
Create and Fill an Entra ID Group based on Local Attributes

There is often a need to create an Entra ID group (formerly Azure AD) based on a local registry key or another attribute, for example to make more specific access decisions, to use the group for access rights to an application, or for many other use cases. Building an AAD group based on local attributes is the perfect way to do exactly that.

In this blog post I will show you how to create an AAD group based on local attributes with the help of Endpoint Analytics and Azure Automation. I use the device manufacturer as the example; of course we already have this info in Intune, but it is just an example of how this works. You can do the same with anything else you can read out on a client.


How the AAD group based on local attributes automation works

The value is collected with an Endpoint Analytics detection script. The collection works by writing the value to the console with Write-Host.

If we now look at the result of the remediation script in Graph, we see that the output of Write-Host is also displayed (as far as I know this is only visible via Graph).

We query this value with an Azure Automation Runbook and check if there is already a group for this manufacturer; if not, the group will be created. After that, all PCs of the manufacturer are added to the group. This is the core logic that lets us build an AAD group based on local attributes fully automatically.

Deploy an Endpoint Analytics Script to collect the value

First we deploy an Endpoint Analytics script to our clients to get the return value with the device manufacturer. This collected value is the foundation for the AAD group based on local attributes that we will build later.

  • Enter a name and click Next
  • Upload the Detection script. You can find this small script in my GitHub repository.
  • Click Next > Next
  • Assign the script to a group
  • Create a schedule. In my case I select daily.
  • Click Next > Create
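The detection script below is an added example of the collection mechanism described above (it is not the script from the author's GitHub repository). It prints the manufacturer with Write-Host so Intune stores it as the detection output, and uses exit code 0 so that no remediation is triggered on a healthy run.

```powershell
# Added example detection script for Endpoint Analytics (not the author's version).
# The Write-Host output is what the runbook later reads from Graph as
# preRemediationDetectionScriptOutput, so keep it to a single sanitised line.
try {
    $manufacturer = (Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer
    if ([string]::IsNullOrWhiteSpace($manufacturer)) { $manufacturer = 'Unknown' }
    # Keep only characters that are safe to reuse in an Entra ID group name
    Write-Host ($manufacturer.Trim() -replace '[^A-Za-z0-9 _-]', '')
    exit 0   # compliant: nothing to remediate, value was collected
} catch {
    # Report a placeholder and exit 1 so the device shows up "with issues" in the report
    Write-Host 'Unknown'
    exit 1
}
```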

Create an App Registration

  • Search for Microsoft Entra ID
  • Select App registration
  • Select +New registration
  • Enter a Name and click Register
  • Click API permissions and +Add a permission
  • Select Microsoft Graph
  • Select Application permissions
  • Search for DeviceManagementConfiguration.Read.All, Group.Create and GroupMember.ReadWrite.All
  • Click Grant admin consent for *** and approve with Yes
  • Select Certificates & secrets and click +New client secret
  • Enter a Description and select an expiration time
  • Click Add
  • Copy and save the Value and the Secret ID

Create Automation Account

  • Search for Automation Accounts
  • Click + Create
  • Select a Subscription and a Resource group
  • Enter an account name and select a Region
  • Click Next
  • Click Next
  • Click Next -> Next -> Create

Create the Runbook

  • Open the Automation Account
  • Navigate to Variables and click + Add a variable
  • Add the Secret Value, the Tenant ID and the App ID as variables
  • Select Runbooks
  • Click + Create a runbook
  • Enter a Name
  • Select PowerShell as Runbook type
  • Select 5.1 as Runtime version
  • Click Create
  • Insert the script from my GitHub repository
  • Change these variables:
    • $scriptName: name of the Endpoint Analytics script
    • $groupPrefix: prefix for the Microsoft Entra ID group
  • Save and test the script
  • Click Publish
  • Navigate to Schedules and click + Add a schedule
  • Click Link to schedule and add the created schedule
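The runbook below is an added example that follows the logic described in this post (query the script output via Graph, get or create the group per value, add the missing devices); it is not the runbook from the author's GitHub repository. It assumes Automation variables named AppId, TenantId and ClientSecret (store the secret as an encrypted variable), the beta deviceRunStates endpoint with $expand=managedDevice, and that the app registration also holds Device.Read.All, which the /devices lookup in step 4 needs on top of the permissions listed above.

```powershell
# Added example runbook, not the author's GitHub script. Assumes Automation variables
# AppId, TenantId and ClientSecret (store the secret as an encrypted variable) and
# that the app also holds Device.Read.All for the /devices lookup in step 4.
$scriptName  = 'Collect-Manufacturer'   # displayName of the Endpoint Analytics script
$groupPrefix = 'DEV-Manufacturer-'      # prefix of the Entra ID groups to create
$graph = 'https://graph.microsoft.com'
# Client-credentials token for Microsoft Graph
$tenantId = Get-AutomationVariable -Name 'TenantId'
$body = @{ grant_type = 'client_credentials'; scope = "$graph/.default"
           client_id = Get-AutomationVariable -Name 'AppId'
           client_secret = Get-AutomationVariable -Name 'ClientSecret' }
$token = (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body $body).access_token
$headers = @{ Authorization = "Bearer $token" }
function Get-GraphAll($Uri) {   # GET that follows @odata.nextLink paging
    $items = @()
    do {
        $page = Invoke-RestMethod -Headers $headers -Uri $Uri
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
    return $items
}
# 1. Find the script and read the Write-Host output stored per device
$healthScript = Get-GraphAll "$graph/beta/deviceManagement/deviceHealthScripts" | Where-Object displayName -eq $scriptName
if (-not $healthScript) { throw "Endpoint Analytics script '$scriptName' not found" }
$runStates = Get-GraphAll "$graph/beta/deviceManagement/deviceHealthScripts/$($healthScript.id)/deviceRunStates?`$expand=managedDevice"
# 2. Bucket devices by the collected value, sanitised so it is safe in a group name
$buckets = $runStates | Where-Object { $_.preRemediationDetectionScriptOutput } |
    Group-Object { $_.preRemediationDetectionScriptOutput.Trim() -replace '[^A-Za-z0-9 _-]', '' }
foreach ($bucket in $buckets) {
    $groupName = "$groupPrefix$($bucket.Name)"
    # 3. Reuse the existing group or create a new security group
    $group = Get-GraphAll "$graph/v1.0/groups?`$filter=displayName eq '$groupName'" | Select-Object -First 1
    if (-not $group) {
        $new = @{ displayName = $groupName; mailEnabled = $false; securityEnabled = $true
                  mailNickname = ($groupName -replace '[^A-Za-z0-9]', '') } | ConvertTo-Json
        $group = Invoke-RestMethod -Method Post -Headers $headers -ContentType 'application/json' -Uri "$graph/v1.0/groups" -Body $new
    }
    $members = (Get-GraphAll "$graph/v1.0/groups/$($group.id)/members?`$select=id").id
    # 4. Resolve each Intune device to its directory object and add it if missing
    foreach ($state in $bucket.Group) {
        $device = Get-GraphAll "$graph/v1.0/devices?`$filter=deviceId eq '$($state.managedDevice.azureADDeviceId)'" | Select-Object -First 1
        if ($device -and $members -notcontains $device.id) {
            $ref = @{ '@odata.id' = "$graph/v1.0/directoryObjects/$($device.id)" } | ConvertTo-Json
            Invoke-RestMethod -Method Post -Headers $headers -ContentType 'application/json' -Uri "$graph/v1.0/groups/$($group.id)/members/`$ref" -Body $ref
        }
    }
}
```

Devices that leave a manufacturer are not removed from the old group by this example; add a comparison of current members against the bucket if you need that cleanup.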

Conclusion

This script helps to target clients more precisely in the future using local attributes. With an AAD group based on local attributes you can drive dynamic access decisions that would otherwise be impossible. Of course the Manufacturer value is not the best example, as it is already part of the Intune inventory, but it helps to show how the whole mechanism works. If you want to dig deeper into the Graph calls used here, check the official Microsoft Learn documentation, and for more automation ideas have a look at my other Intune automation posts.

Stay healthy, Cheers
Jannik

9 thoughts on "Create and Fill an Entra ID Group based on Local Attributes"

  1. […] To see which devices are using a particular monitor or keyboard, it can be very helpful if you can collect this information. In this blog I will show you how to do this with the help of Endpoint Analytics. You can then use this information to assign a driver to these devices or to trigger a hardware replacement. How you can automatically populate a group based on the output of an endpoint analytics script I explained in this blog post. […]
