Automatically add device to Entra ID group at the end of MECM Task Sequence

In this post I will show you a script allowing you to automatically add a device into an Entra ID group at the end of a MECM Task Sequence.

The solution

The solution results in few steps:

- Use Azure Automation runbook

- Add a PowerShell script step in TS

- Script sends device to the runbook

- The runbook adds device in Entra ID group

Get the script

Click on the below GitHub picture to get the script

Azure Automation account

Creating the account

1. Go to the Azure portal

3. Go to Automation accounts

4. Click on Create

5. Type a name

6. Choose a Subscription, resource group and region

7. Click on Create

Set Managed Identity

1. Go to your automation account

2. Go to Identity

3. Go to System assigned

4. Select On

5. Click on Save

6. Click on Yes

7. Go to the Azure portal

8. Go to Enterprise applications

9. Filter on Managed identity

10. You will find an app with the name of your automation account

Adding permissions

Once the Managed Identity has been configured a new Enterprise application will be created.

Then you need to add permissions to be able to actions.

Required permissions is: DeviceManagementManagedDevices.Read.All

To add this permission you will need to use PowerShell, it can't be done through the portal.

For that use the script Assign_permission.ps1 on my GitHub repo.

You just need to fill below variables:

- $TenantID: your tenant ID

- $DisplayNameOfMSI: name of your automation account

Creating a Runbook

1. Go to your Automation accounts

2. Go to Runbooks

3. Click on Create a runbook

4. Type a name

5. In Runbook type, select PowerShell

6. Click on Create

7. Choose one of the PS1 file

8 Click on Edit on the runbook

9. Copy script content

10. Click on Publish

11. Click on Yes

Adding the webhook

1. Go to Resources > Webhooks

2. Click Add webhook

3. Click on Create a new webhook

4. Type a name

5. Copy the URL now for later

6. Click on OK

7. Click on Parameters and run settings

8. Click on OK then Create

Add group owner

1. Go to your group

2. Go to Owners

3. Go to Add owners

4. Select your automation account name

Implement in Task Sequence

The first step is to add one TS variables:

- TS_Automation_Webhook: url of the runbook webhook

We will proceed as below:

1. Go to the beginning of the TS

2. Clik on Add > General > Set Dynamic Variables

3. Click on Add Variable

4. Click on Custom variable

5. Type TS_Automation_Webhook

6. Check Do not display the value

7. Confirm the value with the variable

The second step is to add the PowerShell step that will send Entra ID group to the runbook.

Go a the end of you TS, then:

1. Click on Add > General > Run PowerShell script

2. Select Enter a PowerShell script

3. Click on Edit script

4. Copy script from here

5. In PowerShell execution policy, select Bypass

7. Go to Options

8. Click on Add conditions

9. Choose Task Sequence variable

10. In Variable, type TS_Automation_Webhook

11. In Contition choose exists