Use Graph Explorer to discover property values for Dynamic Groups in Azure AD

You’ve probably created a dynamic Azure AD group for your Autopilot devices – but what does that ZTDID string even mean? Do you have to use that query? In this blog post we’ll explore the mystical Microsoft Graph to figure out what else we can configure.

Quick summary: The Microsoft Graph is a developer platform that connects the backend of M365 services. That includes Intune, Azure AD, Office, and much more. If you’d like to learn more I highly recommend looking at the Graph docs page: https://docs.microsoft.com/en-us/graph/overview

Now that we know what it is, lets take a look at the Microsoft Graph Explorer.

Here, you can use the built in sample account to explore the various information that the Graph API has stored. Don’t know how to code? No problem! Run the default command without /me/ to see a list of other available options.

Or instead of exploring, you can use the Graph docs to find out the url’s we want to query. Here’s a link to the Intune Graph Docs (or the general Graph API Reference).

If you run the url with /devices/ appended you may be disappointed to see that nothing comes up. That’s only because, well, there’s no devices stored in the sample tenant’s Microsoft Graph.

No big deal – let’s log in to our own tenant and try it out. Here, I get a list of every device I have in Azure AD:

Let’s look at two devices in particular. Can you guess which has a hardware hash uploaded to Autopilot?

If you guessed Device #2, that was correct! I mentioned it earlier, but let’s take a deeper look at the Autopilot Dynamic device query:

 (device.devicePhysicalIDs -any _ -contains "[ZTDId]") 

Compare the query to the Graph device url output. The query is saying that under a device’s physicalIDs, we’re looking for any property that contains [ZTDID]. The reason this works is because the ZTDID property is only created as part of uploading the hardware hash to Autopilot. In the 2 example devices above, notice that only the second one has a ZTDID property value.

So how can we create our own Dynamic Device rule? In the Microsoft Endpoint Manager portal, click on Groups > New Group:

Then select either Dynamic Device or Dynamic User. I’m looking up device properties in the Graph explorer, so I’ve selected Dynamic Device. If you click on the Dynamic device members button, you’ll be shown:

Notice that if you click on the property dropdown, there will be a list that almost matches our Graph data.

Cool right? So to actually match these up, you do have to make some logical leaps. For example, we can safely assume that deviceOSVersion will equal operatingSystemVersion. But now we have both sides of the equation – the properties we can use to create dynamic rules, and the actual value of those properties in our tenant.

As an example, I want to create a rule for my device above. Let’s say we want to find all the other devices that are Virtual Machines (shown under “model”). To do this, all I have to do is select the deviceModel dropdown, and equals, the value Virtual Machine (since that’s what the exactl property value is in Microsoft Graph).

Once you save the group, it’s done! In a few seconds we’ll have a group that shows all my virtual machines:

If you’d like to explore the Dynamic Group syntax even further, take a look at this docs page: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#rules-for-devices

If you’ve had trouble with dynamic device groups returning the devices you’re actually looking for, I hope this helps. Happy configuring!