This post has been republished via RSS; it originally appeared at: Intune Customer Success articles.
By: Chris Kunze – Sr. Product Manager | Microsoft Intune
If you're managing a lot of devices, you know how important it is to keep your Microsoft Entra ID dynamic group processing running smoothly and efficiently. To encourage performant dynamic group rules, the ‘contains’ and ‘not Contains’ operators were recently removed (MC705357) from the rule builder’s list of operators. While it’s still possible to use these operators if you edit the rule syntax manually, there is a reason why these operators were removed. Certain properties and operators, such as ‘contains’ and ‘match’, are significantly less efficient in group processing than others. This inefficiency can lead to significant delays in dynamic group processing. You can optimize these rules by using more performant alternatives such as ‘Equals’, ‘Not Equals’, ‘Starts With’, and ‘Not Starts With’.
In addition, some device properties that are available when creating a dynamic group are not indexed, which also leads to inefficiencies in processing the group membership. It’s best to avoid using these properties until they are indexed, if possible. The deviceOwnership and enrollmentProfileName properties have recently been indexed, and work is ongoing to index the following properties to improve dynamic group processing efficiency:
- deviceCategory
- deviceManagementAppId
- deviceManufacturer
- deviceModel
- deviceOSType
- deviceOSVersion
- devicePhysicalIds
- deviceTrustType
- isRooted
- managementType
- objectId
- profileType
- systemLabels
Using this guidance, we saw significant improvement in group membership evaluation times in a large customer's production environment.
Here’s a quick example. An organization wants to group all devices that were enrolled with any of these 3 enrollment profiles:
- iOS devices – Teachers
- iOS devices – Students
- iOS devices – Admins
While “device.enrollmentProfileName -contains "iOS devices"” works, the rule “device.enrollmentProfileName -startswith "iOS devices"” yields the same results but is a much more efficient query.
Evaluating your dynamic group rules with PowerShell
The following is a sample script that you can use to output the displayName, id, and membershipRule for each of the dynamic groups in your organization to a CSV-based file. Using this output, you can quickly list and evaluate the membership rules for all of your Entra ID dynamic groups for inefficiencies and start improving them.
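An added example, not the script from the original post: it writes displayName, id, and membershipRule to a CSV file and adds a findings column that flags the slower operators and the not-yet-indexed device properties named above. The sample groups, the Get-RuleFinding helper, and the output file name are constructed for illustration; the commented Microsoft Graph PowerShell SDK lines are an assumption about how you would load real groups.

```powershell
# Operators and device properties this post calls out as slow or not yet indexed.
$SlowOperatorPattern = '(?i)-(notContains|contains|match)\b'
$NonIndexed = 'deviceCategory', 'deviceManagementAppId', 'deviceManufacturer', 'deviceModel',
              'deviceOSType', 'deviceOSVersion', 'devicePhysicalIds', 'deviceTrustType',
              'isRooted', 'managementType', 'objectId', 'profileType', 'systemLabels'

# Hypothetical helper: returns one finding per slow operator or non-indexed property in a rule.
function Get-RuleFinding {
    param([string]$MembershipRule)
    $findings = @()
    foreach ($m in [regex]::Matches($MembershipRule, $SlowOperatorPattern)) {
        $findings += "slow operator -$($m.Groups[1].Value)"
    }
    foreach ($m in [regex]::Matches($MembershipRule, '(?i)\bdevice\.(\w+)')) {
        if ($NonIndexed -contains $m.Groups[1].Value) {   # -contains is case-insensitive here
            $findings += "non-indexed property device.$($m.Groups[1].Value)"
        }
    }
    $findings | Select-Object -Unique
}

# Constructed sample data so the script runs offline. For a real tenant (assumes the
# Microsoft Graph PowerShell SDK is installed), replace it with:
#   Connect-MgGraph -Scopes 'Group.Read.All'
#   $groups = Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'DynamicMembership')" `
#                 -Property Id, DisplayName, MembershipRule
$groups = @(
    [pscustomobject]@{ DisplayName = 'iOS profiles (contains)'; Id = '00000000-0000-0000-0000-000000000001'
        MembershipRule = '(device.enrollmentProfileName -contains "iOS devices")' }
    [pscustomobject]@{ DisplayName = 'iOS profiles (startsWith)'; Id = '00000000-0000-0000-0000-000000000002'
        MembershipRule = '(device.enrollmentProfileName -startsWith "iOS devices")' }
    [pscustomobject]@{ DisplayName = 'Corporate Surface'; Id = '00000000-0000-0000-0000-000000000003'
        MembershipRule = '(device.deviceModel -match "Surface") and (device.deviceOwnership -eq "Company")' }
)

$report = foreach ($g in $groups) {
    [pscustomobject]@{
        displayName    = $g.DisplayName
        id             = $g.Id
        membershipRule = $g.MembershipRule
        findings       = (Get-RuleFinding -MembershipRule $g.MembershipRule) -join '; '
    }
}

$report | Export-Csv -Path .\DynamicGroupRules.csv -NoTypeInformation
$report | Where-Object findings | Format-Table displayName, findings -AutoSize
```

The pattern match does not parse the rule, so an operator name that appears inside a quoted value is also flagged; treat the findings column as a list of rules to review by hand.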
Conclusion
We recommend evaluating your group membership rules to see how you can write them more efficiently. Use ‘Equals’ and ‘Starts With’ wherever possible and avoid using the non-indexed properties listed above if they don’t materially change the membership of the dynamic group. You can learn more about creating efficient rules by reading this documentation: Create simpler, more efficient rules for dynamic groups in Microsoft Entra ID.
We hope this helps to improve the processing of your dynamic group memberships! If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam.