Add Azure AD user and group into a local group

In this blog post we will look at how you can add Azure AD groups or users to a local group using Intune and a custom configuration profile.

First, we create an Azure AD group and add some members to that group.

  • Open the MEM Portal
  • Click Groups -> + New group
  • Select Security as Group type and enter a Group name
  • Add some users to the group under the Members section
  • Click Create

Next we need to read out the group SID. To do this we first need the ObjectID of the group, which you can find in the properties of the group.

Then use the Graph Explorer to convert the ObjectID to the SID. Enter the following URL followed by the group's Object ID:
  • Run the query with the Run query button
  • In the results you can find the securityIdentifier

Now we create a custom configuration profile to sync the Azure AD group with the local group.

  • Open the MEM Portal
  • Navigate to Devices -> Configuration Profile
  • Click + Create profile
  • Select Windows 10 and later as Platform
  • Select Template -> Custom as Profile type
  • Click Create
  • Enter a Name
  • Click Next
  • Click Add
  • Enter the following information:
  • Name: AddAdGroupToLocalGroup
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership
  • Data Type: String
  • Value (the CSP expects a complete groupmembership document, so the accessgroup element must be closed and wrapped as shown):
	<groupmembership>
		<accessgroup desc = "LoginUsers">
			<member name = "S-1-12-1-1111111111-1111111111-11111111111-111111111" />
		</accessgroup>
	</groupmembership>
  • <accessgroup desc>: the name of the local group.
  • <member name>: the group SID we found above, the user name of a local user, or the SID of an Azure AD user (you can add multiple member lines)
  • Assign the policy to a group
  • Click Next
  • Click Next
  • Click Create

If we look at the local group we see that the Azure AD group is a member.
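The SID lookup and the verification step above can also be scripted. The following is an added example, not code from the original post: it derives the Azure AD SID offline from the ObjectID (the same value the Graph securityIdentifier field returns), builds the ConfigureGroupMembership value, and checks the local group on a device. It assumes the built-in Microsoft.PowerShell.LocalAccounts module on the target device and uses a constructed placeholder ObjectID.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1+ with the
# Microsoft.PowerShell.LocalAccounts module on the device that received the profile.

function ConvertTo-AzureAdSid {
    param([Parameter(Mandatory)][guid]$ObjectId)
    # Azure AD SIDs have the form S-1-12-1-<a>-<b>-<c>-<d>: the 16 GUID bytes read as
    # four little-endian UInt32 sub-authorities. This equals the Graph securityIdentifier.
    $b = $ObjectId.ToByteArray()
    $parts = 0, 4, 8, 12 | ForEach-Object { [BitConverter]::ToUInt32($b, $_) }
    return "S-1-12-1-$($parts -join '-')"
}

function New-GroupMembershipXml {
    param(
        [Parameter(Mandatory)][string]$LocalGroup,
        [Parameter(Mandatory)][string[]]$Members
    )
    # RestrictedGroups enforces the exact list: members not listed are removed from the
    # local group, so include every principal you intend to keep in that group.
    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.AppendLine('<groupmembership>')
    [void]$sb.AppendLine("    <accessgroup desc = `"$LocalGroup`">")
    foreach ($m in $Members) {
        $escaped = [System.Security.SecurityElement]::Escape($m)   # keep the XML well-formed
        [void]$sb.AppendLine("        <member name = `"$escaped`" />")
    }
    [void]$sb.AppendLine('    </accessgroup>')
    [void]$sb.Append('</groupmembership>')
    return $sb.ToString()
}

function Test-LocalGroupHasSid {
    param([Parameter(Mandatory)][string]$LocalGroup, [Parameter(Mandatory)][string]$Sid)
    # Verification on the device: an Azure AD group appears by SID (its name may not
    # resolve offline), so compare on the SID rather than on the display name.
    $members = Get-LocalGroupMember -Group $LocalGroup -ErrorAction Stop
    return [bool]($members | Where-Object { $_.SID.Value -eq $Sid })
}

# Constructed placeholder ObjectID (not a real tenant object)
$groupObjectId = '11111111-2222-3333-4444-555555555555'
$sid = ConvertTo-AzureAdSid -ObjectId $groupObjectId
# Value to paste into the custom OMA-URI setting; 'LocalServiceUser' is a hypothetical local account
$xml = New-GroupMembershipXml -LocalGroup 'LoginUsers' -Members @($sid, 'LocalServiceUser')
Write-Output $xml
# After the profile has applied, run on the device:
# Test-LocalGroupHasSid -LocalGroup 'LoginUsers' -Sid $sid
```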

This approach is a bit cumbersome, but it works. Unfortunately there is no proper configuration policy for this. Thank you for reading this blog post.

Stay healthy, Cheers