
Automatically add device to Entra ID group at the end of MECM Task Sequence



In this post I will show you a script allowing you to automatically add a device to an Entra ID group at the end of a MECM Task Sequence.


The solution

The solution consists of a few steps:

- Use an Azure Automation runbook

- Add a PowerShell script step in the TS

- The script sends the device to the runbook

- The runbook adds the device to the Entra ID group


Get the script

Click on the below GitHub picture to get the script



Azure Automation account

Creating the account

1. Go to the Azure portal

2. Go to Automation accounts

3. Click on Create

4. Type a name

5. Choose a Subscription, resource group and region

6. Click on Create


Set Managed Identity

1. Go to your automation account

2. Go to Identity

3. Go to System assigned

4. Select On

5. Click on Save

6. Click on Yes

7. Go to the Azure portal

8. Go to Enterprise applications

9. Filter on Managed identity

10. You will find an app with the name of your automation account


Adding permissions

Once the Managed Identity has been configured, a new Enterprise application is created.

Then you need to grant it permissions so the runbook can perform its actions.

The required permission is: DeviceManagementManagedDevices.Read.All

To add this permission you will need to use PowerShell; it can't be done through the portal.

For that, use the script Assign_permission.ps1 on my GitHub repo.


You just need to fill below variables:

- $TenantID: your tenant ID

- $DisplayNameOfMSI: name of your automation account


Creating a Runbook

1. Go to your Automation accounts

2. Go to Runbooks

3. Click on Create a runbook

4. Type a name

5. In Runbook type, select PowerShell

6. Click on Create

7. Choose one of the PS1 files

8. Click on Edit on the runbook

9. Copy script content

10. Click on Publish

11. Click on Yes



Adding the webhook

1. Go to Resources > Webhooks


2. Click Add webhook


3. Click on Create a new webhook


4. Type a name


5. Copy the URL now for later

6. Click on OK

7. Click on Parameters and run settings


8. Click on OK then Create


Add group owner

1. Go to your group

2. Go to Owners

3. Go to Add owners

4. Select your automation account name


Implement in Task Sequence

The first step is to add one TS variable:

- TS_Automation_Webhook: url of the runbook webhook


We will proceed as below:

1. Go to the beginning of the TS

2. Click on Add > General > Set Dynamic Variables

3. Click on Add Variable

4. Click on Custom variable


5. Type TS_Automation_Webhook

6. Check Do not display the value

7. Confirm the value with the variable


The second step is to add the PowerShell step that will send the Entra ID group to the runbook.

Go to the end of your TS, then:

1. Click on Add > General > Run PowerShell script


2. Select Enter a PowerShell script

3. Click on Edit script

4. Copy script from here


5. In PowerShell execution policy, select Bypass

6. Go to Options

7. Click on Add conditions

8. Choose Task Sequence variable

9. In Variable, type TS_Automation_Webhook

10. In Condition, choose exists
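As an added example (not the script from my GitHub repo), here is what the runbook side can look like: it receives the JSON that the TS step posts to the webhook, validates it, signs in with the system-assigned managed identity and adds the device to the group. It assumes the Microsoft.Graph modules are imported into the Automation account, that the identity's permissions cover the device lookup, and that the field names DeviceName/GroupName and the group name are constructed values you replace with your own.

```powershell
# Azure Automation runbook (PowerShell) started by the webhook created above.
# The "Run PowerShell script" TS step posts a JSON body such as the following
# (constructed example of the sender, reading the URL from the TS variable):
#   $TSEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment
#   $Body  = @{ DeviceName = $env:COMPUTERNAME; GroupName = "PostBuild-Devices" } | ConvertTo-Json
#   Invoke-RestMethod -Uri $TSEnv.Value("TS_Automation_Webhook") -Method Post -Body $Body -ContentType "application/json"
param([object]$WebhookData)

if (-not $WebhookData) { throw "This runbook must be started through its webhook" }

# The webhook URL is the only credential the sender holds, so treat the body as
# untrusted input and whitelist the names before they reach a Graph filter.
$Request = $WebhookData.RequestBody | ConvertFrom-Json
if ($Request.DeviceName -notmatch '^[A-Za-z0-9-]{1,15}$')   { throw "Rejected device name" }
if ($Request.GroupName  -notmatch '^[A-Za-z0-9 _-]{1,64}$') { throw "Rejected group name" }

# Sign in as the automation account's system-assigned managed identity (no stored secret).
Connect-MgGraph -Identity -NoWelcome

$Device = Get-MgDevice -Filter "displayName eq '$($Request.DeviceName)'" -Top 1
if (-not $Device) { throw "Device '$($Request.DeviceName)' not found in Entra ID" }

# The identity can only write to groups it owns, which is why it was added as group owner.
$Group = Get-MgGroup -Filter "displayName eq '$($Request.GroupName)'" -Top 1
if (-not $Group) { throw "Group '$($Request.GroupName)' not found" }

# Idempotent: re-running the TS step must not fail on an existing membership.
$Existing = Get-MgGroupMember -GroupId $Group.Id -All | Where-Object { $_.Id -eq $Device.Id }
if ($Existing) { Write-Output "$($Device.DisplayName) is already a member of $($Group.DisplayName)"; return }

# Add the device object by reference (the directoryObjects endpoint accepts devices as well as users).
New-MgGroupMemberByRef -GroupId $Group.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($Device.Id)"
}
Write-Output "Added $($Device.DisplayName) to $($Group.DisplayName)"
```

Keep the TS step from writing the webhook URL to smsts.log (hence "Do not display the value" on the variable): anyone holding that URL can start the runbook.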
