Be notified by mail/Teams of Intune licences assigned to disabled user accounts using Azure Automation
In this post I will share an Azure Automation script that sends a notification by mail or Teams with the list of users whose accounts are disabled but who still have an Intune licence.
Context
Sometimes when you disable users, you forget to delete their accounts afterwards and to remove their licences.
Here we want to know which users have a disabled account and still hold an Intune licence.
Get the script
Click on the GitHub picture below to get the script.
You will find two scripts (more info below):
- Runbook.ps1
- Assign_permissions.ps1
The solution
1. Create an Azure Automation account
2. Add a runbook
3. Get all disabled user accounts
4. Check, for each of them, whether they still have an Intune licence
Configuring the mail prerequisite
Purpose: in this part we will configure the prerequisites needed to send mail from the runbook.
This part is needed only if you want to send the notification by mail.
Creating Teams webhook
Purpose: in this part, we will create a connector on a Teams channel that lets the runbook post Teams notifications automatically.
This part is needed only if you want to send a notification on Teams.
For that, we will proceed as below:
1. Go to your channel
2. Click on the ...
3. Click on Connectors
4. Go to Incoming Webhook
5. Type a name
6. Click on Create
7. Copy the Webhook path
Azure Automation account
Creating the account
1. Go to the Azure portal
2. Go to Automation accounts
3. Click on Create
4. Type a name
5. Choose a Subscription
6. Choose the Resource group
7. Choose your region
8. Click on Create
Adding module
Purpose: here we add the modules needed to authenticate to Graph and to send mail.
This part is needed only if you want to send the info by mail.
1. Go to your automation account
2. Click on Modules gallery
3. Import the following modules
Microsoft.Graph.Users.Actions
Microsoft.Graph.Authentication
Adding permissions
Once the Managed Identity has been enabled on the Automation account, a new Enterprise application is created.
You then need to grant it the permissions required for these actions.
The required permission is the following:
- User.Read.All
If you also want to send the info by mail, add the permission below:
- Mail.Send
This permission must be added with PowerShell; it can't be granted through the portal.
For that, use the script Assign_permission.ps1 from my GitHub repo.
You just need to fill in the variables below:
- $TenantID: your tenant ID
- $DisplayNameOfMSI: name of your automation account
Creating a Runbook
1. Go to your Automation accounts
2. Go to Runbooks
3. Click on Create a runbook
4. Type a name
5. In Runbook type, select PowerShell
6. Click on Create
7. Choose one of the PS1 files
8. Click on Edit on the runbook
9. Copy script content
10. Click on Publish
11. Click on Yes
Configuring the script
Configure the variables below if you want to send the info by mail:
See below an overview of the mail:
Configure the variables below if you want to send the info by mail:
See below an overview of the Teams notif:
Configure the variables below if you want to send the info through a Teams notification:
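To show how the runbook fits together, here is an added example of the core logic (it is not the Runbook.ps1 from my repo). It assumes the Automation account's managed identity already holds User.Read.All (plus Mail.Send for the mail path), that Microsoft.Graph.Authentication and Microsoft.Graph.Users.Actions are imported, and that the Intune service plan names start with INTUNE (e.g. INTUNE_A); the sender, recipient and webhook values are placeholders.

```powershell
param(
    [string]$MailFrom     = 'automation@contoso.example',  # placeholder sender mailbox
    [string]$MailTo       = 'itops@contoso.example',       # placeholder recipient
    [string]$TeamsWebhook = ''                             # Incoming Webhook URL, empty = skip Teams
)

# Authenticate with the Automation account's system-assigned managed identity.
Connect-MgGraph -Identity -NoWelcome

# Returns the disabled users that still hold an Intune service plan.
function Get-DisabledUsersWithIntune {
    $result = @()
    # Only disabled accounts; assignedLicenses lets us skip users with no licence at all.
    $uri = "https://graph.microsoft.com/v1.0/users?`$filter=accountEnabled eq false" +
           "&`$select=id,displayName,userPrincipalName,assignedLicenses&`$top=999"
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($u in $page.value) {
            if (@($u.assignedLicenses).Count -eq 0) { continue }
            # licenseDetails expands each SKU into its service plans (assumption: Intune plans match INTUNE*).
            $details = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$($u.id)/licenseDetails"
            $plans = @()
            foreach ($sku in $details.value) {
                $plans += $sku.servicePlans | Where-Object { $_.servicePlanName -like 'INTUNE*' -and $_.provisioningStatus -ne 'Disabled' }
            }
            if ($plans.Count -gt 0) {
                $result += [pscustomobject]@{ DisplayName = $u.displayName; UPN = $u.userPrincipalName; IntunePlans = (($plans.servicePlanName | Sort-Object -Unique) -join ',') }
            }
        }
        $uri = $page.'@odata.nextLink'   # follow paging until Graph returns no nextLink
    } while ($uri)
    return $result
}

$offenders = @(Get-DisabledUsersWithIntune)
if ($offenders.Count -eq 0) { Write-Output 'No disabled user with an Intune licence.'; return }
$lines = $offenders | ForEach-Object { "$($_.DisplayName) ($($_.UPN)): $($_.IntunePlans)" }

# Mail path: Send-MgUserMail comes from Microsoft.Graph.Users.Actions and needs Mail.Send.
Send-MgUserMail -UserId $MailFrom -BodyParameter @{
    message = @{
        subject      = "Disabled accounts still holding an Intune licence ($($offenders.Count))"
        body         = @{ contentType = 'Text'; content = ($lines -join "`n") }
        toRecipients = @(@{ emailAddress = @{ address = $MailTo } })
    }
    saveToSentItems = $false
}

# Teams path: post a simple card to the Incoming Webhook created earlier.
if ($TeamsWebhook) {
    $card = @{ text = '**Disabled accounts still holding an Intune licence**<br>' + ($lines -join '<br>') }
    Invoke-RestMethod -Method Post -Uri $TeamsWebhook -ContentType 'application/json' -Body ($card | ConvertTo-Json)
}
```

Because the runbook only reads directory data and reports, the managed identity needs nothing beyond the two permissions listed above; a user turning up in the report is the cue to remove the licence, not something the script does on its own.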