Automatically add device to Entra ID group at the end of MECM Task Sequence
In this post I will show you a script allowing you to automatically add a device into an Entra ID group at the end of a MECM Task Sequence.
The solution
The solution consists of a few steps:
- Use Azure Automation runbook
- Add a PowerShell script step in TS
- Script sends device to the runbook
- The runbook adds device in Entra ID group
Get the script
Click on the below GitHub picture to get the script
Azure Automation account
Creating the account
1. Go to the Azure portal
2. Go to Automation accounts
3. Click on Create
4. Type a name
5. Choose a Subscription, resource group and region
6. Click on Create
Set Managed Identity
1. Go to your automation account
2. Go to Identity
3. Go to System assigned
4. Select On
5. Click on Save
6. Click on Yes
7. Go to the Azure portal
8. Go to Enterprise applications
9. Filter on Managed identity
10. You will find an app with the name of your automation account
Adding permissions
Once the Managed Identity has been configured a new Enterprise application will be created.
Then you need to add permissions to this application so the runbook can perform its actions.
The required permission is: DeviceManagementManagedDevices.Read.All
To add this permission you will need to use PowerShell; it can't be done through the portal.
For that use the script Assign_permission.ps1 on my GitHub repo.
You just need to fill below variables:
- $TenantID: your tenant ID
- $DisplayNameOfMSI: name of your automation account
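The following is an added example of how such an assignment is done with the Microsoft Graph PowerShell SDK; it is not the Assign_permission.ps1 from the author's repo. It takes the same two variables, looks up the managed identity's service principal and the Microsoft Graph service principal, and assigns the app role. The tenant ID and account name are placeholders, and the check for an existing assignment makes the script safe to re-run.

```powershell
# Added example (not the author's Assign_permission.ps1): grant the Automation
# account's system-assigned managed identity a Microsoft Graph application
# permission. Requires the Microsoft.Graph PowerShell SDK.
# Placeholder values: replace $TenantID and $DisplayNameOfMSI with your own.
$TenantID         = "<your-tenant-id>"
$DisplayNameOfMSI = "<your-automation-account-name>"
$PermissionName   = "DeviceManagementManagedDevices.Read.All"   # permission named in the post
$GraphAppId       = "00000003-0000-0000-c000-000000000000"       # well-known Microsoft Graph appId

# Assigning app roles needs an administrator; sign in with a privileged account.
Connect-MgGraph -TenantId $TenantID -Scopes "AppRoleAssignment.ReadWrite.All","Application.Read.All"

# Service principal created for the managed identity (listed under Enterprise applications)
$msi = Get-MgServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'"
if (-not $msi) { throw "Managed identity '$DisplayNameOfMSI' not found" }

# Microsoft Graph service principal in this tenant, and the application role we want
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$appRole = $graphSp.AppRoles |
    Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }
if (-not $appRole) { throw "App role '$PermissionName' not found on Microsoft Graph" }

# Idempotency check: do nothing if the role is already assigned
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id |
    Where-Object { $_.AppRoleId -eq $appRole.Id -and $_.ResourceId -eq $graphSp.Id }

if ($existing) {
    Write-Host "Permission '$PermissionName' is already assigned to '$DisplayNameOfMSI'"
} else {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id `
        -PrincipalId $msi.Id -ResourceId $graphSp.Id -AppRoleId $appRole.Id | Out-Null
    Write-Host "Assigned '$PermissionName' to '$DisplayNameOfMSI'"
}
```

Application permissions granted this way are tenant-wide and not user-bound, so keep the list to what the runbook actually calls; the assignment appears afterwards under the managed identity's enterprise application, in Permissions.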
Creating a Runbook
1. Go to your Automation accounts
2. Go to Runbooks
3. Click on Create a runbook
4. Type a name
5. In Runbook type, select PowerShell
6. Click on Create
7. Choose one of the PS1 files
8. Click on Edit on the runbook
9. Paste the script content
10. Click on Publish
11. Click on Yes
Adding the webhook
1. Go to Resources > Webhooks
2. Click Add webhook
3. Click on Create a new webhook
4. Type a name
5. Copy the URL now for later
6. Click on OK
7. Click on Parameters and run settings
8. Click on OK then Create
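As an added example (not the author's published runbook), here is the shape of a runbook that the webhook above can start. It reads the device name from the webhook body, signs in as the managed identity, resolves the device through its Intune record and adds the Entra ID device object to the group. The group object ID is a placeholder; it is assumed that the permission from the post together with the group-owner step below is enough in your tenant, and that the Microsoft.Graph modules are imported into the Automation account.

```powershell
# Added example runbook (not the author's PS1): receives the device name from
# the webhook and adds the matching Entra ID device object to a group.
# Assumptions: the managed identity holds the permission from the post and is
# an owner of the target group; $TargetGroupId is a placeholder to replace.
param(
    [Parameter(Mandatory = $false)]
    [object] $WebhookData
)

$TargetGroupId = "<object-id-of-target-entra-group>"   # placeholder

if (-not $WebhookData) { throw "This runbook must be started from its webhook." }

# The webhook body is the JSON the Task Sequence script posted
$body       = $WebhookData.RequestBody | ConvertFrom-Json
$deviceName = [string]$body.DeviceName

# Input validation: accept a plain computer name only, nothing else reaches the OData filter
if ($deviceName -notmatch '^[A-Za-z0-9-]{1,15}$') {
    throw "Rejected device name '$deviceName'"
}

# Sign in as the system-assigned managed identity (no stored credential in the runbook)
Connect-MgGraph -Identity | Out-Null

# Intune record for this device (covered by DeviceManagementManagedDevices.Read.All)
$managed = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$deviceName'" |
    Select-Object -First 1
if (-not $managed) { throw "No Intune managed device named '$deviceName'" }

# Entra ID directory object for the same device, located by its deviceId
$entraDevice = Get-MgDevice -Filter "deviceId eq '$($managed.AzureAdDeviceId)'"
if (-not $entraDevice) { throw "No Entra ID device with deviceId $($managed.AzureAdDeviceId)" }

# Skip if already a member; otherwise add the directory object to the group
$already = Get-MgGroupMember -GroupId $TargetGroupId -All |
    Where-Object { $_.Id -eq $entraDevice.Id }
if ($already) {
    Write-Output "$deviceName is already a member of group $TargetGroupId"
} else {
    New-MgGroupMember -GroupId $TargetGroupId -DirectoryObjectId $entraDevice.Id
    Write-Output "Added $deviceName ($($entraDevice.Id)) to group $TargetGroupId"
}
```

Anyone holding the webhook URL can start this runbook, which is why the name is validated before it is used in a filter and why the runbook only ever writes to one fixed group: the caller chooses which device to add, never where.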
Add group owner
1. Go to your group
2. Go to Owners
3. Go to Add owners
4. Select your automation account name
Implement in Task Sequence
The first step is to add one TS variable:
- TS_Automation_Webhook: url of the runbook webhook
We will proceed as below:
1. Go to the beginning of the TS
2. Click on Add > General > Set Dynamic Variables
3. Click on Add Variable
4. Click on Custom variable
5. Type TS_Automation_Webhook
6. Check Do not display the value
7. Confirm the value with the variable
The second step is to add the PowerShell step that will send the Entra ID group request to the runbook.
Go to the end of your TS, then:
1. Click on Add > General > Run PowerShell script
2. Select Enter a PowerShell script
3. Click on Edit script
4. Copy script from here
5. In PowerShell execution policy, select Bypass
6. Go to Options
7. Click on Add conditions
8. Choose Task Sequence variable
9. In Variable, type TS_Automation_Webhook
10. In Condition, choose exists
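The script below is an added example of what that step can contain; it is not the author's script from the repo. It reads TS_Automation_Webhook through the Task Sequence COM object, checks that the value really is an Azure Automation webhook URL, and posts the device name as JSON. The OSDComputerName variable is used for the name when present, with the running computer name as fallback.

```powershell
# Added example for the "Run PowerShell script" step (not the author's script).
# Reads the webhook URL from TS_Automation_Webhook and posts the device name
# to the Azure Automation webhook as JSON.
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
} catch {
    throw "Not running inside a Task Sequence: $($_.Exception.Message)"
}

$webhookUrl = $tsenv.Value("TS_Automation_Webhook")
if ([string]::IsNullOrWhiteSpace($webhookUrl)) { throw "TS_Automation_Webhook is empty" }

# The URL carries its own token, which is why the TS variable is hidden; only
# send it over HTTPS to an Azure Automation host.
if ($webhookUrl -notmatch '^https://[^/]+\.azure-automation\.net/webhooks\?') {
    throw "TS_Automation_Webhook does not look like an Azure Automation webhook URL"
}

# Computer name chosen by the Task Sequence, falling back to the running name
$deviceName = $tsenv.Value("OSDComputerName")
if ([string]::IsNullOrWhiteSpace($deviceName)) { $deviceName = $env:COMPUTERNAME }

$payload = @{ DeviceName = $deviceName } | ConvertTo-Json -Compress

# Azure Automation answers 202 Accepted and returns the queued job id
$response = Invoke-WebRequest -Uri $webhookUrl -Method Post -Body $payload `
    -ContentType "application/json" -UseBasicParsing
if ($response.StatusCode -ne 202) {
    throw "Webhook returned HTTP $($response.StatusCode)"
}

$jobId = ($response.Content | ConvertFrom-Json).JobIds[0]
Write-Host "Queued Automation job $jobId for $deviceName"
```

The step only confirms that the job was queued; whether the group membership was actually written is visible in the runbook job output in the Automation account, which is the place to look when a device does not show up in the group.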