Implement a way to manually initiate dynamic device group membership evaluations
Currently, there is no SLA/timeframe on when dynamic AAD device groups evaluate memberships.
Here are the recommended troubleshooting steps for these groups not populating, straight from the Azure portal:
"Please allow time for the group to populate. Depending on the size of your tenant, the group may take up to 24 hours for populating for the first time or after a rule change."
If admins are using dynamic AAD device groups for any sort of application deployment or policy targeting, waiting up to 24 hours may not be reasonable. It would be very helpful if there was a way to kick off a manual group evaluation, or at least provide a consistent timeframe/SLA where admins can expect to see their devices populate into the group.
I have seen devices get added in minutes, or up to close to 24 hours. There does not seem to be any consistency on when these devices get populated into the group.
Thank you for your feedback. This is something we are considering, but there is no timeline now. If it matters to you, keep voting to help us prioritize.
In the interim, we’ve added the ability to view the processing status for the dynamic membership rule of a group in the Azure Admin portal. This does not provide an SLA for the rule evaluation; however, it does provide information, including that the processing is complete.
Bob D commented
It's absurd that a bad policy change cannot take effect until midnight, come in the next morning, have all your devices "non-compliant" and then have to wait until midnight again for it to be fixed. This needs to be addressed.
The product team is working on improving dynamic group performance, which will help address this issue.
Justin Kearney commented
At least give us a PowerShell command we can use to initiate an evaluation.
Michael Zurawski commented
I would rather just have an SLA around these dynamic AAD device groups where it's added immediately. As our employees register for the Company Portal they can't wait 24hrs before the app or wifi policies are applied. Dynamic groups should be asap.