How to make an Azure AD device group based on an on-prem AD user group.

Our Quest: Take an on-prem AD user group, take their devices listed in Intune and shove them into an AAD device group.

Answer:
Normally, SCCM does this better via Primary Users collection query, but hey, we’re in Microsoft Intune now, Baby!
Oh okay, hold on a sec, you need a few things:

  1. Azure AD PowerShell module

  2. Microsoft Graph API

  3. Set up your consents (the app permissions).. umm, I'll just link a neighboring blogger, they do a good job at this:
    (https://www.petervanderwoude.nl/post/use-powershell-and-microsoft-graph-to-access-data-in-microsoft-intune/)


Okay, so now you need to import your Azure AD PowerShell module and connect to MSGraph. The beta schema switch right here is optional because we are actually using v1.0 (the production version of the Graph API), but we do need the Connect-MSGraph part.

# this is to connect to MSGraph (Connect-MSGraph comes from the Intune PowerShell SDK, the Microsoft.Graph.Intune module)
# switching the schema to beta is optional: the request further down uses an explicit v1.0 URL anyway
If ((Get-MSGraphEnvironment).SchemaVersion -ne "beta")
{
    $null = Update-MSGraphEnvironment -SchemaVersion beta
}

$Graph = Connect-MSGraph

Next, we need to connect to Azure AD with the Azure AD PowerShell module.. now this is up to you, but here's how I did it.

# this is to connect to azure-ad
Connect-AzureAD

Now.. learn and make sure you know how to browse around the Graph API:

  Graph Explorer - Microsoft Graph

  Microsoft Graph REST API v1.0 reference - Microsoft Graph v1.0 | Microsoft Docs

Okay, next is grabbing all of the members' ObjectIDs from the (synced) on-prem AD group.

$gADMember = (Get-AzureADGroup -Filter "DisplayName eq 'myADGroup'" -All $true | Get-AzureADGroupMember -All $true)

# keep only user objects; a nested group as a member would break the /users/{id} lookup below
$gADMemberIDs = ($gADMember | Where-Object { $_.ObjectType -eq "User" }).ObjectID

Next, we'll take the ObjectIDs and use them to get their ManagedDevices using the Graph API.

#this will get the azure ad device and device name
$ManagedDevices = foreach ($gADMemberID in $gADMemberIDs)
{
    $URI = "https://graph.microsoft.com/v1.0/users/$gADMemberID/manageddevices"
    $graphOutput = Invoke-MSGraphRequest -HttpMethod GET -Url $URI

    #we only want Windows Devices here, but you can certainly remove the where-object or create your own logic here.
    $AADDeviceIDs = ($graphOutput.value | Where-Object {$_.OperatingSystem -eq "Windows"} | select azureADDeviceID, deviceName)
    $AADDeviceIDs
}

# ObjectId of the target Azure AD device group; the group name is a placeholder, replace it with yours
$groupObjID = (Get-AzureADGroup -Filter "DisplayName eq 'myAADDeviceGroup'").ObjectId

foreach ($x0 in $ManagedDevices) {
    $name = $x0.deviceName
    $id   = $x0.azureADDeviceId

    #Adding Devices to the Azure AD Group
    # match by name first, then confirm the DeviceId so two devices with the same name can't be mixed up
    $devices = (Get-AzureADDevice -Filter "(DisplayName eq '$name')" | Where-Object {$_.DeviceID -eq "$id"}).objectID

    if ($devices)
    {
        foreach ($device in $devices)
        {
            # Add-AzureADGroupMember throws if the device is already a member, so log it and keep going
            try   { Add-AzureADGroupMember -ObjectId $groupObjID -RefObjectId $device }
            catch { Write-Warning "Could not add $name ($device): $($_.Exception.Message)" }
        }
    }
}
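Here is a second take on the same procedure, written as an added example rather than the post's own script. It assumes the same two modules are already connected (Connect-MSGraph from Microsoft.Graph.Intune and Connect-AzureAD), and the two group names are placeholders. It goes a bit beyond the script above: it follows @odata.nextLink so users with more than one page of managed devices aren't truncated, it works out the delta before changing anything (so the run is reviewable), it skips devices that are already members instead of erroring on them, and it can optionally remove devices whose owner has left the user group, which the add-only loop above never does.

```powershell
# Added example, not the original post's code. Assumes Connect-MSGraph and Connect-AzureAD
# have already been run. Group names below are placeholders.
$userGroupName   = 'myADGroup'          # synced on-prem user group (placeholder)
$deviceGroupName = 'myAADDeviceGroup'   # target Azure AD device group (placeholder)
$removeStale     = $false               # $true also removes devices whose owner left the user group

# Follow @odata.nextLink so results beyond the first page are not silently dropped.
function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Url)
    $items = @()
    while ($Url) {
        $page   = Invoke-MSGraphRequest -HttpMethod GET -Url $Url
        $items += $page.value
        $Url    = $page.'@odata.nextLink'
    }
    return $items
}

$userGroup   = Get-AzureADGroup -Filter "DisplayName eq '$userGroupName'"
$deviceGroup = Get-AzureADGroup -Filter "DisplayName eq '$deviceGroupName'"
if (-not $userGroup -or -not $deviceGroup) { throw "User group or device group not found; check the names." }

# Direct user members only: a nested group would make the /users/{id} call fail.
$users = Get-AzureADGroupMember -ObjectId $userGroup.ObjectId -All $true |
         Where-Object { $_.ObjectType -eq 'User' }

# Desired state: Azure AD object ids of every Intune-managed Windows device owned by those users.
$desired = @{}
foreach ($user in $users) {
    $managed = Get-GraphCollection -Url "https://graph.microsoft.com/v1.0/users/$($user.ObjectId)/managedDevices"
    foreach ($md in ($managed | Where-Object { $_.operatingSystem -eq 'Windows' })) {
        # Same lookup as the post: by name, then confirm the DeviceId. Single quotes are
        # doubled so a device name containing an apostrophe does not break the OData filter.
        $safeName  = $md.deviceName -replace "'", "''"
        $aadDevice = Get-AzureADDevice -Filter "DisplayName eq '$safeName'" |
                     Where-Object { $_.DeviceId -eq $md.azureADDeviceId }
        foreach ($d in $aadDevice) { $desired[$d.ObjectId] = $d.DisplayName }
    }
}

# Current state: device members already in the target group.
$current = @{}
Get-AzureADGroupMember -ObjectId $deviceGroup.ObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'Device' } |
    ForEach-Object { $current[$_.ObjectId] = $_.DisplayName }

# Work out the delta before touching anything so the change is reviewable in the transcript.
$toAdd    = @($desired.Keys | Where-Object { -not $current.ContainsKey($_) })
$toRemove = @($current.Keys | Where-Object { -not $desired.ContainsKey($_) })
Write-Host ("Desired: {0}  Current: {1}  To add: {2}  Stale: {3}" -f $desired.Count, $current.Count, $toAdd.Count, $toRemove.Count)

foreach ($id in $toAdd) {
    Write-Host "Adding $($desired[$id])"
    Add-AzureADGroupMember -ObjectId $deviceGroup.ObjectId -RefObjectId $id
}

if ($removeStale) {
    foreach ($id in $toRemove) {
        Write-Host "Removing $($current[$id])"
        Remove-AzureADGroupMember -ObjectId $deviceGroup.ObjectId -MemberId $id
    }
}
```

Run it once with $removeStale left at $false and read the "To add / Stale" line before enabling removals: a device group like this typically gates policy or app assignments, so a removal is a visible change for the user and you want to see the count first.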

My PowerShell skills aren't as fancy as but they work.
Next is getting this automated using a service account instead of my account, but that’s for another time.

Thank you all, hope this works. Reach out to me if you have any feedback or questions!
