Let’s see how Intune Admin validate Azure AD Dynamic Group Rules. There are lots of improvements in Intune. One of the features in Azure Active Directory (AAD) has to be the Validate Rules options of dynamic group memberships is in public preview. You will see this as a separate tab in the Dynamic membership rules section. The Validate Rules tab will run your query against your selected target users or devices and confirm if they would meet the requirements to be a group member or not.
If you want to create an Azure AD dynamic group, we recommend you check the detailed instructions in the below posts. Here very well explained this scenario in HTMD Free Intune Training – Azure AD Dynamic Device Group
Related Post – Intune Admins Basic Azure AD Dynamic Device Group Rules | Queries
Validate Azure AD Dynamic Group Rules
Let’s get started –
- Sign in to the Microsoft Endpoint Manager admin center.
- Navigate to Groups > All groups. Select an existing dynamic group or create a new dynamic group. Here I checked for existing, dynamic devices group and selected from the list.

- Click on Dynamic membership rules. You will see the Validate Rules tab on top. Here you can also edit an existing group rule. Let’s find out All Windows 10 20H2 Corporate Devices from Azure AD tenant with the following Azure AD rule –
(device.deviceOSType -eq "Windows") and (device.deviceOSVersion -contains "10.0.19042") and (device.deviceOwnership -eq "Company")

- On Validate Rules tab, Click on Add devices or Add users based on group selection to validate configured rules for group.
Note – You can select 20 users or devices to validate added membership rules at one time.

- After choosing the users or devices from the picker, click Select. Validation will automatically start.

- Validation results will appear and show whether a device or user is a member of the group or not. The result will show Status as following –
In group - If a user or device satisfies a rule on a group, the result will show as In group (✅Green Tick).
Not in group - If a user or device no longer satisfies the rule, the result will show as Not in group (❌Red Cross).
Unknown - If the rule is not valid or there is a network issue, the result will show as Unknown.
You can modify the rule, and validation of memberships will be triggered. To see why the device or user is not a group member, click on View details. Here I selected 3 devices to validate against the rule syntax.

- On the device, click on View details. In Verification details, It will display the result of each expression composing the rule. Click OK to exit. Here added device doesn’t meet the criteria OSVersion as this Windows device is having OS Version 2004 (OS Build 19041).

- In this case added device in a group matches the membership rules and verified successfully.

- The added device doesn’t meet OSVersion and Ownership criteria as this device is personal and has Windows OS Version 1909 (OS Build 18363).

- You can edit rules directly by clicking Edit in the box below and Click on validate to check status.

Resources
- Validate a dynamic group membership rule (preview) – Microsoft Docs
- Windows 10 Major Minor Build Rev | Where Can I Get Details?
- Intune Search Option Improvements for Groups and Members | Endpoint Manager
- Windows 10 Feature Update Intune Report | Endpoint Manager
- How to Use Group Policy Analytics in Intune Portal | Endpoint Manager
- Learn How to Collect Windows 10 Diagnostics Information from Intune Portal | Endpoint Manager
- How to Check Intune Service Release Version | Endpoint Manager
- How to Export All Devices Data from Intune Portal | Endpoint Manager
- Sign-in Activity Reports in Intune portal | Endpoint Manager