I need to make this smarter really, but… hopefully this helps a few people get up and running with Device Collection Queries… I’m constantly evolving this in my personal file share, but thought I’d dump a copy here as sharing is caring.
If you were to throw this into PowerShell “as-is”, you’d be prompted to authenticate, and then, if you have the AzureADPreview module installed, you’d get a bunch of new Security Groups prefixed “SG-” in your tenant.
The bottom of this code snippet includes some commented out device queries, mostly for reference.
#### As of March 2021, the default/stock AzureAD module still seemingly has a problem with the -MembershipRule parameter
#
# Check if AzureADPreview module is installed
if (-not (Get-Module -Name AzureAD -ListAvailable)) {
Write-Host "AzureAD module is not installed installed."
} else {
Write-Host "AzureAD module is installed. This needs to be replaced with AzureADPreview."
Write-Host "Please run: Uninstall-Module -Name AzureAD"
Write-Host "...and try again."
Exit 1
}
#### Solution, install the AzureADPreview module
# Check if AzureADPreview module is installed
if (-not (Get-Module -Name AzureADPreview -ListAvailable)) {
# Install the AzureADPreview module
Install-Module -Name AzureADPreview -Force
Write-Host "AzureADPreview module has been installed."
} else {
Write-Host "AzureADPreview module is already installed."
}
#### Dynamic Group Creation
New-AzureADMSGroup -DisplayName "SG-User-Everyone" -Description "Contains all Enabled Users" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(user.accountEnabled -eq True)" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Device-Virtual Machines" -Description "Contains all Virtual Machines" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceModel -contains "Virtual")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Device-HoloLens" -Description "Contains all Company Owned iPad/iPhone devices" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOSType -contains ""Windows Holographic"") or (device.deviceModel -contains ""HoloLens"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Device-Android Kiosk" -Description "Contains all Company Owned Android Enterprise devices for Kiosk Mode usage" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.enrollmentProfileName -eq ""AE Kiosk Enrollment Token"") and (device.deviceOSType -contains ""Android"") and (device.deviceOwnership -eq ""Company"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Autopilot-Virtual Enrolled Devices" -Description "Uses GroupTag/OrderID, which when specified as Virtual, gives you the ability to target a different profile - IF REQUIRED. This is most likely for testing purposes." -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.devicePhysicalIds -any (_ -eq ""[OrderID]:Virtual""))" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Autopilot-HoloLens Enrolled Devices" -Description "Uses GroupTag/OrderID, which when specified as HoloLens, gives you the ability to target a different profile - IF REQUIRED. This is most likely for testing purposes." -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.devicePhysicalIDs -any (_ -contains ""[ZTDId]"")) and (device.deviceOSType -contains ""Windows Holographic"") or (device.deviceModel -contains ""HoloLens"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Autopilot-All Autopilot Enrolled Devices" -Description "Contains all Company Owned iPad/iPhone devices" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.devicePhysicalIDs -any (_ -contains ""[ZTDId]""))" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Device-iOS Devices" -Description "Contains all Company Owned iPad/iPhone devices" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOwnership -eq ""Company"") and (device.deviceManufacturer -eq ""Apple"") and (device.deviceOSType -eq ""iPad"") or (device.deviceOSType -eq ""iPhone"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Device-All Company Owned Windows Devices" -Description "Contains all Company Owned Windows devices" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOSType -eq ""Windows"") -and (device.deviceOwnership -eq ""Company"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Device-All Personally Owned Windows Devices" -Description "Contains all Personally Owned Windows devices (BYOD)" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOSType -eq ""Windows"") -and (device.deviceOwnership -eq ""Personal"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Device-All Managed Windows Devices" -Description "Contains all Managed (by MDM) Windows devices" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOSVersion -startsWith ""10"") -and (device.DeviceOSType -startsWith ""Windows"") -and (device.managementType -eq ""MDM"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Device-All Windows Devices" -Description "Contains all Windows devices" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOSVersion -startsWith ""10"") -and (device.DeviceOSType -startsWith ""Windows"")" -MembershipRuleProcessingState "On"
#Windows
#10
