Add bulk devices to the Azure AD security groups for Intune deployments

I was recently involved in a task to target Intune deployments at multiple groups (pre-pilot, pilot, and prod). Each phase has a large set of devices from various regions, and they all follow different naming conventions too.

All the devices are hybrid Azure AD joined. The list of devices for each phase is available (and static), but how do we add these devices to the Azure AD security groups?

Dynamic Azure AD security groups work well when you want to add devices that share specific criteria such as a naming pattern, OS, country, or any other attribute available to the dynamic membership query. In my case, however, the list is static (a handful of devices picked from different regions), so there is no attribute to query on.

So I cannot use a dynamic query-based group; it must be a static Azure AD security group.

Once you have the list of devices (hostnames), you can go to the Azure AD/MEM portal, open the Azure AD security group, click Members, and add the devices one by one. This manual method is fine for a few devices (fewer than 10) but not for 100+ devices.

In this blog post, we will see how to add bulk devices to Azure AD security groups using the Azure AD portal and using PowerShell.

First, let's talk about the GUI method using Azure AD portal.

In the Azure AD portal, open the security group that you wish to add the devices to, click Members, and you will see an option to import members.


You will be asked to download a template (CSV) in which you enter the device information.


Once the template is downloaded, open the CSV file; you will see that the template asks for the device object ID, not the device name.


We have the device names but not the device object IDs.

How do we get the device object IDs from the device names?

The easiest (and, in practice, the only) way is scripting with PowerShell. We will write a PowerShell script that reads the device names, looks up the corresponding object ID for each one, and writes the results to a CSV file whose values we can paste into the template and upload. The lookup itself is a single cmdlet from the AzureAD module (-SearchString matches on the device display name):

Get-AzureADDevice -SearchString cmcb-w10-01


As you can see above, the device (CMCB-w10-01) has two object IDs. This is because the device was Azure AD registered (workplace join) in addition to being hybrid Azure AD joined, so both a registered object and a hybrid-joined object exist for the same hostname; the two are distinguished by the device trust type.

You can download the PowerShell script from the GitHub repository.

The script needs an input (txt) file with a list of all device names, one per line.

Run the script: it checks for the Azure AD module, connects to Azure AD, gets the device object information for each device, and writes the results to a CSV file.


Script output:

The script writes a row for each device object it finds in Azure AD.


Now we have the object IDs of the devices. We will use the template that we downloaded earlier and append the object ID of each device to it.

Copy the object IDs into the template starting from row 3, one per line. Do not touch rows 1 and 2; the import expects the template's header rows unchanged.


Go back to the Azure AD portal, choose the import members option, upload the CSV file, and wait for the status.


The upload succeeded.


If you want to check the status of each device, click the "file ready" link in the bulk operation results; it gives a per-row result, so a mistyped or stale object ID shows up there rather than silently being skipped.


Refresh the group to see the imported devices.


If you want to add only the devices that are hybrid Azure AD joined, and not the Azure AD registered duplicates, we can refine our PowerShell to filter on the device trust type:

If DeviceTrustType = ServerAd, the device is hybrid Azure AD joined

If DeviceTrustType = Workplace, the device is Azure AD registered

If DeviceTrustType = AzureAd, the device is Azure AD joined

Filter for the hybrid Azure AD joined object only:

Get-AzureADDevice -SearchString cmcb-w10-01 | Where {$_.DeviceTrustType -eq "ServerAd"}


To see the count of devices by trust type across the tenant (note that Get-AzureADDevice returns only the first 100 devices unless -All $true is specified):

Get-AzureADDevice -All $true | Group-Object DeviceTrustType | Select-Object Count,Name | Sort-Object Count

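Putting the lookup script described earlier together with the trust-type filter, here is an added example of the name-to-object-ID resolution (this is my own illustration, not the script from the author's GitHub repository). It reads one hostname per line, pins the exact display name (because -SearchString is a prefix match), keeps only objects of the requested trust type so the duplicate Workplace registration is not imported, and records not-found devices instead of dropping them. The file paths, parameter names and output columns are assumptions.

```powershell
# Added example (not the post's GitHub script): resolve device hostnames to
# Azure AD device object IDs, keeping only the requested trust type so the
# duplicate 'Workplace' (Azure AD registered) object of a hybrid-joined device
# is not imported. Paths and column names below are assumptions.
param(
    [string]$InputFile  = '.\devices.txt',           # one hostname per line (assumed path)
    [string]$OutputFile = '.\device-objectids.csv',  # assumed path
    [string]$TrustType  = 'ServerAd'                 # ServerAd = hybrid joined, Workplace = registered, AzureAd = Azure AD joined
)

if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    Install-Module -Name AzureAD -Scope CurrentUser -Force
}
Import-Module AzureAD

# Connect-AzureAD prompts interactively; reuse an existing session if one is open.
try { $null = Get-AzureADTenantDetail } catch { Connect-AzureAD | Out-Null }

$results = foreach ($raw in Get-Content $InputFile) {
    $name = $raw.Trim()
    if (-not $name) { continue }

    # -SearchString matches the start of the display name, so pin the exact name.
    $devices = @(Get-AzureADDevice -SearchString $name |
        Where-Object { $_.DisplayName -eq $name })
    $matched = @($devices | Where-Object { $_.DeviceTrustType -eq $TrustType })

    if ($devices.Count -eq 0) {
        Write-Warning "$name : not found in Azure AD"
        [pscustomobject]@{ DeviceName = $name; ObjectId = ''; DeviceTrustType = ''; Status = 'NotFound' }
    }
    elseif ($matched.Count -eq 0) {
        # Found, but only as e.g. a Workplace registration: report rather than import it.
        $types = ($devices.DeviceTrustType | Sort-Object -Unique) -join ';'
        Write-Warning "$name : found but no '$TrustType' object (trust types: $types)"
        [pscustomobject]@{ DeviceName = $name; ObjectId = ''; DeviceTrustType = $types; Status = 'WrongTrustType' }
    }
    else {
        foreach ($d in $matched) {
            [pscustomobject]@{ DeviceName = $name; ObjectId = $d.ObjectId; DeviceTrustType = $d.DeviceTrustType; Status = 'OK' }
        }
    }
}

$results | Export-Csv -Path $OutputFile -NoTypeInformation
# Summary so that NotFound / WrongTrustType rows are not overlooked before the import.
$results | Group-Object Status | Select-Object Name, Count
```

Only rows with Status OK carry an object ID; paste that column into the template from row 3 onwards. Note that the AzureAD module is deprecated in favour of the Microsoft Graph PowerShell SDK (Get-MgDevice); the same logic applies, with the trust type exposed as the TrustType property there.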

Second method, using PowerShell:

This method requires two inputs: 1) the Azure AD security group name and 2) a CSV file that contains the device names and object IDs. To produce that CSV file, we still need the lookup script above to get the object IDs of the devices.

When you run the script, as usual, it checks for the Azure AD module and prompts for authentication.

Once authentication succeeds, it asks for the device group name, followed by the path of the CSV file.

A log file is created that tracks the status of each device the script processes.

In the run below, these devices were already members of the group, hence they fail to add.
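The following is an added example of that second method (my own illustration, not the author's second GitHub script). It resolves the group by exact display name, loads the current membership first so that devices that are already members are logged as skipped rather than surfacing as failures, and logs every add attempt. The parameter names, CSV columns (DeviceName, ObjectId, as produced by the lookup example) and log path are assumptions.

```powershell
# Added example (not the post's second GitHub script): add the device objects
# listed in a CSV (columns DeviceName, ObjectId) to a static Azure AD security
# group identified by display name, logging each result. Parameter names,
# CSV columns and the log path are assumptions.
param(
    [Parameter(Mandatory)][string]$GroupName,
    [Parameter(Mandatory)][string]$CsvFile,
    [string]$LogFile = ".\AddDevicesToGroup-$(Get-Date -Format yyyyMMdd-HHmmss).log"
)

function Write-Log([string]$Message) {
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    Install-Module -Name AzureAD -Scope CurrentUser -Force
}
Import-Module AzureAD
try { $null = Get-AzureADTenantDetail } catch { Connect-AzureAD | Out-Null }

# Resolve the group by exact display name; refuse to guess if the name is ambiguous.
$group = @(Get-AzureADGroup -SearchString $GroupName | Where-Object { $_.DisplayName -eq $GroupName })
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($group.Count)"
}
$group = $group[0]

# Snapshot current membership so existing members are skipped, not reported as failures.
$existing = @{}
Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    ForEach-Object { $existing[$_.ObjectId] = $true }

$rows = @(Import-Csv -Path $CsvFile | Where-Object { $_.ObjectId })
Write-Log "Group '$($group.DisplayName)' ($($group.ObjectId)): $($rows.Count) device rows, $($existing.Count) existing members"

foreach ($row in $rows) {
    if ($existing.ContainsKey($row.ObjectId)) {
        Write-Log "SKIP  $($row.DeviceName) $($row.ObjectId) already a member"
        continue
    }
    try {
        Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $row.ObjectId -ErrorAction Stop
        Write-Log "ADDED $($row.DeviceName) $($row.ObjectId)"
    }
    catch {
        # Typical causes: stale object ID, or the object is not a valid member type.
        Write-Log "FAIL  $($row.DeviceName) $($row.ObjectId) : $($_.Exception.Message)"
    }
}
```

Run it as `.\Add-DevicesToGroup.ps1 -GroupName 'Intune-Pilot-Devices' -CsvFile .\device-objectids.csv` (both names are placeholders). Because the membership snapshot is taken once at the start, the script is safe to re-run against the same CSV after a partial failure.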


You can download both scripts from GitHub and adapt them further to your needs.

Hope this helps!
