Some Azure AD groups for Intune management


Quick post on some Azure AD dynamic groups that I use to manage parts of Intune: push apps, send configuration, scope Intune roles and such. The rule for each group is shown directly under its name.

AZ-MDM-ANE-All Android for Work Devices (All Android Enterprise Work Profile devices)
(device.deviceOSType -eq "AndroidForWork")

AZ-MDM-ANE-All Android Enterprise (All other Android Enterprise devices, e.g. kiosk/dedicated)
(device.deviceOSType -contains "AndroidEnterprise")

AZ-MDM-ANE-All Samsung devices (All Samsung devices)
(device.deviceManufacturer -contains "Samsung")

AZ-MDM-iOS-All Managed devices (All MDM-managed iPad and iPhone devices)
((device.deviceOSType -eq "iPad") -or (device.deviceOSType -eq "iPhone")) -and (device.managementType -eq "MDM")

Note the outer parentheses around the two -or terms: -and binds tighter than -or in dynamic membership rules, so without them the rule reads as "iPad, or (iPhone and MDM)" and unmanaged iPads would be included.

AZ-MDM-Profile-Default Personal (All devices enrolled with the enrollment profile named "Default Personal")
(device.enrollmentProfileName -eq "Default Personal")

AZ-MDM-iOS-Profile-Default Personal (All iPad devices enrolled with the enrollment profile named "Default Personal")
(device.enrollmentProfileName -eq "Default Personal") -and (device.deviceOSType -eq "iPad")

AZ-MDM-W10-Ring 1 (All MDM-managed Windows devices with an object ID that starts with 0, 1, 2, 3 or 4)
((device.objectId -startsWith "0") -or (device.objectId -startsWith "1") -or (device.objectId -startsWith "2") -or (device.objectId -startsWith "3") -or (device.objectId -startsWith "4")) -and (device.deviceOSType -eq "Windows") -and (device.managementType -eq "MDM")

AZ-MDM-W10-Ring 2 (All MDM-managed Windows devices with an object ID that starts with 5, 6, 7, 8, 9, a, b, c, d, e or f)
((device.objectId -startsWith "5") -or (device.objectId -startsWith "6") -or (device.objectId -startsWith "7") -or (device.objectId -startsWith "8") -or (device.objectId -startsWith "9") -or (device.objectId -startsWith "a") -or (device.objectId -startsWith "b") -or (device.objectId -startsWith "c") -or (device.objectId -startsWith "d") -or (device.objectId -startsWith "e") -or (device.objectId -startsWith "f")) -and (device.deviceOSType -eq "Windows") -and (device.managementType -eq "MDM")

Every operator needs its leading hyphen (-or, -and); a bare "or"/"and" is not valid rule syntax. Because the object ID is a hex GUID, this split is roughly 5/16 of devices in Ring 1 and 11/16 in Ring 2, not 50/50; move the boundary character if you want a different ratio.

AZ-All MFA licensed Users (All users with an enabled Multi-Factor Authentication service plan)
(user.assignedPlans -any (assignedPlan.service -eq "MultiFactorService" -and assignedPlan.capabilityStatus -eq "Enabled"))

AZ-All Intune licensed Users (All users with an enabled Intune service plan; the Intune plan's service name is "SCO")
(user.assignedPlans -any (assignedPlan.service -eq "SCO" -and assignedPlan.capabilityStatus -eq "Enabled"))
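Creating these groups by hand in the portal is fine once, but a script keeps the rules consistent across tenants and makes the precedence and hyphen mistakes above harder to reintroduce. The following is an added example (not code from the original post) that creates the device groups listed above with the Microsoft Graph PowerShell SDK and then checks one rule against a known device. It assumes the Microsoft.Graph module is installed, an account with Group.ReadWrite.All, and that the beta evaluateDynamicMembership endpoint is available in your tenant; the $testDeviceObjectId value and the mail nickname derivation are placeholders you will need to adjust.

```powershell
# Added example: create Azure AD dynamic device groups for Intune with the Graph PowerShell SDK.
# Requires: Install-Module Microsoft.Graph (Microsoft.Graph.Groups in particular).
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Rules copied from the list above; -and binds tighter than -or, hence the outer parentheses.
$groups = [ordered]@{
    "AZ-MDM-ANE-All Android for Work Devices" = '(device.deviceOSType -eq "AndroidForWork")'
    "AZ-MDM-ANE-All Android Enterprise"       = '(device.deviceOSType -contains "AndroidEnterprise")'
    "AZ-MDM-ANE-All Samsung devices"          = '(device.deviceManufacturer -contains "Samsung")'
    "AZ-MDM-iOS-All Managed devices"          = '((device.deviceOSType -eq "iPad") -or (device.deviceOSType -eq "iPhone")) -and (device.managementType -eq "MDM")'
    "AZ-MDM-Profile-Default Personal"         = '(device.enrollmentProfileName -eq "Default Personal")'
}

# Ring rules are generated from the first hex character so the -or chain cannot be mistyped.
function New-RingRule {
    param([string[]]$Prefixes)
    $terms = $Prefixes | ForEach-Object { "(device.objectId -startsWith `"$_`")" }
    return "(" + ($terms -join " -or ") + ') -and (device.deviceOSType -eq "Windows") -and (device.managementType -eq "MDM")'
}
$groups["AZ-MDM-W10-Ring 1"] = New-RingRule -Prefixes @("0","1","2","3","4")
$groups["AZ-MDM-W10-Ring 2"] = New-RingRule -Prefixes @("5","6","7","8","9","a","b","c","d","e","f")

foreach ($name in $groups.Keys) {
    $rule = $groups[$name]
    # Skip groups that already exist so the script is safe to re-run.
    $existing = Get-MgGroup -Filter "displayName eq '$name'" -ErrorAction SilentlyContinue
    if ($existing) { Write-Host "Exists: $name"; continue }

    # mailNickname is mandatory and may not contain spaces (placeholder derivation).
    $nick = ($name -replace '[^A-Za-z0-9]', '')
    $g = New-MgGroup -DisplayName $name -MailEnabled:$false -MailNickname $nick -SecurityEnabled `
        -GroupTypes @("DynamicMembership") -MembershipRule $rule -MembershipRuleProcessingState "On"
    Write-Host "Created: $name ($($g.Id))"
}

# Check one rule against a known device before relying on the group for assignments.
# $testDeviceObjectId is a placeholder: the Azure AD object ID of a managed iPad in your tenant.
$testDeviceObjectId = "00000000-0000-0000-0000-000000000000"
$body = @{
    memberId       = $testDeviceObjectId
    membershipRule = $groups["AZ-MDM-iOS-All Managed devices"]
}
$result = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups/evaluateDynamicMembership" -Body $body
# membershipRuleEvaluationResult is $true when the device matches the rule; details show which term failed.
$result.membershipRuleEvaluationResult
$result.membershipRuleEvaluationDetails
```

Membership of a new or changed dynamic group is recalculated asynchronously; check MembershipRuleProcessingState on the group and wait for the membership to populate before assigning Intune policies or apps to it. If you ever change a rule in the portal, paste it back into this table so the script stays the source of truth.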
