Intune Script To Create Country Device Groups
Many of my customers are large companies with business in many countries. It´s quite common for them to have local IT depatments and helpdesks. Intune has the support for scoping admin access to only devices belonging to a specific scope. But there is a problem when it comes to the scoping. How do we find and tag the devices from a specific country with a scope tag? There are some limitations with Dynamic Groups and Filters in Intune and Azure AD. The amount of attributes to filter on is kind of limited. The only attribute we can use in this case is the category. If they use categories for all countries, the user selects the country at enrollment. And then the device is dynamically added to the country group. But what if the user select wrong country? The device would be placed in the wrong country scope. And what if the company does not want to use categories?
I have written a script that uses Microsoft Graph API to get the owner of each device and add the device to a country group with the same country as the user.
When running scripts with Microsoft Graph API requests, I prefer using an Azure AD Application to authenticate and assign permissions. The application can also be controlled by Conditional Access.
Setup Application for Authentication and Permissions
Create Azure AD Application
The script use application authentication so it can be scheduled as a task and not require an administrator credentials. The script requires the following Microsoft Graph API permissions:
- Sign in and read user profile
- Read Microsoft Intune devices
- Read devices
- Read all groups
- Read all users full profiles
- Read and write all group memberships
Create the Azure App
- Log in to the Azure AD admin console with a Global Administrator login.
- Select Azure Active Directory in the Azure Active Directory Admin Center.
- Go to App Registrations, which is found under Manage.
- Select New Registration at the top of the screen.
- Give the app a suitable name: IntuneGraphCountyGroupAutomation
- Select: Accounts in this organizational directory only (…).
- Under Redirect Uri, select: Public Client/native (mobile & desktop)
and set it to: urn:ietf:wg:oauth:2.0:oob - Click Register.
- You should now end up at Overview
(If it does not show, Go back to App registrations. Select the App created above) - From the Manage menu, select API permissions.
- Select Add a Permission.
- Select Microsoft API´s tab and select Microsoft Graph
- Select Application Permissions
- Select the following permissions:
- User / User.Read.All
- GroupMember / GroupMember.ReadWrite.All
- Groups / Groups.Read.All
- Device / Device.Read.All
- DeviceManagementManagedDevices.Read.All
- Click Add permissions.
- Click Grant admin consent for ….
- Click Yes to Grant permissions.
- Go to Certificates & secrets, which is found under Manage.
- Click the “+ New client secret” button
- Specify Description:
“Secret is used to automate country device groups by script” - Select Expires: 24 Month (depending on your update procedures)
- Click Add Button
- Make sure to copy the secret for use in script (will only be visible now):
- Select Overview.
- Copy The Application (client) ID
Configure Groups and Scopes
For the script to work you’ll need to have all users in a specific country added to a group (can include users in subgroups) and a prepared Azure AD device group for each country to add the devices.
For example.
User group | All-Users-NL |
Device group | All-MDMDevices-NL |
Scope tag | NL |
Get Group IDs
We’ll need the Azure AD group IDs for the groups in the next step. To get a group ID:
- Go to the groups blade in Azure AD
(https://portal.azure.com/#blade/Microsoft_AAD_IAM/GroupsManagementMenuBlade/All Groups)
- Search for your group, open it and copy the object ID
Scope tag to group assignment
After you’ve created the device groups, you need to create/update the scope tag in Intune to tag all devices in the group with the scope tag.
- Navigate to MEM > Tenant Admin > Roles > Scope tags;
- Select the scope tag to edit or create a new one;
- Select the country group to assign it to
Download and Update script
The script is available on my GitHub. Download it here. Update the script with your tenant and app details from the previous setup. The tenant is your tenant name, the client ID is the client ID of the app registration you created and the client secret is the client secret key from the app registration you created.
Update script with group info
There is a hash table at the beginning of the script that maps a user group to the group you want to add the devices to.
For each group you need to duplicate this part:
Now you can run the script manually or schedule it to run on a regular basis.