IntunePolicies/AzureAD_Group_MEM_Windows_workstations.tf

data "azuread_client_config" "current" {}

resource "azuread_group" "mem_windows_devices" {
  display_name     = "MEM - Devices - All Windows Computers"
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true
  types            = ["DynamicMembership"]

  dynamic_membership {
    enabled = true
    rule    = "(device.deviceOSVersion -startsWith \"10.0\") and (device.deviceOSType -eq \"Windows\")"
  }
}

data "azuread_group" "mem_windows_devices" {
    depends_on = [azuread_group.mem_windows_devices]
    display_name     = "MEM - Devices - All Windows Computers"
}