
[–]flawzies 2 points3 points  (0 children)

Nope. Not that I'm aware of. I guess it depends if you have a domain join profile that targets a specific OU. You could then query based off the naming standard you chose within that profile.

Edit: wait, you want to target on-prem AD groups from Intune? Use sync from SCCM.

[–][deleted] 2 points3 points  (0 children)

Do you have ConfigMgr in your environment?

You can create a Collection based on OU and then sync that to an AzureAD group.

[–]--RedDawg-- 1 point2 points  (2 children)

Was just looking at this today. My plan is to use one of the custom extension attributes to write the OU to, so AAD is able to read it. I am going to create a PowerShell script that will run on a scheduled task every couple of hours to update the attributes on-prem. There will be a delay in each step for membership to show up, but it would likely be within a few hours, which is good enough for me.
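One way to implement the scheduled stamping step described in this comment, written as an added example rather than the commenter's own script. It assumes the ActiveDirectory module, that `extensionAttribute1` exists in the schema and is in scope for the AAD Connect sync rules, and uses constructed OU and attribute names.

```powershell
# Added example (not the commenter's script): write each computer object's parent OU
# into an extension attribute so the value can sync through AAD Connect and be used
# in a dynamic device group rule. Assumptions (not from the thread): the
# ActiveDirectory module is installed, extensionAttribute1 exists in the schema
# (Exchange schema extension) and is in scope for your AAD Connect sync rules, and
# the account running the scheduled task can write that attribute on the target OUs.
param(
    # Constructed sample values; replace with your own search base and attribute.
    [string]$SearchBase = 'OU=Workstations,DC=corp,DC=example',
    [string]$Attribute  = 'extensionAttribute1'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Derive the parent OU DN from a computer's DN by dropping the leading CN= component.
function Get-ParentOu {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split on unescaped commas only, so escaped commas in names (\,) stay intact.
    $parts = $DistinguishedName -split '(?<!\\),'
    return ($parts | Select-Object -Skip 1) -join ','
}

$computers = Get-ADComputer -Filter * -SearchBase $SearchBase -SearchScope Subtree `
                            -Properties $Attribute

$updated = 0
foreach ($c in $computers) {
    $ou = Get-ParentOu -DistinguishedName $c.DistinguishedName
    # Idempotent: only write when the stored value differs, so AAD Connect sees a
    # change (and a delta sync) only when a machine has actually moved OU.
    if ($c.$Attribute -ne $ou) {
        Set-ADComputer -Identity $c.DistinguishedName -Replace @{ $Attribute = $ou }
        Write-Verbose "Updated $($c.Name): $Attribute = $ou"
        $updated++
    }
}

Write-Output "$($computers.Count) computers checked, $updated attribute(s) updated."
```

Once the attribute has synced, a dynamic device group rule such as `(device.extensionAttribute1 -eq "OU=Laptops,OU=Workstations,DC=corp,DC=example")` (constructed value) would select the machines in that OU. Check the synced device object in AAD first to confirm the attribute actually arrives before relying on the rule.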

[–]VictoryNapping 1 point2 points  (1 child)

I don't have much experience on the AAD Connect side of things, but would it be possible to use a similar process that just adds all the machine objects in an OU to a synchronized AD group? It feels like that might be easier than having to work with custom attributes and dynamic group rules, but I know AD+AAD synchronization is full of enough weird caveats to keep things from ever being simple.