Automatically populate a device group based on a user group using Azure automation
In this post I will share an Azure automation script (runbook) allowing you to automatically populate a device group based on a user group.
Context
You have a group of users for instance one for digitak workplace, one for IT team...
You want to deploy an application, script... only on devices for IT team.
You need a group that will gather all devices for al users from a specific group.
This is where my automation runbook makes the job.
The solution
It works as below:
An Azure automation runbook (script) is executed for instance every 2 days.
It gets members from a user group and get id of all users from this group.
For each user, it gets their devices.
For each device it adds it in the group if it not already member.
Then you will receive a mail with a CSV contaning all devices that have been added.
The notification
See below an overview of the mails notif for new devices added:
See below an overview of the CSV list:
Get script
Click on the below GitHub picture to get the scripts.
You will find:
- Assign_permissions.ps1: script to add permissions to the MI
- Runbook.ps1: the Azure Automation runbook
Creating automation account
Purpose: here we will create the automation account that will be used to run the script.
1. Go to Azure
2. Go to Automation accounts
3. Click on Create
4. Type a name
5. Choose a Subscription, resource group and region
6. Click on Create
7. Click on Go to resource
Setting Managed Identity
Purpose: the managed identity is used to authenticate to your tenant, this way we don't need to provide credentials.
It allows you to avoid the credentials part.
When you configure the managed identity, a new Azure Enterprise application will be created.
This one will be used to authenticate to our tenant and do API calls.
For that we will proceed as below:
1. Go to your automation account
2. Go to Identity
3. Go to System assigned
4. Select On
5. Click on Save
6. Click on Yes
7. When it's configured a new enterprise application will be created with the same name than the automation account
Adding module
Purpose: here we need to add modules to authenticate to Graph and send mail.
Use this part only if you want to send info by mail.
1. Go to your automation account
2. Click on Modules gallery
3. Import the following modules
- Microsoft.Graph.Groups
- Microsoft.Graph.Authentication
- Microsoft.Graph.Users
Adding group owner
Purpose: we want to add members in a target group meaning we need rights on this group.
For that we will add the managed identity as group owner.
We will proceed as below:
1. Open the Intune portal
2. Go to Groups
3. Go to your group
4. Go to Owner
5. Search the managed identity
6. Select it
Adding permissions
Purpose: in order to be able to list Azure applications and send mail we need to add permissions to our managed identity.
We need the following permissions:
- Mail.Send
- Group.Read.All
- User.Read.All
- GroupMember.ReadWrite.All
We will proceed as below:
1. Edit the Assign_permissions.ps1 script
2. Modify variable $TenantID and $DisplayNameOfMSI
3. Open PowerShell with global admin rights
4. Run the script
Editing the runbook
Group information
Purpose: here we will modify the runbook script to adapt it to our needs regarding both user and device groups.
We will proceed as below:
1. Edit the Runbook.ps1 script
2. Modify the following variables:
$Users_Group = "" # ID of the users group
$Devices_Target_Group_Id = "" # ID of the target group
Mail information
Purpose: here we will modify the runbook script to adapt it to our needs regarding the mail notification.
We will proceed as below:
1. Edit the Assign_permissions.ps1 script
2. Modify the following variables:
$Send_Mail = $True # $True or $False
$Send_All_Devices_CSV = $False # $True or $False
$Mail_From = ""
$Mail_To = ""
$CSV_File = "TeamName_Devices_Group_new_members.csv"
$CSV_File_All = "TeamName_Devices_Group_all_members.csv"
* Replace TeamName with the name of the team for which you want to get members
Creating the Runbook
Purpose: here we will create the script that run the KQL query remotely.
1. Click on Create a runbook
2. Type a name
3. In Runbook type, select PowerShell
4. Click on Create
5. Click on Edit on the runbook
6. copy the Runbook.ps1 script content
7. Click on Save
8. Click on Publish
Enregistrer un commentaire