Close Menu
Peter Klapwijk – In The Cloud 24-7Peter Klapwijk – In The Cloud 24-7
    Facebook X (Twitter) Instagram
    Peter Klapwijk – In The Cloud 24-7Peter Klapwijk – In The Cloud 24-7
    • Home
    • Intune
    • Windows
      • Modern Workplace
    • macOS
    • Android
    • iOS
    • Automation
      • Logic Apps
      • Intune Monitoring
      • GitHub
    • Security
      • Passwordless
      • Security
    • Speaking
    • About me
    Peter Klapwijk – In The Cloud 24-7Peter Klapwijk – In The Cloud 24-7
    Home»Intune»Create Azure AD Dynamic Device Group using Mobile Device Management Type
    Intune

    Create Azure AD Dynamic Device Group using Mobile Device Management Type

    Peter KlapwijkBy Peter KlapwijkJune 14, 2022Updated:June 14, 202223 Mins Read

    I actually didn’t even notice it myself in the Azure AD portal but I was triggered by Scott Duffey his tweet, we have new dynamic device group properties available. And these are not just dynamic group properties, these are properties for which we are already screaming for years!

    We finally have the option to use Mobile Device Management Type as property to create our dynamic device groups. We can now create a group with all our System Center Configuration Manager (SCCM) managed devices, or all our Intune managed devices.

    But we now also have a property to set the Join Type, which means we can create groups for our Hybrid Azure AD Joined and Azure AD Joined devices.

    deviceTrustType is used to set the join type (ServerAd, AzureAd or Workplace).
    deviceManagementAppId is used to set the MDM Management Type.

    But as you can see we need to use an MDM App ID to configure this property, we can’t just use the name of the MDM solution as seen in the Azure portal. So let’s quickly look at how we can determine which ID we should use for Intune and SCCM.

    Look up the MDM App Id

    In the Azure AD portal, when we open the properties of our Windows devices it shows System Center Configuration Manager as MDM.

    Or it shows Microsoft Intune as MDM.

    It also shows the Object ID. With that object ID, we are able to look up the mdmAppId via Microsoft Graph Explorer, which we need to set the deviceManagementAppId in our dynamic device group.

    To look up the Id, we do that by running this query:
    https://graph.microsoft.com/v1.0/devices/[ObjectID]
    Replace [ObjectID] with the object ID from your device.

    When we run the query for an SCCM-managed device, we see the mdmAppId in the response:
    54b943f8-d761-4f8d-951e-9cea1846db5a

    And when we run the query for an Intune-managed device, the mdmAppId is:
    0000000a-0000-0000-c000-000000000000

    With this information, we can create a dynamic device group based on the MDM Type.

    Create an AAD Dynamic group using the MDM Type

    To create an AAD Dynamic device group using the MDM Type we need to select deviceManagementAppId as Property.
    As a value, we enter one of the IDs we found via Graph Explorer:
    54b943f8-d761-4f8d-951e-9cea1846db5a for SCCM.
    0000000a-0000-0000-c000-000000000000 for Intune.

    Depending on the operator you prefer, you need to enter the whole ID or can use a part of the ID.

    If needed you can expand the dynamic query, for example with deviceOSType, or for a short while, also with deviceTrustType.

    Thanks for reading!

    Azure AD Intune MEM Microsoft 365 Microsoft Endpoint Manager Windows
    Share. Facebook Twitter LinkedIn Email WhatsApp
    Peter Klapwijk
    • Website
    • X (Twitter)
    • LinkedIn

    Peter is a Security (Intune) MVP since 2020 and is working as Modern Workplace Engineer at Wortell in The Netherlands. He has more than 15 years of experience in IT, with a strong focus on Microsoft technologies like Microsoft Intune, Windows, and (low-code) automation.

    Related Posts

    Add a certificate to the Trusted Publishers with Intune without reporting errors

    May 31, 2022

    Offer remote assistance to your Windows 10 users – even with admin rights

    April 15, 2020

    Manage Mozilla Firefox settings with Microsoft Intune

    March 11, 2020
    View 2 Comments

    2 Comments

    1. Mo on November 9, 2022 20:21

      Do either of these device management app IDs change with each domain or is it static and built into Azure from Microsoft?

      Reply
    2. Big Easy on February 14, 2023 20:23

      is there a way to create a group based on device’s IPs

      Reply
    Leave A Reply Cancel Reply

    Peter Klapwijk

    Hi! Welcome to my blog post.
    I hope you enjoy reading my articles.

    Hit the About Me button to get in contact with me or leave a comment.

    Awards
    Sponsor
    Latest Posts

    Hide the “Turn on an ad privacy feature” pop-up in Chrome with Microsoft Intune

    April 19, 2025

    How to set Google as default search provider with Microsoft Intune

    April 18, 2025

    Using Windows Autopilot device preparation with Windows 365 Frontline shared cloud PCs

    April 13, 2025

    Using Visual Studio with Microsoft Endpoint Privilege Management, some notes

    April 8, 2025
    follow me
    • Twitter 4.8K
    • LinkedIn 6.1K
    • YouTube
    Tags
    Administrative Templates Android Automation Autopilot Azure Azure AD Browser Conditional Access Edge EMS Exchange Online Feitian FIDO2 Flow Google Chrome Graph Graph API Identity Management Intune Intune Monitoring iOS KIOSK Logic Apps macOS MEM MEMMonitoring Microsoft 365 Microsoft Edge Microsoft Endpoint Manager Modern Workplace Office 365 OneDrive for Business Outlook Passwordless PowerApps Power Automate Security SharePoint Online Teams Windows Windows 10 Windows10 Windows 11 Windows Autopilot Windows Update
    Copy right

    This information is provided “AS IS” with no warranties, confers no rights and is not supported by the authors, or In The Cloud 24-7.

     

    Copyright © 2025 by In The Cloud 24-7/ Peter Klapwijk. All rights reserved, No part of the information on this web site may be reproduced or posted in any form or by any means without the prior written permission of the publisher.

    Shorthand; Don’t pass off my work as yours, it’s not nice.

    Recent Comments
    • Peter Klapwijk on Using Windows Autopilot device preparation with Windows 365 Frontline shared cloud PCs
    • John M on Using Windows Autopilot device preparation with Windows 365 Frontline shared cloud PCs
    • Christoffer Jakobsen on Connect to Azure file shares with Microsoft Entra Private Access
    • Ludo on How to block Bluetooth file transfer with Microsoft Intune
    • RCharles on Automatically configure the time zone (during Autopilot enrollment)
    most popular

    Application installation issues; Download pending

    October 1, 2024

    Restrict which users can logon into a Windows 10 device with Microsoft Intune

    April 11, 2020

    How to change the Windows 11 language with Intune

    November 11, 2022

    Update Microsoft Edge during Windows Autopilot enrollments

    July 9, 2024
    Peter Klapwijk – In The Cloud 24-7
    X (Twitter) LinkedIn YouTube RSS
    © 2025 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.

    Manage Cookie Consent
    To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
    Functional Always active
    The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
    Preferences
    The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
    Statistics
    The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
    Marketing
    The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
    Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
    View preferences
    {title} {title} {title}