Creating Azure AD Groups based on Intune device properties using Azure Automation and MS Graph


This stems from what I’ve seen a fair amount of people over on Reddit & Twitter asking about how to solve, the problem is usually along the lines of: “How can I create a user group for all devices that has X app installed?” or “How can I create a group for all users with an Intune device?” and sometimes you can just use an Dynamic Query but then sometimes the query options just isn’t there. So then do we give up and try to find a work around? Add users or devices manually? Of course not. With MS Graph and Azure Automation only Bill’s dreams are the limit

So the solutions I will provide will act as a guideline, you should be able to exchange the properties for whatever fits your needs but in this post I will create a group for one specific purpose and then you can change that to whatever


I’ve repeated this for almost every post so far on this blog and I’m going to continue to do it when its applicable: there are multiple ways to go about solving an issue and and I’m by no way saying this is the best way to go about it. But I will say this is a quick and easy way to do accomplish your own “dynamic” groups based on whatever properties you want that requires little maintenance. I think there are a few possible solutions to this amongst the EMS bloggers but I’ve not seen one that I can recall

Our goal is to add and remove users to a group based on if they are a primary user for an Intune device (Again this will serve as an example, you can later use the same template to fiddle to your needs, also feel free to comment if you need help)

So to explain what we’re going to do to achieve our goal; We’re going to utilize MS Graph & an Azure Automation account along with an Enterprise Application. The Automation account will run a script on set intervals, depending on how often you want to update you group, and the script will connect to MS Graph using the Enterprise Application to authenticate and then query for the properties we want and then update the Azure AD Group

My last post didn’t contain a lackluster Visio Sketch to visualize the solution so this one surely must:

Automation Account is triggered on a defined time interval, it authenticates to MS Graph using the Enterprise Application and queries Intune for the properties needed and then updates the Azure AD Group based on result

What we need

  • An Enterprise Application
    • We need to be able to authenticate to MS Graph and the correct API calls
  • An Azure AD Group
    • This is the group we want to maintain and populate with our Intune Primary Users
  • A Script
    • The script will be responsible for updating the Azure AD group
  • An Azure Automation Account
    • This is where we run the script that updates the Azure AD group

See, only a few steps to get going!

Enterprise Application

Firstly we need the Enterprise application, this will be used to authenticate against MS Graph for Intune & Azure AD in order to get our properties and update our membership list

  1. Open Azure AD
  2. Navigate to App registrations
  3. Select New registration
  4. Select Accounts in this organizational directory only
  5. Select a fitting Name for your application, I chose “IntuneGroups” but it doesn’t matter
  6. Register

When the Application is finished creating we need to make Note of the Application ID and the Tenant ID visible on the Overview tab

Application ID and Tenant ID on the Overview tab

Now we need to assign the permissions we need for the Application to be able to read the information from Intune and update memberships in Azure AD. Navigate to the API permissions tab

  1. Select Add a permission
  2. Chose Microsoft Graph
  3. Chose Application permissions
  4. Search User.Read.All
  5. Mark the box for User.Read.All under User
  6. Repeat for permissions: DeviceManagementManagedDevices.Read.All, GroupMember.ReadWrite.All
  7. Add permissions
  8. Review that the correct permissions have been granted then Select Grant admin consent for “Tenant”

Now we just need to create a way for us to authenticate against the Application, navigate to the Certificates & secrets tab

  1. Make sure you have Client secrets highlighted
  2. Select New client secret
  3. Type a descriptive name for the secret and select an expiration, I chose 12 months and entered “IntuneGroups” in the description but it doesn’t matter
  4. Add
  5. Make note of the Value, Secret ID, Description & Expiration date
    1. This will be the only time the Value is visible, after leaving this tab the secret is gone forever
    2. Enter the information in e.g a Password manager solution for safe keeping

Azure AD Group

So now we’re gonna head into Azure AD to create our group which we aim to maintain using our automation.

  1. Open Azure AD
  2. Navigate to the Groups blade
  3. Select New group
  4. Select a fitting Name for your group, I chose “Primary Users for Intune Devices” but it depends on what the purpose of your group will be
  5. Select membership type Assigned
  6. Select Create

After the group is done creating, head on over to it and make record of the Object ID


Now when we have the Azure AD group in place and the Enterprise Application with the correct permissions we can start to look at the script. Before I provide the script I want to get into how the MS Graph calls work in this scenario and what type of information that can be returned and used to create your groups

So first I’m going to load my variables for the Enterprise Application and some functions to be able to gather a Token as well and do Graph Calls. This will allow me to manually execute calls that retrieve information from Intune before we head on to the fully automated solution. That script will look like this:

Okay, so it may seem like a lot of lines for something small, the functions are a bit lengthy, just focus on the Variables at the start and the lines at the end

Running the script will output information for all managed devices in our Intune tenant:

The information available for one Intune object

So now it’s getting interesting. Here we can now see the nice properties of a device in Intune that we might want to work with. Unfortunately some of the information is redacted, but we clearly have an attribute for userID that reflects the primary user of the device. This is the property we would like to gather and put into our Azure AD Group. However, before we head into populating our AzureAD we’re gonna go through the API Call

Doing our API call we utilized these lines:

So we see the Resource URL is what we’re retrieving information from. That dictates the output of our API call, information about the different API calls for Intune and more information can be found on the Docs

Microsoft Docs for List managed devices MS Graph call

If we take a look at the screenshot above, I’ve highlighted some information.

