Automatic assignment groups are useful when app deployment should stay consistent without manually creating a new Microsoft Entra group every time an Intune app is added. The pattern works best when group names, app names, and assignment intent follow the same convention.
In production tenants I recommend validating the group creation flow with one pilot application first. Check the created group, verify the Intune assignment, and document the naming rule before you let automation create groups for a larger application catalogue.
When you create a new app in the Intune admin center and do not assign it to AllUsers/AllDevices, it is always some work to create your own groups for the available, required and uninstall assignments of each app. You know I love automation. To save time and automate this work, I will describe in this blog post how you can create a runbook that takes over this work completely.

Create an App Registration
- Search for Microsoft Entra ID

- Select App registration

- Select +New registration

- Enter a Name and click Register

- Click API permissions and +Add a permission

- Select Microsoft Graph

- Select Application permissions

- Search for DeviceManagementApps.ReadWrite.All and Group.Create


- Click Grant admin consent for *** and approve with Yes

- Select Certificates & secrets and click +New client secret

- Enter a Description and select an Expires time
- Click Add

- Copy and save the Value and the Secret ID

Create Automation Account
- Search for Automation Accounts

- Click + Create

- Select a Subscription and a Resource group
- Enter an account name and select a Region
- Click Next

- Click Next

- Click Next -> Next -> Create

Create the Runbook
- Open the Automation Account
- Navigate to Variables and click + Add a variable

- Add the Secret Value and the App ID as variables





- Select Runbooks
- Click + Create a runbook

- Enter a Name
- Select PowerShell as Runbook type
- Select 5.1 as Runtime version
- Click Create

- Insert the script from my GitHub repository
- Enter the group Prefix

- Save and test the script


- Click Publish

- Navigate to Schedules and click + Add a schedule


- Click Link to schedule and add the created schedule
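
A minimal sketch of what such a runbook can do, added here as an example and not the script from my GitHub repository: it reads the app registration values from Automation variables, lists the Intune apps, prints the planned group names, and creates groups for a single pilot app only. The variable names `TenantId`, `AppId` and `AppSecret`, the parameters `Prefix` and `PilotApp`, and the naming rule `<Prefix>-<AppName>-<Intent>` are assumptions.

```powershell
param(
    [string]$Prefix   = 'APP',   # assumed group prefix
    [string]$PilotApp = ''       # exact display name of one pilot app; empty = plan only
)
# Assumed Automation variable names; the secret is assumed to be stored as an encrypted variable.
$tenantId = Get-AutomationVariable -Name 'TenantId'
$appId    = Get-AutomationVariable -Name 'AppId'
$secret   = Get-AutomationVariable -Name 'AppSecret'

# Client-credentials token for Microsoft Graph.
$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{ client_id = $appId; client_secret = $secret
             scope = 'https://graph.microsoft.com/.default'
             grant_type = 'client_credentials' }).access_token
$headers = @{ Authorization = "Bearer $token" }

# Read all Intune apps, following @odata.nextLink paging.
$apps = @()
$uri  = 'https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps'
while ($uri) {
    $page = Invoke-RestMethod -Uri $uri -Headers $headers
    $apps += $page.value
    $uri   = $page.'@odata.nextLink'
}

# Assumed naming rule: <Prefix>-<AppName>-<Intent>, one group per assignment intent.
$plan = foreach ($app in $apps) {
    foreach ($intent in 'Available', 'Required', 'Uninstall') {
        $name = '{0}-{1}-{2}' -f $Prefix, ($app.displayName -replace '\s+', ''), $intent
        [pscustomobject]@{ App = $app.displayName; Group = $name
                           Nick = ($name -replace '[^A-Za-z0-9-]', '') }
    }
}
$plan | Select-Object App, Group   # review the plan before any group is created

# Create security groups for the pilot app only. No existence check is done here,
# and Entra ID allows duplicate display names, so run this once per pilot app.
foreach ($g in $plan | Where-Object { $PilotApp -and $_.App -eq $PilotApp }) {
    $body = @{ displayName = $g.Group; mailNickname = $g.Nick
               mailEnabled = $false; securityEnabled = $true } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri 'https://graph.microsoft.com/v1.0/groups' `
        -Headers $headers -Body $body -ContentType 'application/json' | Out-Null
}
```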


Conclusion
I think this automation can save a lot of work in everyday life: if not every app is automatically made available to everyone and this is done via manual assignments instead, you save the entire work of creating the associated groups. With Power Automate, you have countless possibilities to extend this, for example to fill these groups with devices or users based on CMDB data. It is also possible to attach AllUsers/AllDevices as available for each app. The script can of course be adapted as required, for example to change the group name composition. For more ideas around app handling, check out Easy and Effective App Management in Intune. For the latest iteration, have a look at my new version of the Intune group assignment script.
Stay healthy, Cheers
Jannik