Niklas Blog

Exploring Device Management.

Automating a Windows Autopilot profile deployment using a Dynamic Device Membership group from Azure AD

31 December 2023

Creating a dynamin membership group

Managing a large number of devices in an organization can be a daunting task, especially when it comes to ensuring secure and efficient access control. Azure Active Directory (Azure AD) provides a powerful set of tools to streamline device management, and one such feature is the ability to create Azure AD groups with dynamic device membership. In this blog post, we will explore how to leverage this capability to automatically include devices that have been uploaded with an Autopilot hardware hash, using the membership rule:

(device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))

What is Azure AD Dynamic Device Membership?

Azure AD Dynamic Device Membership allows you to define membership rules based on specific device properties. Instead of manually adding devices to groups, the membership is dynamically determined by evaluating the properties of each device. This helps automate the process and keeps your groups up-to-date with minimal effort.

Creating an Azure AD Group with Dynamic Device Membership: To create an Azure AD group with dynamic device membership, follow these steps:

Sign in to the Azure portal using your Azure AD administrator credentials.

Navigate to Azure Active Directory from the left-hand menu.

Select Groups and click on the + New group button.

In the Group type section, choose Security.

Enter a name and description for the group, ensuring it clearly represents the purpose of the group, such as Autopilot Devices Group.

Under the Membership type section, select Dynamic User or Dynamic Device based on your requirements. In this case, we will choose Dynamic Device.

In the Add dynamic query section, click on the Edit button next to Advanced rule.

In the Advanced rule editor, enter the following membership rule:

(device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))

This rule filters devices based on the presence of the Autopilot hardware hash [ZTDID].

Click Save to apply the membership rule.

Finally, click Create to create the Azure AD group with dynamic device membership.

The Result

Once the group is created, Azure AD will automatically evaluate the membership rule and include devices that match the criteria. Any device uploaded with an Autopilot hardware hash will be dynamically added to the group, ensuring streamlined access control and management.

Benefits of Dynamic Device Membership

By utilizing dynamic device membership in Azure AD groups, organizations can enjoy several benefits:

  • Automation: The membership rule automatically adds devices to groups based on specified criteria, eliminating the need for manual updates.
  • Time and Effort Savings: IT administrators save valuable time and effort as devices are dynamically included or excluded from groups based on their properties.
  • Security and Access Control: With dynamic membership, you can ensure that only devices meeting specific criteria, such as having an Autopilot hardware hash, are granted access to resources, enhancing security and control.
  • Scalability: Dynamic device membership scales effortlessly as new devices are added or removed, reducing administrative overhead.

Conclusion

Azure AD groups with dynamic device membership simplify device management by automating the process of including devices that meet specific criteria. By using the membership rule:

(device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))

to target devices uploaded with an Autopilot hardware hash, organizations can streamline access control and efficiently manage their device ecosystem. Embracing this powerful feature enables IT administrators to focus on higher-value tasks while ensuring a secure and well-organized device environment.