Create a dynamic device group for all DEM/user enrolled devices

The purpose of this blog post is to inform you how to create a dynamic device group for all devices that have been enrolled by a Device Enrollment Managers or a specific user.

I thought it was not possible to create a dynamic device group for devices that has been enrolled by a specific user or Device Enrollment Manager. I saw this question on the Microsoft Intune forum and I decided to do some research. My first thoughts go to an Azure Logic app, I opened the Graph API and search for a field that I could use. I check the device page to check if the user account was registered in the Graph API, but it was not. After a while, I mentioned the PhysicalIds field where the needed information was stored, did some tests with the Dynamic Rule Queries and I made some progress, and create a dynamic device group based on the user account that enrolled the device into Azure AD

Requirements:

  • Group Administrator
  • Microsoft Intune
  • Azure AD

Requirements:

  • Global Administrator
  • Device Enrollment Managers account

Device Enrollment Managers

A device enrollment manager (DEM) is a non-administrator user who can enroll devices in Intune. When you need to enroll a lot of devices or set up for e.g., 20 KIOSK devices, device enrollment managers would be a solution. A DEM account can enroll and administer up to 1,000 devices.

A DEM account needs an associated Azure AD user and an Intune user or device license. Global Administrators and Intune Service Administrators can manage in the Microsoft Endpoint Manager admin center the device enrollment managers accounts.

A Device Enrollment Managers account can be created in the following way:

  • Click on + Add
  • Enter the UPN of your DEM-account
  • Click on Add

What is a Dynamic device groups?

To assign policies in Intune you must use Azure AD Groups. You can choose between static or dynamic groups. Static groups must be populated manually, and dynamic groups will be populated automatically based on an attribute-based rule. Dynamic groups can be a security group or a Microsoft 365 group. Azure AD has 2 types of dynamic groups, user or device based.

When an attribute of a user or device has been changed, Azure AD will evaluate if the device or user matched the dynamic group rule and remove or add the user or device to/from the dynamic group. Dynamic groups are managed in Azure AD, and you cannot add users or devices manually.

More information and the Dynamic group rule syntaxes can be found here

How to get the Object ID of a user account

  • Open Azure AD
  • Select Users in the menu
  • Search for your DEM or a user account
    (in my case is this Alex Wilber)
  • Copy the object ID

The devicePhysicalIds field

Almost everyone knows how to create a Dynamic group for all AutoPilot devices or a Dynamic group for all AutoPilot devices based on a group tag. So, the following queries will not be unfamiliar to you.

device.devicePhysicalIds -any _ -contains "[ZTDId]"
(device.devicePhysicalIds -any _ -eq "[OrderID]:<grouptag>"

Almost everyone knows how to create a Dynamic group for all AutoPilot devices or a Dynamic group for all AutoPilot devices based on a group tag. So, the following queries will not be unfamiliar to you.

But if you check a device via the Graph API, you will mention that the physicalIds field stores more information than only the above filters.

https://graph.microsoft.com/v1.0/devices/{device id}

In the physicalIds is more information stored, you can find the USER-HWID and USER-GID information as well.

If you check the USER-HWID and USER-GID fields, do you recognize the first part after the colon? This is the Object ID of the uses Alex Wilber in my tenant. So ID will be different in your tenant because the Object ID is unique for each user.

Hmm, if you can create a Dynamic group for AutoPilot devices based on the PhysicalIds, then we can do the same for devices that have been enrolled by a specific user.

How to create a dynamic device group

SETTINGVALUE
Group typeSecurity
Group NameE.G., Enrolled devices by user : Alex
Group DescriptionSet a good description, so that everyone with access to the portal knows the purpose of the group
Azure AD roles can be assigned to the groupNo
  • Set the Membership type to Dynamic Device and click on Add dynamic query
Azure AD Add dynamic Query
  • Click on the Edit button at the right side of Rule Syntax
  • Set the following Rule syntax
(device.devicePhysicalIDs -any _ -contains "[USER-HWID]: <Object ID of your DEM/user account> ")
  • Or the following Rule syntax
device.devicePhysicalIDs -any _ -contains "[USER-GID]:<Object ID of your DEM/user account>"

Example:

device.devicePhysicalIDs -any _ -contains "[USER-GID]:6e263486-7162-4223-b8df-f557a7546b5f"
  • Click on Save and wait till the group has been filled with all the devices that have been enrolled by your DEM/user account.

Note. Do you want more cool dynamic groups? take a look at the following blog post

Results

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.