There is often a need to create an AAD group based on a local registry key or another local attribute, for example to grant more specific access rights to an application, or for many other use cases. In this blog post I will show you how to do this with the help of Endpoint Analytics and Azure Automation, using the device manufacturer as the example. Of course we already have this information in Intune, but it shows how the mechanism works, and you can do the same with anything else you can read out on a client.

How does it work
The value is collected with an Endpoint Analytics detection script. The collection works by writing the value to the script output with Write-Host.

If we now look at the result of the remediation script via Graph, we see that the Write-Host output is also displayed (as far as I know, this is only visible through Graph).

We query this value with an Azure Automation runbook and check whether a group for this manufacturer already exists; if not, the group is created. After that, all PCs of that manufacturer are added to the group.
Deploy an Endpoint Analytics script to collect the value
First we deploy an Endpoint Analytics script to our clients so that each client returns its device manufacturer as the script output.
- Open Endpoint Analytics
- Click + Create script package

- Enter a name and click Next

- Upload the detection script. You can find this small script in my GitHub repository.
- Click Next > Next

- Assign the script to a group
- Create a schedule. In my case I select daily.
- Click Next > Create

Create an App Registration
- Search for Azure Active Directory

- Select App registration

- Select +New registration

- Enter a Name and click Register

- Click API permissions and +Add a permission

- Select Microsoft Graph

- Select Application permissions

- Search for DeviceManagementConfiguration.Read.All, Group.Create and GroupMember.ReadWrite.All
- Click Grant admin consent for *** and approve with Yes

- Select Certificates & secrets and click +New client secret

- Enter a Description and select an Expires time
- Click Add

- Copy and save the Value and the Secret ID

Create Automation Account
- Search for Automation Accounts

- Click + Create

- Select a Subscription and a Resource group
- Enter an account name and select a Region
- Click Next

- Click Next

- Click Next -> Next -> Create

Create the Runbook
- Open the Automation Account
- Navigate to Variables and click + Add a variable

- Add the secret Value, the Tenant ID and the App ID as variables
- Select Runbooks
- Click + Create a runbook

- Enter a Name
- Select PowerShell as Runbook type
- Select 5.1 as Runtime version
- Click Create

- Insert the script from my GitHub repository
- Change these two variables:
  - $scriptName: name of the Endpoint Analytics script
  - $groupPrefix: prefix for the AAD group

- Save and test the script


- Click Publish

- Navigate to Schedules and click + Add a schedule


- Click Link to schedule and add the created schedule
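Put together, the runbook logic described above looks like this, as an added example and not the script from the author's GitHub repository. The Automation variable names AppId, TenantId and AppSecret, the script display name and the group prefix are assumptions, and resolving a device's directory object id needs Device.Read.All in addition to the permissions listed above.

```powershell
# Added example (not the script from the author's GitHub repository). Assumes Automation
# variables named AppId, TenantId and AppSecret (store AppSecret as an encrypted variable)
# and the beta Graph endpoint for device health script run states.
$scriptName  = 'Get-Manufacturer'   # display name of the Endpoint Analytics script package
$groupPrefix = 'DEV-Manufacturer-'  # prefix for the AAD groups to create

$tenantId = Get-AutomationVariable -Name 'TenantId'
$body = @{
    client_id     = Get-AutomationVariable -Name 'AppId'
    client_secret = Get-AutomationVariable -Name 'AppSecret'
    scope         = 'https://graph.microsoft.com/.default'
    grant_type    = 'client_credentials'
}
$token   = (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body $body).access_token
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
$graph   = 'https://graph.microsoft.com/beta'
# Find the script package by display name (DeviceManagementConfiguration.Read.All).
$script = (Invoke-RestMethod -Headers $headers -Uri "$graph/deviceManagement/deviceHealthScripts").value |
          Where-Object { $_.displayName -eq $scriptName } | Select-Object -First 1
if (-not $script) { throw "Endpoint Analytics script '$scriptName' not found" }

# Collect the detection script's Write-Host output per device, following paging.
$states = @()
$uri = "$graph/deviceManagement/deviceHealthScripts/$($script.id)/deviceRunStates?`$expand=managedDevice"
do {
    $page    = Invoke-RestMethod -Headers $headers -Uri $uri
    $states += $page.value
    $uri     = $page.'@odata.nextLink'
} while ($uri)

# One group per distinct manufacturer value; devices with empty output are skipped.
foreach ($set in $states | Where-Object { $_.preRemediationDetectionScriptOutput } |
         Group-Object { $_.preRemediationDetectionScriptOutput.Trim() }) {
    $groupName = "$groupPrefix$($set.Name)" -replace '[^\w\- ]', ''   # keeps the OData filter safe
    $group = (Invoke-RestMethod -Headers $headers -Uri "$graph/groups?`$filter=displayName eq '$groupName'").value | Select-Object -First 1
    if (-not $group) {
        $new = @{ displayName = $groupName; mailEnabled = $false; mailNickname = ($groupName -replace '\W', ''); securityEnabled = $true } | ConvertTo-Json
        $group = Invoke-RestMethod -Method Post -Headers $headers -Uri "$graph/groups" -Body $new
    }
    $members = (Invoke-RestMethod -Headers $headers -Uri "$graph/groups/$($group.id)/members?`$select=id").value.id
    foreach ($state in $set.Group) {
        # azureADDeviceId is the AAD deviceId; adding a member needs the directory object id (Device.Read.All).
        $device = (Invoke-RestMethod -Headers $headers -Uri "$graph/devices?`$filter=deviceId eq '$($state.managedDevice.azureADDeviceId)'").value | Select-Object -First 1
        if ($device -and $members -notcontains $device.id) {
            $ref = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($device.id)" } | ConvertTo-Json
            Invoke-RestMethod -Method Post -Headers $headers -Uri "$graph/groups/$($group.id)/members/`$ref" -Body $ref | Out-Null
        }
    }
}
```

Devices that are already members are skipped, so the runbook can safely run on the daily schedule without producing duplicate-member errors.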


Conclusion
This script helps to target devices more precisely in the future using local attributes. Of course the manufacturer value is not the best example, as it is already part of the Intune inventory, but it helps to show how the whole mechanism works.
Stay healthy, Cheers
Jannik
Where does it store the data?
I'm curious why it wouldn't be easier to store advanced inventory for your machines in Log Analytics and use something like the following to populate a table.
https://msendpointmgr.com/2021/04/12/enhance-intune-inventory-data-with-proactive-remediations-and-log-analytics/
This is also a nice way to collect inventory, but it has a big disadvantage. You have to add the Log Analytics key in the script. When you run an Endpoint Analytics script you can see the code in the log file. With this key you have the possibility to flood the Log Analytics workspace.
[…] https://jannikreinhard.com/2022/08/28/create-and-fill-aad-group-based-on-an-local-attributes/ […]
Nice idea 🙂
With large device numbers you could speed things up a bit by using a PATCH request to add up to 20 members to a group at once, and fallback to an individual POST if needed.
Great workaround. This is a feature that would be beneficial to have built in to Intune.
Additionally it would be nice to have a way to move a device from one existing AAD group to another existing AAD group based on local attributes. Example if device have currently settings X in use and then these got switched to something else that you want to track. In this type of case device should not be part of two or more specific AAD groups at the same time.
Is this something you have tested? Do you have a script for it?
Hey Jouni, this should not be a big deal, only a small adaptation of the automation script. If you need support let me know. I am happy to help you.