Synchronizing an Azure AD group with a kiosk configuration profile is mainly about keeping the assignment target reliable. The group should clearly describe the kiosk scenario, the device ownership model, and the configuration profile it belongs to.
Before using the approach in production, validate the group membership, profile assignment, and device check-in behavior on a small number of test devices. This makes it easier to separate assignment problems from kiosk shell or application configuration problems.
I have already described in a previous blog how to deploy a device as a kiosk device using Intune. This actually works really well. There is only one small thing that is really inconvenient. If a Microsoft Entra ID (formerly Azure AD) user or group is selected as the logon type (only specific users are allowed to log on to these devices), this policy must not only be assigned to a group, but the allowed users must also be defined in the profile. The option also allows you to add Microsoft Entra ID users and groups, and the SIDs of these objects are written to the local group, but Windows cannot resolve the Microsoft Entra ID groups (bug or feature?). The resolution of whether the user who is trying to log in is a member of one of the groups is done by Windows via Graph; when MFA is disabled, it works. But if MFA is enabled, Windows fails to get the token. In this blog I want to show you how you can easily work around this by syncing a Microsoft Entra ID group with this configuration profile.
Create a App Registration
- Search for Microsoft Entra ID
- Select App registration
- Select +New registration
- Enter a Name and click Register
- Click API permissions and +Add a permission
- Select Microsoft Graph
- Select Application permissions
- Search for DeviceManagementManagedDevices.Read.All and GroupMember.Read.All
- Click Grant admin consent for *** and approve with Yes
- Select Certificates & secrets and click +New client secret
- Enter a Description and select a Expires time
- Click Add
- Copy and save the Value and the Secret ID
Create Automation Account
- Search for Automation Accounts
- Click + Create
- Select a Subscription and a Resource group
- Enter an account name and select a Region
- Click Next
- Click Next
- Click Next -> Next -> Create
Create the Runbook
- Open the Automation Account
- Navigate to Variables and click + Add a variable
- Add the Secret Value and the App ID as Variable
- Select Runbooks
- Click + Create a runbook
- Enter a Name
- Select PowerShell as Runbook type
- Select 5.1 as Runtime version
- Click Create
- Insert the Script from my Github repository
- Enter the profileId and groupId
- Save and test the script
- Click Publish
- Navigate to Schedules and click + Add a schedule
- Click Link to schedule and add the created schedule
Conclusion
Azure Automation is a very cool service for automating tasks in Intune/Azure via a script. I hope this blog explained how Azure Automation works and helped you sync a Microsoft Entra ID group with a kiosk policy without having to add users manually every time.
Stay healthy, Cheers
Jannik