How to create device based Azure AD group with OSType and OSVersion using powershell for intune

Friend of mine had asked for help to create device based dynamic group with deviceOSType=iOS ,and deviceOSversion less than 12.4.1. The reason for this group was to limit anything below iOS 12.4.1 for iPhone devices and MDM managed devices only to have a collection. So that ,we can exclude them from VPN to restrict users from internal resources.  This is because of vulnerability issues on lower version (12.4.1) as per Apple blogs.

First when i read this request ,i thought this can be achieved with dynamic group membership rules available from Azure AD and i have shared the Microsoft Docs link to read more about it . https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership

While i shared this link to friend,i have also started looking at this request using dynamic group membership rules in my lab . From Microsoft Docs ,we can make use of deviceOSType and deviceOSVersion attributes for this however there is no expression for less than or greater than .

At the time of writing this blog post, the following expression operators are supported.

From this list ,i cannot find deviceOS version less than or greater than. I cannot find any expression closer to the request asked for.

image

The next possible option is to look at the PowerShell. Though this is onetime solution and not a dynamic membership query but you can run the script often if you need.

Instead of PowerShell ,you can also use regex which is dynamic query to get the devices with same requirement. Thanks to Olav for the heads-up on this regex

Example to get all windows 10 build 1803 and newer. you an use something like this: device.deviceOSVersion -match "[10][.][0][.]1713[4-9]|171[4-9]\d|17[2-9]\d{2}|1[8-9]\d{3}|[2-9]\d{4}|\d{6,}" .Though it is not straight forward but it does your job with dynamic query .

Powershell does provide the flexibility to create anything you want from the available information in the tenant.Azure AD has all the information necessary for us to create powershell script.

The script contains only 2 Azure AD powershell cmdlets Get-AzureADDevice and Add-AzureADGroupMember.

I had few PowerShell scripts that i often use for office365 ,Azure AD and intune so i started taking bits and pieces from them and come up with a PowerShell script.

First i started writing powershell script to identity devices with deviceOSType=iOS ,and deviceOSversion less than 12.4.1 .if found, add it to Azure AD group.This works fine, but later realized ,it would be good option to export the list to CSV for reference.

The script export the list of devices that match the criteria with device information like device name, device type,incompliant, ismanaged,lastlogontimestamp,UserPrincipalName etc.

This script will only fetch the devices which are enrolled to intune (MDM) but not Azure AD registered (MAM only). The reason for this is ,DeviceOSType -eq "IPhone".

In my observation, for intune enrolled devices ,DeviceOSType -eq "IPhone".For MAM registered devices (Azure AD registered),DeviceOSType -eq "iOS" .For iPAD ,it always show as iPAD irrespective of MDM or MAM.

Download the powershell script from Technet Gallary .

Before you run the script, you need to key in Azure AD group object ID into the script so that the devices will be added to Azure AD group.

Login to Azure AD portal, create Azure AD group with membership type =Assigned .Once the group is created, you can click on the group ,go to overview to get object ID.

If you already created group ,get the object ID.

image

Now edit the powershell script ,key in the group object ID for $AADGroupID="KeyinAzureADGroup ID here"

Save the script and run it.

Note: You need to install Azure AD powershell module on the computer where you run the script from.

When you run the script, it look for azure AD powershell module, if installed then it prompt for credential and execute the script.

The script may take few min depends on the number of devices in the tenant . When i ran the script ,it took 5-8 min to fetch 4500 objects into CSV file with file size around 800KB.

you can customize the script to remove unwanted things as per your needs.

Hope you find this useful!

One Response to "How to create device based Azure AD group with OSType and OSVersion using powershell for intune"

Post Comment