    Use powershell to create Azure AD dynamic security group for Azure AD joined (AADJ) devices only

By Eswar Koneti | October 02, 6:47 pm | 4 Mins Read | Automation | 12,071 Views

Recently, we had a requirement from a customer: they wanted to deploy applications and apply device configurations from Intune to Azure AD joined devices ONLY, not to other Intune-enrolled devices such as BYOD devices (MAM/MDM).

With Intune, you can target apps, device configurations, profiles and deployments to user groups or device groups, but not to an individual user or device. If you target a user group, the assignment applies to that user regardless of the device join type, whether it is an Intune-enrolled BYOD device or an Azure AD joined corporate device.

If you perform the Azure AD join through Autopilot, the problem is easy to solve: create a dynamic Azure AD group whose rule matches the Autopilot ZTDId tag, and every device you import (by hardware hash) into Autopilot is added to that dynamic security group automatically. You can then target all deployments to this group.

But what if a user, the helpdesk or an admin performs the Azure AD join manually? How do we get those devices added to an Azure AD group for the deployments?

I looked at the Azure AD dynamic membership rule builder but could not find any device attribute that identifies an Azure AD joined device. This is a limitation at the time of writing this blog post.

In this blog post, we will see how to create an Azure AD security group and add all Azure AD joined devices to it for assignments/deployments.

When you create a security group in Azure AD, you choose one of two membership types: dynamic or assigned.

For a dynamic device group, we need an attribute-based rule so the service can evaluate membership and add or remove devices as their attribute values change.

Following are the built-in device properties that can be used in such a rule.

[Image: list of built-in device properties available in the dynamic membership rule builder]

We need to identify the attribute that records whether a device is Azure AD joined.

From PowerShell, I found that DeviceTrustType holds the join type of a device ("AzureAd" for Azure AD joined, "ServerAd" for hybrid Azure AD joined, "Workplace" for Azure AD registered). However, DeviceTrustType is not supported in dynamic group membership rules:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#rules-for-devices

So, at the time of writing, we cannot create a dynamic group that automatically populates itself with Azure AD joined devices. There is a UserVoice request for this requirement; please go and vote for it. Before scripting around the gap, check the current version of the documentation linked above, as the list of supported device properties changes over time.

The workaround is to fall back to PowerShell. With PowerShell, we can read each device's DeviceTrustType and, if it equals "AzureAd", add the device to the group.

What is required to run the PowerShell script?

1. Create a group for all Azure AD joined devices (All_AzureAD_device) with membership type Assigned.

[Image: the All_AzureAD_device group with membership type Assigned]

    Please note the Object ID of this group: 456abed67-f34a-4931-b8e0-a41f7f8454ba

2. Following is the PowerShell script that adds all Azure AD joined devices to the group.

<#
Title: Add Azure AD joined devices ONLY to an AAD group
Author: Eswar Koneti
Date: 26-Aug-2019
Usage:
  scriptname.ps1 -groupObjID <Object ID of the assigned AAD group>
Requires the AzureAD PowerShell module (Install-Module AzureAD).
#>

Param(
    [Parameter(Mandatory=$true)]
    [string] $groupObjID
) #end param

#script location and a timestamp, available if you extend the script with logging
$scriptpath = $MyInvocation.MyCommand.Path
$dir = Split-Path $scriptpath
$date = (Get-Date -f dd-MM-yyyy-hhmmss)

#connect to Azure AD (prompts for credentials; see below for a non-interactive option)
Connect-AzureAD

#get all device members already in the AAD group
#-All $true is required, otherwise only the first 100 members are returned
$members = Get-AzureADGroupMember -All $true -ObjectId $groupObjID | Where-Object {$_.ObjectType -eq "Device"}

#get all Azure AD joined devices
#DeviceTrustType is "AzureAd" for Azure AD joined, "ServerAd" for hybrid joined, "Workplace" for registered
$devices = Get-AzureADDevice -All $true | Where-Object {$_.DeviceTrustType -eq "AzureAd"}
if ($devices)
{
    foreach ($device in $devices)
    {
        #add the device to the group only if it is not already a member
        if ($members.ObjectId -notcontains $device.ObjectId)
        {
            Add-AzureADGroupMember -ObjectId $groupObjID -RefObjectId $device.ObjectId
        }
    }
}

Save the script and run it from the command line as shown in its usage header: scriptname.ps1 -groupObjID <Object ID of the group>
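The script above only ever adds members. When the group is the target of Intune assignments, a practitioner usually also wants to know that it contains nothing else: a device that was added by hand, or that is hybrid joined or merely registered, would otherwise receive corporate-only deployments. The following is an added example, not the original post's script, that reconciles the group in both directions, refuses to run against a dynamic group (Add-AzureADGroupMember fails on those), and supports -WhatIf so the change set can be reviewed first. It assumes the AzureAD module and an existing Connect-AzureAD session; the parameter names and the RemoveStale switch are this example's own.

```powershell
<#
Added example: reconcile an assigned Azure AD group so that it contains exactly the
Azure AD joined devices (DeviceTrustType "AzureAd"). Not the original post's script.
Assumes the AzureAD module is installed and Connect-AzureAD has already been run.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
Param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$')]
    [string] $GroupObjectId,

    # Also remove device members that are not Azure AD joined (default: add only).
    [switch] $RemoveStale
)

# Preflight: the target must be an assigned group. Adding members to a dynamic group
# fails with a generic API error, so stop early with a clear message instead.
$group = Get-AzureADMSGroup -Id $GroupObjectId -ErrorAction Stop
if ($group.GroupTypes -contains 'DynamicMembership') {
    throw "Group '$($group.DisplayName)' uses dynamic membership; an assigned group is required."
}

# Desired state: every device whose trust type is AzureAd.
# (ServerAd = hybrid Azure AD joined, Workplace = Azure AD registered; both excluded.)
$desired = @{}
Get-AzureADDevice -All $true |
    Where-Object { $_.DeviceTrustType -eq 'AzureAd' } |
    ForEach-Object { $desired[$_.ObjectId] = $_.DisplayName }

# Current state: device members only; user or group members are left untouched.
$current = @{}
Get-AzureADGroupMember -ObjectId $GroupObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'Device' } |
    ForEach-Object { $current[$_.ObjectId] = $_.DisplayName }

# Hashtable lookups keep this O(n) even for tens of thousands of devices.
$toAdd    = @($desired.Keys | Where-Object { -not $current.ContainsKey($_) })
$toRemove = @($current.Keys | Where-Object { -not $desired.ContainsKey($_) })

foreach ($id in $toAdd) {
    if ($PSCmdlet.ShouldProcess("$($desired[$id]) ($id)", "Add to $($group.DisplayName)")) {
        try {
            Add-AzureADGroupMember -ObjectId $GroupObjectId -RefObjectId $id
        } catch {
            Write-Warning "Add failed for ${id}: $($_.Exception.Message)"
        }
    }
}

if ($RemoveStale) {
    foreach ($id in $toRemove) {
        if ($PSCmdlet.ShouldProcess("$($current[$id]) ($id)", "Remove from $($group.DisplayName)")) {
            try {
                Remove-AzureADGroupMember -ObjectId $GroupObjectId -MemberId $id
            } catch {
                Write-Warning "Remove failed for ${id}: $($_.Exception.Message)"
            }
        }
    }
}

# Summary object, useful as the log line of a scheduled run.
[pscustomobject]@{
    Group          = $group.DisplayName
    AzureAdJoined  = $desired.Count
    AlreadyMembers = $current.Count
    Added          = $toAdd.Count
    StaleMembers   = $toRemove.Count
    RemovedStale   = if ($RemoveStale) { $toRemove.Count } else { 0 }
}
```

Run it first with -WhatIf to see the planned adds and removals without touching the group; StaleMembers in the summary tells you how many non-joined devices are currently receiving the group's assignments even when RemoveStale is not set.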

Once the group contains all Azure AD joined devices, you can target your deployments, device configurations and profiles to this group.

Running the script prompts for Azure AD credentials. If you want to avoid the prompt every time (for example when running from a scheduled task), store the password in an encrypted file and connect with Connect-AzureAD -Credential $credentials. Two caveats: Connect-AzureAD -Credential is non-interactive, so the account cannot be subject to MFA, and because the account's password sits on disk it should be a dedicated account with no more rights than it needs, such as an owner of this one group rather than a Global Administrator.

The following command stores the password of the Azure AD account in an encrypted file. This is a one-time step that you repeat only when the password changes. The encryption uses DPAPI, so the file can be decrypted only by the same Windows user on the same machine that created it; run it as the account that will later run the script.

    Read-Host -Prompt "Enter your password" -AsSecureString | ConvertFrom-SecureString | Out-File "D:\Scripts\O365\Automation\pw.key"

Once the password is stored in the file, the following lines in the script pass the credentials without a prompt.

$TenantUname = "eswar@apac.eskonr.com"
#decrypt the stored password; only works for the Windows user and machine that created pw.key
$TenantPass = Get-Content "D:\Scripts\O365\Automation\pw.key" | ConvertTo-SecureString
$TenantCredentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $TenantUname, $TenantPass
#connect to Azure AD without a credential prompt
Connect-AzureAD -Credential $TenantCredentials

Please note that the script runs once and exits; devices joined afterwards are not picked up. Create a scheduled task that runs it every few hours to keep adding newly joined devices to this group until there is a built-in way.
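The post describes the scheduled task but does not show it, and the part that usually goes wrong is the interaction between the task's run-as account and the DPAPI-protected password file. The following is an added example, not from the original post, that creates the key file, restricts its ACL, and registers a task that runs the script every four hours. It assumes the script has been modified as shown above to read pw.key and call Connect-AzureAD -Credential; the paths, task name, service account name and group GUID are hypothetical placeholders.

```powershell
<#
Added example (not from the original post): schedule the group-sync script.
Two different accounts are involved and must not be confused:
  * the Windows account that runs the task; its DPAPI key protects pw.key, so the file
    must be created while logged on as that account, on the machine that runs the task;
  * the Azure AD account whose password is inside pw.key; make it a dedicated account
    that only owns the target group, and do not enforce MFA on it, because
    Connect-AzureAD -Credential is non-interactive.
Run this whole file in a PowerShell session logged on as $TaskUser.
All names, paths and the GUID below are hypothetical.
#>
$ScriptPath    = 'D:\Scripts\O365\Automation\Add-AadJoinedDevices.ps1'
$KeyFile       = 'D:\Scripts\O365\Automation\pw.key'
$GroupObjectId = '11111111-2222-3333-4444-555555555555'
$TaskUser      = "$env:USERDOMAIN\svc-aadgroup"
$TaskName      = 'AAD-Joined-Devices-Group-Sync'

# Step 1 (one time): store the Azure AD account's password. ConvertFrom-SecureString
# without -Key uses DPAPI bound to the current Windows user and machine.
Read-Host -Prompt 'Azure AD automation account password' -AsSecureString |
    ConvertFrom-SecureString |
    Out-File -FilePath $KeyFile

# Tighten the file ACL: drop inherited permissions, grant read to the task account only.
icacls $KeyFile /inheritance:r /grant:r "${TaskUser}:(R)" | Out-Null

# Step 2: register the task with a stored Windows password. Do not choose the
# "Do not store password" (S4U) option: without the password the user's DPAPI master
# key cannot be unlocked and ConvertTo-SecureString fails when the task runs.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`" -groupObjID $GroupObjectId"

$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) `
    -RepetitionInterval (New-TimeSpan -Hours 4)

# Cap runtime and skip a run if the previous one is still going (large tenants).
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -MultipleInstances IgnoreNew -StartWhenAvailable

$taskCred = Get-Credential -UserName $TaskUser -Message 'Windows password of the task account'

Register-ScheduledTask -TaskName $TaskName `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $taskCred.UserName -Password $taskCred.GetNetworkCredential().Password `
    -RunLevel Limited -Force

# Verify: kick off a run now and read the last result (0 means success).
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 30
Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object LastRunTime, LastTaskResult
```

If LastTaskResult is non-zero, run the same powershell.exe command line interactively as the task account; a DPAPI error at ConvertTo-SecureString means pw.key was created by a different user or on a different machine.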

    Hope it helps!

References:

    https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0

    https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/37414642-support-for-azure-dynamic-device-groups-for-groupi

    7 Comments

    1. nil on September 19, 2023 11:54 PM

      Hi, is there any way to add an expression to the current dynamic membership rule by using a Powershell script?

      • Eswar Koneti on February 10, 2024 11:19 PM

        Hi,
If a dynamic rule is possible using the UI, it should be possible using a script too.
What are you trying to achieve? Do you have a dynamic rule that you want to retrieve using PowerShell?

        Thanks,
        Eswar

    2. The Fixer on July 3, 2020 5:44 AM

      This is great! I too have the exact issue with AAD dynamic groups, but for my use case it's with serverAd devices. I've taken this a step further by using Azure Automation to run this on a schedule so that it keeps the group up to date with new devices.

Found one tiny issue though: you need to use -All $true on Get-AzureADGroupMember as well, or it will only return a list of 100:
      $members=Get-AzureADGroupMember -All $true -ObjectId $groupObjID | Where-Object {$_.ObjectType -eq "Device"}

      • Eswar Koneti on July 8, 2020 12:36 AM

        Thank you for the update.
        I will update the post to return all devices.

        Thanks,
        Eswar

    3. Pingback: How to uninstall SCCM client using Intune Win32 app management | Eswar Koneti Blog

    4. Pingback: ICYMI: PowerShell Week of 4-October-2019 | PowerShell.org

      • Eswar Koneti on October 4, 2019 11:22 PM

        Thanks for it.
