Recently, we had a requirement from customer, that they wanted to deploy applications /apply device configurations etc. from Intune to Azure AD Joined devices ONLY but not other devices like BYOD intune enrolled devices. (MAM/MDM)
With intune, you can target apps ,device configurations, profiles ,deployments to both user groups OR device groups but not to specific users or device. If you target to user groups ,then it will apply to user irrespective of device join type whether it is intune enrolled (BYOD) or Azure AD join (Corporate device) .
If you perform Azure AD join through auto-pilot then the problem can be fixed by creating Azure AD group (dynamic) and all the devices that you import (hashID) via auto-pilot will be automatically added to this autopilot AAD dynamic security group. This allows you to target all deployments to this group.
But what if user/helpdesk/admin perform Azure AD join manually ? How do we get the devices added to Azure AD group for the deployment?
I tried looking at the Azure AD dynamic query but could not find any attribute that matches with Azure AD joined. This is current limitation at the write of writing this blog post.
In this blog post, we will see how to create AD sec group and get all Azure AD joined devices added to the group for assignments/deployments.
If you want to create security group in Azure AD, we have two types of membership: dynamic or assigned
For Dynamic Device group, we need to use an attribute as a rule to allow the system to evaluate the membership and see if the change would trigger any group adds or removes.
Following are the built-in device property attributes that help to choose .
We need to identify the attribute that stores the information of Azure AD join.
From the powershell ,i found that, DeviceTrustType holds the value for Azure AD join however However , DeviceTrustType attribute is not supported to use in dynamic group membership:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#rules-for-devices
So we cannot create dynamic groups to automatically populate Azure AD joined devices .There is an uservoice for this requirement. Please go and vote for it .
The next option(workaround) is to fallback to powershell. With the help of powershell ,we can check the device attribute value DeviceTrustType and if it is equal “AzureAD Joined”, add it to the group.
What is required to run the powershell script?
- Created a group for all Azure AD Joined Device (All_AzureAD_device). Membership type: Assigned.
Please note the Object ID of this group: 456abed67-f34a-4931-b8e0-a41f7f8454ba
2. Following is the powershell script to add all Azure AD join devices to group.
<#
Title:Add Azure AD join devices ONLY to AAD group
Author:Eswar Koneti
Date:26-Aug-2019
# Usage:
# =======
# scriptname.ps1 -group ADSECGROUPObjectID
#>Param(
[Parameter(Mandatory=$true)]
[string] $groupObjID
) #end param$scriptpath = $MyInvocation.MyCommand.Path
$dir = Split-Path $scriptpath
$date = (get-date -f dd-MM-yyyy-hhmmss)#connect to AzureAD module
Connect-AzureAD#get a list of all device members which are already in AzureAD Group:
$members=Get-AzureADGroupMember -All $true -ObjectId $groupObjID | Where-Object {$_.ObjectType -eq "Device"}#get a list of all Azure AD joined devices:
$devices=Get-AzureADDevice -All $true | Where-Object {$_.DeviceTrustType -eq "AzureAd"}
if ($Devices)
{
foreach ($device in $devices)
{
#Check if the device is already a member of group AzureADjoin.
#if not, add it to the group
if ($members.ObjectId -notcontains $device.ObjectId)
{
Add-AzureADGroupMember -ObjectId $groupObjID -RefObjectId $device.ObjectId
}
}
}
Save the script and run it with command line as given in the script.scriptname.ps1 -group ADSECGROUPObjectID
Once you have group ready with all Azure AD join devices, you can target the deployments,device configuration,profiles to this group.
Running the script will prompt for Azure AD credentials . If you want to suppress the credentials all the time, then store the credentials in encrypted file and use it with Connect-AzureAD –Credential $credentials.
The below command is used to store your password of Azure AD account (is onetime) to store your password ,unless there is change in the password.
Read-Host -Prompt "Enter your password" -AsSecureString | ConvertFrom-SecureString | Out-File "D:\Scripts\O365\Automation\pw.key"
Once the password is stored in file ,then the following syntax can be used in script to pass the credentials.
$TenantUname = "eswar@apac.eskonr.com"
$TenantPass = cat "D:\Scripts\O365\Automation\pw.key" | ConvertTo-SecureString
$TenantCredentials = new-object -typename System.Management.Automation.PSCredential -argumentlist $TenantUname, $TenantPass
#connect to AzureAD module
Connect-AzureAD -Credential $TenantCredentials
Please note, This is onetime task however you can create a scheduled task to run every few hours to add AAD Devices to this group until there is a built-in way.
Hope it helps!
Reference:
https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0
This is great! I too have the exact issue with AAD dynamic groups, but for my use case it's with serverAd devices. I've taken this a step further by using Azure Automation to run this on a schedule so that it keeps the group up to date with new devices.
Found one tiny issue though, you need to use -All $true on the Get-AzureADGroupMember as well, or it will only return a list of 100:
$members=Get-AzureADGroupMember -All $true -ObjectId $groupObjID | Where-Object {$_.ObjectType -eq "Device"}
Thank you for the update.
I will update the post to return all devices.
Thanks,
Eswar
Pingback: How to uninstall SCCM client using Intune Win32 app management | Eswar Koneti Blog
Pingback: ICYMI: PowerShell Week of 4-October-2019 | PowerShell.org
Thanks for it.