Enhanced Dynamic Device Grouping in Microsoft Entra

Overview

We are requesting enhancements to Microsoft Entra dynamic group capabilities to align more closely with the flexibility and granularity historically available in Configuration Manager (ConfigMgr) collections.

Today, Entra dynamic groups are too limited for enterprise-scale device targeting, which creates operational inefficiencies and prevents customers from fully transitioning away from legacy ConfigMgr-based grouping.

Problem Statement

In Configuration Manager, device collections allow highly granular grouping using:

  • Complex WQL queries
  • Multi-attribute logic
  • Relationships between inventory classes
  • Inclusion/exclusion rules at scale

In contrast, Microsoft Entra dynamic groups are limited to:

  • Basic property-based rules
  • A restricted set of device/user attributes
  • Limited logical operators
  • No ability to reference extended inventory or relationships

This gap creates challenges for:

  • Device targeting (apps, policies, scripts)
  • Phased deployments
  • Ring-based rollout strategies
  • Exception handling and device segmentation

As a result, many organizations must:

  • Maintain ConfigMgr solely for collections
  • Build manual workarounds (scripts, tagging, filters)
  • Accept reduced targeting precision

Key Limitations

1. Limited Attribute Set

  • Cannot leverage extended hardware/software inventory (e.g., BIOS version, firmware state, installed apps, driver versions)
  • No ability to query custom device properties collected via Intune

2. Basic Query Logic

  • Missing advanced operators (joins, nested logic beyond basic AND/OR)
  • No support for reusable query components or modular logic

3. No Relationship-Based Queries

  • Cannot group devices based on:
    • User-device affinity
    • Primary user attributes
    • Membership in other groups (beyond basic inclusion/exclusion)

4. Static Rule Evaluation

  • Limited near-real-time evaluation
  • No control over evaluation frequency or prioritization

5. Operational Gaps vs ConfigMgr

  • No equivalent to:
    • Query-based collections using WQL
    • Incremental updates with complex triggers
    • Direct rule vs query rule blending
    • Maintenance window alignment with targeting

Requested Enhancements

1. Expanded Device Attribute Support

Enable dynamic groups to utilize:

  • Intune inventory data (apps, updates, compliance signals)
  • Hardware/firmware attributes (BIOS, TPM, Secure Boot)
  • Custom attributes (Graph extensions, tagging)

2. Advanced Query Language Support

Introduce a more powerful query capability, such as:

  • Extended rule syntax (nested logic, condition grouping)
  • Support for query-based expressions similar to WQL or KQL-lite
  • Ability to reference multiple attributes in complex conditions

Example use case (proposed rule syntax, shown as plain text):

  (Device.OSVersion >= "10.0.22621") AND
  (Device.Manufacturer == "Lenovo") AND
  (Device.BIOSVersion < "N3HET70W") AND
  (Device.PrimaryUser.Department == "Finance")
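The following is an added reference evaluator for the proposed rule above; it is example code written for this page, not Entra, Intune or ConfigMgr code, and the proposed syntax has no implementation to call. It assumes a hypothetical inventory feed (the constructed records at the bottom) carrying device fields plus a primary-user relationship. It illustrates two semantics the request should pin down before such a rule is used to target firmware or BIOS remediation: ordering comparisons on version strings must be numeric, not lexical (lexically "6.3.9600" sorts above "10.0.22621"), and a value the rule cannot interpret, such as a BIOS identifier from a different product family or a missing primary user, should fail closed so the device is not silently targeted. The BIOS comparison convention (same length, same 5-character family prefix) is a constructed assumption for the example, not a vendor specification.

```python
"""Added example: reference evaluator for the proposed cross-object rule.

Not Entra/ConfigMgr code. Assumes a hypothetical inventory feed (constructed
records below) with device fields and a primary-user relationship.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class User:
    upn: str
    department: str


@dataclass(frozen=True)
class Device:
    name: str
    os_version: str        # dotted build string as reported by the OS
    manufacturer: str
    bios_version: str      # vendor-specific identifier, ordered only within a family
    primary_user: Optional[User] = None


def version_key(version: str) -> Optional[Tuple[int, ...]]:
    """Turn '10.0.22621' into (10, 0, 22621) so comparisons are numeric.

    Lexically '6.3.9600' >= '10.0.22621' is True because '6' > '1';
    numerically it is False. Returns None for anything that is not
    purely dotted integers, so the caller can fail closed.
    """
    parts = version.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def bios_is_below(actual: str, threshold: str) -> Optional[bool]:
    """Order two BIOS identifiers of one family.

    Constructed convention for this example: identifiers are comparable only
    when they have the same length and the same 5-character family prefix
    (N3HET65W vs N3HET70W). Anything else is not ordered, so return None
    instead of guessing.
    """
    if len(actual) != len(threshold) or actual[:5] != threshold[:5]:
        return None
    return actual < threshold


def matches_rule(device: Device) -> bool:
    """(OSVersion >= 10.0.22621) AND (Manufacturer == Lenovo)
       AND (BIOSVersion < N3HET70W) AND (PrimaryUser.Department == Finance).

    Any clause that cannot be evaluated yields False (fail closed).
    """
    os_key = version_key(device.os_version)
    if os_key is None or os_key < version_key("10.0.22621"):
        return False
    if device.manufacturer != "Lenovo":
        return False
    if bios_is_below(device.bios_version, "N3HET70W") is not True:
        return False
    if device.primary_user is None:
        return False
    return device.primary_user.department == "Finance"


def targeted_devices(devices: List[Device]) -> List[str]:
    """Names of the devices the rule would place in the dynamic group."""
    return [d.name for d in devices if matches_rule(d)]


# Constructed sample inventory; names and values are illustrative only.
FINANCE = User("alice@example.com", "Finance")
SALES = User("bob@example.com", "Sales")
SAMPLE_INVENTORY = [
    Device("LT-001", "10.0.22631", "Lenovo", "N3HET65W", FINANCE),   # match
    Device("LT-002", "10.0.22631", "Lenovo", "N3HET72W", FINANCE),   # BIOS already current
    Device("LT-003", "6.3.9600", "Lenovo", "N3HET65W", FINANCE),     # lexical compare would wrongly admit
    Device("LT-004", "10.0.22631", "Lenovo", "R1AET45W", FINANCE),   # other BIOS family: not ordered
    Device("LT-005", "10.0.22631", "Lenovo", "N3HET65W", SALES),     # wrong department
    Device("LT-006", "10.0.22631", "Lenovo", "N3HET65W"),            # no primary user
    Device("WS-001", "10.0.22631", "Dell Inc.", "1.23.0", FINANCE),  # wrong manufacturer
]

if __name__ == "__main__":
    print(targeted_devices(SAMPLE_INVENTORY))  # ['LT-001']
```

Only LT-001 is targeted. LT-003 is the case worth noticing: a naive string comparison on OSVersion would admit a Windows 8.1-era build, and LT-004 shows why a BIOS threshold must be scoped to one hardware family rather than compared as free text.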

 

3. Cross-Object Targeting

Enable queries that combine:

  • Device + User attributes
  • Group membership references
  • Relationship-based targeting (e.g., devices where primary user is in X group)

4. Custom Tagging / Metadata Support

  • Allow administrators to define and assign custom tags to devices
  • Enable dynamic group rules based on those tags
  • Provide API support for automation workflows

5. Improved Evaluation and Performance Controls

  • Near real-time dynamic group updates
  • Visibility into rule processing status
  • Ability to prioritize or stage evaluation for large environments

6. Better Parity with ConfigMgr Collections

Introduce functionality similar to:

  • Include/Exclude rule layering
  • Query reuse across multiple groups
  • Hybrid grouping scenarios (static + dynamic combined more flexibly)

Business Impact

Enhancing dynamic group capabilities would:

✅ Reduce dependency on ConfigMgr
✅ Enable full cloud-native device management
✅ Improve targeting precision for deployments
✅ Accelerate patching, compliance, and remediation workflows
✅ Reduce administrative overhead and manual workarounds
✅ Improve user experience through more accurate policy/application targeting

Real-World Use Cases

  • Target devices missing specific BIOS or Secure Boot updates
  • Deploy firmware updates to only affected hardware models
  • Create rollout rings based on device + user attributes
  • Exclude critical systems dynamically from risky deployments
  • Target devices based on installed software versions

Summary

Dynamic groups in Entra are a critical foundation for modern endpoint management, but current limitations prevent enterprise customers from achieving the same level of control and precision available in ConfigMgr.

Closing this gap is essential to:

  • Support full transition to cloud-native management
  • Enable advanced automation scenarios
  • Meet enterprise-scale operational requirements