New-AzureADMSGroup -DisplayName "SG-Device-Win10-1909orEarlier" -Description "Contains all Windows 10 devices, running 1909 or earlier" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOSType -eq ""Windows"") and ((device.deviceOSVersion -startsWith ""10.0.10"") or (device.deviceOSVersion -startsWith ""10.0.11"") or (device.deviceOSVersion -startsWith ""10.0.12"") or (device.deviceOSVersion -startsWith ""10.0.13"") or (device.deviceOSVersion -startsWith ""10.0.14"") or (device.deviceOSVersion -startsWith ""10.0.15"") or (device.deviceOSVersion -startsWith ""10.0.16"") or (device.deviceOSVersion -startsWith ""10.0.17"") or (device.deviceOSVersion -startsWith ""10.0.18""))" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Device-Win10-2004" -Description "Contains all Windows 10 devices, running 2004" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOSType -eq ""Windows"") and (device.deviceOSVersion -startsWith ""10.0.19041"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Device-Win10-20H2" -Description "Contains all Windows 10 devices, running 20H2" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOSType -eq ""Windows"") and (device.deviceOSVersion -startsWith ""10.0.19042"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Device-Win10-21H1" -Description "Contains all Windows 10 devices, running 21H1" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOSType -eq ""Windows"") and (device.deviceOSVersion -startsWith ""10.0.19043"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Device-Win10-21H2" -Description "Contains all Windows 10 devices, running 21H2" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOSType -eq ""Windows"") and (device.deviceOSVersion -startsWith ""10.0.19044"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Device-Win10-22H2" -Description "Contains all Windows 10 devices, running 22H2" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOSType -eq ""Windows"") and (device.deviceOSVersion -startsWith ""10.0.19045"")" -MembershipRuleProcessingState "On"
#11
New-AzureADMSGroup -DisplayName "SG-Device-Win11-21H2" -Description "Contains all Windows 11 devices, running 21H2" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOSType -eq ""Windows"") and (device.deviceOSVersion -startsWith ""10.0.22000"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Device-Win11-22H2" -Description "Contains all Windows 11 devices, running 22H2" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOSType -eq ""Windows"") and (device.deviceOSVersion -startsWith ""10.0.22621"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Device-Win11-23H2" -Description "Contains all Windows 11 devices, running 23H2" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOSType -eq ""Windows"") and (device.deviceOSVersion -startsWith ""10.0.22631"")" -MembershipRuleProcessingState "On"
#All Windows Devices
New-AzureADMSGroup -DisplayName "SG-Device-All Windows 10 Devices" -Description "Contains all Windows 10 devices" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOSType -eq ""Windows"") and (device.deviceOSVersion -startsWith ""10.0.1"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Device-All Windows 11 Devices" -Description "Contains all Windows 11 devices" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOSType -eq ""Windows"") and (device.deviceOSVersion -startsWith ""10.0.2"")" -MembershipRuleProcessingState "On"
#iOS
New-AzureADMSGroup -DisplayName "GLB-iOS-BYOD Personally Owned Devices-PRD" -Description "Contains all Personally Owned Apple devices, including iPhones and iPads (BYOD)." -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOwnership -eq ""Personal"") and (device.deviceManufacturer -eq ""Apple"") and ((device.deviceOSType -eq ""iPad"") or (device.deviceOSType -eq ""iPhone""))" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "GLB-iOS-Corporate Owned Devices-PRD" -Description "Contains all Corporate Owned Apple devices, including iPhones and iPads." -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceManufacturer -eq ""Apple"") and (device.enrollmentProfileName -eq ""GLB-iOS-Automated Device Enrolment-PRD"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "GLB-iOS-BYOD Personally Owned iPad Devices-PRD" -Description "Contains all Personally Owned Apple iPad devices." -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOwnership -eq ""Personal"") and (device.deviceManufacturer -eq ""Apple"") and (device.deviceOSType -eq ""iPad"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "GLB-iOS-BYOD Personally Owned iPhone Devices-PRD" -Description "Contains all Personally Owned Apple iPhone devices." -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOwnership -eq ""Personal"") and (device.deviceManufacturer -eq ""Apple"") and (device.deviceOSType -eq ""iPhone"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "GLB-iOS-Corporate Owned iPad Devices-PRD" -Description "Contains all Corporate Owned Apple iPad devices." -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceManufacturer -eq ""Apple"") and (device.deviceOSType -eq ""iPad"") and (device.enrollmentProfileName -eq ""GLB-iOS-Automated Device Enrolment-PRD"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "GLB-iOS-Corporate Owned iPhone Devices-PRD" -Description "Contains all Corporate Owned Apple iPhone devices." -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceManufacturer -eq ""Apple"") and (device.deviceOSType -eq ""iPhone"") and (device.enrollmentProfileName -eq ""GLB-iOS-Automated Device Enrolment-PRD"")" -MembershipRuleProcessingState "On"
#Android
New-AzureADMSGroup -DisplayName "GLB-Android-BYOD Personally Owned Devices-PRD" -Description "Contains all Personally Owned Android devices (BYOD)." -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOSType -contains ""Android"") and (device.deviceOwnership -eq ""Personal"") and (device.managementType -eq ""MDM"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "GLB-Android-COBO Corporate Owned Fully Managed Devices-PRD" -Description "Contains all Corporate Owned Fully Managed Android devices (COBO)" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOSType -eq ""AndroidEnterprise"") and (device.deviceOwnership -eq ""Company"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "GLB-Android-COPE Corporate Owned Work Profile Devices-PRD" -Description "Contains all Corporate Owned with Work Profile Android devices (COPE)" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOSType -eq ""AndroidEnterprise"") and (device.enrollmentProfileName -eq ""GLB-Android-COPE Corporate Owned Work Profile-PRD"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "GLB-Android-COSU Corporate Owned Dedicated Devices-PRD" -Description "Contains all Corporate Owned, Dedicated Android devices (COSU)" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceOSType -eq ""AndroidEnterprise"") and (device.enrollmentProfileName -eq ""GLB-Android-COSU Corporate Owned Dedicated Profile-PRD"")" -MembershipRuleProcessingState "On"