  • Navigation pane
    • Here we have highlighted on API call, List under Managed device. List as an API call usually retrieves all Object
    • If we go through the navigation pane we can see a lot of other calls such as installed applications and bit locker state and much more!
  • HTTP Request
    • Here we have the actually address we need to call, this represents our ResourceURL in the short script snippet above
  • Prerequisites
    • Here Microsoft tells us what permissions we need to grant our Enterprise Application, if you plan on doing another API call than this, make sure your Permissions are updated as well

Right, now we’ve had a look at what type of information is available, how to retrieve it and how to list it so onwards to our script that will gather the Username for each devices in our API call for all devices and then put into our Azure AD group

Automation Account

Onwards to the next part in our solution, the Automation Account. The Automation Account will add Azure capacity and therefore cost, however, Automation includes 500 minutes of free processing time and we will be able to use those to not add cost depending on how often you want to run your scripts. If you want to know more about costs in Azure feel free to check it out using Azure Calculator

First we’re going to start by creating our Automation Account that will house our script. If you already have an Automation Account feel free to use that and skip this bit

Creating the Automation Account

  1. Start off by searching for Automation Account in Azure
  2. Select Create
  3. Chose a fitting Subscription, Resource Group, and Region
  4. Select a fitting Name for your Automation Account, I chose “IntuneAutomation” but it doesn’t matter
  5. For Managed Identities’ we can uncheck both boxes
  6. Under Networking you can chose whatever supports your infrastructure, recommended to have Private Access but for this instance I chose “Public Access”
  7. Go through the rest of the tabs at your own preference and then Create

When the Automation Account is finished creating we can now head into it to Upload our Script & Create our Variables

So first we’re gonna create our Variables for the script, one of the cool things about an Automation Account is you can create variables for your script Outside of the script and then import that variable into any script in your Automation Account. So that’s what we’re gonna start off doing with our Enterprise Application information

  1. Select the blade Variables
  2. Select Add a variable
  3. Now we get to name our Variable, this name must reflect the name of the Variable we import in the script. You can chose differently from what I chose as long as you update those values in the Script.
    1. Enter the name TenantID and the type String and the Value we collected earlier
    2. Enter the name IntuneGroupsApplicationID (or another fitting prefix for your ApplicationID, but if you change this it must be changed in the script as well) variable and the type String and the Value we collected earlier
    3. Enter the name IntuneGroupsAppSecret (or another fitting prefix for your AppSecret, but if you change this it must be changed in the script as well) variable and the type String and the Value we collected earlier, on this Variable chose EncryptedYes

So thats the Enterprise Application variables added, now we just need a variable for the Azure AD Group, we made note of the Object ID earlier

  1. Select Add a variable
  2. Enter the name PrimaryUsersID (or another fitting prefix for your Azure AD Group, but if you change this it must be changed in the script as well) and the type String and the Object ID we collected earlier
Variables in our Automation Account we can fetch into our Script

Now with our Variables done we can head onto uploading the script.

  1. Select the blade Runbooks
  2. Select Create a runbook
  3. Select a fitting Name for your Automation Account, I chose “ManageIntuneGroup-PrimaryUsers” but it doesn’t matter
  4. For Runbook type select Powershell and for Runtime version select 5.1 (As the time of writing this 7.1 is still in preview and untested by me but if you want to use 7.1 it will probably work just as well), Enter any description you want then select Create
  5. When faced with the blank canvas we can now paste in our script, we do not need to change anything since the variables that we normally would need to change will be imported from the Automation Account unless you made changes to the Variable names
  6. Save & Publish

Okey so we’re almost there. The last piece of the puzzle is to link the script to a schedule. When you saved your script you should be on the overview page of your runbook

Link to Schedule
  1. Select Link to schedule
  2. Select Schedule
  3. Select Add a schedule
  4. Select a fitting Name for your Schedule, I chose “ManageIntuneGroup-PrimaryUsers-1H” but it doesn’t matter
  5. Add a fitting description
  6. Select a start time, preferable now or wait if you want to start at a later date
  7. Select Recurring
  8. Chose how often you want to run it, in this example I chose Recury every 1 hour but it depends on your needs
  9. I chose no expiration, but depends on your needs
  10. Select Create
  11. Select Parameters
  12. Select OK
  13. Select OK again

You should now see that the runbook is linked to a Schedule if you navigate to the Schedule blade

Current Schedules for this runbook

Trying it out

Trying it out is really simple, you can wait for the first run or you can head to the overview page and hit Start to run it now

Select the blade Jobs in your Automation Account and you should see it as Completed or Running, hopefully not failed. If you enter the Job you can view the logs and see what’s going on. Once you clicked on the Job you can select the All Logs tab and the table shows all the details

After the job is run you should see your Azure AD group getting populated!



As always I would love if anyone comes up with ways to improve this. I think the ways to improve upon this are many! I also think there are a lot of great idea that people come up with using a solution like this, creating many different type of groups for different purposes, I’d love if people wanted to share. If there is anyone who wants me to post that solution I can do an update to this. I would be ever so grateful for feedback, comments or ideas how to improve upon this further

Thanks for reading

This Post Has 4 Comments

  1. Anonymous

    I appreciate the detail and accuracy in this article. I was able to follow along but what I’m really looking to accomplish with Intune is a dynamic group based on a registry value (thinking application installed). I’m having trouble seeing how I can adjust this information to have it poll my devices for an installed app/reg key value.

  2. Johnny

    Just a heads up here. This will not give you the primary users but “Enrolled by”.{AZUREADDEVICEID}/registeredOwners

    Will return the primary user and return blank if nothing is set.

  3. Johnny

    How can you add a filter on the script that will only display OperatingSystem Apple or Android?

  4. Johnny

    How can you filter by operating system?

Leave a Reply