Microsoft Intune Cookbook

Over 75 recipes for configuring, managing, and automating your identities, apps, and endpoint devices

Product type: Paperback
Published in: Jan 2024
Publisher: Packt
ISBN-13: 9781805126546
Length: 574 pages
Edition: 1st Edition
Author: Andrew Taylor
Table of Contents

Preface
Chapter 1: Getting Started with Microsoft Intune
Chapter 2: Configuring Your New Tenant for Windows Devices
Chapter 3: Securing Your Windows Devices with Security Policies
Chapter 4: Setting Up Enrollment and Updates for Windows
Chapter 5: Android Device Management
Chapter 6: iOS Device Management
Chapter 7: macOS Device Management
Chapter 8: Setting Up Your Compliance Policies
Chapter 9: Monitoring Your New Environment
Chapter 10: Looking at Reporting
Chapter 11: Packaging Your Windows Applications
Chapter 12: PowerShell Scripting across Intune
Chapter 13: Tenant Administration
Chapter 14: Looking at Intune Suite
Index
Other Books You May Enjoy

Creating Entra ID dynamic groups

In this recipe, we will configure Entra ID dynamic groups, where a group automatically populates its membership based on specified criteria. This example will cover both user- and device-based queries.

Getting ready

First, load the Entra portal, expand Groups, and click on All groups (you can also access groups within the Intune portal, which loads the same window).

How to do it…

Dynamic groups are automated; you set a membership rule (the user belongs to a particular location, the device name has a given prefix, and so on), and then Entra ID evaluates the rule on a schedule and adds or removes members accordingly. It is worth noting that there can be a delay while Entra evaluates the membership rule and populates the group membership.

For this example, we will create one Office user group and one Autopilot device dynamic group that we can use later on.

The user group will collect any users with an Office Business license (not the Enterprise ones), while the device group will collect all of your Autopilot devices; we will cover this in more detail in Chapter 4.

Creating a dynamic Office user group

Follow these steps to create a dynamic group containing only licensed Office users:

  1. Starting with the user group, click New Group and enter the basic details:
    1. Group type: Security.
    2. Enter Group name and Group description details.
    3. Change the membership type to Dynamic User.
  2. You will notice that we have to create a dynamic query. So, click Add dynamic query. This will take you to the Configure Rules interface and is where you can view the properties available and set them accordingly. If you already know the query, you can add it directly into the Rule syntax window.

    To detect Office users, we are going to check the user assigned plans:

    1. For Property, select assignedPlans.
    2. Set Operator to Any.
    3. The Value needs to be (assignedPlan.servicePlanId -eq "43de0ff5-c92c-492b-9116-175376d08c38" -and assignedPlan.capabilityStatus -eq "Enabled").
    4. It should look like this in the syntax (sometimes, you may need to edit it to add the final closing brackets):
Figure 1.8 – Entra ID – new dynamic rule result

  3. Now, click the Validate Rules button.
  4. Add a user who has an Office license assigned and click Select.
  5. Then, click Validate. Here, you can see I have only assigned the license to one of my two users:
Figure 1.9 – User validation results

With that, we have created a dynamic user group for users with an Office license.

To find the servicePlanId value for individual products, you can use a downloadable CSV from the Microsoft site. You can use this to create any other dynamic groups: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-service-plan-reference.
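The check that the Validate Rules button performs can also be scripted, which is useful when you want to confirm a rule against a known user before the group exists at all. The following is an added example, not code from the book: it calls the Graph evaluateDynamicMembership action on the beta endpoint with the same servicePlanId rule as above, and assumes the Microsoft.Graph PowerShell SDK is installed and that the user principal name is a placeholder you replace with a real account in your tenant.

```powershell
# Added example: evaluate a dynamic membership rule against one user via Graph
# before creating a group (the same check as the portal's "Validate Rules").
# Assumes: Microsoft.Graph SDK installed; the signed-in account holds
# Group.Read.All and User.Read.All.
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All"

# Placeholder UPN: replace with a user in your own tenant
$userUpn       = "user@contoso.example"
# Office Business service plan ID used in the recipe above
$servicePlanId = "43de0ff5-c92c-492b-9116-175376d08c38"

# Rule built with ordinary double quotes; ConvertTo-Json escapes them for us,
# so there is no manual \" escaping to get wrong.
$rule = "(user.assignedPlans -any (assignedPlan.servicePlanId -eq `"$servicePlanId`" -and assignedPlan.capabilityStatus -eq `"Enabled`"))"

# Resolve the user's object ID (evaluateDynamicMembership needs the ID, not the UPN)
$user = Invoke-MgGraphRequest -Method Get `
    -Uri "https://graph.microsoft.com/beta/users/$($userUpn)?`$select=id,displayName"

$body = @{
    memberId       = $user.id
    membershipRule = $rule
} | ConvertTo-Json

$result = Invoke-MgGraphRequest -Method Post `
    -Uri "https://graph.microsoft.com/beta/groups/evaluateDynamicMembership" `
    -Body $body -ContentType "application/json"

# membershipRuleEvaluationResult is $true when the user would be a member
"$($user.displayName) matches rule: $($result.membershipRuleEvaluationResult)"

# The details object shows, clause by clause, which part matched or failed,
# which is the quickest way to debug a rule that returns fewer users than expected.
$result.membershipRuleEvaluationDetails | ConvertTo-Json -Depth 10
```

Run it once with a user you know holds the Office Business plan and once with a user who does not; the two results should differ, which confirms the rule keys on the service plan rather than on any other part of the license assignment.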

Creating a dynamic Autopilot device group

When we create our Autopilot profile later, in Chapter 4, we will configure it to automatically pick up all users/devices. However, in a pilot or Proof of Concept (PoC), we may only want to target those devices enrolled in Autopilot. For this, we can query the device’s ZTID, which is added when we import it (covered in Chapter 4).

Follow this process to create our dynamic group:

  1. Click New Group in Entra ID, but this time, pick Dynamic Device as the membership type. Set Group type to Security. Then, add the Group name and Group description values. Finally, click Add dynamic query.
  2. This one is slightly more straightforward. Set Property to devicePhysicalIds, Operator to Any, and Value to (_ -startsWith "[ZTDid]"):
Figure 1.10 – Dynamic rule creator

  3. It should look like this (sometimes, you may need to edit it to add the final closing brackets). Click OK on this screen:
Figure 1.11 – Dynamic device query

We do not need to validate this one as we do not have a device enrolled yet anyway.

  4. Now, click Save, then Create on the following screen.

With that, we have created our dynamic Autopilot devices group so that it is ready to enroll devices in Chapter 4.

Automating it

The following scripts demonstrate how we can use Graph and PowerShell to create both of our dynamic groups, showing the two different queries.

Dynamic Office user group

This is similar to a static group, except we must add an extra line for the dynamic rule:

  1. Set the necessary variables (the script assumes an existing Graph session, for example, Connect-MgGraph -Scopes "Group.ReadWrite.All"):
    $groupname = "TestGroup123"
    $groupdescription = "TestGroupDescription"
    # The rule's double quotes are escaped as \" so they survive being embedded in the JSON body below
    $membershiprule = '(user.assignedPlans -any (assignedPlan.servicePlanId -eq \"43de0ff5-c92c-492b-9116-175376d08c38\" -and assignedPlan.capabilityStatus -eq \"Enabled\"))'
    # mailNickname must be unique in the tenant and may only contain letters and digits
    $groupnickname = ($groupname -replace '[^a-zA-Z0-9]', '').ToLower()

Important note

We have single quotes around the rule because the rule itself uses double quotes, and we also escape those double quotes with a backslash so that the rule remains valid once it is placed inside the JSON string.

  2. Now, give it a URL:
    $url = "https://graph.microsoft.com/beta/groups"
  3. Populate the JSON:
    $json = @"
    {
        "description": "$groupdescription",
        "displayName": "$groupname",
        "groupTypes": [
            "DynamicMembership"
        ],
        "mailEnabled": false,
        "mailNickname": "$groupnickname",
        "membershipRule": "$membershiprule",
        "membershipRuleProcessingState": "On",
        "securityEnabled": true
    }
    "@
  4. Finally, submit our Graph request:
    Invoke-MgGraphRequest -Uri $url -Method Post -Body $json -ContentType "application/json"

This script will create a dynamic group for users who have an active Office license, based on the service plan ID and the plan's capability status.

Dynamic Autopilot device group

This is the same as the user group but with a different rule. The Graph backend does not differentiate between user and device groups; the user. or device. prefix in the rule determines which objects are evaluated.

We can now create a PowerShell script to create a dynamic group:

  1. Set the necessary variables (as before, an existing Graph session is assumed; note that displayName and mailNickname must not clash with the user group created above):
    $groupname = "TestGroup123"
    $groupdescription = "TestGroupDescription"
  2. Set the mail nickname:
    $groupnickname = ($groupname -replace '[^a-zA-Z0-9]', '').ToLower()
  3. Set the membership rule (escaping the double quotes exactly as in the user-group script):
    $membershiprule = '(device.devicePhysicalIDs -any (_ -startsWith \"[ZTDid]\"))'
  4. Set the URL:
    $url = "https://graph.microsoft.com/beta/groups"
  5. Populate the JSON (the rule must be wrapped in double quotes, or the body is not valid JSON):
    $json = @"
    {
        "description": "$groupdescription",
        "displayName": "$groupname",
        "groupTypes": [
            "DynamicMembership"
        ],
        "mailEnabled": false,
        "mailNickname": "$groupnickname",
        "membershipRule": "$membershiprule",
        "membershipRuleProcessingState": "On",
        "securityEnabled": true
    }
    "@
  6. Finally, submit our Graph request:
    Invoke-MgGraphRequest -Uri $url -Method Post -Body $json -ContentType "application/json"

We now have a script for creating our dynamic Autopilot group.
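Both scripts build the request body by interpolating strings into a JSON here-string, which is where the escaped-quote mistakes come from. The following is an added example, not the book's code, that serves both the user-group and device-group sections: one function that takes a rule written with plain double quotes, lets ConvertTo-Json handle the escaping, checks for an existing group with the same mailNickname before creating a duplicate, and then polls the group's membershipRuleProcessingStatus so you know when the asynchronous membership evaluation has finished. It assumes the Microsoft.Graph SDK, the Group.ReadWrite.All scope, and that membershipRuleProcessingStatus (a beta-endpoint property with a status value of NotStarted, Running, Succeeded, Failed or UnsupportedError) is available on your tenant; the group names are placeholders.

```powershell
# Added example: create both dynamic groups from the recipe through one
# helper that serialises the body with ConvertTo-Json (no manual \" escaping),
# is safe to re-run, and waits for membership processing to complete.
# Assumes: Microsoft.Graph SDK; Group.ReadWrite.All granted to the signed-in account.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

function New-DynamicGroup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Description,
        [Parameter(Mandatory)][string]$MembershipRule
    )
    # Same nickname derivation as the recipe: letters and digits only, lower case
    $nickname = ($Name -replace '[^a-zA-Z0-9]', '').ToLower()

    # mailNickname must be unique in the tenant, so reuse an existing group instead of failing
    $filter   = [uri]::EscapeDataString("mailNickname eq '$nickname'")
    $existing = Invoke-MgGraphRequest -Method Get `
        -Uri "https://graph.microsoft.com/beta/groups?`$filter=$filter"
    if ($existing.value.Count -gt 0) {
        Write-Warning "Group '$Name' already exists; reusing $($existing.value[0].id)"
        return $existing.value[0]
    }

    # ConvertTo-Json escapes the quotes inside $MembershipRule for us
    $body = @{
        displayName                   = $Name
        description                   = $Description
        mailEnabled                   = $false
        mailNickname                  = $nickname
        securityEnabled               = $true
        groupTypes                    = @("DynamicMembership")
        membershipRule                = $MembershipRule
        membershipRuleProcessingState = "On"
    } | ConvertTo-Json -Depth 3

    Invoke-MgGraphRequest -Method Post -Uri "https://graph.microsoft.com/beta/groups" `
        -Body $body -ContentType "application/json"
}

# The recipe's two rules, written with ordinary double quotes
$officeRule    = '(user.assignedPlans -any (assignedPlan.servicePlanId -eq "43de0ff5-c92c-492b-9116-175376d08c38" -and assignedPlan.capabilityStatus -eq "Enabled"))'
$autopilotRule = '(device.devicePhysicalIds -any (_ -startsWith "[ZTDId]"))'

# Placeholder names; pick ones that fit your naming standard
$userGroup   = New-DynamicGroup -Name "Office Business Users" -Description "Users holding an Office Business plan" -MembershipRule $officeRule
$deviceGroup = New-DynamicGroup -Name "Autopilot Devices"     -Description "All Autopilot-registered devices"     -MembershipRule $autopilotRule

# Membership is populated asynchronously (the delay the recipe warns about);
# poll until processing leaves the NotStarted/Running states before assigning policy to the group.
foreach ($group in @($userGroup, $deviceGroup)) {
    do {
        Start-Sleep -Seconds 15
        $status = (Invoke-MgGraphRequest -Method Get `
            -Uri "https://graph.microsoft.com/beta/groups/$($group.id)?`$select=membershipRuleProcessingStatus").membershipRuleProcessingStatus
        "$($group.displayName): $($status.status)"
    } while ($status.status -in @("NotStarted", "Running"))
}
```

Because the rule is passed as data rather than spliced into a JSON template, a rule containing quotes, backslashes or brackets cannot break the request body, and the pre-check by mailNickname means running the script twice leaves you with one group of each kind rather than a Graph 400 error on the second run.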
