Entra ID dynamic groups are one of the most powerful tools available to Microsoft Intune administrators. Instead of manually adding devices or users to groups, you define rules based on attributes, and Entra ID handles group membership automatically. This guide explains how to create and use dynamic groups in Entra ID for Intune, covering user groups, device groups, BYOD/CYOD scenarios, and deployment rings.
Dynamic groups require an Entra ID P1 or P2 license, included with Microsoft 365 Business Premium, E3, E5, or as an add-on. For the full attribute reference, see the official Microsoft Entra ID dynamic membership documentation. See also our guide on what Microsoft Intune is for context.
What Are Dynamic Groups in Entra ID?
A dynamic group uses a membership rule to automatically add or remove users and devices based on their attributes. When a device enrolls in Intune, Entra ID evaluates it against all active dynamic group rules and adds it to matching groups. As device attributes change (ownership type, OS version, compliance status), Entra ID updates group membership automatically, without any admin intervention.
Two types of dynamic groups exist: Dynamic User groups (based on user attributes like department, job title, or license assignment) and Dynamic Device groups (based on device attributes like OS version, ownership type, or enrollment type). Both integrate directly with Intune for policy and app assignment.

Create a Dynamic Device Group in Entra ID
- Sign in to the Microsoft Intune admin center at intune.microsoft.com
- Go to Groups → All groups → New group
- Set Group type to Security
- Enter a descriptive Group name (e.g., Intune-Windows11-Corporate)
- Set Membership type to Dynamic Device
- Click Add dynamic query and define your rule
- Click Save to create the group

Key Dynamic Membership Rules for Intune
BYOD vs Corporate Devices
Intune automatically assigns ownership type during enrollment. Use the following rules to separate personal (BYOD) from corporate devices:
# Corporate-owned devices
(device.deviceOwnership -eq "Company")
# Personal BYOD devices
(device.deviceOwnership -eq "Personal")
Importantly, in the Intune admin center, ownership displays as Corporate, but the Entra ID dynamic rule uses Company. This distinction matters for rule accuracy.
Windows OS Version Targeting
Target specific Windows builds for update rings or compliance policies:
# Devices running Windows 11 24H2
(device.deviceOSType -eq "Windows") -and (device.deviceOSVersion -startsWith "10.0.26100")
# All Windows 11 devices
(device.deviceOSType -eq "Windows") -and (device.deviceOSVersion -startsWith "10.0.2")
Entra ID Join Type
Separate Entra ID joined, hybrid joined, and registered devices:
# Entra ID joined (formerly Azure AD joined)
(device.deviceTrustType -eq "AzureAD")
# Hybrid Entra ID joined
(device.deviceTrustType -eq "ServerAD")
# Entra ID registered (BYOD)
(device.deviceTrustType -eq "Workplace")
Deployment Rings with Dynamic Groups
Dynamic groups with regex rules let you create percentage-based deployment rings for Intune updates, eliminating manual ring assignment for large device fleets. Entra ID device IDs are 32-character hexadecimal strings, and their last character distributes evenly across 16 values. By targeting specific last characters, you can build rings covering any percentage of your fleet:
# Pilot ring (~6% of devices - last character is 0)
(device.deviceId -match "^.*[0]$")
# Early ring (~25% of devices - last character is 0-3)
(device.deviceId -match "^.*[0123]$")
# Production ring (~75% of devices - last character is 4-f)
(device.deviceId -match "^.*[456789abcdef]$")
Consequently, this approach scales seamlessly from 200 to 100,000 devices and integrates directly with Windows Autopatch and Feature Update rings in Intune.
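The ring rules above can be checked offline before they are saved to a group. The following is an added example, not code from this guide or from Microsoft: it applies the three patterns to constructed random GUIDs and reports each ring's share, plus any device that matches no ring or matches both early and production. The function names and the case-insensitive matching are assumptions of the example.

```python
import random
import re
import uuid
from collections import Counter

# Patterns copied from the -match rules above.
RINGS = {
    "pilot": r"^.*[0]$",
    "early": r"^.*[0123]$",
    "production": r"^.*[456789abcdef]$",
}
# Assumption: rule string operators ignore case, so the check does too.
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in RINGS.items()}


def rings_for(device_id):
    """Return the names of every ring whose pattern matches this device ID."""
    return [name for name, rx in COMPILED.items() if rx.search(device_id)]


def audit(device_ids):
    """Return per-ring share, devices in no ring, and devices in conflicting rings."""
    counts, unassigned, conflicts = Counter(), [], []
    for dev in device_ids:
        matched = rings_for(dev)
        counts.update(matched)
        if not matched:
            unassigned.append(dev)  # would receive no ring-targeted policy
        # pilot is a deliberate subset of early; early plus production is a conflict
        if "early" in matched and "production" in matched:
            conflicts.append(dev)
    shares = {name: counts[name] / len(device_ids) for name in RINGS}
    return shares, unassigned, conflicts


def sample_fleet(n, seed=1):
    """Constructed sample data: n random GUIDs in the same format as device IDs."""
    rng = random.Random(seed)
    return [str(uuid.UUID(int=rng.getrandbits(128), version=4)) for _ in range(n)]


if __name__ == "__main__":
    shares, unassigned, conflicts = audit(sample_fleet(20000))
    for name, share in shares.items():
        print(f"{name:<11}{share:6.1%}")
    print("unassigned:", len(unassigned), "conflicts:", len(conflicts))
```

Because the pilot pattern is a subset of the early pattern, pilot devices also receive whatever is assigned to the early ring; the audit treats only an early/production overlap as a conflict.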
Assign Intune Policies to Dynamic Groups
Once your dynamic groups exist, assign policies and apps directly from the Intune admin center. Navigate to the policy or app, click Assignments, and select your dynamic group as the target. Intune then automatically applies the policy to every device that joins the group and removes it when a device no longer matches the rule.

To configure compliance policies that work with these groups, see our guide on Intune compliance policies. Device enrollment prerequisites are covered in our guide on enrolling a Mac in Intune. Finally, see our Microsoft Entra ID complete guide for identity governance context.

