Automatically add device to Entra ID group after installing an application
In this post I will show you a way to automatically add a device to an Entra ID group when an application has been installed through a Win32 app.
Context
You have created an application and made it available to all users or devices through the Company Portal.
You need to add the devices that have installed this app to a specific Entra ID group.
Let's take the below use case:
I built a Win32 app that installs Docker Desktop for Windows and made it available to all users.
I have two remediation scripts:
- Automatically update Docker if it is installed
- Change the Docker configuration (for example, turn off the automatic update check)
The application is available to all users, but I don't want to run my remediation scripts on all devices.
I want to run them only on devices that have Docker installed through the Win32 app.
The solution is to create an Entra ID group for devices with Docker installed, then assign the remediation scripts to that group.
The solution
I use an Azure Automation runbook (a PowerShell script); a later post will show the same approach with an Azure Function.
I configured a webhook on the runbook.
The webhook allows remote execution of the runbook from PowerShell, so from any device. The webhook URL is the only thing Azure Automation checks before starting the job: anyone who holds the URL can start the runbook, so treat it as a secret and put the real authorization checks inside the runbook.
The install script (run on the device by the Company Portal) calls the webhook and passes values such as the device name, so the runbook receives the name of the device that is installing the app.
In the runbook I read the device name sent through the webhook, then I check that the device is managed by Intune.
If it is, the runbook continues; if it is not, the runbook stops.
The last step is to add the device with that name to the group we want. Keep the group ID fixed inside the runbook rather than accepting it from the caller: the webhook URL is shipped to every targeted device, so the caller must not be able to choose which group it ends up in.
The runbook I shared allows you to add a device to a group or remove it from a group.
You have an application in the Company Portal that uses a PowerShell script to install the app. Once you click Install, the app is installed and then the device is added to the group.
The idea is then to set an uninstall script that uninstalls the app and calls the same runbook to remove the device from the group.
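The following runbook is an added example, my own reconstruction of the flow described above and not the author's published script. It only runs through its webhook, authenticates as the automation account's system-assigned managed identity, refuses any device that is not Intune-managed, and then adds the device to or removes it from one fixed group. The group ID, the Microsoft.Graph.Authentication module being imported into the automation account, and the JSON body shape ({"DeviceName":"...","Action":"Add|Remove"}) are assumptions.

```powershell
# Added example runbook (reconstruction, not the author's published script).
# Started only through its webhook, it runs as the automation account's
# system-assigned managed identity, checks that the device is Intune-managed,
# then adds it to or removes it from ONE fixed Entra ID group.
# Assumptions: Microsoft.Graph.Authentication is imported into the automation
# account; $GroupId is the object ID of your target group; the caller posts
# {"DeviceName":"...","Action":"Add|Remove"} as the webhook body.
param(
    [Parameter(Mandatory = $false)]
    [object]$WebhookData
)

$ErrorActionPreference = "Stop"

# Fixed target group (assumed value). The webhook URL ends up on every targeted
# device, so the caller must not be able to choose the group it lands in.
$GroupId = "11111111-1111-1111-1111-111111111111"
$Graph   = "https://graph.microsoft.com/v1.0"

if (-not $WebhookData) { throw "This runbook must be started from its webhook" }

$Body       = $WebhookData.RequestBody | ConvertFrom-Json
$DeviceName = [string]$Body.DeviceName
$Action     = [string]$Body.Action

# Validate input before anything is interpolated into an OData filter
# (Windows computer names are at most 15 characters).
if ($DeviceName -notmatch '^[A-Za-z0-9\-]{1,15}$') { throw "Invalid device name '$DeviceName'" }
if ($Action -notin @("Add", "Remove"))            { throw "Action must be Add or Remove" }

Connect-MgGraph -Identity -NoWelcome

# 1. Is the device managed by Intune? (needs DeviceManagementManagedDevices.Read.All)
$Managed = (Invoke-MgGraphRequest -Method GET `
    -Uri "$Graph/deviceManagement/managedDevices?`$filter=deviceName eq '$DeviceName'").value
if (-not $Managed) { throw "'$DeviceName' is not an Intune-managed device, refusing" }
# Re-enrolled devices can leave several records with the same name: keep the freshest.
$Managed = $Managed | Sort-Object lastSyncDateTime -Descending | Select-Object -First 1

# 2. Map the Intune record to the Entra ID device object (group members are directory objects).
$Device = (Invoke-MgGraphRequest -Method GET `
    -Uri "$Graph/devices?`$filter=deviceId eq '$($Managed.azureADDeviceId)'").value
if (-not $Device) { throw "No Entra ID device object found for '$DeviceName'" }
$ObjectId = $Device[0].id

# 3. Change membership (needs GroupMember.ReadWrite.All). Graph answers 400 for a
#    duplicate add and 404 when removing a non-member; both count as "nothing to do".
switch ($Action) {
    "Add" {
        try {
            Invoke-MgGraphRequest -Method POST -Uri "$Graph/groups/$GroupId/members/`$ref" `
                -Body @{ "@odata.id" = "$Graph/directoryObjects/$ObjectId" }
            Write-Output "Added $DeviceName ($ObjectId) to group $GroupId"
        } catch {
            if ($_.Exception.Message -match "already exist") { Write-Output "$DeviceName is already a member" }
            else { throw }
        }
    }
    "Remove" {
        try {
            Invoke-MgGraphRequest -Method DELETE -Uri "$Graph/groups/$GroupId/members/$ObjectId/`$ref"
            Write-Output "Removed $DeviceName ($ObjectId) from group $GroupId"
        } catch {
            if ($_.Exception.Message -match "does not exist|NotFound") { Write-Output "$DeviceName was not a member" }
            else { throw }
        }
    }
}
```

The Intune check is what turns "anyone with the URL" into "any device name that is enrolled in this tenant"; that is still a broad caller set, which is why the runbook never takes a group ID from the request and why the managed identity should hold only the two Graph roles it needs.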
Get the script
The scripts are available on my GitHub repo.
Azure Automation account
Creating the account
1. Go to the Azure portal
2. Go to Automation accounts
3. Click on Create
4. Type a name
5. Choose a Subscription, resource group and region
6. Click on Create
Set Managed Identity
1. Go to your automation account
2. Go to Identity
3. Go to System assigned
4. Select On
5. Click on Save
6. Click on Yes
7. Go to the Azure portal
8. Go to Enterprise applications
9. Filter on Managed identity
10. You will find an app with the name of your automation account
Adding permissions
Once the managed identity has been configured, a new enterprise application is created.
You then need to grant it the Microsoft Graph application permissions the runbook uses.
Required permissions: DeviceManagementManagedDevices.Read.All (to check that the device is managed by Intune) and GroupMember.ReadWrite.All (to add and remove group members; the read-only Intune permission alone is not enough to change membership).
To add these permissions you need PowerShell; it can't be done through the portal for a managed identity.
For that, use the script Assign_permission.ps1 from my GitHub repo.
You just need to fill in the variables below:
- $TenantID: your tenant ID
- $DisplayNameOfMSI: name of your automation account
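As an added example (not the author's Assign_permission.ps1), the following script grants the two Graph application roles to the managed identity with the Microsoft.Graph PowerShell SDK and is safe to re-run. The tenant ID and automation account name are placeholders to replace; it assumes you run it as an administrator allowed to consent to application permissions.

```powershell
# Added example (not the author's Assign_permission.ps1): grant Microsoft Graph
# application permissions to the automation account's system-assigned managed identity.
# Requires Microsoft.Graph.Authentication and Microsoft.Graph.Applications and an
# admin who can consent to application permissions.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications

$TenantID         = "00000000-0000-0000-0000-000000000000"   # assumption: your tenant ID
$DisplayNameOfMSI = "aa-intune-groups"                       # assumption: your automation account name

# Application permissions the runbook needs. DeviceManagementManagedDevices.Read.All
# only lets it look devices up; GroupMember.ReadWrite.All is what allows add/remove.
$Permissions = @(
    "DeviceManagementManagedDevices.Read.All",
    "GroupMember.ReadWrite.All"
)

Connect-MgGraph -TenantId $TenantID -NoWelcome `
    -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All"

$GraphAppId = "00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph app ID
$GraphSP    = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$MSI        = Get-MgServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'"
if (-not $MSI) { throw "Managed identity '$DisplayNameOfMSI' not found" }

# Existing assignments, so re-running the script does not create duplicates
$Existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MSI.Id

foreach ($Permission in $Permissions) {
    $AppRole = $GraphSP.AppRoles |
        Where-Object { $_.Value -eq $Permission -and $_.AllowedMemberTypes -contains "Application" }
    if (-not $AppRole) { throw "App role '$Permission' not found on Microsoft Graph" }

    if ($Existing.AppRoleId -contains $AppRole.Id) {
        Write-Host "$Permission already assigned, skipping"
        continue
    }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MSI.Id `
        -PrincipalId $MSI.Id -ResourceId $GraphSP.Id -AppRoleId $AppRole.Id | Out-Null
    Write-Host "Assigned $Permission to $DisplayNameOfMSI"
}
```

After running it, the two roles appear under the enterprise application's Permissions blade; anything beyond these two roles is more than the runbook needs.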
Creating a Runbook
1. Go to your Automation accounts
2. Go to Runbooks
3. Click on Create a runbook
4. Type a name
5. In Runbook type, select PowerShell
6. Click on Create
7. Choose one of the PS1 files from the repo
8. Click on Edit on the runbook
9. Paste the script content
10. Click on Publish
11. Click on Yes
Adding the webhook
1. Go on your runbook
2. Click Add webhook
3. Click on Create a new webhook
4. Type a name
5. Copy the URL now: it is shown only at creation and cannot be retrieved afterwards, and anyone holding it can start the runbook
6. Click on OK
7. Click on Parameters and run settings
8. Click on OK
Script to add in your app
The following describes the code to add to the PowerShell script run by your Win32 app.
The variable $Action has two values:
- Add: to add the device to the group
- Remove: to remove the device from the group
In the $webhookURI variable, type the URL of your webhook.
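Here is an added example of that client-side script, written for this post and not the author's own code. It is meant to be called from the Win32 app's install command with -Action Add and from the uninstall command with -Action Remove, after the real install or uninstall has succeeded. The webhook URL is a placeholder, and the JSON field names (DeviceName, Action) are assumed to match what the runbook reads.

```powershell
# Added example (not the author's script): called from the Win32 app's install
# command (-Action Add) and uninstall command (-Action Remove) once the real
# install/uninstall has succeeded. The device sends its own name to the webhook.
# Assumptions: $webhookURI is your webhook URL; the runbook reads DeviceName/Action.
param(
    [ValidateSet("Add", "Remove")]
    [string]$Action = "Add"
)

# The webhook URL is the only thing gating the runbook, and this script is
# unpacked on every targeted device, so keep the group ID and all authorization
# logic in the runbook, never here.
$webhookURI = "https://<region>.webhook.azure-automation.net/webhooks?token=<token>"   # assumption: your webhook URL

$Body = @{
    DeviceName = $env:COMPUTERNAME
    Action     = $Action
} | ConvertTo-Json -Compress

try {
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $Response = Invoke-RestMethod -Uri $webhookURI -Method Post -Body $Body `
        -ContentType "application/json" -TimeoutSec 30
    # Azure Automation answers 202 with a JobIds array: the job is queued, which
    # does not yet mean the device has been added to the group.
    Write-Output "Runbook job queued: $($Response.JobIds -join ',')"
    exit 0
} catch {
    Write-Output "Webhook call failed: $($_.Exception.Message)"
    # Exiting non-zero makes Intune report the install as failed and retry it,
    # so a device is not silently left out of the group; return 0 instead if you
    # prefer the install to succeed even when the group update did not run.
    exit 1
}
```

The webhook only queues a job; if you need to know the membership change actually happened, check the runbook's job output in the automation account rather than the HTTP response.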
1 comment
Cool solution, thanks for sharing!
I wonder, however, could you not execute a runbook against the discovered apps in Intune directly, to populate and update the Entra ID group? Or use the device install status of the app? Is there a reason that makes it necessary to trigger the process from the endpoint itself?