Hi Doan, Thanks for posting.
You can leverage the MDM auto enrolment feature to get the Azure AD devices automatically enrolled to Intune, and the same can be controlled over security groups.
Check this tutorial and let me know if you need any clarification.
https://learn.microsoft.com/en-us/mem/intune/enrollment/quickstart-setup-auto-enrollment
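As an added check that is not part of the original answer: once the MDM user scope in the tutorial is set to the security group, this PowerShell snippet verifies on a Windows device that the Azure AD join and the Intune enrollment actually took effect. It assumes an elevated session on Windows 10/11 with dsregcmd.exe available; the registry paths are those Microsoft documents for MDM auto-enrollment, and the field names parsed from dsregcmd are taken from its /status output.

```powershell
# Added example (not from the original post): verify Azure AD join state and
# MDM auto-enrollment on a Windows 10/11 device.
# Assumptions: run as administrator; dsregcmd.exe present; registry paths as
# documented for Group Policy / Azure AD join based auto-enrollment.

function Get-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    # Section banners such as "| Device State |" have no colon and are skipped.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([^:]+?)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

$ds = Get-DsregStatus
# AzureAdJoined must be YES for auto-enrollment via the MDM user scope;
# MdmUrl is only filled in after the device has discovered the MDM service.
[pscustomobject]@{
    AzureAdJoined = $ds['AzureAdJoined']
    DomainJoined  = $ds['DomainJoined']
    TenantName    = $ds['TenantName']
    MdmUrl        = $ds['MdmUrl']
}

# Optional GPO / CSP policy that forces enrollment with the Azure AD credential.
# It is not required when enrollment is driven by Azure AD join alone.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
if (Test-Path $policyPath) {
    Get-ItemProperty -Path $policyPath |
        Select-Object AutoEnrollMDM, UseAADCredentialType
} else {
    Write-Warning "No auto-enrollment policy at $policyPath (normal for pure Azure AD join enrollment)"
}

# Completed enrollments are recorded as GUID subkeys under
# HKLM\SOFTWARE\Microsoft\Enrollments; an MDM enrollment carries a
# DiscoveryServiceFullURL pointing at the Intune enrollment endpoint.
$enrollRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
Get-ChildItem -Path $enrollRoot -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.DiscoveryServiceFullURL } |
    Select-Object PSChildName, DiscoveryServiceFullURL
```

If AzureAdJoined is YES but no enrollment subkey appears, the usual causes are the signed-in user not being a member of the security group named in the MDM user scope, or the device being joined before the scope was set; in both cases an Azure AD join of the device after fixing group membership triggers the enrollment.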