Create and populate a device group based on user attributes like user department or location

In this post I will share a way to populate a devices entra ID group based on user attributes like department or location property.

The solution

It works as below:

1. Create a dynamic Entra ID group

2. Set dynamic rule based on user department or location

3. An Azure automation runbook (script) is executed 

4. The script is scheduled

5. It gets members from a user group 

6. It gets id of all users from this group

7. For each user, it gets their devices

8. It adds each device in the group if it not already member

Get script

Click on the below GitHub picture to get the scripts.

You will find:

- Assign_permissions.ps1: script to add permissions to the MI

- Runbook.ps1: the Azure Automation runbook

Creating automation account

Purpose: here we will create the automation account that will be used to run the script.

1. Go to Azure

2. Go to Automation accounts

3. Click on Create

4. Type a name

5. Choose a Subscription, resource group and region

6. Click on Create

Setting Managed Identity

Purpose: the managed identity is used to authenticate to your tenant, this way we don't need to provide credentials.

It allows you to avoid the credentials part.

When you configure the managed identity, a new Azure Enterprise application will be created.

This one will be used to authenticate to our tenant and do API calls.

For that we will proceed as below:

1. Go to your automation account

2. Go to Identity

3. Go to System assigned

4. Select On

5. Click on Save

6. Click on Yes

7. When it's configured a new enterprise application will be created with the same name than the automation account

Adding module

Purpose: here we need to add modules to authenticate to Graph and send  mail.

Use this part only if you want to send info by mail.

1. Go to your automation account

2. Click on Modules gallery

3. Import the following modules

- Microsoft.Graph.Groups

- Microsoft.Graph.Authentication

- Microsoft.Graph.Users

Creating the group

Here we will create a dynamic groupe based on a specific user property.

We can for instance create a group based on country, city, department...

For that we will proceed as below:

1 . Go to Groups

2. Click on New group

3. Choose Security as group type

4. In Membership type, choose Dynamic user

5. Click on Add dynamic query

6. Go to Property

7. Select the property on which you want to filter

8. In Operator choose Equals

9. In value type value on which you want to filter

Adding group owner

Purpose: we want to add members in a target group meaning we need rights on this group.

For that we will add the managed identity as group owner.

We will proceed as below:

1. Open the Intune portal

2. Go to Groups

3. Go to your group

4. Go to Owner

5. Search the managed identity

6. Select it

Adding permissions

We need the following User.Read.All permission.

To add it we will proceed as below:

1. Edit the Assign_permissions.ps1 script

2. Modify variable $TenantID and $DisplayNameOfMSI

3. Open PowerShell with global admin rights

4. Run the script

Editing the runbook

Group information

Purpose: here we will modify the runbook script to adapt it to our needs regarding both user and device groups.

We will proceed as below:

1. Edit the Runbook.ps1 script

2. Modify the following variables:

$Users_Group = "" # ID of the users group 

$Devices_Target_Group_Id = "" # ID of the target group

Creating the Runbook

We will proceed as below:

1. Click on Create a runbook

2. Type a name

3. In Runbook type, select PowerShell

4. Click on Create

5. Click on Edit on the runbook

6. copy the Runbook.ps1 script content

7. Click on Save

8. Click on Publish