Create a dynamic device group for all DEM/user enrolled devices

The purpose of this blog post is to show you how to create a dynamic device group for all devices that have been enrolled by a Device Enrollment Manager or by a specific user.

I thought it was not possible to create a dynamic device group for devices that have been enrolled by a specific user or Device Enrollment Manager. I saw this question on the Microsoft Intune forum and decided to do some research. My first thoughts went to an Azure Logic App; I opened the Graph API and searched for a field that I could use. I checked the device page to see if the user account was registered in the Graph API, but it was not. After a while, I noticed the PhysicalIds field where the needed information was stored, did some tests with the dynamic rule queries, made some progress, and created a dynamic device group based on the user account that enrolled the device into Azure AD.

Requirements:

  • Group Administrator
  • Microsoft Intune
  • Azure AD

Requirements:

  • Global Administrator
  • Device Enrollment Managers account

Device Enrollment Managers

A device enrollment manager (DEM) is a non-administrator user who can enroll devices in Intune. When you need to enroll a lot of devices, or set up, for example, 20 kiosk devices, a device enrollment manager is a good solution. A DEM account can enroll and administer up to 1,000 devices.

A DEM account needs an associated Azure AD user and an Intune user or device license. Global Administrators and Intune Service Administrators can manage the device enrollment manager accounts in the Microsoft Endpoint Manager admin center.

A Device Enrollment Manager account can be created in the following way:

  • Click on + Add
  • Enter the UPN of your DEM-account
  • Click on Add

What is a dynamic device group?

To assign policies in Intune you must use Azure AD groups. You can choose between static and dynamic groups. Static groups must be populated manually; dynamic groups are populated automatically based on an attribute-based rule. A dynamic group can be a security group or a Microsoft 365 group. Azure AD has two types of dynamic groups: user-based and device-based.

When an attribute of a user or device changes, Azure AD re-evaluates whether the user or device matches the dynamic group rule and adds it to or removes it from the dynamic group accordingly. Dynamic group membership is managed by Azure AD; you cannot add users or devices manually.

More information and the dynamic group rule syntax can be found here.

How to get the Object ID of a user account

  • Open Azure AD
  • Select Users in the menu
  • Search for your DEM or a user account
    (in my case, this is Alex Wilber)
  • Copy the object ID

The devicePhysicalIds field

Almost everyone knows how to create a dynamic group for all Autopilot devices, or a dynamic group for all Autopilot devices based on a group tag, so the following queries will not be unfamiliar to you.

device.devicePhysicalIds -any _ -contains "[ZTDId]"
(device.devicePhysicalIds -any _ -eq "[OrderID]:<grouptag>")


But if you look at a device via the Graph API, you will notice that the physicalIds field stores more information than just the values used by the filters above.

https://graph.microsoft.com/v1.0/devices/{device id}

More information is stored in physicalIds; you can find the USER-HWID and USER-GID entries there as well.

If you check the USER-HWID and USER-GID entries, do you recognize the first part after the colon? This is the Object ID of the user Alex Wilber in my tenant. The ID will be different in your tenant because the Object ID is unique for each user.

Hmm, if you can create a dynamic group for Autopilot devices based on the physicalIds, then we can do the same for devices that have been enrolled by a specific user.

How to create a dynamic device group

Setting                                       Value
Group type                                    Security
Group name                                    E.g., Enrolled devices by user: Alex
Group description                             Set a good description, so that everyone with access to the portal knows the purpose of the group
Azure AD roles can be assigned to the group   No
  • Set the Membership type to Dynamic Device and click on Add dynamic query
    (Screenshot: Azure AD Add dynamic query)
  • Click on the Edit button at the right side of Rule Syntax
  • Set the following rule syntax (no spaces around the colon or inside the quotes, otherwise the stored value will not match)
(device.devicePhysicalIDs -any _ -contains "[USER-HWID]:<Object ID of your DEM/user account>")
  • Or the following rule syntax
device.devicePhysicalIDs -any _ -contains "[USER-GID]:<Object ID of your DEM/user account>"

Example:

device.devicePhysicalIDs -any _ -contains "[USER-GID]:6e263486-7162-4223-b8df-f557a7546b5f"
  • Click on Save and wait until the group has been filled with all the devices that have been enrolled by your DEM/user account.
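To make the physicalIds layout and the rule matching concrete, here is an added example (written for this post, not part of the original article or of any Microsoft tooling). It takes a constructed copy of the physicalIds property that GET https://graph.microsoft.com/v1.0/devices/{device id} returns, pulls the enrolling user's Object ID out of the USER-HWID and USER-GID entries, and evaluates the two rule shapes used above with a small local evaluator. The device ID, hardware hash, ZTDId and group tag values are placeholders; only the user Object ID is the one from the example rule in the post. The evaluator is a simplification of the Azure AD rule engine (substring test for -contains, exact test for -eq, and -any succeeds when any element matches); it is used here to show why a stray space inside the quotes makes the rule silently match nothing.

```python
import re

# Constructed sample of the physicalIds property returned by
# GET https://graph.microsoft.com/v1.0/devices/{device id}.
# The user Object ID is the one used in the post's example rule;
# every other value is a placeholder, not real tenant data.
USER_OBJECT_ID = "6e263486-7162-4223-b8df-f557a7546b5f"
SAMPLE_DEVICE = {
    "id": "00000000-0000-0000-0000-000000000001",  # placeholder device id
    "displayName": "KIOSK-01",
    "physicalIds": [
        "[ZTDId]:11111111-2222-3333-4444-555555555555",  # placeholder Autopilot id
        "[OrderID]:KIOSK",                                # constructed group tag
        f"[USER-HWID]:{USER_OBJECT_ID}:PLACEHOLDER-HARDWARE-HASH",
        f"[USER-GID]:{USER_OBJECT_ID}:PLACEHOLDER-GID",
    ],
}

# Recognises the two rule shapes used in the post, with or without parentheses:
#   device.devicePhysicalIds -any _ -contains "<text>"
#   (device.devicePhysicalIds -any _ -eq "<text>")
RULE_RE = re.compile(
    r'^\(?\s*device\.devicePhysicalIds\s+-any\s+_\s+-(contains|eq)\s+"([^"]*)"\s*\)?$',
    re.IGNORECASE,
)


def parse_rule(rule: str):
    """Return (operator, pattern) for a supported rule, or raise ValueError."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported or malformed rule: {rule!r}")
    return m.group(1).lower(), m.group(2)


def evaluate(rule: str, device: dict) -> bool:
    """Simplified local evaluator for the -any/_ rule shape.

    -contains is a substring test and -eq an exact test on each physicalIds
    element; -any succeeds if at least one element matches. The quoted pattern
    is used verbatim, so whitespace inside the quotes changes the result.
    """
    op, pattern = parse_rule(rule)
    for physical_id in device.get("physicalIds", []):
        if op == "contains" and pattern in physical_id:
            return True
        if op == "eq" and pattern == physical_id:
            return True
    return False


def enrolling_user_ids(device: dict) -> set:
    """Object IDs of the user(s) recorded in the USER-HWID / USER-GID entries."""
    ids = set()
    for physical_id in device.get("physicalIds", []):
        for key in ("[USER-HWID]", "[USER-GID]"):
            if physical_id.startswith(key + ":"):
                # Layout: [KEY]:<user object id>:<hash>; the Object ID is the middle field.
                ids.add(physical_id.split(":", 2)[1])
    return ids


def rule_for_user(object_id: str, key: str = "USER-GID") -> str:
    """Build the membership rule from the post for a given user Object ID."""
    return f'device.devicePhysicalIds -any _ -contains "[{key}]:{object_id}"'


if __name__ == "__main__":
    print("enrolled by:", enrolling_user_ids(SAMPLE_DEVICE))
    print("USER-GID rule matches:", evaluate(rule_for_user(USER_OBJECT_ID), SAMPLE_DEVICE))
    print("USER-HWID rule matches:", evaluate(rule_for_user(USER_OBJECT_ID, "USER-HWID"), SAMPLE_DEVICE))
    # A space after the colon is not present in the stored value, so this rule matches nothing.
    sloppy = f'(device.devicePhysicalIDs -any _ -contains "[USER-HWID]: {USER_OBJECT_ID} ")'
    print("rule with stray spaces matches:", evaluate(sloppy, SAMPLE_DEVICE))
```

Running the script against a real tenant would mean replacing SAMPLE_DEVICE with the JSON from the Graph call above; the parsing and matching logic stays the same, and the third print line is the check worth doing before pasting a rule into the portal, since Azure AD gives no error for a rule that is syntactically valid but never matches.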

Note: do you want more cool dynamic groups? Take a look at the following blog post.

Results
