
    Add bulk devices to the Azure AD security groups for Intune deployments

    By Eswar Koneti | July 18, 7:01 pm | Azure Active Directory | 4 Mins Read

    I was recently involved in a task to target Intune deployments at multiple groups (pre-pilot, pilot and prod). Each phase has a large set of devices from various regions, and they all follow different naming conventions too.

    All the devices are hybrid Azure AD joined. The list of devices for each phase is available (static), but how do we add these devices to the Azure AD security groups?

    Dynamic Azure AD security groups work well when you want to add devices that share a specific criterion such as naming, OS, country or any other attribute that the dynamic membership query can evaluate. In my case, though, the list is static (a few devices hand-picked from different regions), so a dynamic query does not apply and the group has to be a static (assigned) Azure AD security group.

    Once you have the list of devices (hostnames), you can go to the Azure AD/MEM portal, open the Azure AD security group, click Members and add the devices one by one. This manual method is OK for a few devices (<10), not for 100+ devices.

    In this blog post, we will see how to add devices in bulk to an Azure AD security group, first using the Azure AD portal and then using PowerShell.

    First, let's look at the GUI method using the Azure AD portal.

    In the Azure AD portal, open the security group that you wish to add the devices to, click Members, and you will see an option to import members.

    You will be asked to download a template in which you need to enter the device information.

    Once the template is downloaded, open the CSV file and you will see that the template asks for the device object ID, not the device name.

    We have the device names, not the device object IDs.

    How do we get the device object IDs from the device names?

    The easiest (and really the only) way is scripting with PowerShell. We will write a PowerShell script that reads the device names, looks up the corresponding object ID of each one and writes the result to a CSV that we can paste into the template and upload. A single lookup with the AzureAD module looks like this:

    Get-AzureADDevice -SearchString cmcb-w10-01

    As you can see above, the device (CMCB-w10-01) has two object IDs: one from Azure AD device registration and one from the hybrid Azure AD join. The DeviceTrustType of each object (covered further down) tells them apart. Note also that -SearchString is a starts-with match on the display name, so cmcb-w10-01 would also return cmcb-w10-010 if such a device existed; when names share a prefix, filter on the exact displayName instead.

    You can download the PowerShell script from the GitHub repository.

    The script needs an input (txt) file with a list of all device names.

    Run the script: it checks for the Azure AD module, connects to Azure AD, gets the device object info for each device and writes the output to a CSV file.

    Script output: the script fetches the device object for every name it finds in Azure AD, so compare the number of output rows with the number of names in the input file to spot devices that were not found.

    Now we have the object IDs of the devices. We will use the template that we downloaded earlier and append the object ID of each device.

    Copy the object IDs into the template starting from the 3rd row. Do not touch rows 1 and 2 (the template's version and header rows).

    Go to the Azure AD portal, choose the import option, upload the CSV file and wait for the status.

    Once the upload has succeeded, you can check the status of each device by clicking the "file ready" link.

    Refresh the group to see the imported devices.


    If you want to add only the devices that are hybrid Azure AD joined and not the Azure AD registered ones, we can refine the PowerShell query to filter on the device trust type:

    If DeviceTrustType = ServerAd, the device is hybrid Azure AD joined

    If DeviceTrustType = Workplace, the device is Azure AD registered

    If DeviceTrustType = AzureAd, the device is Azure AD joined (cloud only)

    Filter for the hybrid Azure AD joined object:

    Get-AzureADDevice -SearchString cmcb-w10-01 | Where {$_.DeviceTrustType -eq "ServerAd"}


    To see the count of devices by device trust type:

    Get-AzureADDevice | Group-Object DeviceTrustType | Select-Object Count,Name | Sort-Object Count

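The script below is an added example written for this post; it is not the script the author links on GitHub. It puts the one-name lookup and the trust-type filter above into one runnable piece: it reads a hostname list, resolves each name with an exact displayName filter (rather than the starts-with -SearchString), keeps only the object with the requested DeviceTrustType, flags names that are not found or that resolve to more than one object, and writes the object IDs to a CSV whose ObjectId column can be pasted into the template from row 3 onward. The file names devices.txt and device-objectids.csv, the CSV column names and the Status values are assumptions. It uses the AzureAD module the post uses; that module has since been deprecated in favour of the Microsoft Graph PowerShell SDK (the warning quoted in the comments below comes from that), where the equivalent cmdlet is Get-MgDevice.

```powershell
# Added example for this post (not the author's GitHub script).
# Resolves hostnames from a text file to Azure AD device object IDs, keeps only the
# object with the wanted DeviceTrustType, and writes a CSV whose ObjectId column can be
# pasted into the portal's import template from row 3 onward.
# Assumptions: AzureAD module installed; file names and column names are illustrative.
param(
    [string]$InputFile  = ".\devices.txt",            # one hostname per line
    [string]$OutputFile = ".\device-objectids.csv",
    [ValidateSet("ServerAd", "AzureAd", "Workplace")]
    [string]$TrustType  = "ServerAd"                  # ServerAd = hybrid Azure AD joined
)

Import-Module AzureAD -ErrorAction Stop

# Reuse an existing session; Get-AzureADTenantDetail throws when not connected.
try   { $null = Get-AzureADTenantDetail -ErrorAction Stop }
catch { $null = Connect-AzureAD }

$names = Get-Content -Path $InputFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    Sort-Object -Unique

$results = foreach ($name in $names) {
    # -SearchString is a starts-with match (cmcb-w10-01 also returns cmcb-w10-010),
    # so use an exact OData filter; single quotes are escaped by doubling them.
    $escaped = $name -replace "'", "''"
    $found  = @(Get-AzureADDevice -Filter "displayName eq '$escaped'")
    $wanted = @($found | Where-Object { $_.DeviceTrustType -eq $TrustType })

    $status = if ($wanted.Count -eq 1)     { "OK" }
              elseif ($wanted.Count -gt 1) { "Ambiguous" }      # e.g. stale objects left by a re-image
              elseif ($found.Count -gt 0)  { "WrongTrustType" } # only registered/other objects exist
              else                         { "NotFound" }

    if ($wanted.Count -gt 0) {
        foreach ($d in $wanted) {
            [pscustomobject]@{
                DeviceName      = $name
                ObjectId        = $d.ObjectId
                DeviceId        = $d.DeviceId
                DeviceTrustType = $d.DeviceTrustType
                AccountEnabled  = $d.AccountEnabled
                Status          = $status
            }
        }
    }
    else {
        [pscustomobject]@{
            DeviceName      = $name
            ObjectId        = $null
            DeviceId        = $null
            DeviceTrustType = ($found.DeviceTrustType -join ';')   # what exists instead, if anything
            AccountEnabled  = $null
            Status          = $status
        }
    }
}

$results | Export-Csv -Path $OutputFile -NoTypeInformation -Encoding UTF8
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Only rows with Status OK are safe to import; Ambiguous rows need a human decision.
$ready = @($results | Where-Object Status -eq "OK").Count
Write-Host "$ready of $($names.Count) names resolved to exactly one $TrustType object; see $OutputFile"
```

Run it as, for example, .\Resolve-DeviceObjectIds.ps1 -InputFile .\pilot.txt (the script name is an assumption) with an account that can read devices; no write permission is needed for this step. The Status column is the check the portal template cannot give you: a NotFound row is usually a typo or a device that never completed its hybrid join, and an Ambiguous row means two hybrid-joined objects carry the same name, which should be cleaned up before either object is put in a deployment group.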

    2nd method, using PowerShell:

    This method requires two inputs: 1) the Azure AD security group name and 2) a CSV file that contains the device names and object IDs. For the CSV file, we still need the lookup script to get the object IDs of the devices.

    When you run the script, as usual, it checks for the Azure AD module and prompts for authentication.

    Once authentication succeeds, it asks for the device group name followed by the CSV file.

    A log file is created that tracks the status of each device.

    In the run shown here, the devices had already been added to the group, hence they fail to add.
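As an added example (again not the author's GitHub script), the following PowerShell does what the second method describes, with two checks worth having. It refuses to run unless the group name resolves to exactly one assigned security group, because group display names are not unique and a typo would otherwise add the devices to the wrong group and quietly change who receives the Intune deployment. It also snapshots the current membership first, so devices that are already members are logged as skipped instead of being reported as failures, which is the situation in the run above. It reads the CSV layout produced by the lookup example (DeviceName and ObjectId columns), which is an assumption, and uses Get-AzureADMSGroup rather than Get-AzureADGroup because that cmdlet exposes GroupTypes.

```powershell
# Added example for this post (not the author's GitHub script).
# Adds the device object IDs from the lookup CSV to a static Azure AD security group,
# logging every action and skipping devices that are already members instead of
# reporting them as failures. Assumes a CSV with DeviceName and ObjectId columns.
param(
    [Parameter(Mandatory = $true)]
    [string]$GroupName,
    [string]$CsvFile = ".\device-objectids.csv",
    [string]$LogFile = ".\add-devices-$(Get-Date -Format 'yyyyMMdd-HHmmss').log"
)

Import-Module AzureAD -ErrorAction Stop
try   { $null = Get-AzureADTenantDetail -ErrorAction Stop }
catch { $null = Connect-AzureAD }

function Write-Log {
    param([string]$Message)
    $line = "{0:u} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# Resolve the group by exact display name. Group names are not unique in Azure AD, and
# adding devices to the wrong group silently changes who receives the Intune deployment,
# so stop on anything other than exactly one assigned security group.
$escaped = $GroupName -replace "'", "''"
$groups  = @(Get-AzureADMSGroup -Filter "displayName eq '$escaped'")
if ($groups.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($groups.Count)."
}
$group = $groups[0]
if (-not $group.SecurityEnabled) {
    throw "'$GroupName' is not a security group."
}
if ($group.GroupTypes -contains "DynamicMembership") {
    throw "'$GroupName' is a dynamic group; its membership is rule-based and cannot be added to."
}
Write-Log "Target group: $($group.DisplayName) ($($group.Id))"

# One membership snapshot up front instead of a lookup per device.
$existing = @{}
Get-AzureADGroupMember -ObjectId $group.Id -All $true |
    ForEach-Object { $existing[$_.ObjectId] = $true }
Write-Log "Group currently has $($existing.Count) members"

# Ignore rows whose ObjectId is blank or not a GUID (NotFound/WrongTrustType rows from the lookup).
$guidPattern = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
$rows = Import-Csv -Path $CsvFile | Where-Object { $_.ObjectId -match $guidPattern }

$added = 0; $skipped = 0; $failed = 0
foreach ($row in $rows) {
    if ($existing.ContainsKey($row.ObjectId)) {
        Write-Log "SKIP   $($row.DeviceName) $($row.ObjectId) is already a member"
        $skipped++
        continue
    }
    try {
        Add-AzureADGroupMember -ObjectId $group.Id -RefObjectId $row.ObjectId -ErrorAction Stop
        $existing[$row.ObjectId] = $true      # also guards against duplicate rows in the CSV
        Write-Log "ADDED  $($row.DeviceName) $($row.ObjectId)"
        $added++
    }
    catch {
        Write-Log "FAILED $($row.DeviceName) $($row.ObjectId): $($_.Exception.Message)"
        $failed++
    }
}
Write-Log "Done. Added=$added Skipped=$skipped Failed=$failed (log: $LogFile)"
```

Run it as, for example, .\Add-DevicesToGroup.ps1 -GroupName 'Intune-Pilot-Devices' (script and group names are assumptions) with an account that can modify the group's membership, such as a group owner or a Groups Administrator; keep that account separate from the read-only one used for the lookup. Because already-present members are skipped, the script can be re-run after a partial failure and will only touch the devices that are still missing, and the FAILED lines in the log are then real problems rather than noise.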

    You can download both scripts from GitHub and simplify or extend them according to your needs.

    Hope this helps!


    6 Comments

    1. Gesh on March 26, 2025 4:25 AM

      Hello, please explain the PowerShell script. I am in the process of upgrading over 10 thousand devices. I needed your help in resolving this issue. Thank you

      • Eswar Koneti on March 30, 2025 11:11 AM

        Hi,
        I have uploaded a new/revised PowerShell script that basically does the following.
        1. Input the devices into the devices.txt file
        2. Run the PowerShell script; it asks for the filename (txt)
        3. Process the device list and prompt for the security group name.

        This method helps you add the list of devices to the Entra security group.

        You can download the script from https://github.com/eskonr/MEMPowered/blob/master/Scripts/Azure%20Active%20Directory/EntraID-AddDevicesToSecurityGroup.zip

        Thanks,
        Eswar
        • Gesh on April 13, 2025 7:33 PM

          Thank you for sharing, and please, what change do I need to make on my side for the script? I created the device list and got the error message below.
          Split-Path : Cannot bind argument to parameter 'Path' because it is null.
          At line:11 char:25
          + $directory = Split-Path $scriptpath
          + ~~~~~~~~~~~
          + CategoryInfo : InvalidData: (:) [Split-Path], ParameterBindingValidationException
          + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.SplitPathCommand

          Split-Path : Cannot bind argument to parameter 'Path' because it is null.
          At line:14 char:19
          + $dir = Split-Path $scriptpath
          + ~~~~~~~~~~~
          + CategoryInfo : InvalidData: (:) [Split-Path], ParameterBindingValidationException
          + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.SplitPathCommand

          Unable to retrieve Azure AD tenant details.
          WARNING: Install the latest PowerShell module, the Microsoft Graph PowerShell SDK, for new features and improvements! https://aka.ms/graphPSmigration
          Unable to connect to Azure AD services.

          • Eswar Koneti on April 29, 2025 1:27 AM

            Hi,
            Split-Path : Cannot bind argument to parameter 'Path' because it is null. This error is due to the script not being able to find its own location when run from the PowerShell window. If you are running the script from a PowerShell window, make sure you browse to the script location and run the script from there. If you are using ISE, make sure you change the directory to the script location so that it can identify the script path automatically.

            Thanks,
            Eswar
      • Gesh on April 13, 2025 7:37 PM

        Thank you for sharing, and what change do I need to make on my side? I am getting the error message below when I run the script.

        Split-Path : Cannot bind argument to parameter 'Path' because it is null.
        At line:11 char:25
        + $directory = Split-Path $scriptpath
        + ~~~~~~~~~~~
        + CategoryInfo : InvalidData: (:) [Split-Path], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.SplitPathCommand

        Split-Path : Cannot bind argument to parameter 'Path' because it is null.
        At line:14 char:19
        + $dir = Split-Path $scriptpath
        + ~~~~~~~~~~~
        + CategoryInfo : InvalidData: (:) [Split-Path], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.SplitPathCommand

        Unable to retrieve Azure AD tenant details.
        WARNING: Install the latest PowerShell module, the Microsoft Graph PowerShell SDK, for new features and improvements! https://aka.ms/graphPSmigration
        Unable to connect to Azure AD services.

        • Eswar Koneti on April 29, 2025 1:27 AM

          Hi,
          Split-Path : Cannot bind argument to parameter 'Path' because it is null. This error is due to the script not being able to find its own location when run from the PowerShell window. If you are running the script from a PowerShell window, make sure you browse to the script location and run the script from there. If you are using ISE, make sure you change the directory to the script location so that it can identify the script path automatically.

          Thanks,
          Eswar
