Sync Azure AD Group with Kiosk Config Profile

I have already described in a previous blog how to deploy a device as a kiosk device using Intune. This actually works really well. There is only one small thing that is really inconvenient. If Azure AD user or group is selected as logon type (only specific users are allowed to logon on this devices), this policy must not only be assigned to a group, but also the allowed user must be defined in the profile. The option also allows to add AAD users and groups and the SIDs of these objects are also written to the local group but Windows cannot resolve the AAD groups (bug or feature?). The resolution of whether the user who is trying to log in is in one of the groups is done by Windows via Graph when MFA is disabled. it will also work. But if MFA is enabled windows fails to get the token. In this blog I want to show you how you can easily work around this by syncing an Azure AD group with this configuration profile.

Create a App Registration

  • Search for Azure Active Directory
  • Select App registration
  • Select +New registration
  • Enter a Name and click Register
  • Click API permissions and +Add a permission
  • Select Microsoft Graph
  • Select Application permissions
  • Search for DeviceManagementManagedDevices.Read.All and GroupMember.Read.All
  • Click Grant admin consent for *** and approve with Yes
  • Select Certificates & secrets and click +New client secret
  • Enter a Description and select a Expires time
  • Click Add
  • Copy and save the Value and the Secret ID

Create Automation Account

  • Search for Automation Accounts
  • Click + Create
  • Select a Subscription and a Resource group
  • Enter and account name and select a Region
  • Click Next
  • Click Next
  • Click Next -> Next -> Create

Create the Runbook

  • Open the Automation Account
  • Navigate to Variables and click + Add a variable
  • Add the Secret Value and the App ID as Variable
  • Select Runbooks
  • Click + Create a runbook
  • Enter a Name
  • Select PowerShell as Runbook type
  • Select 5.1 as Runtime version
  • Click Create
  • Save and test the script
  • Click Publish
  • Navigate to Schedules and click + Add a schedule
  • Click Link to schedule and add the created schedule


Azure automation is a very cool service to automate tasks in Intune/Azure via a script. I hope I could explain you with this blog how Azure automation works and help you how to sync an AAD group with a kiosk policy and not have to add the users manually every time.

Stay healthy, Cheers