From 3aa00268e5a9061c1e7fe6c2856b175e547d2be9 Mon Sep 17 00:00:00 2001 From: Scott Kissel <32919113+sckissel@users.noreply.github.com> Date: Thu, 24 Oct 2019 12:01:07 -0500 Subject: [PATCH 1/3] Update groups-dynamic-membership.md Removed the OrganizationUnit from the table (I had previously added it and commented on the last pull request that it should be removed, my mistake), and also added a more bolder note to the OrganizationalUnit text above the table. --- .../users-groups-roles/groups-dynamic-membership.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/articles/active-directory/users-groups-roles/groups-dynamic-membership.md b/articles/active-directory/users-groups-roles/groups-dynamic-membership.md index 924e7b992cae9..5c32a180325dd 100644 --- a/articles/active-directory/users-groups-roles/groups-dynamic-membership.md +++ b/articles/active-directory/users-groups-roles/groups-dynamic-membership.md @@ -354,7 +354,10 @@ The custom property name can be found in the directory by querying a user's prop ## Rules for devices -You can also create a rule that selects device objects for membership in a group. You can't have both users and devices as group members. The **organizationalUnit** attribute is no longer listed and should not be used. This string is set by Intune in specific cases but is not recognized by Azure AD, so no devices are added to groups based on this attribute. +You can also create a rule that selects device objects for membership in a group. You can't have both users and devices as group members. + +> [!NOTE] +> The **organizationalUnit** attribute is no longer listed and should not be used. This string is set by Intune in specific cases but is > not recognized by Azure AD, so no devices are added to groups based on this attribute. > [!NOTE] > systemlabels is a read-only attribute that cannot be set with Intune. 
@@ -376,7 +379,6 @@ The following device attributes can be used. enrollmentProfileName | Apple Device Enrollment Profile, Device enrollment - Corporate device identifiers (Android - Kiosk), or Windows Autopilot profile name | (device.enrollmentProfileName -eq "DEP iPhones") isRooted | true false | (device.isRooted -eq true) managementType | MDM (for mobile devices)
PC (for computers managed by the Intune PC agent) | (device.managementType -eq "MDM") - organizationalUnit | a valid on-premises organizational unit (OU) | (device.organizationalUnit -contains "laptop") deviceId | a valid Azure AD device ID | (device.deviceId -eq "d4fe7726-5966-431c-b3b8-cddc8fdb717d") objectId | a valid Azure AD object ID | (device.objectId -eq 76ad43c9-32c5-45e8-a272-7b58b58f596d") devicePhysicalIds | any string value used by Autopilot, such as all Autopilot devices, OrderID, or PurchaseOrderID | (device.devicePhysicalIDs -any _ -contains "[ZTDId]") (device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881") (device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342") From 74dbb21d237e2cc5241c28b4703a57ff95feb099 Mon Sep 17 00:00:00 2001 From: Scott Kissel <32919113+sckissel@users.noreply.github.com> Date: Thu, 24 Oct 2019 20:42:56 -0500 Subject: [PATCH 2/3] Update groups-dynamic-membership.md Added a missing quote I noticed --- .../users-groups-roles/groups-dynamic-membership.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/articles/active-directory/users-groups-roles/groups-dynamic-membership.md b/articles/active-directory/users-groups-roles/groups-dynamic-membership.md index 5c32a180325dd..506ab0d10af08 100644 --- a/articles/active-directory/users-groups-roles/groups-dynamic-membership.md +++ b/articles/active-directory/users-groups-roles/groups-dynamic-membership.md @@ -380,7 +380,7 @@ The following device attributes can be used. isRooted | true false | (device.isRooted -eq true) managementType | MDM (for mobile devices)
PC (for computers managed by the Intune PC agent) | (device.managementType -eq "MDM") deviceId | a valid Azure AD device ID | (device.deviceId -eq "d4fe7726-5966-431c-b3b8-cddc8fdb717d") - objectId | a valid Azure AD object ID | (device.objectId -eq 76ad43c9-32c5-45e8-a272-7b58b58f596d") + objectId | a valid Azure AD object ID | (device.objectId -eq "76ad43c9-32c5-45e8-a272-7b58b58f596d") devicePhysicalIds | any string value used by Autopilot, such as all Autopilot devices, OrderID, or PurchaseOrderID | (device.devicePhysicalIDs -any _ -contains "[ZTDId]") (device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881") (device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342") systemLabels | any string matching the Intune device property for tagging Modern Workplace devices | (device.systemLabels -contains "M365Managed") From 0ec1fb8546c62bed384ae8a32c69634a59ff7f2b Mon Sep 17 00:00:00 2001 From: Scott Kissel <32919113+sckissel@users.noreply.github.com> Date: Fri, 25 Oct 2019 17:36:03 -0500 Subject: [PATCH 3/3] Update groups-dynamic-membership.md Removed extra > sign between IS and Not in sentence "his string is set by Intune in specific cases but is not recognized by Azure AD," --- .../users-groups-roles/groups-dynamic-membership.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/articles/active-directory/users-groups-roles/groups-dynamic-membership.md b/articles/active-directory/users-groups-roles/groups-dynamic-membership.md index 506ab0d10af08..180afa826c883 100644 --- a/articles/active-directory/users-groups-roles/groups-dynamic-membership.md +++ b/articles/active-directory/users-groups-roles/groups-dynamic-membership.md 
@@ -357,7 +357,7 @@ The custom property name can be found in the directory by querying a user's prop You can also create a rule that selects device objects for membership in a group. You can't have both users and devices as group members. > [!NOTE] -> The **organizationalUnit** attribute is no longer listed and should not be used. This string is set by Intune in specific cases but is > not recognized by Azure AD, so no devices are added to groups based on this attribute. +> The **organizationalUnit** attribute is no longer listed and should not be used. This string is set by Intune in specific cases but is not recognized by Azure AD, so no devices are added to groups based on this attribute. > [!NOTE] > systemlabels is a read-only attribute that cannot be set with Intune.
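Review bot: In [PATCH 1/3], hunk `@@ -354,7 +354,10 @@`, the added NOTE line has a stray `>` in the middle of its second sentence ("but is > not recognized by Azure AD"), which will render as a literal character inside the note. Remove it so the sentence reads "but is not recognized by Azure AD". [PATCH 3/3] makes exactly this correction, so the two commits could be squashed to keep the broken intermediate state out of history.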
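Review bot: In [PATCH 1/3], hunk `@@ -376,7 +379,6 @@`, the `objectId` row left as context directly below the removed `organizationalUnit` row has an unbalanced quote in its example, `(device.objectId -eq 76ad43c9-32c5-45e8-a272-7b58b58f596d")`. A reader who copies it gets a rule that does not parse, so add the opening quote in the same change that touches this table. The removal itself matches the note above the table: a rule on `device.organizationalUnit` adds no devices, so any group scoped by it would stay empty.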
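Review bot: In [PATCH 2/3], hunk `@@ -380,7 +380,7 @@`, the `devicePhysicalIds` row just below the corrected `objectId` line spells the property two ways: the first example uses `device.devicePhysicalIDs` and the other two use `device.devicePhysicalIds`. Since this commit is already fixing copy-paste errors in the example column, use one spelling in all three examples, matching the attribute name in the first column (`devicePhysicalIds`).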
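Review bot: In [PATCH 3/3], hunk `@@ -357,7 +357,7 @@`, the trailing context note spells the attribute `systemlabels`, while the table row shown in [PATCH 2/3] spells it `systemLabels`. Use the table's casing in the note so a search for the attribute name finds both places. The subject line "Update groups-dynamic-membership.md" is also identical across all three commits; a subject that names the actual change (for example the stray `>` removed here) would make the history easier to read.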