Create AAD Dynamic SG based on region or subnet

Arif Usman 421 Reputation points

My company is totally based on Cloud Azure, which means there is nothing On Premise.
We have few other physical sites, for examples HQ Denver, Florida site, KC Site, Las Vegas site ETC. Each sites have different private Subnets.

Is there way to create a Dynamic SG for devices?

What am i looking for SG so i can use applications deployment per region. if region one only needs following applications, i can create assignment for that region in Intune. Plus, for inventory purpose too.

thanks in advance.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,424 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Vasil Michev 95,081 Reputation points MVP

    You can create dynamic membership groups with device objects by leveraging the set of attributes listed here:
    Region/location is not available, but you can prefix the device name with the site, etc.

  2. AmanpreetSingh-MSFT 56,306 Reputation points

    Hi @Arif Usman • Thank you for reaching out.

    In the case of a cloud-only environment, the Dynamic Security Groups in Azure AD can contain only the devices which are Azure AD Registered or Azure AD joined or both, based on the value(s) set for the devices' attributes.

    If there is no such attribute available that you want to use in your Dynamic group query, you may consider creating the extension attribute(s) for the devices and assigning appropriate values that can be used in the custom query of the dynamic groups. Below are the example graph calls that you can use to extend Azure AD schema with custom attributes for your Azure AD devices.

    To create custom/extension attribute:




    "name": "DeviceSubnet",  
    "dataType": "String",  
    "targetObjects": ["Device"]  

    To assign value to custom attribute:




        "extension_GUID_DeviceSubnet": "192.168.100.x"  

    You can then create a dynamic group using a membership rule similar to the one highlighted below:



    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.