible values are RegisteredDevice (default), SecureVM, Printer, Shared, IoT
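The following script is an added example, not code from the original post: it creates a few dynamic device groups from the attributes listed above using the Microsoft Graph PowerShell SDK (New-MgGroup). The group names, the "kiosk" extension attribute value and the idea of combining deviceTrustType with deviceManagementAppId are my own choices; the two application IDs are the ones the post gives. It assumes the Microsoft.Graph module is installed and the signed-in account holds Group.ReadWrite.All.

```powershell
# Added example (not from the original post): build dynamic device groups from the
# new device attributes with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; the account has Group.ReadWrite.All.
# Group names and the "kiosk" tag value are constructed placeholders.

Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Rules are kept in single-quoted PowerShell strings so the straight double quotes
# inside them reach Azure AD untouched (curly quotes pasted from a web page are not
# accepted by the rule parser).
$rules = [ordered]@{
    # Intune-managed devices (app ID from the post)
    "DYN-Devices-IntuneManaged" = 'device.deviceManagementAppId -eq "0000000a-0000-0000-c000-000000000000"'
    # SCCM co-managed devices (app ID from the post; the comment thread explains how it was found)
    "DYN-Devices-CoManaged"     = 'device.deviceManagementAppId -eq "54b943f8-d761-4f8d-951e-9cea1846db5a"'
    # Hybrid Azure AD joined AND Intune-managed: two attributes combined with "and"
    "DYN-Devices-HybridIntune"  = '(device.deviceTrustType -eq "ServerAD") and (device.deviceManagementAppId -eq "0000000a-0000-0000-c000-000000000000")'
    # Devices tagged through an extension attribute (constructed example value)
    "DYN-Devices-Kiosk"         = 'device.extensionAttribute1 -eq "kiosk"'
}

$created = @()
foreach ($name in $rules.Keys) {
    $group = New-MgGroup -DisplayName $name `
        -MailEnabled:$false `
        -MailNickname ($name -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $rules[$name] `
        -MembershipRuleProcessingState "On"
    $created += $group
    Write-Host "Created $name ($($group.Id)) with rule: $($rules[$name])"
}

# Membership is evaluated asynchronously; re-run this part a few minutes later to
# confirm the expected devices landed in each group.
foreach ($group in $created) {
    $members = Get-MgGroupMember -GroupId $group.Id -All
    Write-Host ("{0}: {1} member(s)" -f $group.DisplayName, @($members).Count)
    foreach ($m in $members) {
        Write-Host ("  - " + $m.AdditionalProperties["displayName"])
    }
}
```

Dynamic membership is processed in the background, so an empty member list right after creation is normal; the portal's "Validate rules" feature on the group lets you test a single device against the rule without waiting, which is the same approach the comment below uses to recover an unknown deviceManagementAppId value.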

Enjoy these new attributes for dynamic group membership


2 thoughts on “Azure AD – New device attributes are available for use for dynamic group membership”

  1. Could you please provide an MS article which says that for SCCM co-management the deviceManagementAppId 54b943f8-d761-4f8d-951e-9cea1846db5a can be used? My problem is that the customer is not agreeing and they want an MS article.

    1. There is no Microsoft documentation.
      You can find this by creating the dynamic group using deviceManagementAppId with any value and validating it; when you select a co-managed device, the rule will report that the device is not a member of the group and you will get the AppId value.
