Azure AD dynamic groups for devices / users – syntax/query
When managing user access and settings, users and devices in an Active Directory/Intune domain, an administrator may be tasked with creating a dynamic group of users or devices. Such a dynamic group should automatically add users/devices to the group or exclude them from it. For example, you may want to automatically add users/devices from a particular organizational unit to a group, or create a group of users/devices that covers all accounts of a particular department, and so on. With dynamic groups the administrator can simplify assigning permissions for file servers, workstations, Intune, and so on.
Adding dynamic security groups in Intune
- New dynamic group
- Select membership type
  - Dynamic User
  - Dynamic Device
- Add dynamic query
- Configuration – Dynamic membership rules
  - Edit
  - Set rule syntax
  - Save
Dynamic group syntax/queries for devices and users
Device queries

| Description | Query |
| --- | --- |
| All company-owned devices | (device.deviceOwnership -eq "Company") |
| All personally owned devices | (device.deviceOwnership -eq "Personal") |
| All devices not managed by an MDM | (device.managementType -ne "MDM") |
| All devices managed by an MDM | (device.managementType -eq "MDM") |
| Windows | |
| All Windows devices | (device.deviceOSType -match "Windows") |
| All company-owned Windows devices | (device.deviceOSType -eq "Windows") -and (device.deviceOwnership -eq "Company") |
| All personally owned Windows devices | (device.deviceOSType -eq "Windows") -and (device.deviceOwnership -eq "Personal") |
| All Windows virtual machines | (device.deviceModel -eq "Virtual Machine") |
| Android | |
| All Android devices | (device.deviceOSType -match "Android") |
| All company-owned Android devices | (device.deviceOSType -eq "Android") -and (device.deviceOwnership -eq "Company") |
| All personally owned Android devices | (device.deviceOSType -eq "Android") -and (device.deviceOwnership -eq "Personal") |
| All Android Enterprise devices | (device.deviceOSType -match "AndroidEnterprise") |
| All company-owned Android Enterprise devices | (device.deviceOSType -eq "AndroidEnterprise") -and (device.deviceOwnership -eq "Company") |
| iOS | |
| All iPad devices | (device.deviceOSType -eq "iPad") |
| All personally owned iPad devices | (device.deviceOSType -eq "iPad") -and (device.deviceOwnership -eq "Personal") |
| All company-owned iPad devices | (device.deviceOSType -eq "iPad") -and (device.deviceOwnership -eq "Company") |
| All iPhone devices | (device.deviceOSType -eq "IPhone") |
| All personally owned iPhone devices | (device.deviceOSType -eq "IPhone") -and (device.deviceOwnership -eq "Personal") |
| All company-owned iPhone devices | (device.deviceOSType -eq "IPhone") -and (device.deviceOwnership -eq "Company") |
| macOS | |
| All Mac devices | (device.deviceOSType -eq "MacMDM") |
| All company-owned Mac devices | (device.deviceOSType -eq "MacMDM") -and (device.deviceOwnership -eq "Company") |
Device queries for Autopilot

| Description | Query |
| --- | --- |
| All Autopilot-registered devices | (device.devicePhysicalIds -any _ -contains "[ZTDId]") |
| A specific device that is Autopilot-registered | (device.devicePhysicalIds -contains "[ZTDId]:6598-3522-1234-2658-5678-8581-32") |
| Autopilot devices with a specific OrderID | (device.devicePhysicalIds -any _ -eq "[OrderID]:CloudOnly") |
| Autopilot devices that were enrolled using a specific enrollment profile | (device.enrollmentProfileName -eq "HybridJoin") |
User queries

| Description | Query |
| --- | --- |
| All users with EMS assigned and enabled | user.assignedPlans -any (assignedPlan.service -eq "SCO" -and assignedPlan.capabilityStatus -eq "Enabled") |
| All users with an AAD-enabled account | (user.accountEnabled -eq True) |
| All users with an email address that contains .com | (user.mail -contains ".com") |
| All users with an Intune license that is not disabled | user.assignedPlans -any (assignedPlan.servicePlanId -eq "c1ec4a95-1f05-45b3-a911-aa3fa01094f5" -and assignedPlan.capabilityStatus -ne "Disabled") |
| All users with a Yammer Enterprise license assigned and enabled | user.assignedPlans -any (assignedPlan.service -eq "YammerEnterprise" -and assignedPlan.capabilityStatus -eq "Enabled") |
| All users with a MicrosoftPrint license assigned and enabled | user.assignedPlans -any (assignedPlan.service -eq "MicrosoftPrint" -and assignedPlan.capabilityStatus -eq "Enabled") |
| All guest users in AAD | (user.userType -eq "Guest") |
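To see what these rules actually select before a group is switched on, here is an added example that is not part of the original post and not Microsoft's rule engine: a small Python evaluator for the subset of the rule syntax used in the tables above (-eq, -ne, -match, -contains, -and, -or and -any, with parentheses), run against a constructed device and user inventory. Its semantics are simplifying assumptions rather than a specification of the real service: property names and string comparisons are case-insensitive, -ne on an attribute that is not set evaluates true, chained -and/-or are evaluated left to right, and -contains on a multi-valued attribute tests each element. The sample records, their ids and the [ZTDId] value are made up.

```python
"""Toy evaluator for the subset of Azure AD dynamic membership rule syntax used above (illustration only)."""
import re

TOKEN_RE = re.compile(r'(?P<paren>[()])|"(?P<str>[^"]*)"|(?P<op>-[A-Za-z]+)'
                      r'|(?P<ident>[A-Za-z_][\w.]*)|(?P<bad>\S)')
lower = lambda v: v.lower() if isinstance(v, str) else v  # assumption: comparisons are case-insensitive

def tokenize(rule):
    """Split a rule into (kind, value) tokens; operators are lower-cased so -EQ equals -eq."""
    tokens = []
    for m in TOKEN_RE.finditer(rule):
        if m.lastgroup == "bad":  # e.g. curly quotes pasted from a web page
            raise ValueError(f"unexpected character {m.group()!r} in rule")
        tokens.append((m.lastgroup, lower(m.group()) if m.lastgroup == "op" else m.group(m.lastgroup)))
    return tokens

def parse(rule):
    """Recursive-descent parser returning a nested-tuple syntax tree."""
    toks, i = tokenize(rule), 0
    def take():
        nonlocal i
        i += 1
        return toks[i - 1] if i <= len(toks) else (None, None)
    def expr():  # operand ((-and | -or) operand)*, evaluated left to right (assumption)
        node = operand()
        while toks[i:i + 1] in ([("op", "-and")], [("op", "-or")]):
            node = (take()[1][1:], node, operand())
        return node
    def operand():
        kind, val = take()
        if (kind, val) == ("paren", "("):
            node = expr()
            if take() != ("paren", ")"):
                raise ValueError("missing closing parenthesis")
            return node
        if kind != "ident":
            raise ValueError(f"expected a property name, got {val!r}")
        _, op = take()
        if op == "-any":  # collection -any <predicate evaluated for each element>
            return ("any", val, operand())
        lit_kind, lit = take()
        if lit_kind == "ident" and lit.lower() in ("true", "false"):
            lit = lit.lower() == "true"
        elif lit_kind != "str":
            raise ValueError(f"expected a literal after {op}")
        return ("cmp", op[1:], val, lit)
    tree = expr()
    if i != len(toks):
        raise ValueError("unexpected tokens after the rule")
    return tree

def resolve(path, root, item):
    head, *rest = path.split(".")
    # device./user. paths read the object; '_' or a singular name (assignedPlan.) reads the -any element
    obj = root if head.lower() in ("device", "user") else item
    for seg in rest:  # property names are matched case-insensitively (assumption)
        obj = {k.lower(): v for k, v in obj.items()}.get(seg.lower()) if isinstance(obj, dict) else None
    return obj

def compare(op, left, value):
    if op == "ne":  # assumption: a missing attribute (None) satisfies -ne
        return not compare("eq", left, value)
    if left is None:
        return False
    left, value = lower(left), lower(value)
    if op == "eq":
        return left == value
    if op == "match":  # regular-expression test, so "Android" also matches "AndroidEnterprise"
        return isinstance(left, str) and isinstance(value, str) and re.search(value, left) is not None
    if op == "contains":  # substring test on each element of a multi-valued attribute
        return isinstance(value, str) and any(value in lower(e) for e in (left if isinstance(left, list) else [left]) if isinstance(e, str))
    raise ValueError(f"unsupported operator -{op}")

def evaluate(node, root, item=None):
    kind = node[0]
    if kind in ("and", "or"):
        a, b = evaluate(node[1], root, item), evaluate(node[2], root, item)
        return (a and b) if kind == "and" else (a or b)
    if kind == "any":
        coll = resolve(node[1], root, item)
        return isinstance(coll, list) and any(evaluate(node[2], root, e) for e in coll)
    _, op, path, value = node
    return compare(op, resolve(path, root, item), value)

def members(rule, objects):
    """Ids of the objects the rule would place in the group."""
    tree = parse(rule)
    return [o["id"] for o in objects if evaluate(tree, o)]

DEVICES = [  # constructed sample directory: ids and the [ZTDId] value are made up
    {"id": "dev1", "deviceOSType": "Windows", "deviceOwnership": "Company", "managementType": "MDM",
     "devicePhysicalIds": ["[ZTDId]:example-0001", "[OrderID]:CloudOnly"]},
    {"id": "dev2", "deviceOSType": "Windows", "deviceOwnership": "Personal", "managementType": "MDM"},
    {"id": "dev3", "deviceOSType": "iPhone", "deviceOwnership": "Personal"},  # managementType unset
    {"id": "dev4", "deviceOSType": "AndroidEnterprise", "deviceOwnership": "Company", "managementType": "MDM"},
]
USERS = [
    {"id": "u1", "accountEnabled": True, "userType": "Member", "assignedPlans": [{"service": "SCO", "capabilityStatus": "Enabled"}]},
    {"id": "u2", "accountEnabled": False, "userType": "Guest", "assignedPlans": [{"service": "SCO", "capabilityStatus": "Deleted"}]},
]
```

Calling members() with the rules from the tables against this inventory shows, under the stated assumptions, a few things worth checking before a rule goes live: -match "Android" is a regular-expression test and therefore also picks up AndroidEnterprise devices, -ne "MDM" includes devices whose managementType is not set at all, the upper-case USER.ASSIGNEDPLANS rule behaves exactly like its lower-case form, and a rule pasted with curly quotes (“Company”) is rejected by the tokenizer, so rules should be copied with straight double quotes.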