Create Azure AD dynamic device security group using display Name property

Security groups are the basic unit for managing objects in Azure AD (now Microsoft Entra ID). You group devices or users and then assign permissions, licenses, Conditional Access policies or Intune policies to the group instead of to each object individually.

You can add devices or users to an Azure AD security group. With respect to membership type there are three kinds of security group: Assigned, Dynamic User and Dynamic Device. In this blog post we will focus on the Dynamic Device type, where membership is computed from a rule over device attributes rather than maintained by hand.

We’ll create a dynamic device group called “Win10-Isolated-Devices.” This group will include devices with “Win10” in their name. After checking Azure Active Directory/Entra ID, it appears that there are currently two devices that match this query.

Existing Windows 10 devices

We want to collect/group all the devices that contain Win10 in their name in Win10-Isolated-Devices Azure AD dynamic device security group.

Let’s check the steps:

  • Go to Entra ID admin center -> Groups -> All groups > Click on New Group.
  • Group Type: Security
  • Group Name: Win10-Isolated-Devices
  • Group Description: Provide a description of this group
  • Azure AD roles can be assigned to the group: Select No. A role-assignable group must use the Assigned membership type, so selecting Yes here would make the Dynamic Device option in the next step unavailable.
  • Membership type: Select Dynamic Device. (Other options are Assigned and Dynamic User).
  • Click on Add dynamic query to define your dynamic query.
Add Dynamic Query for Azure AD group
  • In this case, the requirement is to add devices to the “Win10-Isolated-Devices” Azure AD group if their display name contains “Win10.” You can customize the rule using different options for Property and Operator values. Note that Contains matches “Win10” anywhere in the name; if your devices follow a naming prefix convention, Starts With gives a tighter match with fewer accidental hits. Once the rule is configured, click on “Save.”
    • Property: displayName
    • Operator: Contains
    • Value: Win10
Create a query to collect Windows 10 devices
  • Please be aware that you won’t immediately see the devices added to the group. Dynamic membership is evaluated asynchronously, so the rule may take a few minutes to run and update the device members in the group. As shown in the screenshot below, both devices with “Win10” in their name have been automatically added. Furthermore, any future devices registered in Azure AD with “Win10” in their name will also be automatically included in this dynamic device security group. Keep in mind what that means for security: a device’s display name is its computer name, which is chosen on the device itself, so anyone who can join or rename a device can land it in this group. Do not let a displayName rule alone gate sensitive access; combine it with attributes the device owner cannot set (for example, compliance or join type), or use an Assigned group for that purpose.
Azure AD dynamic device security group
Devices are automatically added to the group
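The same group can be created and verified from the command line. The following is an added example using the Microsoft Graph PowerShell SDK, not code from the original post; it assumes the Microsoft.Graph.Groups module is installed, that the signed-in account can create groups, and that the tenant holds an Entra ID P1 license (required for dynamic groups). The rule text is the same expression the portal’s rule editor builds from the Property, Operator and Value chosen above.

```powershell
# Added example (not from the original post): create the Win10-Isolated-Devices
# dynamic device group with Microsoft Graph PowerShell and check what it resolves.
# Assumes Microsoft.Graph.Groups is installed and the caller may create groups.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Property / Operator / Value from the portal become one expression over the
# device object. -contains matches anywhere in the name; -startsWith is the
# tighter choice when device names follow a prefix convention.
$rule = '(device.displayName -contains "Win10")'
# $rule = '(device.displayName -startsWith "Win10")'

$group = New-MgGroup -DisplayName "Win10-Isolated-Devices" `
    -Description "Devices whose display name contains Win10" `
    -MailEnabled:$false `
    -MailNickname "Win10-Isolated-Devices" `
    -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"   # "Paused" stores the rule without evaluating it

Write-Host "Created group $($group.Id)"

# Confirm the rule and its processing state were stored as intended.
Get-MgGroup -GroupId $group.Id -Property "displayName,membershipRule,membershipRuleProcessingState" |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState

# Membership is computed asynchronously, so poll for a few minutes instead of
# expecting members immediately after creation.
$members = @()
for ($i = 0; $i -lt 10 -and $members.Count -eq 0; $i++) {
    Start-Sleep -Seconds 30
    $members = Get-MgGroupMember -GroupId $group.Id -All
}

# Member objects come back as directoryObjects; device attributes are in AdditionalProperties.
$members | ForEach-Object {
    [pscustomobject]@{
        Id          = $_.Id
        DisplayName = $_.AdditionalProperties["displayName"]
        Type        = $_.AdditionalProperties["@odata.type"]
    }
} | Format-Table
```

If the member list stays empty after the polling loop, re-check MembershipRuleProcessingState (it must be On) and the rule syntax; a rule that fails to parse is rejected at creation time, but a rule that simply matches nothing is accepted silently.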
