
Automatically populate a device group based on a user group using Azure automation



In this post I will share an Azure Automation script (runbook) that automatically populates a device group based on a user group.


Context

You have groups of users, for instance one for the digital workplace team, one for the IT team...

You want to deploy an application, a script... only on the devices of the IT team.

You need a group that gathers all devices of all users from a specific group.

This is where my automation runbook does the job.


The solution

It works as below:

An Azure Automation runbook (script) is executed on a schedule, for instance every 2 days.

It gets the members of a user group and the ID of every user in this group.

For each user, it gets their devices.

For each device, it adds it to the device group if it is not already a member.

Then you receive a mail with a CSV containing all devices that have been added.


The notification

See below an overview of the mail notification for new devices added:

See below an overview of the CSV list:


Get script

Click on the GitHub picture below to get the scripts.

You will find:

- Assign_permissions.ps1: script to add permissions to the managed identity (MI)

- Runbook.ps1: the Azure Automation runbook



Creating automation account

Purpose: here we will create the automation account that will be used to run the script.

1. Go to Azure

2. Go to Automation accounts

3. Click on Create

4. Type a name

5. Choose a Subscription, resource group and region

6. Click on Create

7. Click on Go to resource


Setting Managed Identity

Purpose: the managed identity is used to authenticate to your tenant, so we don't need to provide credentials.

It allows you to skip the credentials part entirely (no secret or password is stored in the runbook).

When you enable the managed identity, a new Azure enterprise application is created.

This one is used to authenticate to our tenant and make API calls.


For that we will proceed as below:

1. Go to your automation account

2. Go to Identity

3. Go to System assigned

4. Select On

5. Click on Save

6. Click on Yes

7. Once it is configured, a new enterprise application is created with the same name as the automation account


Adding module

Purpose: here we add the modules needed to authenticate to Graph and to send mail.

Use this part only if you want to send info by mail.

1. Go to your automation account

2. Click on Modules gallery

3. Import the following modules

- Microsoft.Graph.Groups

- Microsoft.Graph.Authentication

- Microsoft.Graph.Users


Adding group owner

Purpose: we want to add members to a target group, which means we need rights on this group.

For that we will add the managed identity as group owner.

We will proceed as below:

1. Open the Intune portal

2. Go to Groups

3. Go to your group

4. Go to Owner

5. Search for the managed identity

6. Select it


Adding permissions

Purpose: in order to be able to list Azure applications and send mail, we need to add permissions to our managed identity.

We need the following permissions:

- Mail.Send

- Group.Read.All

- User.Read.All

- GroupMember.ReadWrite.All


We will proceed as below:

1. Edit the Assign_permissions.ps1 script

2. Modify the variables $TenantID and $DisplayNameOfMSI

3. Open PowerShell with Global Administrator rights

4. Run the script
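To make the permission step concrete, here is an added example of what an Assign_permissions.ps1-style script does; it is not the author's script. It assumes the Microsoft.Graph.Applications module is installed on the admin workstation and an account able to consent to Application.Read.All and AppRoleAssignment.ReadWrite.All; the $TenantID and $DisplayNameOfMSI values are placeholders. It grants only the four application permissions listed above, skips roles already assigned, and prints what the identity holds afterwards so you can verify nothing broader was granted.

```powershell
# Added example (not the author's Assign_permissions.ps1).
# Requires: Microsoft.Graph.Applications, Microsoft.Graph.Authentication.
$TenantID         = "<tenant-id>"                  # placeholder
$DisplayNameOfMSI = "<automation-account-name>"    # placeholder: same name as the automation account

# Only the four application permissions the runbook needs.
$Permissions = @("Group.Read.All", "User.Read.All", "GroupMember.ReadWrite.All", "Mail.Send")

Connect-MgGraph -TenantId $TenantID -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All" -NoWelcome

# Service principal of the managed identity (created when the identity was switched on).
$MSI = Get-MgServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'"
if (@($MSI).Count -ne 1) { throw "Expected exactly one service principal named '$DisplayNameOfMSI'" }

# Microsoft Graph's own service principal; its appId is the same well-known value in every tenant.
$Graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# App roles already granted on Graph, so the script can be re-run safely.
$Assigned = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MSI.Id -All |
    Where-Object { $_.ResourceId -eq $Graph.Id } |
    ForEach-Object { $_.AppRoleId }

foreach ($Permission in $Permissions) {
    # Application roles (AllowedMemberTypes contains "Application"), not delegated scopes.
    $Role = $Graph.AppRoles |
        Where-Object { $_.Value -eq $Permission -and $_.AllowedMemberTypes -contains "Application" }
    if (-not $Role) { Write-Warning "App role '$Permission' not found on Microsoft Graph"; continue }
    if ($Assigned -contains $Role.Id) { Write-Output "$Permission already assigned"; continue }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MSI.Id `
        -PrincipalId $MSI.Id -ResourceId $Graph.Id -AppRoleId $Role.Id | Out-Null
    Write-Output "Assigned $Permission"
}

# Verification: the Graph permissions the managed identity now holds.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MSI.Id -All |
    Where-Object { $_.ResourceId -eq $Graph.Id } |
    ForEach-Object { ($Graph.AppRoles | Where-Object { $_.Id -eq $_.AppRoleId }).Value }
```

The verification list at the end should show exactly the four permissions; GroupMember.ReadWrite.All lets the identity modify membership of every group in the tenant, so keep the runbook's own group IDs hard-coded rather than reading them from an untrusted source.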


Editing the runbook

Group information

Purpose: here we will modify the runbook script to adapt it to our needs regarding both user and device groups.

We will proceed as below:

1. Edit the Runbook.ps1 script

2. Modify the following variables:

$Users_Group = "" # ID of the users group 

$Devices_Target_Group_Id = "" # ID of the target group


Mail information

Purpose: here we will modify the runbook script to adapt it to our needs regarding the mail notification.

We will proceed as below:

1. Edit the Assign_permissions.ps1 script

2. Modify the following variables:

$Send_Mail = $True # $True or $False

$Send_All_Devices_CSV = $False # $True or $False

$Mail_From = ""

$Mail_To = ""

$CSV_File = "TeamName_Devices_Group_new_members.csv"

$CSV_File_All = "TeamName_Devices_Group_all_members.csv"


* Replace TeamName with the name of the team for which you want to get members
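As an added example (not the author's Runbook.ps1), the following runbook follows the flow described in "The solution" using the variable names from "Editing the runbook". It assumes the managed identity holds the four permissions from "Adding permissions", that Microsoft.Graph.Authentication, Microsoft.Graph.Groups and Microsoft.Graph.Users are imported, and that a user's devices are the devices they own in Entra ID (Get-MgUserOwnedDevice); the author's script may use registered devices instead. The mail is sent through Invoke-MgGraphRequest so that no extra module is needed; all IDs and addresses are placeholders.

```powershell
# Added example runbook (not the author's Runbook.ps1).
$Users_Group             = "<users-group-object-id>"   # placeholder: ID of the users group
$Devices_Target_Group_Id = "<device-group-object-id>"  # placeholder: ID of the target group
$Send_Mail = $True
$Mail_From = "automation@contoso.example"              # placeholder mailbox the identity sends as
$Mail_To   = "it-team@contoso.example"                 # placeholder recipient
$CSV_File  = "TeamName_Devices_Group_new_members.csv"

# Authenticate as the system-assigned managed identity: no credentials in the runbook.
Connect-MgGraph -Identity -NoWelcome

# 1. Users of the source group (members may also be nested groups or devices, so keep only users).
$Users = Get-MgGroupMember -GroupId $Users_Group -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

# 2. Devices already in the target group, as a lookup set to avoid duplicate adds.
$Existing = @{}
Get-MgGroupMember -GroupId $Devices_Target_Group_Id -All |
    ForEach-Object { $Existing[$_.Id] = $true }

# 3. For each user, list owned devices and add the ones not yet in the group.
$Added = foreach ($User in $Users) {
    $Devices = Get-MgUserOwnedDevice -UserId $User.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.device' }
    foreach ($Device in $Devices) {
        if ($Existing.ContainsKey($Device.Id)) { continue }
        try {
            New-MgGroupMember -GroupId $Devices_Target_Group_Id -DirectoryObjectId $Device.Id
            $Existing[$Device.Id] = $true
            [pscustomobject]@{
                DeviceName = $Device.AdditionalProperties['displayName']
                DeviceId   = $Device.Id
                Owner      = $User.AdditionalProperties['userPrincipalName']
            }
        } catch {
            Write-Warning "Could not add device $($Device.Id): $($_.Exception.Message)"
        }
    }
}

$Count = @($Added).Count
Write-Output "Devices added: $Count"

# 4. Mail the CSV of newly added devices (only when something changed).
if ($Send_Mail -and $Count -gt 0) {
    $Path = Join-Path $env:TEMP $CSV_File
    $Added | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    $Body = @{
        message = @{
            subject      = "New devices added to the device group"
            body         = @{ contentType = "Text"; content = "$Count device(s) added, see attached CSV." }
            toRecipients = @(@{ emailAddress = @{ address = $Mail_To } })
            attachments  = @(@{
                '@odata.type' = '#microsoft.graph.fileAttachment'
                name          = $CSV_File
                contentType   = 'text/csv'
                contentBytes  = [Convert]::ToBase64String([IO.File]::ReadAllBytes($Path))
            })
        }
        saveToSentItems = $false
    }
    Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/users/$Mail_From/sendMail" -Body $Body
}
```

Reading the target group's current members once and checking against that set, rather than calling Graph for every device, keeps the run within throttling limits and makes the "not already member" check cheap; the CSV only lists devices the run actually added, which is what the notification mail is meant to audit.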


Creating the Runbook

Purpose: here we will create the script that runs the KQL query remotely.

1. Click on Create a runbook

2. Type a name

3. In Runbook type, select PowerShell

4. Click on Create

5. Click on Edit on the runbook

6. Copy the Runbook.ps1 script content

7. Click on Save

8. Click on Publish
