Validate Azure AD Dynamic Group Rules | Intune

Let’s see how Intune admins can validate Azure AD dynamic group rules. There are lots of improvements in Intune. One of the new features in Azure Active Directory (AAD) is the Validate Rules option for dynamic group memberships, which is in public preview. You will see this as a separate tab in the Dynamic membership rules section. The Validate Rules tab runs your rule against the users or devices you select and confirms whether or not they would meet the requirements to be a group member.

If you want to create an Azure AD dynamic group, we recommend you check the detailed instructions in the posts below. This scenario is explained in detail in HTMD Free Intune Training – Azure AD Dynamic Device Group.

Related Post – Intune Admins Basic Azure AD Dynamic Device Group Rules | Queries

Validate Azure AD Dynamic Group Rules

Let’s get started –

  • Sign in to the Microsoft Endpoint Manager admin center.
  • Navigate to Groups > All groups. Select an existing dynamic group or create a new dynamic group. Here I checked for an existing dynamic device group and selected it from the list.
  • Click on Dynamic membership rules. You will see the Validate Rules tab at the top. Here you can also edit an existing group rule. Let’s find all Windows 10 20H2 corporate devices in the Azure AD tenant with the following Azure AD rule –
(device.deviceOSType -eq "Windows") and (device.deviceOSVersion -contains "10.0.19042") and (device.deviceOwnership -eq "Company")
  • On the Validate Rules tab, click Add devices or Add users, based on the group selection, to validate the configured rules for the group.

Note – You can select 20 users or devices to validate added membership rules at one time.

  • After choosing the users or devices from the picker, click Select. Validation will automatically start.
  • Validation results will appear and show whether or not a device or user is a member of the group. The Status column shows one of the following –
      In group - If a user or device satisfies a rule on a group, the result will show as In group (✅ green tick).
      Not in group - If a user or device no longer satisfies the rule, the result will show as Not in group (❌ red cross).
      Unknown - If the rule is not valid or there is a network issue, the result will show as Unknown.

You can modify the rule, and validation of memberships will be triggered again. To see why a device or user is not a group member, click View details. Here I selected 3 devices to validate against the rule syntax.

  • On the device, click View details. Verification details displays the result of each expression composing the rule. Click OK to exit. Here the added device doesn’t meet the OSVersion criterion, as this Windows device has OS Version 2004 (OS Build 19041).
  • In this case, the added device matches the membership rules and is verified successfully.
  • The added device doesn’t meet the OSVersion and Ownership criteria, as this device is personal and has Windows OS Version 1909 (OS Build 18363).
  • You can edit rules directly by clicking Edit in the box below, then click Validate to check the status.
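
To sanity-check a rule before pasting it into the portal, the sketch below reproduces the per-expression result that View details shows for the rule used in this walkthrough. It is an added example, not Microsoft's evaluator or code from the original post: it is a local approximation that only supports clauses joined by `and` with the `-eq`, `-contains` and `-startsWith` operators, and the device names and build revision numbers are constructed.

```python
import re

# One clause of a device rule: (device.<property> -<operator> "<value>")
CLAUSE = r'\(\s*device\.(\w+)\s+-(\w+)\s+"([^"]*)"\s*\)'
CLAUSE_RE = re.compile(CLAUSE, re.IGNORECASE)
# Only clauses joined by "and" are supported, as in the rule on this page.
RULE_RE = re.compile(rf'\s*{CLAUSE}(?:\s+and\s+{CLAUSE})*\s*', re.IGNORECASE)

# Operator subset; Azure AD string comparisons are not case sensitive.
OPERATORS = {
    "eq": lambda actual, wanted: actual.lower() == wanted.lower(),
    "contains": lambda actual, wanted: wanted.lower() in actual.lower(),
    "startswith": lambda actual, wanted: actual.lower().startswith(wanted.lower()),
}

def parse_rule(rule):
    """Return [(property, operator, value), ...] or raise ValueError."""
    if not RULE_RE.fullmatch(rule):
        raise ValueError("malformed or unsupported rule")
    clauses = CLAUSE_RE.findall(rule)
    for _, op, _ in clauses:
        if op.lower() not in OPERATORS:
            raise ValueError(f"unsupported operator -{op}")
    return clauses

def validate(rule, device):
    """Return (status, per-expression results), like the View details pane."""
    try:
        clauses = parse_rule(rule)
    except ValueError:
        return "Unknown", []  # an invalid rule is reported as Unknown
    details = []
    for prop, op, wanted in clauses:
        actual = device.get(prop)
        passed = actual is not None and OPERATORS[op.lower()](actual, wanted)
        details.append((f"device.{prop}", passed))
    in_group = all(passed for _, passed in details)
    return ("In group" if in_group else "Not in group"), details

RULE_TEXT = ('(device.deviceOSType -eq "Windows") and '
             '(device.deviceOSVersion -contains "10.0.19042") and '
             '(device.deviceOwnership -eq "Company")')

# Constructed sample devices (names and build revisions are made up).
DEVICES = {
    "PC-20H2": {"deviceOSType": "Windows", "deviceOSVersion": "10.0.19042.985", "deviceOwnership": "Company"},
    "PC-2004": {"deviceOSType": "Windows", "deviceOSVersion": "10.0.19041.928", "deviceOwnership": "Company"},
    "PC-1909": {"deviceOSType": "Windows", "deviceOSVersion": "10.0.18363.1500", "deviceOwnership": "Personal"},
}

if __name__ == "__main__":
    for name, device in DEVICES.items():
        status, details = validate(RULE_TEXT, device)
        print(name, status, [expr for expr, passed in details if not passed])
```

The three sample devices mirror the three outcomes shown in the steps above: a 20H2 corporate device that matches, a 2004 device that fails only the OS version expression, and a personal 1909 device that fails both the OS version and ownership expressions.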