The membership of each device is determined by mapping its "Join type" to the device.deviceTrustType attribute used in the dynamic group rules. Microsoft Entra joined maps to deviceTrustType "AzureAD". Microsoft Entra hybrid joined maps to deviceTrustType "ServerAD". Microsoft Entra registered maps to deviceTrustType "Workplace". Device1: No Device1 is Microsoft Entra hybrid joined, so its deviceTrustType is "ServerAD". It does not match the rule for Group1 ("AzureAD") or Group2 ("Workplace"). Therefore, it is not a member of either group. Device2: No Device2 is Microsoft Entra joined (deviceTrustType is "AzureAD") and its OS is Windows. It matches both conditions for Group1. However, it does not match the rule for Group2 ("Workplace"). Therefore, it is a member of Group1 only, making the statement false. Device3: Yes Device3 is Microsoft Entra registered, so its deviceTrustType is "Workplace". It matches the rule for Group2. It does not match the deviceTrustType rule for Group1 ("AzureAD"). Therefore, it is a member of Group2 only.

Microsoft Entra Documentation: Dynamic membership rules for groups in Microsoft Entra

ID. This official documentation lists the properties available for device rules. Under the

deviceTrustType property, it specifies the possible values: "The trust type of the device. The

possible values are AzureAD, ServerAD (for hybrid joined), or Workplace (for registered)."

URL: https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership