Be notified by mail of users with recent activities without Intune license using Azure Automation
In this post I will share an Azure Automation script that sends an email notification listing the users who have had recent activity but hold no Intune licence.
Get the script
Click on the GitHub picture below to get the scripts.
You will find two scripts:
- Runbook.ps1
- Assign_permissions.ps1
The solution
1. Create an Azure Automation account
2. Add a runbook
3. Get all users with activities during last 30 days
4. Check users without Intune licence
Creating the Automation account
1. Go to the Azure portal
2. Go to Automation accounts
3. Click on Create
4. Type a name
5. Choose a Subscription, resource group, region
6. Click on Create
Adding modules
Purpose: we need to add the modules used to authenticate to Graph and to send mail.
1. Go to your automation account
2. Click on Modules gallery
3. Import the following modules
- Microsoft.Graph.Users.Actions
- Microsoft.Graph.Authentication
Setting Managed Identity
Purpose: the managed identity is used to authenticate to your tenant, this way we don't need to provide credentials.
For that we will proceed as below:
1. Go to your automation account
2. Go to Identity
3. Go to System assigned
4. Select On
5. Click on Save
6. Click on Yes
7. When it's configured, a new enterprise application will be created with the same name as the automation account
Adding permissions
Once the Managed Identity has been configured a new Enterprise application will be created.
Then you need to add permissions so that it is able to perform the required actions.
We will add the following permissions:
- User.Read.All
- Mail.Send
To add these permissions you will need to use PowerShell; it can't be done through the portal.
For that, use the script Assign_permissions.ps1 in my GitHub repo.
You just need to fill below variables:
- $TenantID: your tenant ID
- $DisplayNameOfMSI: name of your automation account
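The general technique the assignment script relies on, written here as an added example (it is not the Assign_permissions.ps1 from the repo): look up the managed identity's service principal, look up the Microsoft Graph service principal by its well-known appId, and create one app role assignment per permission. It assumes the Microsoft.Graph.Applications module is installed on the admin workstation, that the signed-in admin may grant app roles, and it keeps the $TenantID and $DisplayNameOfMSI variables from the post; the placeholder values must be filled in.

```powershell
# Added example (not the author's Assign_permissions.ps1): grant Microsoft Graph application
# permissions to the Automation account's system-assigned managed identity.
# Requires the Microsoft.Graph.Applications module and an admin allowed to grant app roles.
$TenantID         = "<your-tenant-id>"            # placeholder, fill in
$DisplayNameOfMSI = "<your-automation-account>"   # placeholder, fill in
$Permissions      = @("User.Read.All", "Mail.Send")  # app roles listed in the post

# Well-known appId of the Microsoft Graph service principal (identical in every tenant).
$GraphAppId = "00000003-0000-0000-c000-000000000000"

Connect-MgGraph -TenantId $TenantID -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All"

$Msi = Get-MgServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'"
if (-not $Msi) { throw "No service principal named '$DisplayNameOfMSI'; enable the system-assigned identity first." }
if (@($Msi).Count -gt 1) { throw "Several service principals match '$DisplayNameOfMSI'; filter on appId instead." }

$Graph = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"

# Roles already granted, so re-running the script does not create duplicate assignments.
$Existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Msi.Id -All

foreach ($Permission in $Permissions) {
    # Only application-type roles can be assigned to a service principal.
    $Role = $Graph.AppRoles | Where-Object { $_.Value -eq $Permission -and $_.AllowedMemberTypes -contains "Application" }
    if (-not $Role) { throw "Graph exposes no application role named '$Permission'." }

    if ($Existing | Where-Object { $_.AppRoleId -eq $Role.Id -and $_.ResourceId -eq $Graph.Id }) {
        Write-Output "$Permission is already assigned to $DisplayNameOfMSI"
        continue
    }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Msi.Id `
        -PrincipalId $Msi.Id -ResourceId $Graph.Id -AppRoleId $Role.Id | Out-Null
    Write-Output "Assigned $Permission to $DisplayNameOfMSI"
}

# Verification: print the role values the identity now holds on Graph.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Msi.Id -All |
    Where-Object { $_.ResourceId -eq $Graph.Id } |
    ForEach-Object { ($Graph.AppRoles | Where-Object Id -eq $_.AppRoleId).Value }
```

Two points worth checking after running it. Mail.Send as an application permission lets the identity send as any mailbox in the tenant, so restrict it to the sending mailbox with an Exchange Online application access policy (New-ApplicationAccessPolicy scoped to the identity's appId). And if the runbook reads the signInActivity property of users to find recent activity, Graph only returns that property when the caller also holds AuditLog.Read.All, so that role may need to be added to the list above.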
Configuring the script
Configure the following variables $Mail_From and $Mail_To.
Configure the variable $Users_Activity_Delay to define the user activity delay (by default 30 days).
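As an added example of the runbook logic (this is not the Runbook.ps1 from the repo), the following script authenticates with the managed identity, pages through the users whose last sign-in falls within $Users_Activity_Delay days, checks each one's provisioned service plans for an Intune plan, and mails an HTML table of the users that have none. It keeps the $Mail_From, $Mail_To and $Users_Activity_Delay variables from the post; the mailbox addresses are placeholders, and the $IntunePlanNames list is an assumption about which servicePlanName values count as an Intune licence in your tenant. It uses only the two modules the post imports, calling Graph through Invoke-MgGraphRequest.

```powershell
# Added example runbook (not the author's Runbook.ps1): list users active in the last
# $Users_Activity_Delay days who hold no Intune service plan, and mail the list.
# Runs under the system-assigned managed identity; needs Microsoft.Graph.Authentication
# and Microsoft.Graph.Users.Actions only.
$Mail_From            = "automation@contoso.example"    # placeholder: mailbox the identity sends from
$Mail_To              = "intune-admins@contoso.example" # placeholder: recipient
$Users_Activity_Delay = 30                              # days, the default from the post

# Assumption: these servicePlanName values identify an Intune licence; adjust for your tenant.
$IntunePlanNames = @("INTUNE_A")

Connect-MgGraph -Identity -NoWelcome

# Users whose last sign-in is within the delay. Graph accepts a filter on
# signInActivity/lastSignInDateTime; the value must be UTC in ISO 8601 form.
$Since = (Get-Date).ToUniversalTime().AddDays(-$Users_Activity_Delay).ToString("yyyy-MM-ddTHH:mm:ssZ")
$Uri = "https://graph.microsoft.com/v1.0/users?`$filter=signInActivity/lastSignInDateTime ge $Since" +
       "&`$select=id,displayName,userPrincipalName,signInActivity&`$top=999"

$ActiveUsers = @()
do {
    $Page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
    $ActiveUsers += $Page.value
    $Uri = $Page.'@odata.nextLink'   # $null once the last page has been read
} while ($Uri)

# For each active user, look for a successfully provisioned Intune service plan.
$Missing = foreach ($User in $ActiveUsers) {
    $Details = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
        -Uri "https://graph.microsoft.com/v1.0/users/$($User.id)/licenseDetails"
    $IntunePlans = $Details.value | ForEach-Object { $_.servicePlans } |
        Where-Object { $_.provisioningStatus -eq "Success" -and $IntunePlanNames -contains $_.servicePlanName }
    if (-not $IntunePlans) {
        [pscustomobject]@{
            DisplayName = $User.displayName
            UPN         = $User.userPrincipalName
            LastSignIn  = $User.signInActivity.lastSignInDateTime
        }
    }
}

Write-Output "$($ActiveUsers.Count) active users, $(@($Missing).Count) without an Intune licence"
if (-not $Missing) { Write-Output "Nothing to report"; return }

# Build the HTML table. Display names and UPNs are directory-controlled strings, so they are
# HTML-encoded to keep a crafted value from injecting markup into the report.
$Rows = foreach ($U in $Missing) {
    "<tr><td>$([System.Net.WebUtility]::HtmlEncode($U.DisplayName))</td>" +
    "<td>$([System.Net.WebUtility]::HtmlEncode($U.UPN))</td><td>$($U.LastSignIn)</td></tr>"
}
$Html = "<p>Users active in the last $Users_Activity_Delay days without an Intune licence:</p>" +
        "<table border='1'><tr><th>Name</th><th>UPN</th><th>Last sign-in</th></tr>$($Rows -join '')</table>"

$Message = @{
    message = @{
        subject      = "Active users without Intune licence ($(@($Missing).Count))"
        body         = @{ contentType = "HTML"; content = $Html }
        toRecipients = @(@{ emailAddress = @{ address = $Mail_To } })
    }
    saveToSentItems = $false
}
Send-MgUserMail -UserId $Mail_From -BodyParameter $Message
```

The per-user licenseDetails call is one request per active user, which is fine for the nightly schedule such a runbook usually runs on; for very large tenants the assignedPlans property returned with the user object avoids the extra round trip, at the cost of matching on service plan ids instead of names.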
Creating a Runbook
1. Go to your Automation accounts
2. Go to Runbooks
3. Click on Create a runbook
4. Type a name
5. In Runbook type, select PowerShell
6. Click on Create
7. Choose one of the PS1 files
8. Click on Edit on the runbook
9. Copy script content
10. Click on Publish
11. Click on Yes