
Automatically adding devices to Entra ID group when Autopilot completes with Logic App



In this post we will see how to use a Logic App to automatically add a device to an Entra ID group when Windows Autopilot completes successfully.


The solution

The automation script will proceed as below:

1. Get all Autopilot devices deployed in the last x hours/days

2. Get the appropriate ID

3. Add the device to an Azure AD group using its ID


The idea is simply to schedule a script (using Azure Automation), for instance every 4 hours or every day, that checks the latest devices successfully installed with Autopilot and then adds them to a specific Entra ID group.


Creating the Logic App

1. Go to Logic Apps

2. Click on Add

3. Choose a subscription

4. Choose a resource group

5. Type a name

6. Choose a Region

7. Select Consumption

8. Click on Review + Create


Add the Logic App

Get the app

Click on the GitHub picture below to get the JSON code of the Logic App.


Add the code

Purpose: here we will add the full JSON code of the Logic App into the Logic App we just created.

1. Go to Development tools

2. Go to Logic app code view


3. Remove existing content

4. Copy in the content of the Logic App.json file

5. Click on Save



Configure authentication

Purpose: we now need to edit every HTTP step to configure its authentication.

There are 5 HTTP steps in the Logic App.

HTTP steps are used to query Intune info with Graph API.

See the overview of the HTTP steps below:

- Get last devices installed with Autopilot

- Get devices info from Intune to get

- Get Azure object id for each device

- Check if devices are member of the group

- Add device in the target group


There are different ways to authenticate the API calls made from the Logic App.

You can find details on how to proceed by clicking on the links below:

- Using an Azure app registration

- Using an Azure Key Vault

- Using a system-assigned managed identity

- Using a user-assigned managed identity


We will then proceed as below:

1. Go to Logic app designer

2. Go to each HTTP step

3. Click on Advanced parameters

4. Check Authentication

5. Configure authentication depending on your needs



Logic App step by step

Step 1 - Recurrence

Purpose: this step allows you to schedule the execution of the Logic App.


Step 2 - Get last deployment

Purpose: this step allows you to use Graph API to query Autopilot events in order to get the latest deployments (last x hours).


The URI to use is the following one:

https://graph.microsoft.com/beta/deviceManagement/autopilotEvents?$filter=microsoft.graph.DeviceManagementAutopilotEvent/deploymentEndDateTime%20ge%20@{addHours(utcNow(),-4)}



Step 3 - Parse JSON content

Purpose: this step allows you to parse the result of the previous HTTP response.

The Parse JSON is a component of Data operations.



Step 4 - Filter on success deployment

Purpose: here we want to filter the result of the previous step to keep only deployments with a success status.

For that we filter on the property deploymentState where the value is success.

The Filter array is a component of Data operations.



Step 5 - Initialize variable 1

Purpose: here we will initialize a variable that will be used later in the app.

The variable name is GroupCodeStatus and the type is String.

This variable is set after checking, for each device, whether it is already a member of the specific group.

It is used to record whether the device was found in the group or not.

This variable is set in the Set variable step of ForEach3.

If GroupCodeStatus equals 404 it means that the device was not found in the group and has to be added.

The Initialize variable is a component of Data operations.



Step 6 - Initialize variable 2

Purpose: here we will initialize the variable used to specify the ID of the group to which we want to add devices when Autopilot completes.

This variable should contain the ID of the group.

The variable name is GroupID and the type is String.

In the Value part just type the ID of the group.



Step 7 - First ForEach

Purpose: here we loop over all devices provided by the filter array, meaning all devices whose deployment state equals success.

We get the values from the body of the Filter_array step.

The ForEach step is a component of Control.



Step 8 - HTTP call

Purpose: the idea here is to use Graph API to get the Intune device info for all devices installed recently.

We get every Intune device whose deviceName (Intune property) contains the managedDeviceName (Autopilot event property).


The URI path is:

https://graph.microsoft.com/beta/deviceManagement/managedDevices?$filter=contains(deviceName,'@{items('For_each')?['managedDeviceName']}')



Step 9 - Parse JSON

Purpose: this step allows you to parse the result of the previous HTTP response.

The Parse JSON is a component of Data operations.



Step 10 - Second ForEach

Purpose: here we loop over all Intune devices returned by the previous step, meaning the Intune records of the devices whose deployment state equals success.

We get the values from the body of the Parse_JSON2 step.

The ForEach step is a component of Control.



Step 11 - HTTP call

Purpose: here we get info about the devices from the Azure side.

We need the objectId of each device in order to add it to the group.

In this step we will:

- Get Intune azureADDeviceId for devices from the previous step

- Get info from Azure side for devices where deviceId (Azure property) equals azureADDeviceId (Intune property)


The URI path is:

https://graph.microsoft.com/v1.0/devices?$filter=deviceId eq '@{items('For_each_2')?['azureADDeviceId']}'



Step 12 - Parse JSON

Purpose: this step allows you to parse the result of the previous HTTP response.

The Parse JSON is a component of Data operations.



Step 13 - Third ForEach

Purpose: here we loop over all Azure devices provided by the previous step and check whether each device already exists in the target group.

We get the values from the body of the Parse_JSON3 step.

The ForEach step is a component of Control.



Step 14 - HTTP call

Purpose: here we use Graph API to check whether the current Azure device is already a member of the target group.


The URI path is:

https://graph.microsoft.com/v1.0/groups/b5e35031-c980-45d2-89be-9267c001a64b/members?$filter=id eq '@{items('For_each_3')?['id']}'



Step 15 - Set variable GroupCodeStatus

Purpose: here we set the variable GroupCodeStatus initialized in step 5.

In the Value part we use the status code returned by the previous step.

The Set variable is a component of Data operations.



Step 16 - Condition

Purpose: the idea here is to check the result stored in the variable GroupCodeStatus.

If the variable equals 404, it means the device was not found in the group, meaning it is not a member.

In this case we run an HTTP step.



Step 17 - HTTP call

Purpose: here we add the device to the target group.
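The same flow (steps 2 to 17) written as plain Python, as an added example that is not the post's Logic App JSON. The Graph calls are injected as functions so the logic can be exercised offline against constructed responses; the group id, device names and object ids are placeholders, and the membership check treats either an HTTP 404 (as the post does) or an empty members result as "not a member".

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com"
Resp = Tuple[int, dict]  # (HTTP status, parsed JSON body)

def autopilot_events_uri(hours: int, now: Optional[datetime] = None) -> str:
    """Step 2 filter: Autopilot deployments that ended in the last `hours` hours."""
    now = now or datetime.now(timezone.utc)
    since = (now - timedelta(hours=hours)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f"{GRAPH}/beta/deviceManagement/autopilotEvents?$filter="
            f"microsoft.graph.DeviceManagementAutopilotEvent/deploymentEndDateTime ge {since}")

def devices_to_add(get: Callable[[str], Resp], group_id: str, hours: int) -> List[str]:
    """Steps 2-16: Entra object ids of successful deployments not yet members of group_id."""
    _, events = get(autopilot_events_uri(hours))
    result: List[str] = []
    for ev in events.get("value", []):
        if ev.get("deploymentState") != "success":  # Step 4: keep successful deployments only
            continue
        q = f"contains(deviceName,'{ev['managedDeviceName']}')"  # Step 8: Autopilot name -> Intune device
        _, managed = get(f"{GRAPH}/beta/deviceManagement/managedDevices?$filter={q}")
        for md in managed.get("value", []):  # Step 11: Intune azureADDeviceId -> Entra object
            _, devs = get(f"{GRAPH}/v1.0/devices?$filter=deviceId eq '{md['azureADDeviceId']}'")
            for dev in devs.get("value", []):  # Step 14: is the object already a member?
                code, members = get(f"{GRAPH}/v1.0/groups/{group_id}/members?$filter=id eq '{dev['id']}'")
                if code == 404 or not members.get("value"):  # post treats 404 as "not a member"
                    result.append(dev["id"])
    return result

def add_members(post: Callable[[str, dict], Resp], group_id: str, ids: List[str]) -> Dict[str, int]:
    """Step 17: add each object id to the group; returns id -> HTTP status of the POST."""
    codes: Dict[str, int] = {}
    for oid in ids:
        body = {"@odata.id": f"{GRAPH}/v1.0/directoryObjects/{oid}"}
        codes[oid] = post(f"{GRAPH}/v1.0/groups/{group_id}/members/$ref", body)[0]
    return codes

# Constructed offline stand-in for Graph (placeholder names and ids, not real tenant data)
def fake_get(uri: str) -> Resp:
    if "autopilotEvents" in uri:
        return 200, {"value": [{"managedDeviceName": "PC-1", "deploymentState": "success"},
                               {"managedDeviceName": "PC-2", "deploymentState": "failure"},
                               {"managedDeviceName": "PC-3", "deploymentState": "success"}]}
    key = uri.split("'")[1]  # the value inside the $filter quotes
    if "managedDevices" in uri:
        return 200, {"value": [{"deviceName": key, "azureADDeviceId": "aad-" + key[-1]}]}
    if "/v1.0/devices" in uri:
        return 200, {"value": [{"id": "obj-" + key[-1]}]}
    return (200, {"value": [{"id": key}]}) if key == "obj-3" else (404, {})  # PC-3 already a member
```

Running `devices_to_add(fake_get, "GROUP-ID-PLACEHOLDER", 4)` yields only the successful, not-yet-member device; a real run would replace `fake_get` with an authenticated `requests` call that URL-encodes the `$filter` spaces as the post's URIs do.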