#Other Devices
New-AzureADMSGroup -DisplayName "SG-Device-All Virtual Machines" -Description "Contains all Virtual Machine devices" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceModel -eq ""Virtual Machine"") -or (device.deviceModel -eq ""VMware Virtual Platform"") -or (device.deviceModel -eq ""VMware7,1"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Device-All Lenovo Devices" -Description "Contains all Lenovo devices" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.manufacturer -eq ""LENOVO"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Device-All HP Devices" -Description "Contains all HP devices" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.manufacturer -eq ""HP"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "SG-Device-All Dell Devices" -Description "Contains all Dell devices" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.manufacturer -eq ""Dell Inc."")" -MembershipRuleProcessingState "On"
# #### Static/Assigned Group Creation
New-AzureADGroup -DisplayName "SG-AAD-ExcludeMFA" -Description "Members added to this collection, will be excluded from MFA requirements. Used ONLY during Testing/Pilot" -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
New-AzureADGroup -DisplayName "SG-App-Windows-7zip" -Description "Members of this Security Group will either receive the product automatically, or see the related application for installation via Company Portal." -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
#Application Specific Examples
New-AzureADGroup -DisplayName "SG-App-iOS-Microsoft Outlook" -Description "Members of this Security Group will either receive the product automatically, or see the related application for installation via Company Portal." -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
New-AzureADGroup -DisplayName "SG-App-Android-Microsoft Outlook" -Description "Members of this Security Group will either receive the product automatically, or see the related application for installation via Company Portal." -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
New-AzureADGroup -DisplayName "SG-App-HoloLens-Microsoft Word" -Description "Members of this Security Group will either receive the product automatically, or see the related application for installation via Company Portal." -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
New-AzureADGroup -DisplayName "App-Require-MicrosoftVisio" -Description "Users/Devices added to this group will automatically receive the specific application." -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
New-AzureADGroup -DisplayName "App-Allow-MicrosoftVisio" -Description "Users added to this group will be able to self-serve the specific application." -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
New-AzureADGroup -DisplayName "App-Remove-MicrosoftVisio" -Description "Users/Devices added to this group will have the specific application removed." -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
New-AzureADGroup -DisplayName "App-Require-MicrosoftAccess" -Description "Users/Devices added to this group will automatically receive the specific application." -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
New-AzureADGroup -DisplayName "App-Allow-MicrosoftAccess" -Description "Users added to this group will be able to self-serve the specific application." -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
New-AzureADGroup -DisplayName "App-Remove-MicrosoftAccess" -Description "Users/Devices added to this group will have the specific application removed." -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
New-AzureADGroup -DisplayName "App-Require-MicrosoftProject" -Description "Users/Devices added to this group will automatically receive the specific application." -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
New-AzureADGroup -DisplayName "App-Allow-MicrosoftProject" -Description "Users added to this group will be able to self-serve the specific application." -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
New-AzureADGroup -DisplayName "App-Remove-MicrosoftProject" -Description "Users/Devices added to this group will have the specific application removed." -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
#Device Queries
# (device.devicePhysicalIDs -any _ -contains "[ZTDId]") and (device.devicePhysicalIds -not _ -eq "[OrderID]:Russia") and (device.devicePhysicalIds -not _ -eq "[OrderID]:China") and (device.devicePhysicalIds -not _ -eq "[OrderID]:Hong Kong")
# (device.displayName -startsWith "CHN-") and (device.deviceOSType -contains "Windows") or (device.devicePhysicalIds -any _ -eq "[OrderID]:China")
# (device.devicePhysicalIDs -any _ -eq "[OrderID]:AutoDeployApps") or
# (device.devicePhysicalIds -any _ -eq "[OrderID]:Australia") or
# (device.devicePhysicalIds -any _ -eq "[OrderID]:Bangladesh") or
#All Autopilot Devices Excluding Those with OrderID Hybrid
# (device.devicePhysicalIDs -any _ -contains "[ZTDId]") and (device.devicePhysicalIds -any _ -ne "[OrderID]:Hybrid")
# (device.devicePhysicalIDs -any _ -contains "[ZTDId]") or (device.devicePhysicalIds -any _ -eq "[OrderID]:China")
# (device.devicePhysicalIDs -any _ -eq "[OrderID]:AutoDeployApps")
## Core Apps with Deviation via Device Extension Attributes
## https://medium.com/learning-mem/using-azure-ad-device-extension-attributes-in-microsoft-endpoint-manager-19a3b4c30172
# Office 32bit
#(device.devicePhysicalIds -any _ -eq "[OrderID]:GBR") and (device.extensionAttribute5 -eq "Office365-x86")
# Office 64bit
#(device.devicePhysicalIds -any _ -eq "[OrderID]:GBR") and (device.extensionAttribute5 -notmatch "Office.*")
# Office 64bit with Access
#(device.devicePhysicalIds -any _ -eq "[OrderID]:GBR") and (device.extensionAttribute5 -eq "Office365-x64-Access")
Leave a Reply