Create and populate a device group based on user attributes like user department or location
In this post I will share a way to populate an Entra ID device group based on user attributes such as the department or location property.
The solution
It works as below:
1. Create a dynamic Entra ID group
2. Set dynamic rule based on user department or location
3. An Azure Automation runbook (script) is executed
4. The script runs on a schedule
5. It gets the members of a user group
6. It gets the ID of every user in this group
7. For each user, it gets their devices
8. It adds each device to the target group if it is not already a member
Get script
Click on the GitHub picture below to get the scripts.
You will find:
- Assign_permissions.ps1: script to add permissions to the managed identity (MI)
- Runbook.ps1: the Azure Automation runbook
Creating automation account
Purpose: here we will create the automation account that will be used to run the script.
1. Go to Azure
2. Go to Automation accounts
3. Click on Create
4. Type a name
5. Choose a Subscription, resource group and region
6. Click on Create
Setting Managed Identity
Purpose: the managed identity is used to authenticate to your tenant, so the runbook does not need stored credentials.
When you enable the managed identity, a new enterprise application is created in Entra ID.
This application is used to authenticate to the tenant and make the Graph API calls.
For that we will proceed as below:
1. Go to your automation account
2. Go to Identity
3. Go to System assigned
4. Select On
5. Click on Save
6. Click on Yes
7. Once configured, a new enterprise application is created with the same name as the automation account
Adding module
Purpose: here we add the modules needed to authenticate to Graph and to send mail.
Use this part only if you want to send info by mail.
1. Go to your automation account
2. Click on Modules gallery
3. Import the following modules
- Microsoft.Graph.Groups
- Microsoft.Graph.Authentication
- Microsoft.Graph.Users
Creating the group
Here we will create a dynamic group based on a specific user property.
We can for instance create a group based on country, city, department, and so on.
For that we will proceed as below:
1. Go to Groups
2. Click on New group
3. Choose Security as group type
4. In Membership type, choose Dynamic user
5. Click on Add dynamic query
6. Go to Property
7. Select the property on which you want to filter
8. In Operator choose Equals
9. In Value, type the value on which you want to filter
Adding group owner
Purpose: we want to add members to the target group, so the managed identity needs rights on this group.
For that we will add the managed identity as a group owner.
We will proceed as below:
1. Open the Intune portal
2. Go to Groups
3. Go to your group
4. Go to Owner
5. Search the managed identity
6. Select it
Adding permissions
We need the User.Read.All Graph permission.
To add it we will proceed as below:
1. Edit the Assign_permissions.ps1 script
2. Modify the variables $TenantID and $DisplayNameOfMSI
3. Open PowerShell with global admin rights
4. Run the script
Editing the runbook
Group information
Purpose: here we will modify the runbook script to adapt it to our needs, for both the user group and the device group.
We will proceed as below:
1. Edit the Runbook.ps1 script
2. Modify the following variables:
$Users_Group = "" # ID of the users group
$Devices_Target_Group_Id = "" # ID of the target group
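The runbook logic described in the solution steps (get the members of the user group, get each user's devices, add each device to the target group if it is not already a member), written out as an added PowerShell example with the Microsoft.Graph modules listed above; this is not the post's own Runbook.ps1. It assumes "their devices" means the devices the user owns (Get-MgUserOwnedDevice) and that the target group uses Assigned membership, since members cannot be added by script to a dynamic group.

```powershell
# Added example, not the post's Runbook.ps1: populate the device group from the
# devices owned by members of the user group. Assumes the target group uses
# Assigned membership and the managed identity is its owner.
$Users_Group             = ""   # ID of the users group (dynamic user group)
$Devices_Target_Group_Id = ""   # ID of the target device group (assigned membership)

# Authenticate with the automation account's system-assigned managed identity
Connect-MgGraph -Identity -NoWelcome

# Lookup of objects already in the target group, so only new devices are added
$existing = [System.Collections.Generic.HashSet[string]]::new()
Get-MgGroupMember -GroupId $Devices_Target_Group_Id -All |
    ForEach-Object { [void]$existing.Add($_.Id) }

# Keep only user objects; nested groups or other object types in the source are skipped
$users = Get-MgGroupMember -GroupId $Users_Group -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$added = 0
foreach ($user in $users) {
    # Assumption: "their devices" = devices the user owns.
    # Use Get-MgUserRegisteredDevice instead if registered devices are wanted.
    $devices = Get-MgUserOwnedDevice -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.device' }

    foreach ($device in $devices) {
        if ($existing.Contains($device.Id)) { continue }   # already a member
        try {
            New-MgGroupMember -GroupId $Devices_Target_Group_Id -DirectoryObjectId $device.Id -ErrorAction Stop
            [void]$existing.Add($device.Id)
            $added++
            Write-Output "Added $($device.AdditionalProperties['displayName']) for user $($user.Id)"
        }
        catch {
            # Log and continue: one failed device should not abort the whole run
            Write-Warning "Failed to add device $($device.Id): $($_.Exception.Message)"
        }
    }
}

Write-Output "Run complete: $added device(s) added."
Disconnect-MgGraph | Out-Null
```

The Write-Output lines appear in the runbook job output in Azure Automation, which is where to check what the scheduled run changed.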
Creating the Runbook
We will proceed as below:
1. Click on Create a runbook
2. Type a name
3. In Runbook type, select PowerShell
4. Click on Create
5. Click on Edit on the runbook
6. Paste the Runbook.ps1 script content into the editor
7. Click on Save
8. Click on Publish