One of my favourite everyday features in Azure Active Directory (AAD) has to be the Validate Rules option for dynamic group membership; at the time of writing it is in preview. You’ll see it as a separate tab in the Dynamic membership rules section of AAD. I’m writing this because it’s easily missed, and customers I’ve worked with didn’t know it was there.
As someone who’s spent years in Configuration Manager writing collection queries, updating the collection and crossing my fingers, I find this a nice way to check instantly that an AAD rule does what you intend before you assign policies or apps to the group.
Once we’ve defined a dynamic membership rule, we can pick one sample device from the environment and check that it matches the criteria we’ve set.
Here is the example. I created a dynamic group for iOS devices and used a simple rule:
(device.deviceOSType -eq "iOS")
The device I have enrolled in this example is an iPod, which in theory also runs iOS. I select that device from the device list and the result appears almost instantly. In this case it shows that the device does not match the rule I’ve set.
Selecting View details shows why:
The rule is looking for “iOS” as the OS type, while this particular device reports “IPod”; the UI shows the value the device actually reports in square brackets [ ]. The comparison is a plain string match, so this device will never be a member of the group. That silent gap is exactly what you want to catch before assignment: a device that falls outside the group gets none of the policies you assign to the group, and nothing tells you it is missing.
We amend the rule by adding an OR condition to capture “IPod” in addition to “iOS”, and check again.
The whole process takes minutes, if not seconds, if you have an existing device you can test with.
This is a simple example, but some rules can get complicated, and I think it’s prudent to run this check for EVERY dynamic group you create. Even when you’re confident the rule is right, treat it as mandatory: minimal effort for maximum gain. Enjoy!
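The same check can be scripted, which helps once you start validating every dynamic group rather than clicking through the portal for each one. The PowerShell below is an added example and is not code from the original post: it evaluates the original rule, the amended OR rule, and an equivalent -in form against one enrolled device through the Microsoft Graph evaluateDynamicMembership action, which is the API behind the portal tab. Assumptions are marked in the comments: the action is a beta endpoint whose request and response shapes should be checked against the Graph reference before you rely on them, the delegated scopes are assumed to be sufficient, the device display name is a placeholder, and the Graph operatingSystem property is taken to be the value that device.deviceOSType is compared against.

```powershell
# Added example (not from the original post): validate a dynamic membership
# rule against one device via Microsoft Graph instead of the portal tab.
# Assumptions, to be checked against the Graph reference before relying on them:
#   - POST /beta/groups/evaluateDynamicMembership accepts memberId, memberType
#     and membershipRule and returns membershipRuleEvaluationResult plus
#     per-expression details. It is a beta endpoint and may change.
#   - Group.Read.All and Device.Read.All are sufficient delegated scopes.
#   - The device display name below is a placeholder for a real enrolled device.

Connect-MgGraph -Scopes 'Group.Read.All', 'Device.Read.All'

function Test-DynamicMembershipRule {
    param(
        [Parameter(Mandatory)] [string] $MembershipRule,
        [Parameter(Mandatory)] [string] $DeviceId
    )

    $body = @{
        memberId       = $DeviceId
        memberType     = 'Device'
        membershipRule = $MembershipRule
    } | ConvertTo-Json

    $result = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/beta/groups/evaluateDynamicMembership' `
        -Body $body -ContentType 'application/json'

    # Dump the per-expression details, the scripted equivalent of "View details":
    # each expression, the attribute value the device reports, and its outcome.
    $result.membershipRuleEvaluationDetails | ConvertTo-Json -Depth 10 | Write-Verbose -Verbose

    return [bool] $result.membershipRuleEvaluationResult
}

# Look up the sample device by display name (placeholder name, constructed here).
$deviceName = 'Peters-iPod'
$lookup = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/devices?`$filter=displayName eq '$deviceName'&`$select=id,displayName,operatingSystem"
$device = $lookup.value | Select-Object -First 1
if (-not $device) { throw "Device '$deviceName' not found" }

# operatingSystem is assumed here to be the property deviceOSType is compared against.
"Device $($device.displayName) reports operatingSystem=[$($device.operatingSystem)]"

# The post's original rule, the amended OR rule, and the equivalent -in form.
$rules = @(
    '(device.deviceOSType -eq "iOS")',
    '(device.deviceOSType -eq "iOS") or (device.deviceOSType -eq "IPod")',
    '(device.deviceOSType -in ["iOS","IPod"])'
)
foreach ($rule in $rules) {
    $matched = Test-DynamicMembershipRule -MembershipRule $rule -DeviceId $device.id
    '{0,-75} => {1}' -f $rule, $(if ($matched) { 'MATCH' } else { 'no match' })
}
```

For an iPod that reports "IPod", the first rule should come back as no match and the other two as a match, which is the same outcome the portal shows. Because the action takes the rule as input rather than reading it from an existing group, you can run it against a rule you have not saved yet, and loop the same function over a list of sample devices (one per platform you expect to capture) before assigning anything to the group.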
/Peter