As an AAD-Ninja – Phase out changes with dynamic groups!

Another quick post. From time to time you need to phase out changes in your environment to a random subset of users in your organisation. You could of course write a script that adds people to a group according to your own criteria and requirements, but I have another idea for you!

Use Azure AD dynamic groups to create a growing set of groups, with the criteria of your choice. Here are 4 Azure AD dynamic group queries, limited to Intune licensed users. They split on the first character of the user's objectId, a GUID whose leading hex digit (0-9, a-f) is spread roughly evenly across the population, so the prefixes 0 / 1-3 / 4-9 / a-f divide users about 1:3:6:6. In an environment of 8 000 users the first group will include about 500, the next around 1500, and the last two groups will each hold about 3000 users.

Why should you phase out changes? For me that’s how most changes should be handled in an organisation, regardless of size. The issues and questions that matter rarely surface in a limited testing environment, so phase your changes out gradually and listen to your users.

(user.objectId -startsWith "0") -and (user.assignedPlans -any (assignedPlan.service -eq "SCO" -and assignedPlan.capabilityStatus -eq "Enabled"))

((user.objectId -startsWith "1") -or (user.objectId -startsWith "2") -or (user.objectId -startsWith "3")) -and (user.assignedPlans -any (assignedPlan.service -eq "SCO" -and assignedPlan.capabilityStatus -eq "Enabled"))

((user.objectId -startsWith "4") -or (user.objectId -startsWith "5") -or (user.objectId -startsWith "6") -or (user.objectId -startsWith "7") -or (user.objectId -startsWith "8") -or (user.objectId -startsWith "9")) -and (user.assignedPlans -any (assignedPlan.service -eq "SCO" -and assignedPlan.capabilityStatus -eq "Enabled"))

((user.objectId -startsWith "a") -or (user.objectId -startsWith "b") -or (user.objectId -startsWith "c") -or (user.objectId -startsWith "d") -or (user.objectId -startsWith "e") -or (user.objectId -startsWith "f")) -and (user.assignedPlans -any (assignedPlan.service -eq "SCO" -and assignedPlan.capabilityStatus -eq "Enabled"))

If you want to limit by any other AAD attribute, that’s fine: just switch this

(user.assignedPlans -any (assignedPlan.service -eq "SCO" -and assignedPlan.capabilityStatus -eq "Enabled"))

to your own filter, for example city, department etc. Here is a list of all possible attributes:

Rules for dynamically populated groups membership – Azure AD | Microsoft Docs
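Before pointing a policy at these groups it is worth confirming that the four rules are disjoint and together cover every Intune licensed user, so nobody receives a change twice or never. The following offline check is an added example, not code from the post: the wave prefix sets and the SCO/Enabled test are taken from the rules above, while the sample tenant is constructed with random GUIDs.

```python
"""Offline check of the four wave rules: each Intune licensed user lands in
exactly one wave, and the waves split the population roughly 1/16, 3/16, 6/16, 6/16."""
import random
import uuid
from collections import Counter

# Prefix sets copied from the four rules (objectId is a lower-case GUID string).
WAVES = {
    "wave1": set("0"),
    "wave2": set("123"),
    "wave3": set("456789"),
    "wave4": set("abcdef"),
}

def intune_licensed(user):
    """Mirror of: user.assignedPlans -any (service -eq "SCO" -and capabilityStatus -eq "Enabled")."""
    return any(p["service"] == "SCO" and p["capabilityStatus"] == "Enabled"
               for p in user["assignedPlans"])

def wave_of(user):
    """Name of the wave the rules place this user in, or None if no rule matches."""
    if not intune_licensed(user):
        return None
    first = user["objectId"][0].lower()  # GUIDs are lower-case; lower() is only defensive
    matches = [name for name, prefixes in WAVES.items() if first in prefixes]
    if len(matches) > 1:
        raise ValueError(f"overlapping rules for {user['objectId']}: {matches}")
    return matches[0] if matches else None

def wave_counts(users):
    """How many users each wave (or None) would contain."""
    return Counter(wave_of(u) for u in users)

def check_partition():
    """True when every hex digit is claimed by exactly one wave: no gaps, no overlaps."""
    claimed = Counter(c for prefixes in WAVES.values() for c in prefixes)
    return set(claimed) == set("0123456789abcdef") and all(n == 1 for n in claimed.values())

def make_users(n, seed=1):
    """Constructed sample tenant: n users, about 90% with an enabled Intune (SCO) plan."""
    rng = random.Random(seed)
    users = []
    for _ in range(n):
        status = "Enabled" if rng.random() < 0.9 else "Deleted"
        users.append({"objectId": str(uuid.UUID(int=rng.getrandbits(128))),
                      "assignedPlans": [{"service": "SCO", "capabilityStatus": status}]})
    return users

if __name__ == "__main__":
    print("partition ok:", check_partition())
    print(wave_counts(make_users(8000)))
```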

And while you’re at it, go vote for limiting a dynamic group to another assigned group, and for App Collections in Android:

Enable limit a dynamic group to a another group -Azure AD
Manage Google Play App Collections – Microsoft Intune Feedback
