
Be notified by mail/Teams of Intune licences assigned to disabled user accounts using Azure Automation


In this post I will share an Azure Automation script that sends a notification by mail or Teams with the list of users whose account is disabled but who still have an Intune licence.


Context

Sometimes when you disable a user, you forget to delete the account afterwards and to remove its licences. A disabled account still consumes a licence, and it is also an account nobody reviews anymore.

Here we want to know which users have a disabled account and still hold an Intune licence.


Get the script

Click on the GitHub picture below to get the scripts.

You will find two scripts in the repo (more info below):

- Runbook.ps1

- Assign_permissions.ps1


The solution

1. Create an Azure Automation account with a system-assigned managed identity

2. Add a runbook

3. Get all disabled user accounts

4. Check, for each of them, whether it still has an Intune licence

5. Send the resulting list by mail and/or Teams


Configuring mail prerequisite

Purpose: in this part we will configure the prerequisites for sending mail through the runbook: the Graph modules and the Mail.Send permission described below.

This part is only needed if you want to send the notification by mail.


Creating Teams webhook

Purpose: in this part, we will create a connector on a Teams channel so that the runbook can post a Teams notification automatically.

This part is only needed if you want to send the notification on Teams.

For that, we will proceed as below:

1. Go to your channel

2. Click on the ...

3. Click on Connectors

4. Go to Incoming Webhook

5. Type a name

6. Click on Create

7. Copy the webhook URL

Treat the webhook URL as a secret: anyone who holds it can post arbitrary messages to the channel, with no further authentication. Store it in an encrypted Automation variable (read with Get-AutomationVariable in the runbook) rather than pasting it in the runbook source, and recreate the connector if it ever leaks.


Azure Automation account

Creating the account

1. Go to the Azure portal

2. Go to Automation accounts

3. Click on Create

4. Type a name

5. Choose a Subscription

6. Choose the Resource group

7. Choose your region

8. In the Advanced tab, keep System assigned managed identity enabled (it can also be enabled later from the Identity blade of the account)

9. Click on Create


Adding module

Purpose: here we need to add the modules used to authenticate to Graph and to send mail.

Microsoft.Graph.Authentication is needed in all cases: it provides Connect-MgGraph (used with the managed identity) and Invoke-MgGraphRequest (used to query the users). Microsoft.Graph.Users.Actions is only needed if you want to send the report by mail, as it provides Send-MgUserMail.

1. Go to your automation account

2. Click on Modules gallery

3. Import the following modules, for the runtime version your runbook will use (modules are imported per runtime version)

Microsoft.Graph.Users.Actions

Microsoft.Graph.Authentication


Adding permissions

Once the system-assigned managed identity is enabled, a service principal with the name of the Automation account is created; you can see it under Enterprise applications.

Then you need to grant this service principal the Graph application permissions the runbook needs.


The required permission is the following:

- User.Read.All (to list the users, their enabled state and their assigned licences)


If you want to send the report by mail you also need to add the permission below:

- Mail.Send


To add these permissions you need to use PowerShell: assigning application permissions to a managed identity can't be done through the portal.

For that, use the script Assign_permissions.ps1 from my GitHub repo.


You just need to fill in the variables below:

- $TenantID: your tenant ID

- $DisplayNameOfMSI: name of your automation account
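The grant that Assign_permissions.ps1 performs can be written with the Microsoft Graph PowerShell SDK as below. This is an added example, not the script from the post's GitHub repo: the tenant ID and account name are placeholders, and it assumes the Microsoft.Graph.Applications module is installed on the admin workstation and that you run it with a role allowed to grant application permissions (Global Administrator or Privileged Role Administrator).

```powershell
# Added example (not the Assign_permissions.ps1 from the post's repo): grants the
# Automation account's system-assigned managed identity the Graph application
# permissions the runbook needs. Run it once, interactively, from an admin workstation.

$TenantID         = "00000000-0000-0000-0000-000000000000"   # placeholder: your tenant ID
$DisplayNameOfMSI = "aa-intune-licence-check"                  # placeholder: name of the Automation account

# Mail.Send is only needed when the runbook sends e-mail. Leave it out for a Teams-only setup.
$RequiredPermissions = @("User.Read.All", "Mail.Send")

Import-Module Microsoft.Graph.Applications
Connect-MgGraph -TenantId $TenantID -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All"

# The managed identity is a service principal named after the Automation account
$MSI = Get-MgServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'"
if (-not $MSI) {
    throw "No service principal named '$DisplayNameOfMSI'. Is the system-assigned managed identity enabled?"
}

# Microsoft Graph's own service principal; this appId is the same in every tenant
$Graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

foreach ($Permission in $RequiredPermissions) {
    # Application permissions are the Graph app roles whose allowed member type is "Application"
    $AppRole = $Graph.AppRoles | Where-Object {
        $_.Value -eq $Permission -and $_.AllowedMemberTypes -contains "Application"
    }
    if (-not $AppRole) { throw "App role '$Permission' not found on Microsoft Graph" }

    # Skip roles already granted so the script can be re-run safely
    $Existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MSI.Id |
        Where-Object { $_.AppRoleId -eq $AppRole.Id -and $_.ResourceId -eq $Graph.Id }
    if ($Existing) {
        Write-Host "$Permission is already assigned to $DisplayNameOfMSI"
        continue
    }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MSI.Id `
        -PrincipalId $MSI.Id -ResourceId $Graph.Id -AppRoleId $AppRole.Id | Out-Null
    Write-Host "Assigned $Permission to $DisplayNameOfMSI"
}

Disconnect-MgGraph
```

Mail.Send as an application permission lets the identity send mail as any mailbox in the tenant, not only the sender used by the runbook. If you use the mail option, restrict it with an Exchange Online application access policy (New-ApplicationAccessPolicy with the managed identity's AppId and a mail-enabled security group containing only the sender mailbox), so that a compromised runbook or Automation account cannot send mail as other users.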


Creating a Runbook

1. Go to your Automation account

2. Go to Runbooks

3. Click on Create a runbook

4. Type a name

5. In Runbook type, select PowerShell, and choose the runtime version for which you imported the modules

6. Click on Create

7. Open Runbook.ps1 from the GitHub repo

8. Click on Edit on the runbook

9. Paste the script content

10. Click on Publish

11. Click on Yes


Configuring the script

Configure the variables below if you want to send the report by mail:

See below an overview of the mail:

Configure the variables below if you want to send the report through a Teams notification:

See below an overview of the Teams notification:
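To show how the steps of the solution fit together (get the disabled accounts, check their Intune licence, notify by mail and/or Teams), here is an added example runbook. It is not the Runbook.ps1 published with the post: the sender mailbox, the recipients and the encrypted Automation variable "TeamsWebhookUrl" are placeholders, and it assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Users.Actions modules are imported for the runtime version of the runbook and that the managed identity holds User.Read.All (plus Mail.Send for the mail option).

```powershell
# Added example runbook (not the Runbook.ps1 from the post's repo). Runs under the
# Automation account's system-assigned managed identity, lists disabled accounts that
# still hold an Intune licence and sends the list by mail and/or Teams.
# Placeholders: $MailFrom, $MailTo and the Automation variable "TeamsWebhookUrl".

$SendMail  = $true
$SendTeams = $true
$MailFrom  = "automation@contoso.com"      # placeholder: mailbox the report is sent from
$MailTo    = @("it-admins@contoso.com")    # placeholder: recipients

# Authenticate as the managed identity: no credential or secret stored in the runbook
Connect-MgGraph -Identity

# 1. Which SKUs of this tenant carry an Intune service plan? Matching on the plan avoids
#    hard-coding SKU GUIDs, which differ between Intune Plan 1, EMS, M365 E3/E5 and so on.
#    Assumption: the Intune service plan names start with "INTUNE"; verify in your tenant
#    with Get-MgSubscribedSku | Select-Object -ExpandProperty ServicePlans.
$IntuneSkus = @{}    # skuId -> @{ Name; PlanIds }
$Skus = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/subscribedSkus"
foreach ($Sku in $Skus.value) {
    $IntunePlans = @($Sku.servicePlans | Where-Object { $_.servicePlanName -like "INTUNE*" })
    if ($IntunePlans.Count -gt 0) {
        $IntuneSkus[$Sku.skuId] = @{ Name = $Sku.skuPartNumber; PlanIds = @($IntunePlans.servicePlanId) }
    }
}

# 2. Disabled accounts with their licences, following @odata.nextLink for large tenants
$Disabled = @()
$Uri = "https://graph.microsoft.com/v1.0/users?`$filter=accountEnabled eq false" +
       "&`$select=id,displayName,userPrincipalName,assignedLicenses&`$top=999"
while ($Uri) {
    $Page = Invoke-MgGraphRequest -Method GET -Uri $Uri
    $Disabled += $Page.value
    $Uri = $Page.'@odata.nextLink'
}

# 3. Keep the accounts whose licence still includes an enabled Intune plan
$Report = foreach ($User in $Disabled) {
    foreach ($Licence in $User.assignedLicenses) {
        $Sku = $IntuneSkus[$Licence.skuId]
        if (-not $Sku) { continue }
        # A SKU containing Intune is not enough: the Intune plan may be switched off on that licence
        $ActivePlans = $Sku.PlanIds | Where-Object { $Licence.disabledPlans -notcontains $_ }
        if ($ActivePlans) {
            [pscustomobject]@{ User = $User.userPrincipalName; DisplayName = $User.displayName; Licence = $Sku.Name }
        }
    }
}

$Count = @($Report).Count
Write-Output "$($Disabled.Count) disabled accounts, $Count still licensed for Intune"
if ($Count -eq 0) { return }

# 4a. Mail through Graph (needs Mail.Send on the managed identity). Display names are
#     user-controlled text, so they are HTML-encoded before being put in the body.
if ($SendMail) {
    $Rows = ($Report | ForEach-Object {
        $Name = [System.Net.WebUtility]::HtmlEncode($_.DisplayName)
        "<tr><td>$($_.User)</td><td>$Name</td><td>$($_.Licence)</td></tr>"
    }) -join ""
    $Body = @{
        message = @{
            subject      = "Disabled accounts still licensed for Intune: $Count"
            body         = @{ contentType = "HTML"
                              content = "<table border='1'><tr><th>UPN</th><th>Name</th><th>Licence</th></tr>$Rows</table>" }
            toRecipients = @($MailTo | ForEach-Object { @{ emailAddress = @{ address = $_ } } })
        }
        saveToSentItems = $false
    }
    Send-MgUserMail -UserId $MailFrom -BodyParameter $Body
}

# 4b. Teams incoming webhook. The URL is a bearer secret (anyone holding it can post to the
#     channel), so it is read from an encrypted Automation variable, never from the source.
if ($SendTeams) {
    $Webhook = Get-AutomationVariable -Name "TeamsWebhookUrl"
    $Lines   = $Report | ForEach-Object { "- $($_.User) ($($_.Licence))" }
    $Payload = @{ text = "**Disabled accounts still licensed for Intune: $Count**`n`n" + ($Lines -join "`n") }
    Invoke-RestMethod -Method Post -Uri $Webhook -ContentType "application/json" `
        -Body ($Payload | ConvertTo-Json -Depth 4)
}
```

The runbook only reports; it does not remove licences or delete accounts, so User.Read.All is enough on the directory side. Link it to a schedule on the Automation account to get the notification on a regular basis, and review the "n disabled accounts, m still licensed" line in the job output when the mail or Teams post does not arrive.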
