Dynamic Group Based on Enrollment Profile in Intune

A dynamic group membership updates automatically based on defined rules. You can create attribute-based rules to update the group membership. You can create a dynamic group in Entra ID for users or devices. However, you can’t create rules that contain both the user and the device. You can add multiple membership rules in a dynamic device group.

In this article, we will explain how to create an Azure AD dynamic group / Intune dynamic device group based on the device enrolment profile. You can have multiple enrolment profiles for different user groups or departments based on business requirements. The business units may also need different applications and configurations for different sets of users.

You can create an Azure dynamic group based on enrolment profiles and assign Microsoft Intune applications, device configuration, device restriction, and other policies to that Azure AD/Entra ID group. This automates the administration and no manual intervention is required for the device once enrolled. You can create dynamic groups for Windows Autopilot enrolment profiles, iOS Automated device enrolment (ADE) profiles, and Android enrolment profiles.

How to Create Dynamic Group Based on Enrollment Profile in Entra ID

Follow the below steps to create a dynamic group based on the device enrollment profile name.

• Open Microsoft Intune admin center and navigate to Groups blade.
• Click on All Groups > New Group

• On the New Group page, provide the following details.
  • Group Type: Security
  • Group Name: Provide a meaningful name for the group
  • In the Membership type, select Dynamic Device
  • Click on Add dynamic query

• In the Dynamic membership rules page, add the following query builder rules.
  • Property: EnrollmentProfileName
  • Operator: Equals
  • Value: Enter an enrolment profile name
  • Click on Save

You can also add additional membership rules. For example, an enrolment profile was used for iOS/iPadOS devices. However, in a dynamic group, you only want to have the iPad. in that case, you can add another rule “deviceOSversion = iPadOS”.

Back to the New Group page, click on the Create button to create the Entra ID group.

• You can now see the newly created group in Entra ID Groups.

Sample Membership Rules for Dynamic Groups Based on Enrollment Profile Name

Entra ID dynamic group where device enrollment profile is “Production Floor Supervisors” and device type is iPad

(device.enrollmentProfileName -eq "Production Floor Supervisors") and (device.deviceOSType -eq "iPad")

Entra ID dynamic group where device enrollment profile is “Production Floor Supervisors” and device type is iPhone

(device.enrollmentProfileName -eq "Production Floor Supervisors") and (device.deviceOSType -eq "iPhone")

Dynamic membership rules for profile name start with “Safety Inspections” and device type is either iPhone or iPad

(device.enrollmentProfileName -startsWith "Safety Inspections") and ((device.deviceOSType -eq "iPad") or (device.deviceOSType -eq "iPhone"))

Dynamic membership rules for profile name start with “Field Supervisors” and device type is AndroidForWork

(device.enrollmentProfileName -startsWith "Field Supervisors") and (device.deviceOSType -eq "AndroidForWork")

Related Posts

• How to Get AAD Group Members Details Using PowerShell SDK for Microsoft Intune Graph API
• Powershell Script to Add Bulk Users / Computers to AD Group