Add Microsoft Entra ID (formerly Azure AD) Users and Groups to Local Groups with Intune

In this blog post we look at how to add Microsoft Entra ID (formerly Azure AD) groups or users to a local group on a Windows device using Intune and a custom configuration profile.

First, we create a Microsoft Entra ID group and add some members to that group.

  • Open the Intune admin center
  • Click Groups -> + New group
  • Select Security as Group type and enter a Group name
  • Add some users to the group under the Members section
  • Click Create

Next we need the group's SID. For that we first need the group's Object ID, which you can find in the properties of the group.


Use Graph Explorer to look up the SID from the Object ID. Query the following URL with the group's Object ID appended:

https://graph.microsoft.com/v1.0/groups/1ad111aa1-a1aa-1a11-1111-a11111a11a111
  • Run the query with the Run query button
  • In the response, the securityIdentifier property is the group's SID (it starts with S-1-12-1-, the prefix Windows uses for Microsoft Entra ID principals)
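The SID Graph returns as securityIdentifier is derived deterministically from the Object ID, so it can also be computed (and checked) offline. The PowerShell below is an added example, not code from the original post: it assumes the encoding Windows uses for Microsoft Entra ID principals (S-1-12-1 followed by the 16 GUID bytes read as four little-endian 32-bit integers), and the Object ID in it is a constructed sample value, not the page's placeholder or a real tenant.

```powershell
# Added example (not from the original post): derive the S-1-12-1 SID that
# Graph returns as securityIdentifier directly from an Entra ID Object ID, and
# convert it back, so a SID pasted into a policy can be checked against the
# directory object it is supposed to represent.

function ConvertTo-EntraSid {
    [CmdletBinding()]
    param([Parameter(Mandatory)][guid]$ObjectId)
    # Assumed encoding: S-1-12-1 followed by the 16 GUID bytes read as four
    # little-endian UInt32 values. Guid.ToByteArray() already returns
    # Data1..Data3 little-endian and Data4 in order, so a plain byte walk works.
    $bytes = $ObjectId.ToByteArray()
    $parts = foreach ($i in 0..3) { [BitConverter]::ToUInt32($bytes, $i * 4) }
    'S-1-12-1-' + ($parts -join '-')
}

function ConvertFrom-EntraSid {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Sid)
    # Reject anything that is not a four-subauthority Entra ID SID before
    # touching bytes; a local account SID (S-1-5-21-...) must not get through.
    if ($Sid -notmatch '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$') {
        throw "Not an Entra ID SID (expected S-1-12-1-a-b-c-d): $Sid"
    }
    $bytes = [byte[]]::new(16)
    for ($i = 0; $i -lt 4; $i++) {
        [BitConverter]::GetBytes([uint32]$Matches[$i + 1]).CopyTo($bytes, $i * 4)
    }
    [guid]::new($bytes)
}

# Constructed sample Object ID (not the page's placeholder, not a real tenant).
$objectId = '73d664e4-0886-4a73-b745-c694da45ddb4'
$sid = ConvertTo-EntraSid -ObjectId $objectId
$sid                                                 # S-1-12-1-1943430372-1249052806-2496021943-3034400218
(ConvertFrom-EntraSid -Sid $sid) -eq [guid]$objectId # True: the round trip is lossless

# Online cross-check against the directory (assumed: Microsoft.Graph.Groups module
# installed and Connect-MgGraph -Scopes Group.Read.All already run):
# (Get-MgGroup -GroupId $objectId -Property securityIdentifier).SecurityIdentifier -eq $sid
```

The same conversion applies to user objects, so a Microsoft Entra ID user SID for a <member> entry can be produced from the user's Object ID without a Graph round trip; the Graph lookup remains the authoritative check.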

Now we create a custom configuration profile that sets the membership of the local group to the Microsoft Entra ID group.

  • Open the Intune admin center
  • Navigate to Devices -> Configuration profiles
  • Click + Create profile
  • Select Windows 10 and later as Platform
  • Select Template -> Custom as Profile type
  • Click Create
  • Enter a Name
  • Click Next
  • Click Add
  • Enter the following information:
  • Name: AddAdGroupToLocalGroup
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership
  • Data Type: String
  • Value:
<groupmembership>
	<accessgroup desc="LoginUsers">
		<member name="S-1-12-1-1111111111-1111111111-11111111111-111111111" />
	</accessgroup>
</groupmembership>
  • <accessgroup desc>: the name of the local group (here the group LoginUsers).
  • <member name>: the group SID we looked up above, the name of a local user, or the SID of a Microsoft Entra ID user (read from the securityIdentifier property of https://graph.microsoft.com/v1.0/users/{id} in the same way). Add one <member> line per principal. Note that this policy replaces the membership of the local group: once it applies, the listed members are the only members and anyone not listed is removed, so list the complete intended membership and be careful before pointing it at a built-in group such as Administrators.
  • Assign the policy to a group
  • Click Next
  • Click Next
  • Click Create

If we look at the local group on a device that has received the policy, we see that the Microsoft Entra ID group is a member.

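Because the policy value is hand-typed XML and the policy replaces the group's membership, it is worth generating the value from a list and then checking on a device that the group ended up with exactly that list. The following PowerShell is an added example, not code from the original post: it assumes the local group LoginUsers used above, the SIDs in it are constructed sample values, and the verification function expects to run elevated on a Windows device that has already received the profile.

```powershell
# Added example (not from the original post): build the ConfigureGroupMembership
# value for the custom OMA-URI setting from a list of members, then confirm on a
# device that the local group contains exactly those members and nothing else.

function New-GroupMembershipPolicyValue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$LocalGroup,
        # Entra ID group/user SIDs (S-1-12-1-...) or local account names.
        # This is the COMPLETE membership: RestrictedGroups removes anyone not listed.
        [Parameter(Mandatory)][string[]]$Member
    )
    # XmlWriter escapes attribute values, so a name containing & or " cannot
    # produce a malformed payload that the CSP silently rejects.
    $sb = [System.Text.StringBuilder]::new()
    $settings = [System.Xml.XmlWriterSettings]::new()
    $settings.OmitXmlDeclaration = $true
    $settings.Indent = $true
    $w = [System.Xml.XmlWriter]::Create($sb, $settings)
    $w.WriteStartElement('groupmembership')
    $w.WriteStartElement('accessgroup')
    $w.WriteAttributeString('desc', $LocalGroup)
    foreach ($m in $Member) {
        $w.WriteStartElement('member')
        $w.WriteAttributeString('name', $m)
        $w.WriteEndElement()
    }
    $w.WriteEndElement()   # accessgroup
    $w.WriteEndElement()   # groupmembership
    $w.Close()
    $sb.ToString()
}

function Test-LocalGroupMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$LocalGroup,
        [Parameter(Mandatory)][string[]]$ExpectedMember
    )
    # Resolve local account names to SIDs so everything is compared by SID:
    # Entra principals may be shown as AzureAD\Name or as a bare SID depending
    # on whether the device can resolve them, so name comparison is unreliable.
    $expected = foreach ($e in $ExpectedMember) {
        if ($e -match '^S-1-') { $e }
        else { ([System.Security.Principal.NTAccount]$e).Translate([System.Security.Principal.SecurityIdentifier]).Value }
    }
    $actual = @(Get-LocalGroupMember -Group $LocalGroup | ForEach-Object { $_.SID.Value })
    [pscustomobject]@{
        Group   = $LocalGroup
        Missing = @($expected | Where-Object { $_ -notin $actual })    # in policy, not on device
        Extra   = @($actual   | Where-Object { $_ -notin $expected })  # on device, not in policy
        InSync  = (@($expected | Where-Object { $_ -notin $actual }).Count -eq 0) -and
                  (@($actual   | Where-Object { $_ -notin $expected }).Count -eq 0)
    }
}

# Constructed sample input: one Entra ID group SID plus the built-in local
# Administrator account, which the policy would otherwise remove from the group.
$members = @(
    'S-1-12-1-1943430372-1249052806-2496021943-3034400218',
    'Administrator'
)
$value = New-GroupMembershipPolicyValue -LocalGroup 'LoginUsers' -Member $members
$value   # paste this into the Value field of the custom OMA-URI setting

# On a device that has received the profile (run as administrator):
# Test-LocalGroupMembership -LocalGroup 'LoginUsers' -ExpectedMember $members
```

If the result shows anything under Extra, the policy has not applied yet or another policy is managing the same group; anything under Missing usually means a mistyped SID, which the CSP does not report back in the portal.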

The way is a bit cumbersome, but it works. Unfortunately there is no proper built-in configuration policy for this. Two caveats to keep in mind: RestrictedGroups replaces the entire membership of the target group rather than adding to it, and on Windows 10 version 20H2 and later Microsoft recommends the LocalUsersAndGroups policy CSP instead, which can add members without replacing the existing ones; do not apply both policies to the same device. If you work a lot with Intune groups, you might also like my post about converting device groups to user groups via Graph API. Thank you for reading this blog post.

Stay healthy, Cheers
Jannik