Use powershell to create Azure AD dynamic security group for Azure AD joined (AADJ) devices only


Recently, a customer had a requirement to deploy applications, apply device configurations and so on from Intune to Azure AD joined devices ONLY, and not to other devices such as BYOD Intune-enrolled devices (MAM/MDM).

With Intune, you can target apps, device configurations, profiles and deployments to user groups or device groups, but not to specific users or devices. If you target user groups, the assignment applies to the user irrespective of the device join type, whether the device is Intune enrolled (BYOD) or Azure AD joined (corporate device).

If you perform the Azure AD join through Autopilot, the problem can be solved by creating a dynamic Azure AD group: all the devices you import (hash ID) via Autopilot are automatically added to this Autopilot AAD dynamic security group, which allows you to target all deployments to it.

But what if a user, helpdesk or admin performs the Azure AD join manually? How do we get those devices added to an Azure AD group for the deployment?

I looked at the Azure AD dynamic membership query but could not find any attribute that identifies Azure AD joined devices. This is a limitation at the time of writing this blog post.

In this blog post, we will see how to create an Azure AD security group and get all Azure AD joined devices added to it for assignments and deployments.

When you create a security group in Azure AD, there are two membership types: dynamic or assigned.

For a dynamic device group, we need an attribute to use in a rule, so that the system can evaluate the membership and see whether a change would trigger any group adds or removes.

Following are the built-in device property attributes available to choose from.


We need to identify the attribute that stores the information of Azure AD join.

From PowerShell, I found that DeviceTrustType holds the join type of the device. However, the DeviceTrustType attribute is not supported for use in dynamic group membership rules:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#rules-for-devices

So we cannot create a dynamic group to automatically populate Azure AD joined devices. There is a UserVoice item for this requirement; please go and vote for it.

The next option (workaround) is to fall back to PowerShell. With PowerShell, we can check the device attribute value DeviceTrustType and, if it equals “AzureAD Joined”, add the device to the group.

What is required to run the PowerShell script?

1. Create a group for all Azure AD joined devices (All_AzureAD_device). Membership type: Assigned.

Please note the Object ID of this group: 456abed67-f34a-4931-b8e0-a41f7f8454ba

2. Following is the PowerShell script to add all Azure AD joined devices to the group.

<#
Title: Add Azure AD joined devices ONLY to an AAD group
Author: Eswar Koneti
Date: 26-Aug-2019
Usage:
=======
scriptname.ps1 -groupObjID <Object ID of the assigned AAD group>
#>

Param(
    [Parameter(Mandatory=$true)]
    [string] $groupObjID
) #end param

$scriptpath = $MyInvocation.MyCommand.Path
$dir = Split-Path $scriptpath
$date = (Get-Date -f dd-MM-yyyy-hhmmss)

#connect to the AzureAD module (prompts for credentials)
Connect-AzureAD

#get a list of all device members which are already in the AzureAD group
#(-All $true is required, otherwise only the first 100 members are returned)
$members = Get-AzureADGroupMember -All $true -ObjectId $groupObjID | Where-Object {$_.ObjectType -eq "Device"}

#get a list of all Azure AD joined devices (DeviceTrustType is "AzureAd" for AADJ devices)
$devices = Get-AzureADDevice -All $true | Where-Object {$_.DeviceTrustType -eq "AzureAd"}
if ($devices)
{
    foreach ($device in $devices)
    {
        #Check if the device is already a member of the group.
        #If not, add it to the group
        if ($members.ObjectId -notcontains $device.ObjectId)
        {
            Add-AzureADGroupMember -ObjectId $groupObjID -RefObjectId $device.ObjectId
        }
    }
}
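As an added example (not the author's script above), here is a variant that keeps the assigned group in sync in both directions: it adds devices whose DeviceTrustType is AzureAd, removes device members that are no longer Azure AD joined or no longer exist, supports -WhatIf, and refuses to run if the device query returns nothing so a failed query cannot empty the group. The hashtable comparison and the abort guard are my choices, not from the post.

```powershell
<#
Added example, not the original script: two-way sync of the assigned group.
Adds devices whose DeviceTrustType is "AzureAd", removes device members that are
no longer Azure AD joined, supports -WhatIf, and aborts instead of emptying the group.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
Param(
    [Parameter(Mandatory = $true)]
    [string] $groupObjID   # Object ID of the assigned group, as in the post
)

Connect-AzureAD | Out-Null

# Current device members keyed by ObjectId (-All $true: otherwise only 100 are returned)
$current = @{}
Get-AzureADGroupMember -ObjectId $groupObjID -All $true |
    Where-Object { $_.ObjectType -eq 'Device' } |
    ForEach-Object { $current[$_.ObjectId] = $_ }

# Desired membership: every device whose trust type is AzureAd
$desired = @{}
Get-AzureADDevice -All $true |
    Where-Object { $_.DeviceTrustType -eq 'AzureAd' } |
    ForEach-Object { $desired[$_.ObjectId] = $_ }

# Guard: an empty result is far more likely a query/permission problem than a tenant with no AADJ devices
if ($desired.Count -eq 0) {
    throw 'No Azure AD joined devices returned; aborting so the group is not emptied.'
}

$added = 0; $removed = 0

foreach ($id in @($desired.Keys)) {
    if (-not $current.ContainsKey($id) -and
        $PSCmdlet.ShouldProcess($desired[$id].DisplayName, 'Add to group')) {
        Add-AzureADGroupMember -ObjectId $groupObjID -RefObjectId $id
        $added++
    }
}

foreach ($id in @($current.Keys)) {
    if (-not $desired.ContainsKey($id) -and
        $PSCmdlet.ShouldProcess($current[$id].DisplayName, 'Remove from group')) {
        Remove-AzureADGroupMember -ObjectId $groupObjID -MemberId $id
        $removed++
    }
}

Write-Output ("Added {0}, removed {1}; group now has {2} device members" -f $added, $removed, ($current.Count + $added - $removed))
```

Run it once with -WhatIf to review the planned adds and removals before letting it change the group.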

Save the script and run it from the command line as shown in the script header: scriptname.ps1 -groupObjID ADSECGROUPObjectID

Once the group is ready with all Azure AD joined devices, you can target deployments, device configurations and profiles to this group.

Running the script prompts for Azure AD credentials. If you want to suppress the prompt, store the credentials in an encrypted file and use it with Connect-AzureAD -Credential $credentials.

The following command stores the password of your Azure AD account. This is a one-time step, unless the password changes.

Read-Host -Prompt "Enter your password" -AsSecureString | ConvertFrom-SecureString | Out-File "D:\Scripts\O365\Automation\pw.key"

Once the password is stored in the file, the following syntax can be used in the script to pass the credentials.

$TenantUname = "eswar@apac.eskonr.com"
#pw.key is protected with DPAPI: it can only be decrypted by the same Windows user on the same machine that created it
$TenantPass = Get-Content "D:\Scripts\O365\Automation\pw.key" | ConvertTo-SecureString
$TenantCredentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $TenantUname, $TenantPass
#connect to the AzureAD module without prompting
Connect-AzureAD -Credential $TenantCredentials

Please note, this is a one-time task; however, you can create a scheduled task to run it every few hours to add new AAD joined devices to this group until there is a built-in way.
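The scheduled task mentioned above, as an added example that is not from the original post: it runs the script every four hours under the same Windows account that created pw.key, because the DPAPI-protected file can only be decrypted by that account on that machine. The script path, task name and interval are assumptions; the group Object ID is the one from the post.

```powershell
<#
Added example, not from the original post: register a scheduled task that runs the
script every 4 hours. It must run as the same Windows account that created pw.key,
because DPAPI-protected data is bound to that user and machine.
Assumed: script path, task name, interval. The group Object ID is from the post.
#>
$scriptPath = 'D:\Scripts\O365\Automation\Add-AadjDevices.ps1'   # assumed location of the script
$groupObjID = '456abed67-f34a-4931-b8e0-a41f7f8454ba'           # Object ID of All_AzureAD_device
$taskName   = 'Sync-AzureADJoinedDevices'                        # assumed task name

# Prompt once for the Windows account that created pw.key (defaults to the logged-on user)
$runAs = Get-Credential -UserName "$env:USERDOMAIN\$env:USERNAME" -Message 'Account that created pw.key'

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`" -groupObjID $groupObjID"

# Start now and repeat every 4 hours; a long finite duration keeps this working on
# older PowerShell versions where RepetitionDuration is mandatory
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Hours 4) -RepetitionDuration (New-TimeSpan -Days 3650)

# Kill a hung run after an hour and never overlap two runs
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -MultipleInstances IgnoreNew -StartWhenAvailable

# -User/-Password registers a "run whether user is logged on or not" task with a password
# logon, which loads the user profile so DPAPI can decrypt pw.key. Least privilege: RunLevel Limited.
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Settings $settings `
    -User $runAs.UserName -Password $runAs.GetNetworkCredential().Password `
    -RunLevel Limited -Description 'Adds Azure AD joined devices to the assigned AAD group'
```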

Hope it helps!

Reference:

https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/37414642-support-for-azure-dynamic-device-groups-for-groupi


7 Responses to "Use powershell to create Azure AD dynamic security group for Azure AD joined (AADJ) devices only"

    1. Hi,
      if a dynamic rule is possible using the UI, it should be possible using the script too.
      What are you trying to achieve? Do you have a dynamic rule that you want to get using PowerShell?

      Thanks,
      Eswar
  1. This is great! I too have the exact issue with AAD dynamic groups, but for my use case it's with serverAd devices. I've taken this a step further by using Azure Automation to run this on a schedule so that it keeps the group up to date with new devices.

    Found one tiny issue though: you need to use -All $true on Get-AzureADGroupMember as well, or it will only return a list of 100:
    $members=Get-AzureADGroupMember -All $true -ObjectId $groupObjID | Where-Object {$_.ObjectType -eq "Device"}