Azure AD – UEM Authority (https://guides.uemauthority.com)

Create Device Categories
https://guides.uemauthority.com/knowledge-base/create-device-categories/
Wed, 19 Jan 2022 15:57:03 +0000

In this guide, we explore the Intune Device Categories feature.

To make managing devices easier, you can use device categories to automatically add devices to groups based on categories that you define.

This two-step process involves creating your categories and then the respective dynamic Azure AD groups, which tie the entire mechanism together.

Create Device Categories

Sign in to your Endpoint Manager portal by browsing to https://endpoint.microsoft.com

From the home dashboard, navigate to Devices > Device Categories.

Select the ‘Create Device Category’ button.

Set a Name and Description.
**Example**
Name: Marketing
Description: Device category for Marketing devices

Select ‘Next’ and keep the default Scope Tag selected.

Select ‘Next’ and then ‘Create’.

You will see the Marketing device category appear in the list ready for use.

Create an Azure AD Dynamic Group

Sign in to your Azure portal by browsing to https://portal.azure.com

From the home dashboard, select ‘Azure Active Directory’.

From the left side menu, select ‘Groups’.

Select the ‘New Group’ button.

Complete the required information:

**Example**
Group Type: Security
Group Name: Marketing Devices
Group Description: Group for Marketing devices.
Azure AD roles can be assigned to the group: No
Membership Type: Dynamic Device
Owners: No

Select ‘Add Dynamic Query’

Within the query builder, we configure the query values as below:

Property: deviceCategory
Operator: Equals
Value: Marketing (Friendly name given to your device category in Endpoint Manager)

Clicking away from the query builder, we can see Azure AD automatically translates your configuration values into a Rule Syntax.

The Rule Syntax should look identical to this, except that the value between the quotation marks is your own device category friendly name:

(device.deviceCategory -eq "Your_Device_Category_Name")

Select the ‘Save’ button to save the dynamic query.

Select the ‘Create’ button to build the Azure AD dynamic group.

Once created, you will see the Marketing Devices Azure AD dynamic group appear in the list ready for use.
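The same group can be created from a script, which keeps the membership rule in version control and avoids typographic quotes creeping into it. This is an added example, not part of the original guide; it assumes the Microsoft Graph PowerShell module is installed, and the mail nickname is a placeholder because Graph requires one even for security groups.

```powershell
# Added example: scripted equivalent of the portal steps above.
# Assumes the Microsoft.Graph module and an admin who can consent to Group.ReadWrite.All.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

$category    = 'Marketing'          # friendly name of the device category in Endpoint Manager
$displayName = 'Marketing Devices'

# Single-quoted format string so the rule keeps the straight double quotes it needs.
$rule = '(device.deviceCategory -eq "{0}")' -f $category

# Curly quotes copied from a web page make the rule invalid; stop before calling Graph.
if ($rule -match '[\u201C\u201D\u2018\u2019]') {
    throw "Membership rule contains typographic quotes: $rule"
}

# Do not create a second group with the same name; report the existing rule instead.
$group = Get-MgGroup -Filter "displayName eq '$displayName'" -Property Id,DisplayName,MembershipRule
if ($group) {
    Write-Warning "Group '$displayName' already exists with rule: $($group.MembershipRule)"
} else {
    $group = New-MgGroup -DisplayName $displayName `
        -Description 'Group for Marketing devices.' `
        -MailEnabled:$false `
        -MailNickname 'marketing-devices' `
        -SecurityEnabled `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On'
    Write-Output "Created group $($group.Id) with rule $rule"
}

# Membership is filled in by rule processing, so this list can be empty right after creation.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```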

See in Action

During enrolment to Endpoint Manager, the Company Portal app will ask the user to select a device category from the list provided.

In this example, the Marketing device category is selected in order to demonstrate an Azure AD dynamic group at work.

Once enrolment has been completed, the Azure AD dynamic group triggers an evaluation of the tenant against criteria set in the dynamic rule syntax. If the evaluation finds a device matching the criteria, that device is automatically added as a member of the group.

We can see our iPhone is now a member of the Marketing Devices group.


Create a Device Enrolment Manager (DEM) account
https://guides.uemauthority.com/knowledge-base/create-a-device-enrolment-manager-dem-account/
Mon, 17 Jan 2022 16:09:27 +0000

In this guide, we explore a feature which allows a single Azure AD account permission to enrol up to 1,000 devices. A DEM account is useful for scenarios where devices are enrolled and prepared before handing them out to the users of the devices.

Create a DEM account

Important – Device Enrolment Manager accounts include their own set of limitations. Refer to the Microsoft documentation for an exhaustive list.

Note – A Device Enrolment Manager account must be assigned an Intune license before the account can be added.

Sign in to your Endpoint Manager portal by browsing to https://endpoint.microsoft.com

From the home dashboard, navigate to Devices > Enrol Devices > Device Enrolment Managers.

Select the ‘Add’ button.

Enter the UPN of the Azure AD account to be added as a Device Enrolment Manager, then select the ‘Add’ button.
**Example**
UPN: iOSEnrol@traininguemauthority.onmicrosoft.com

Intune will notify you that the Device Enrolment Manager was created successfully.

You will see the Device Enrolment Account present in the list, ready to enrol devices.

See in Action

To enrol using a DEM account, in this example an iPhone, we follow the standard manual enrolment process.

Once complete, the Company Portal app confirms the device is enrolled; however, using a DEM account carries limited capabilities.

The Intune (Endpoint Manager) console also confirms the iPhone is enrolled, showing the iOS Enrol DEM account as the Primary User.


Create a Cloud Azure AD User
https://guides.uemauthority.com/knowledge-base/create-a-cloud-azure-ad-user/
Mon, 17 Jan 2022 11:58:43 +0000

In this guide, we create a Cloud Only standard user account directly in Azure Active Directory.

We then assign an active Enterprise Mobility & Security trial license to this account.

Create a Cloud Azure AD user

We shall create an Azure AD user for enrolment testing purposes only. This account will not be granted administrator access to the Azure portal.

From the home dashboard, select ‘Azure Active Directory’.

From the left menu, select Users.

Select ‘All Users’ and then select the ‘New User’ button.

Select the ‘Create User’ option as we are not inviting a guest user into your organisation.

Under Identity, complete the required information:
**Example**
Username: johndoe@johndoe.onmicrosoft.com or a custom domain
Name: John Doe
First Name: John
Last Name: Doe

Under Password, you are offered the choice to have Azure AD generate a password for you or allow you to set a custom password.

For the purpose of this guide, we will select Auto-generate.

Select the ‘Show Password’ toggle to reveal the password.

Groups and Roles are covered later in this training guide.

Under Settings:

Block Sign In: No
Usage Location: Your locale-specific location

Under Job Info, we have the option to set specific information about the Azure AD account owner. We will skip past this section, however, feel free to experiment here.

Select the ‘Create’ button to finish.

You will see the newly created account populate in the All Users pane.

Select the user account to review its details.

Things to note:
User Principal Name (UPN) should match the information provided during account creation.
User Type is set as Member, and not Guest, because the account is part of your organisation.
Object ID is a unique static attribute number assigned to this account.
Source is set as Azure Active Directory because this account originated in and resides in Azure Active Directory and not On-Premise Active Directory.

Assign a license to an Azure AD user account

Under Manage, select ‘Licenses’.

Select the ‘Assignments’ button.

Select ‘Enterprise Mobility + Security E5’.

Review licensing options to ensure the correct set of sub-services is included.

Select the ‘Save’ button.

Once the trial license has been applied to the user, you will see Enterprise Mobility + Security E5 present with an active state.
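The user creation and license assignment above can also be done in one script. This is an added example, not part of the original guide; it assumes the Microsoft Graph PowerShell module, uses 'GB' as a placeholder usage location, and assumes the tenant lists Enterprise Mobility + Security E5 under the SKU part number EMSPREMIUM.

```powershell
# Added example: create the test user and assign the trial license via Microsoft Graph.
Connect-MgGraph -Scopes 'User.ReadWrite.All','Organization.Read.All'

# Generate a random temporary password instead of typing one into the script.
$bytes = [byte[]]::new(18)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
# The fixed suffix only guarantees every character class is present; the entropy is in the random part.
$password = [Convert]::ToBase64String($bytes) + 'aA1!'

$user = New-MgUser -UserPrincipalName 'johndoe@johndoe.onmicrosoft.com' `
    -DisplayName 'John Doe' -GivenName 'John' -Surname 'Doe' `
    -MailNickname 'johndoe' `
    -AccountEnabled `
    -UsageLocation 'GB' `
    -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $true }
# -AccountEnabled corresponds to "Block Sign In: No"; 'GB' stands in for your own location.
# A usage location must be set before a license can be assigned.

# Find the license by part number and check that a unit is free.
$sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq 'EMSPREMIUM'
if (-not $sku) { throw 'Enterprise Mobility + Security E5 (EMSPREMIUM) is not present in this tenant.' }
if ($sku.ConsumedUnits -ge $sku.PrepaidUnits.Enabled) { throw 'No unassigned EMSPREMIUM licenses remain.' }

Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null

# Confirm the assignment and the attributes the guide asks you to review.
Get-MgUser -UserId $user.Id -Property Id,UserPrincipalName,UserType |
    Select-Object Id, UserPrincipalName, UserType
Get-MgUserLicenseDetail -UserId $user.Id | Select-Object SkuPartNumber

# Shown once so it can be handed over; the user must change it at first sign-in.
Write-Output "Temporary password: $password"
```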
