Removing WiFi profile errors – Automated Azure AD Group for devices with a wireless network card


Hi! Billy Mays here for Intune! Do you have WiFi profiles with errors that’s just annoying? Then you need Automated Azure AD Groups for devices only with a Wireless Network card! Okey with that awesome Billy Mays sponsored intro your probably really excited for what comes next. So a few weeks ago I did this blog post describing how to create Azure AD Groups using Azure Automation and MS Graph based on Intune devices properties

So I actually got a few messages regarding solving Intune WiFi profiles using this method so I decided I can do a use case for the last post. So this post will not go into all the details since they were covered in the last post, please head there to set up the basics. Hence this will be a shorter post than usual


So I’m not sure how many have this issue or if this perhaps can be solved using Intune Filters? But no matter this will be a neat use case for Azure AD Groups based on Intune Device properties. So once again I’m not going to cover the details for the basic setup here as they are in the last post

So this solution will basically only be the Script that collects the correct device properties and how to set it up in the Azure Automation account. We will use the enterprise application and automation account to collect all devices that register a Wireless Network card and then put them in a Group that will be updated on a regular schedule, then hopefully we will have a WiFi profile without errors

Does your WiFi profiles look like this?

What we need

  • An Enterprise Application  (We’re going to modify the one we have already)
    • We need to be able to authenticate to MS Graph and the correct API calls
  • An Azure AD Group
    • This is the group we want to maintain and populate with devices
  • A Script  (We’re going to modify the one we have already)
    • The script will be responsible for updating the Azure AD group
  • An Azure Automation Account  (We’re going to use the one we have already)
    • This is where we run the script that updates the Azure AD group

Enterprise Application

We’re gonna start of with our existing Enterprise Application, we’re going to make sure we have the permissions on the application that we need. So if you set up the same permissions I did in the last post we’re almost all set but we need to add the ability to read devices as we no longer deal with users, but if not we’re going to go through all permissions needed here

  1. Open Azure AD
  2. Navigate to App registrations
  3. Select the Application you Created previously (Note that there are multiple tabs and that if you can’t find your application select “All Applications” and search for it)
  4. Navigate to the API permissions tab
  5. Select Add a permission
  6. Chose Microsoft Graph
  7. Chose Application permissions
  8. Search Device.Read.All
  9. Mark the box for Device.Read.All under Device
  10. Repeat for permissions: DeviceManagementManagedDevices.Read.All, GroupMember.ReadWrite.All
  11. Add permissions
  12. Review that the correct permissions have been granted then Select Grant admin consent for “Tenant”

Azure AD Group

So now we’re gonna head into Azure AD to create our device group which will hold our devices with Wireless Networkcards

  1. Open Azure AD
  2. Navigate to the Groups blade
  3. Select New group
  4. Select a fitting Name for your group, I chose “WiFi Devices” but it depends on what the purpose of your group will be
  5. Select membership type Assigned
  6. Select Create

After the group is done creating, head on over to it and make record of the Object ID

Get the Object ID as we will use it later for the script


Alright, we have our Azure AD group and the correct permissions on our Enterprise Application we can move forward to the actual script

In the last Post I went through how the API calls to Intune works so I wont do it here, but lets take an image from the last post and look at it:

The information available for one Intune object

As we can se on the object we have a property for wiFimacAddress, this seem like a fitting property to use. So we’re simply going to look at each object, and if the Object has a wiFimacAddress, chances are it’s got a Wireless Network card right? And then put the device into our AzureAD Group

We can then go and assign that group to our Intune Profile and Intune wont try to push out WiFi profiles to devices that’s missing a Wireless Network card, simple and easy

Here is our script that will gather the Devices with a network card and then put into our Azure AD group

Automation Account

Onwards to the next part in our solution, the Automation Account. The Automation Account will add Azure capacity and therefore cost, however, Automation includes 500 minutes of free processing time and we will be able to use those to not add cost depending on how often you want to run your scripts. If you want to know more about costs in Azure feel free to check it out using Azure Calculator

We’re not going to use the Automation account we created in our previous post please head over there if you haven’t got one set up

When the Automation Account is finished creating we can now head into it to Upload our Script & Create our Variables

So first we’re gonna create our Variables for the script, one of the cool things about an Automation Account is you can create variables for your script Outside of the script and then import that variable into any script in your Automation Account. So that’s what we’re gonna start off doing with our Enterprise Application information

  1. Select the blade Variables
  2. Select Add a variable
  3. Now we get to name our Variable, this name must reflect the name of the Variable we import in the script. You can chose differently from what I chose as long as you update those values in the Script.
    1. Enter the name TenantID and the type String and the Value we collected earlier
    2. Enter the name IntuneGroupsApplicationID (or another fitting prefix for your ApplicationID, but if you change this it must be changed in the script as well) variable and the type String and the Value we collected earlier
    3. Enter the name IntuneGroupsAppSecret (or another fitting prefix for your AppSecret, but if you change this it must be changed in the script as well) variable and the type String and the Value we collected earlier, on this Variable chose EncryptedYes

So thats the Enterprise Application variables added, now we just need a variable for the Azure AD Group, we made note of the Object ID earlier

  1. Select Add a variable
  2. Enter the name WiFiDevicesID (or another fitting prefix for your Azure AD Group, but if you change this it must be changed in the script as well) and the type String and the Object ID we collected earlier
Variables in our Automation Account we can fetch into our Script

Now with our Variables done we can head onto uploading the script.

  1. Select the blade Runbooks
  2. Select Create a runbook
  3. Select a fitting Name for your Automation Account, I chose “ManageIntuneGroup-WiFiDevices” but it doesn’t matter
  4. For Runbook type select Powershell and for Runtime version select 5.1 (As the time of writing this 7.1 is still in preview and untested by me but if you want to use 7.1 it will probably work just as well), Enter any description you want then select Create
  5. When faced with the blank canvas we can now paste in our script, we do not need to change anything since the variables that we normally would need to change will be imported from the Automation Account unless you made changes to the Variable names
  6. Save & Publish

So that’s about it, now you can hook it up to a Schedule based on how often you want it to run I suggest running it once every hour for new devices to be added fairly quickly

Trying it out

Trying it out is really simple, you can wait for the first run or you can head to the overview page and hit Start to run it now

Select the blade Jobs in your Automation Account and you should see it as Completed or Running, hopefully not failed. If you enter the Job you can view the logs and see what’s going on. Once you clicked on the Job you can select the All Logs tab and the table shows all the details

After the job is run you should see your Azure AD group getting populated!



As always I would love if anyone comes up with ways to improve this. Since this is just an example of a use case I think the ways to improve & go further upon this are many! I also think there are a lot of great idea that people come up with using a solution like this, creating many different type of groups for different purposes, I’d love if people wanted to share. If there is anyone who wants me to post that solution I can do an update to this. I would be ever so grateful for feedback, comments or ideas how to improve upon this further

Thanks for reading

Leave a Reply