All / Intune / Powershell

Automatically create assignment groups when a app is created

jannikreinhard1 Comment

When creating a new app in MEM and not assigning it to AllUser/AllDevices this is always some work to create own group for available/required and uninstall assignments for each app. You know I love automation. To save time and automate this work I will describe in this blog how you can create a runbook that takes this work completely over.

Create a App Registration

  • Search for Azure Active Directory
  • Select App registration
  • Select +New registration
  • Enter a Name and click Register
  • Click API permissions and +Add a permission
  • Select Microsoft Graph
  • Select Application permissions
  • Search for DeviceManagementApps.ReadWrite.All and Group.Create
  • Click Grant admin consent for *** and approve with Yes
  • Select Certificates & secrets and click +New client secret
  • Enter a Description and select a Expires time
  • Click Add
  • Copy and save the Value and the Secret ID

Create Automation Account

  • Search for Automation Accounts
  • Click + Create
  • Select a Subscription and a Resource group
  • Enter and account name and select a Region
  • Click Next
  • Click Next
  • Click Next -> Next -> Create

Create the Runbook

  • Open the Automation Account
  • Navigate to Variables and click + Add a variable
  • Add the Secret Value and the App ID as Variable
  • Select Runbooks
  • Click + Create a runbook
  • Enter a Name
  • Select PowerShell as Runbook type
  • Select 5.1 as Runtime version
  • Click Create
  • Save and test the script
  • Click Publish
  • Navigate to Schedules and click + Add a schedule

  • Click Link to schedule and add the created schedule

Conclusion

I think this automation can save a lot of work in everyday life if not every app is automatically made available to everyone but this is done via manual assignments, you have saved the entire work of creating the associated groups. With Power Automate, you have countless possibilities to extend this for example, to fill these groups with devices or user based on CMDB data, or what is also possible is that for each app you can also attach AllUsers/AllDevices as available. The script can of course be adapted as required to change for example, the group name composition.

Stay healthy, Cheers
Jannik

One thought on “Automatically create assignment groups when a app is created

Comments are closed.