Automatically adding device to Entra ID group through a remediation or platform script
In this post I will show you a way to automatically add a device to an Entra ID group from a remediation script.
Context
You want to populate an Entra ID group based on some specific property of your devices.
For instance, your devices should have a specific registry key or something else.
Let's take the below use case:
You want to check if the below registry key exists.
If yes, you want to add the current device to a specific Entra ID group.
The solution
I use an Azure Automation runbook (script) configured with a webhook.
The webhook allows remote execution of the runbook from PowerShell.
In my remediation script I call the runbook, passing some values such as the name of the device the remediation script is running on.
In the Automation runbook I get the device name that executed the webhook, then I check if the device is managed by Intune.
If yes, the runbook can continue.
The last step is to add the device with the specified device name to the group ID we want.
The runbook I shared allows you to add a device to a group.
A remediation script is executed on your devices and checks what you need, then adds the current device to the target group if needed.
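The runbook side of that flow, written out as an added example (this is not the author's Runbook.ps1). It uses the Microsoft Graph PowerShell SDK with the Automation account's managed identity. Assumptions: the remediation script posts a JSON body of the form {"DeviceName":"PC-0001"} (a field name chosen for this example), and $GroupID is a placeholder for the target group's object ID.

```powershell
# Added example runbook (not the post's Runbook.ps1): triggered by the webhook, it checks that the
# named device is managed by Intune and adds it to a group if it is not already a member.
# Assumptions: JSON body {"DeviceName":"..."} from the remediation script; $GroupID is a placeholder.
param(
    [Parameter(Mandatory = $false)]
    [object]$WebhookData
)

$GroupID = "<target-group-object-id>"   # placeholder: object id of the Entra ID group

if (-not $WebhookData) { throw "This runbook must be started from its webhook." }

# Azure Automation hands the webhook payload over as $WebhookData; RequestBody is the raw JSON string.
$body       = $WebhookData.RequestBody | ConvertFrom-Json
$deviceName = [string]$body.DeviceName
if ([string]::IsNullOrWhiteSpace($deviceName)) { throw "No DeviceName in the webhook body." }

# Authenticate as the Automation account's system-assigned managed identity.
Connect-MgGraph -Identity -NoWelcome

# 1. Is the device managed by Intune? Single quotes in the name are doubled to keep the OData filter valid.
$safeName = $deviceName.Replace("'", "''")
$managed  = @(Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$safeName'")
if ($managed.Count -eq 0) {
    Write-Output "Device '$deviceName' is not managed by Intune, nothing done."
    return
}
if ($managed.Count -gt 1) { throw "Several Intune devices are named '$deviceName'; refusing to guess." }

# 2. Resolve the Entra ID device object: group members are directory objects, not Intune objects.
$entraDevice = Get-MgDevice -Filter "deviceId eq '$($managed[0].AzureAdDeviceId)'"
if (-not $entraDevice) { throw "No Entra ID device found with deviceId $($managed[0].AzureAdDeviceId)." }

# 3. Skip the add when the device is already a member, so the runbook stays idempotent.
$memberIds = (Get-MgGroupMember -GroupId $GroupID -All).Id
if ($memberIds -contains $entraDevice.Id) {
    Write-Output "Device '$deviceName' is already a member of group $GroupID."
    return
}

# 4. Add the device to the group.
New-MgGroupMember -GroupId $GroupID -DirectoryObjectId $entraDevice.Id
Write-Output "Added '$deviceName' ($($entraDevice.Id)) to group $GroupID."
```

The device name in the webhook body is self-asserted by whoever holds the webhook URL, so the Intune lookup in step 1 is the real gate: only a device Intune already knows gets added, and an ambiguous name is rejected rather than resolved by guesswork.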
Get the script
Click on the below GitHub picture to get the script.
You will find two scripts:
- Detection.ps1: sample remediation script with a registry check
- Runbook.ps1
- Assign_permissions.ps1
Azure Automation account
Creating the account
1. Go to the Azure portal
2. Go to Automation accounts
3. Click on Create
4. Type a name
5. Choose a Subscription, resource group and region
6. Click on Create
Set Managed Identity
1. Go to your automation account
2. Go to Identity
3. Go to System assigned
4. Select On
5. Click on Save
6. Click on Yes
7. Go to the Azure portal
8. Go to Enterprise applications
9. Filter on Managed identity
10. You will find an app with the name of your automation account
Adding permissions
Once the Managed Identity has been configured, a new Enterprise application is created.
You then need to add permissions to it.
The required permission is: DeviceManagementManagedDevices.Read.All
To add this permission you must use PowerShell; it can't be done through the portal.
For that, use the script Assign_permissions.ps1 from my GitHub repo.
You just need to fill below variables:
- $TenantID: your tenant ID
- $DisplayNameOfMSI: name of your automation account
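For readers who want to see what such an assignment looks like, here is an added example (not the author's Assign_permissions.ps1) that grants a Microsoft Graph application permission to the managed identity with the Microsoft Graph PowerShell SDK. It reuses the two variable names from the post; the permission list holds the one permission the post names, and the well-known Graph application ID is a fixed value, not an assumption.

```powershell
# Added example (not the post's Assign_permissions.ps1): assign Microsoft Graph application
# permissions to an Automation account's system-assigned managed identity.
# $TenantID and $DisplayNameOfMSI are the placeholders the post asks you to fill in.
#Requires -Modules Microsoft.Graph.Applications

$TenantID         = "<your-tenant-id>"           # placeholder
$DisplayNameOfMSI = "<your-automation-account>"  # placeholder: the MSI is named after the account
$Permissions      = @("DeviceManagementManagedDevices.Read.All")
$GraphAppId       = "00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph app id

# Assigning app roles to a service principal needs AppRoleAssignment.ReadWrite.All on the admin side.
Connect-MgGraph -TenantId $TenantID -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All" -NoWelcome

# The managed identity shows up as a service principal with the Automation account's display name.
$msi = @(Get-MgServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'")
if ($msi.Count -ne 1) { throw "Expected exactly one service principal named '$DisplayNameOfMSI', found $($msi.Count)." }
$msi = $msi[0]

# The Graph service principal in the tenant publishes the app roles (application permissions).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"

foreach ($permission in $Permissions) {
    $appRole = $graphSp.AppRoles | Where-Object {
        $_.Value -eq $permission -and $_.AllowedMemberTypes -contains "Application"
    }
    if (-not $appRole) { throw "Application permission '$permission' not found on Microsoft Graph." }

    # Re-running the script must not create duplicate assignments.
    $existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id -All |
        Where-Object { $_.AppRoleId -eq $appRole.Id -and $_.ResourceId -eq $graphSp.Id }
    if ($existing) {
        Write-Output "'$permission' is already assigned to '$DisplayNameOfMSI'."
        continue
    }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id `
        -PrincipalId $msi.Id -ResourceId $graphSp.Id -AppRoleId $appRole.Id | Out-Null
    Write-Output "Assigned '$permission' to '$DisplayNameOfMSI'."
}
```

Keep $Permissions to the least the runbook actually calls: a managed identity's application permissions apply tenant-wide, without any user consent prompt, so every entry in that list is a standing capability of the Automation account.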
Creating a Runbook
1. Go to your Automation accounts
2. Go to Runbooks
3. Click on Create a runbook
4. Type a name
5. In Runbook type, select PowerShell
6. Click on Create
7. Choose one of the PS1 files
8. Click on Edit on the runbook
9. Copy the script content into the editor
10. Click on Publish
11. Click on Yes
Adding the webhook
1. Go on your runbook
2. Click Add webhook
3. Click on Create a new webhook
4. Type a name
5. Copy the URL now; it is shown only once and cannot be retrieved later
6. Click on OK
7. Click on Parameters and run settings
8. Click on OK
The remediation script
The remediation script sample is available on my GitHub (link above).
In the $webhookURI variable, type the URL of your webhook.
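As an added example (not the author's Detection.ps1), the client side of this design: a script that tests for a registry key and, when it is present, posts the device name to the webhook. The registry path under Contoso and the JSON field name DeviceName are constructed for this example; $webhookURI is the placeholder from the post.

```powershell
# Added example detection script (not the post's Detection.ps1): if the marker registry key exists,
# call the Automation webhook so the runbook adds this device to the group.
# $webhookURI is the placeholder from the post; the registry path and JSON field are constructed.
$webhookURI  = "<your-webhook-url>"               # placeholder: paste the webhook URL here
$RegistryKey = "HKLM:\SOFTWARE\Contoso\Marker"    # constructed example path

# Azure endpoints require TLS 1.2; older Windows PowerShell hosts may not select it by default.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

if (-not (Test-Path -Path $RegistryKey)) {
    Write-Output "Registry key not found, nothing to do."
    exit 0   # compliant: no action required
}

# Only the device name is sent; the runbook verifies it against Intune before acting.
$payload = @{ DeviceName = $env:COMPUTERNAME } | ConvertTo-Json -Compress

try {
    # Azure Automation answers 202 Accepted with a JobIds array once the runbook job is queued.
    $response = Invoke-RestMethod -Uri $webhookURI -Method Post -Body $payload -ContentType "application/json"
    Write-Output "Runbook job queued: $($response.JobIds -join ', ')"
    exit 0
}
catch {
    # A failed call (e.g. 403 on a mangled URL) is reported as non-compliant so it shows up in Intune.
    Write-Output "Webhook call failed: $($_.Exception.Message)"
    exit 1
}
```

The webhook URL embeds the token that authorises the call, so treat $webhookURI as a secret: anyone who reads it can queue runbook jobs, which is why the runbook, not the caller, decides whether a device qualifies.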
3 comments
Love this idea, could be useful.
I followed all the steps, at the end it runs the webhook and all, but the output is in error:
Invoke-WebRequest : The remote server returned an error: (403) Forbidden. At line:38 char:28 + ... vice_Info = Invoke-WebRequest -Uri $AzureAD_Device_URL -Method GET -H ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
Got any idea what I'm missing? Seems permission related, but the Enterprise App got its permission from your script successfully.
My bad, all works. I did a copy and paste from the browser; if I download your .PS1 file it works fine, it was a format issue. All good, it works!!! Nice, and thanks.
Solution looks useful and thank you for sharing :)
There are 3 things that I believe need a bit of attention:
1. You are taking actions in detection file. Isn't this against best practice?
2. I don't quite understand the purpose of using registry key in Detection.ps1 without the remediation part. Can you elaborate a bit more?
3. In Runbook.ps1 you define $Get_Group_Members but don't use it. Is it on purpose?
It looks like you have intended to check if the device is already member of the group and skip action in such case. Maybe worth doublechecking?