Automatically adding devices to Entra ID group when Autopilot completes with Logic App
In this post we will see how to use a Logic App to automatically add a device to an Entra ID group once Windows Autopilot has completed successfully.
The solution
The automation script will proceed as below:
1. Get all Autopilot devices installed in the last x hours/days
2. Get the appropriate ID
3. Add the device to an Azure AD group using its ID
The idea is simply to schedule a script (using Azure Automation, for instance) every 4 hours or every day that checks the devices recently installed successfully with Autopilot, then adds them to a specific Entra ID group.
Creating the Logic App
1. Go to Logic Apps
2. Click on Add
3. Choose a subscription
4. Choose a resource group
5. Type a name
6. Choose a Region
7. Select Consumption
8. Click on Review + Create
Add the Logic App
Get the app
Click on the below GitHub picture to get the JSON code of the Logic app
Add the code
Purpose: here we will paste the full JSON code of the Logic App into the Logic App we just created.
1. Go to Development tools
2. Go to Logic app code view
3. Remove existing content
4. Copy content of the Logic App.json
5. Click on Save
Configure authentication
Purpose: we now need to edit every HTTP step to configure the authentication part.
There are 5 HTTP steps in the Logic App.
HTTP steps are used to query Intune info with Graph API.
See below HTTP steps overview:
- Get last devices installed with Autopilot
- Get devices info from Intune to get
- Get Azure object id for each device
- Check if devices are member of the group
- Add device in the target group
There are different ways to authenticate the API calls made by the Logic App.
You can get information about how to proceed by clicking on the links below:
- Using an Azure app registration
- Using a system-assigned managed identity
- Using a user-assigned managed identity
We will then proceed as below:
1. Go to Logic app designer
2. Go to each HTTP step
3. Click on Advanced parameters
4. Check Authentication
5. Configure authentication depending on your needs
Logic App step by step
Step 1 - Recurrence
Purpose: this step allows you to schedule the execution of the Logic App.
Step 2 - Get last deployment
Purpose: this step allows you to use Graph API to query Autopilot in order to get the latest deployment (last x hours).
The URI to use is the following one:
https://graph.microsoft.com/beta/deviceManagement/autopilotEvents?$filter=microsoft.graph.DeviceManagementAutopilotEvent/deploymentEndDateTime%20ge%20@{addHours(utcNow(),-4)}
Step 3 - Parse JSON content
Purpose: this step allows you to parse the result of the previous HTTP response.
The Parse JSON is a component of Data operations.
Step 4 - Filter on success deployment
Purpose: here we want to filter the result of the previous step to keep only deployments with a success status.
For that we will filter on the property deploymentstate where the value is success.
The Filter array is a component of Data operations.
Step 5 - Initialize variable 1
Purpose: here we will initialize a variable that will be used later in the app.
The variable name is GroupCodeStatus and the type is a String.
This variable is used after checking each device against the specific group.
It will be used to specify whether the device still has to be added or not.
This variable is then configured in the Set variable step of the ForEach3.
If GroupCodeStatus equals 404, the device was not found in the group, so it is added.
The Initialize variable is a component of Data operations.
Step 6 - Initialize variable 2
Purpose: here we will initialize the variable that will be used to specify the group id in which we want to add devices when Autopilot completes.
This variable should contain the id of the group.
The variable name is GroupID and the type is a String.
In the Value part just type the ID of the group.
Step 7 - First ForEach
Purpose: here we will loop over all devices provided by the Filter array step, meaning all devices whose deployment state equals success.
We get values from the body from the Filter_array step.
The ForEach step is a component of Control.
Step 8 - HTTP call
Purpose: the idea here is to use Graph API to get Intune device info for all devices installed recently.
We will get all Intune device where devicename (Autopilot property) equals managedDeviceName (Intune property).
The URI path is:
https://graph.microsoft.com/beta/deviceManagement/managedDevices?$filter=contains(deviceName,'@{items('For_each')?['managedDeviceName']}')
Step 9 - Parse JSON
Purpose: this step allows you to parse the result of the previous HTTP response.
The Parse JSON is a component of Data operations.
Step 10 - Second ForEach
Purpose: here we will loop over all Intune devices returned by the previous step.
We get values from the body from the Parse_JSON2 step.
The ForEach step is a component of Control.
Step 11 - HTTP call
Purpose: here we will get info about devices from the Azure side.
We need to get the objectid of devices in order to add them in the group.
In this step we will:
- Get Intune azureADDeviceId for devices from the previous step
- Get info from Azure side for devices where deviceId (Azure property) equals azureADDeviceId (Intune property)
The URI path is:
https://graph.microsoft.com/v1.0/devices?$filter=deviceId eq '@{items('For_each_2')?['azureADDeviceId']}'
Step 12 - Parse JSON
Purpose: this step allows you to parse the result of the previous HTTP response.
The Parse JSON is a component of Data operations.
Step 13 - Third ForEach
Purpose: here we will loop over all Azure devices provided by the previous step and check whether each device exists in the target group.
We get values from the body from the Parse_JSON3 step.
The ForEach step is a component of Control.
Step 14 - HTTP call
Purpose: here we check, for the current Azure device, whether it is already a member of the target group.
The URI path is:
https://graph.microsoft.com/v1.0/groups/b5e35031-c980-45d2-89be-9267c001a64b/members?$filter=id eq '@{items('For_each_3')?['id']}'
Note that this URI hard-codes the group id; you can reference the GroupID variable initialized in step 6 instead, with @{variables('GroupID')}, so the group is configured in a single place.
Step 15 - Set variable GroupCodeStatus
Purpose: here we set variable GroupCodeStatus initialized in the step 5.
In the Value part we get the status code from the previous step.
The Set variable is a component of Data operations.
Step 16 - Condition
Purpose: the idea here is to check the value of the variable GroupCodeStatus.
If the variable equals 404, the device was not found in the group, meaning it is not a member.
In this case we run an HTTP step.
Step 17 - HTTP call
Purpose: here we add the device in the target group.
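The whole chain from step 2 to step 16 (filter successful Autopilot events, resolve Intune device to Entra object id, check group membership) as an added offline Python walk-through; this is not the post's Logic App code. The Graph responses and the group id are constructed placeholders, the exact deviceName match and the treatment of an empty 200 result as "not a member" are assumptions added here, and graph_get is a hypothetical callable standing in for the HTTP steps.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com"

def autopilot_events_uri(hours_back, now):
    """Step 2: the post's autopilotEvents filter with addHours(utcNow(), -hours_back) resolved."""
    since = (now - timedelta(hours=hours_back)).strftime("%Y-%m-%dT%H:%M:%SZ")
    flt = f"microsoft.graph.DeviceManagementAutopilotEvent/deploymentEndDateTime ge {since}"
    return f"{GRAPH}/beta/deviceManagement/autopilotEvents?$filter={quote(flt)}"

def successful_device_names(events):
    """Steps 3-4: keep only events whose deploymentState is success."""
    return [e["managedDeviceName"] for e in events.get("value", []) if e.get("deploymentState") == "success"]

def devices_to_add(events, graph_get, group_id):
    """Steps 7-16: resolve each successful device to its Entra object id and return the ids not yet in group_id.
    graph_get(uri) is a hypothetical callable returning (status_code, json_body), like the HTTP steps."""
    to_add = []
    for name in successful_device_names(events):
        _, intune = graph_get(f"{GRAPH}/beta/deviceManagement/managedDevices?$filter=contains(deviceName,'{name}')")
        for md in intune.get("value", []):
            if md.get("deviceName") != name:  # contains() can over-match (PC-01 vs PC-010): keep exact names only
                continue
            _, entra = graph_get(f"{GRAPH}/v1.0/devices?$filter=deviceId eq '{md['azureADDeviceId']}'")
            for dev in entra.get("value", []):
                status, body = graph_get(f"{GRAPH}/v1.0/groups/{group_id}/members?$filter=id eq '{dev['id']}'")
                # 404 is the "not a member" signal the post relies on; an empty 200 is treated the same (assumption)
                if status == 404 or (status == 200 and not body.get("value")):
                    to_add.append(dev["id"])
    return to_add

# Constructed sample data shaped like the Graph responses; no network access involved.
SAMPLE_EVENTS = {"value": [{"managedDeviceName": "AP-LAPTOP-01", "deploymentState": "success"},
                           {"managedDeviceName": "AP-LAPTOP-02", "deploymentState": "failure"}]}
SAMPLE_INTUNE = {"value": [{"deviceName": "AP-LAPTOP-01", "azureADDeviceId": "11111111-aaaa-4bbb-8ccc-000000000001"},
                           {"deviceName": "AP-LAPTOP-010", "azureADDeviceId": "11111111-aaaa-4bbb-8ccc-000000000010"}]}
SAMPLE_ENTRA = {"value": [{"id": "dddddddd-0000-4000-8000-000000000001"}]}

def fake_graph_get(uri):
    """Stand-in for the HTTP steps: routes on the URI path; the members call answers 404 (not in group)."""
    for marker, reply in (("/managedDevices?", (200, SAMPLE_INTUNE)), ("/devices?", (200, SAMPLE_ENTRA)), ("/members?", (404, {}))):
        if marker in uri:
            return reply
    raise ValueError(f"unexpected URI {uri}")

def run_sample(group_id="00000000-0000-0000-0000-000000000000"):  # placeholder group id
    """Runs the whole chain on the constructed data with a fixed clock."""
    fixed_now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    return {"events_uri": autopilot_events_uri(4, fixed_now),
            "successful": successful_device_names(SAMPLE_EVENTS),
            "to_add": devices_to_add(SAMPLE_EVENTS, fake_graph_get, group_id)}
```

Only AP-LAPTOP-01 survives the success filter and the exact-name check, so run_sample() returns a single Entra object id to add.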