diff --git a/articles/active-directory/users-groups-roles/groups-dynamic-membership.md b/articles/active-directory/users-groups-roles/groups-dynamic-membership.md index 924e7b992cae9..180afa826c883 100644 --- a/articles/active-directory/users-groups-roles/groups-dynamic-membership.md +++ b/articles/active-directory/users-groups-roles/groups-dynamic-membership.md @@ -354,7 +354,10 @@ The custom property name can be found in the directory by querying a user's prop ## Rules for devices -You can also create a rule that selects device objects for membership in a group. You can't have both users and devices as group members. The **organizationalUnit** attribute is no longer listed and should not be used. This string is set by Intune in specific cases but is not recognized by Azure AD, so no devices are added to groups based on this attribute. +You can also create a rule that selects device objects for membership in a group. You can't have both users and devices as group members. + +> [!NOTE] +> The **organizationalUnit** attribute is no longer listed and should not be used. This string is set by Intune in specific cases but is not recognized by Azure AD, so no devices are added to groups based on this attribute. > [!NOTE] > systemlabels is a read-only attribute that cannot be set with Intune. @@ -376,9 +379,8 @@ The following device attributes can be used. enrollmentProfileName | Apple Device Enrollment Profile, Device enrollment - Corporate device identifiers (Android - Kiosk), or Windows Autopilot profile name | (device.enrollmentProfileName -eq "DEP iPhones") isRooted | true false | (device.isRooted -eq true) managementType | MDM (for mobile devices)
PC (for computers managed by the Intune PC agent) | (device.managementType -eq "MDM") - organizationalUnit | a valid on-premises organizational unit (OU) | (device.organizationalUnit -contains "laptop") deviceId | a valid Azure AD device ID | (device.deviceId -eq "d4fe7726-5966-431c-b3b8-cddc8fdb717d") - objectId | a valid Azure AD object ID | (device.objectId -eq 76ad43c9-32c5-45e8-a272-7b58b58f596d") + objectId | a valid Azure AD object ID | (device.objectId -eq "76ad43c9-32c5-45e8-a272-7b58b58f596d") devicePhysicalIds | any string value used by Autopilot, such as all Autopilot devices, OrderID, or PurchaseOrderID | (device.devicePhysicalIDs -any _ -contains "[ZTDId]") (device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881") (device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342") systemLabels | any string matching the Intune device property for tagging Modern Workplace devices | (device.systemLabels -contains "M365Managed")
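Review bot: In the first hunk (@@ -354,7 +354,10), the new organizationalUnit note says the attribute "should not be used" but gives no guidance for rules that already reference it. Because the note itself states that no devices are added to groups based on this attribute, an existing rule such as (device.organizationalUnit -contains "laptop") contributes no members without any visible error. Suggest adding one sentence telling readers to remove or replace that clause in existing rules. Separately, the unchanged note that follows spells the attribute "systemlabels" while the table uses "systemLabels"; aligning the casing in this change would avoid two adjacent notes with inconsistent attribute naming.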
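Review bot: In the second hunk (@@ -376,9 +379,8), the devicePhysicalIds context row still mixes casing: the first example is written device.devicePhysicalIDs while the next two use device.devicePhysicalIds. Since this hunk already corrects example syntax by restoring the missing opening quote in the objectId example, the same pass should make the three devicePhysicalIds examples consistent with the attribute name in the first column. Removing the organizationalUnit row is consistent with the note added in the previous hunk.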