In the Azure Active Directory (AzureAD) portal it is possible to create dynamic groups for users and devices based on attributes. In this blog post I will show how to create a dynamic group for every Windows 10 build that has been released so far.

First you need to find out what information you need in your groups.

In my case I want to create dynamic groups based on which build version is installed on the devices I have in Azure AD. Then I can assign policies, settings, applications etc. from my Microsoft Intune portal.

If I go to my Intune management portal in Azure –> Devices –> All Devices, I can see the OS Version number.

Now I can write some PowerShell command lines to get my dynamic groups created.

First I need to run this to connect to my AzureAD:

$AzureAdCred = Get-Credential
Connect-AzureAD -Credential $AzureAdCred

Then I have to log in with an account in AzureAD that has rights to create groups.

Then I can use the cmdlet New-AzureADMSGroup:

New-AzureADMSGroup -DisplayName "All Windows 10 1507 – MDM" -MailEnabled $false -MailNickname Win -SecurityEnabled $True -Description "All Windows 10 1507 – MDM" -GroupTypes DynamicMembership -MembershipRule "(device.deviceOSVersion -contains ""10.0.10240"")" -MembershipRuleProcessingState On
New-AzureADMSGroup -DisplayName "All Windows 10 1511 – MDM" -MailEnabled $false -MailNickname Win -SecurityEnabled $True -Description "All Windows 10 1511 – MDM" -GroupTypes DynamicMembership -MembershipRule "(device.deviceOSVersion -contains ""10.0.10586"")" -MembershipRuleProcessingState On
New-AzureADMSGroup -DisplayName "All Windows 10 1607 – MDM" -MailEnabled $false -MailNickname Win -SecurityEnabled $True -Description "All Windows 10 1607 – MDM" -GroupTypes DynamicMembership -MembershipRule "(device.deviceOSVersion -contains ""10.0.14393"")" -MembershipRuleProcessingState On
New-AzureADMSGroup -DisplayName "All Windows 10 1703 – MDM" -MailEnabled $false -MailNickname Win -SecurityEnabled $True -Description "All Windows 10 1703 – MDM" -GroupTypes DynamicMembership -MembershipRule "(device.deviceOSVersion -contains ""10.0.15063"")" -MembershipRuleProcessingState On
New-AzureADMSGroup -DisplayName "All Windows 10 1709 – MDM" -MailEnabled $false -MailNickname Win -SecurityEnabled $True -Description "All Windows 10 1709 – MDM" -GroupTypes DynamicMembership -MembershipRule "(device.deviceOSVersion -contains ""10.0.16299"")" -MembershipRuleProcessingState On

The result of the PowerShell commands:

[Screenshot: Create Groups 1709]

And now we can also find the newly created groups in AzureAD ready to use.

[Screenshot: Dynamic Windows Groups 1709]
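
The five New-AzureADMSGroup commands differ only in release name and build number, so they can be generated from one table and checked before anything is created. The following PowerShell is an added example, not the original script from this post: it builds the same display names and membership rules, previews them against a constructed device list, warns about devices that no rule would match, and creates missing groups only when `$createGroups` is set after `Connect-AzureAD`. `Get-BuildGroupPlan`, `$createGroups` and the sample devices are made up for the example, and the local `.Contains()` check only approximates how Azure AD evaluates the rule.

```powershell
# Added example. Build numbers are the ones used in this post; helper names are hypothetical.
$builds = [ordered]@{
    '1507' = '10.0.10240'
    '1511' = '10.0.10586'
    '1607' = '10.0.14393'
    '1703' = '10.0.15063'
    '1709' = '10.0.16299'
}

# Constructed sample inventory: device names and revision numbers are made up.
$sampleDevices = @(
    [pscustomobject]@{ Name = 'PC-001'; OSVersion = '10.0.16299.125' }
    [pscustomobject]@{ Name = 'PC-002'; OSVersion = '10.0.15063.726' }
    [pscustomobject]@{ Name = 'PC-003'; OSVersion = '10.0.14393.0' }
    [pscustomobject]@{ Name = 'PC-004'; OSVersion = '10.0.17134.1' }   # build not in $builds
)

function Get-BuildGroupPlan {
    param($Builds, $Devices)
    foreach ($release in $Builds.Keys) {
        $build = $Builds[$release]
        [pscustomobject]@{
            DisplayName    = "All Windows 10 $release – MDM"
            MembershipRule = "(device.deviceOSVersion -contains ""$build"")"
            # Local approximation of the rule: -contains is a substring match on strings.
            Preview        = @($Devices | Where-Object { $_.OSVersion.Contains($build) } |
                               ForEach-Object { $_.Name })
        }
    }
}

$plan = Get-BuildGroupPlan -Builds $builds -Devices $sampleDevices
$plan | Format-Table DisplayName, MembershipRule, Preview -AutoSize
# Devices that no rule matches would end up in none of the groups.
$matched = $plan | ForEach-Object { $_.Preview }
$sampleDevices | Where-Object { $matched -notcontains $_.Name } |
    ForEach-Object { Write-Warning "$($_.Name) ($($_.OSVersion)) matches no group rule" }

$createGroups = $false   # set to $true after Connect-AzureAD to create the groups
if ($createGroups) {
    foreach ($g in $plan) {
        # Skip groups that already exist so the script can be re-run safely.
        if (Get-AzureADMSGroup -Filter "displayName eq '$($g.DisplayName)'") { continue }
        New-AzureADMSGroup -DisplayName $g.DisplayName -Description $g.DisplayName `
            -MailEnabled $false -MailNickname Win -SecurityEnabled $true `
            -GroupTypes DynamicMembership -MembershipRule $g.MembershipRule `
            -MembershipRuleProcessingState On
    }
}
```

With the sample list, PC-004 triggers the warning because its build is not in the table, which is the case to look for when policies are assigned only through these groups.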

This blog post has just been updated with Windows 10 1709 dynamic device groups.