Managing a fleet of devices in a dynamic IT environment demands efficient automation. This blog post introduces a PowerShell script that automates setting group tags on Windows Autopilot device identities in Microsoft Intune when it is run as a Runbook in Azure Automation.

Script Overview

The script is an example of how to automate the assignment of group tags to Windows Autopilot device identities in Microsoft Intune. Note that in this example the script applies one predefined group tag (e.g. “CMW”) to every device that has none. A real production environment usually has several group tags; the script can be modified to assign different tags according to your organisation’s own rules (for example by manufacturer or model).

The Role of Azure Automation

Azure Automation provides a cloud-based service for consistent automation across Azure and non-Azure environments. Running this script as an Azure Runbook enables automation without the need for local script execution.

Prerequisites

  1. Azure Automation Account: An Azure Automation account is needed for setting up the Runbook.
  2. Permissions: The script requires the DeviceManagementServiceConfig.ReadWrite.All application permission in Microsoft Graph. This is a tenant-wide permission over Autopilot and other Intune service configuration, so grant it only to the identity that runs this Runbook, and grant that identity nothing else.
  3. Managed Identity: The Runbook authenticates to Microsoft Graph with the Automation account’s system-assigned managed identity, so no client secret or certificate has to be stored in the account. The permission above is assigned to that identity as a Microsoft Graph app role.
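The prerequisite steps above, as an added example that is not part of the original post: enable the system-assigned managed identity on the Automation account and grant it exactly one Graph app role. It assumes the Az.Automation (1.7 or later, for -AssignSystemIdentity) and Microsoft.Graph.Applications modules, an operator allowed to consent application permissions, and placeholder resource group and account names. The Microsoft Graph application id 00000003-0000-0000-c000-000000000000 is the well-known value.

```powershell
# Added example (not from the original post): grant the Automation account's
# system-assigned managed identity the Graph application permission
# DeviceManagementServiceConfig.ReadWrite.All, and nothing else.
# Assumes Az.Automation 1.7+ and Microsoft.Graph.Applications are installed.

$ResourceGroupName     = 'rg-automation'        # placeholder
$AutomationAccountName = 'aa-intune-autopilot'  # placeholder
$GraphAppId            = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph app id
$RequiredRole          = 'DeviceManagementServiceConfig.ReadWrite.All'

# 1. Enable the system-assigned managed identity on the Automation account and read its object id.
Set-AzAutomationAccount -ResourceGroupName $ResourceGroupName -Name $AutomationAccountName -AssignSystemIdentity | Out-Null
$account    = Get-AzAutomationAccount -ResourceGroupName $ResourceGroupName -Name $AutomationAccountName
$miObjectId = $account.Identity.PrincipalId
if (-not $miObjectId) { throw "Managed identity was not created on $AutomationAccountName" }

# 2. Locate the Graph service principal and the app role (application permission) by its value.
Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All'
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$appRole = $graphSp.AppRoles | Where-Object {
    $_.Value -eq $RequiredRole -and $_.AllowedMemberTypes -contains 'Application'
}
if (-not $appRole) { throw "App role $RequiredRole not found on the Microsoft Graph service principal" }

# 3. Assign that one role to the managed identity, idempotently.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miObjectId |
    Where-Object { $_.AppRoleId -eq $appRole.Id -and $_.ResourceId -eq $graphSp.Id }
if (-not $existing) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miObjectId `
        -PrincipalId $miObjectId -ResourceId $graphSp.Id -AppRoleId $appRole.Id | Out-Null
}

# 4. Verify least privilege: list every Graph role the identity holds; expect only the one above.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miObjectId |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { ($graphSp.AppRoles | Where-Object { $_.Id -eq $_.AppRoleId }).Value; ($graphSp.AppRoles | Where-Object Id -eq $_.AppRoleId).Value }
```

Step 4 is the check worth keeping in a change ticket: a managed identity accumulates roles over time, and the list it prints is the complete set of Graph permissions anyone who can edit a runbook in that account can exercise. Application permissions on a managed identity cannot be consented in the portal’s API permissions blade, which is why the assignment is scripted.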

Key Features of the Script

  1. Access Token Retrieval: The script first requests an access token for Microsoft Graph from the Azure Automation identity endpoint (the IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables the sandbox injects), i.e. it authenticates as the managed identity.
  2. Autopilot Devices Retrieval: It fetches the list of Windows Autopilot device identities.
  3. Group Tag Assignment: The script assigns a specific group tag to each device that lacks one. This is an example setting and should be adapted to match different tags as needed in production environments.
  4. Error Management: Both stages run in try/catch blocks; a failure is rethrown with context, so the Automation job ends in the Failed state instead of silently continuing.

Deploying as an Azure Runbook

  1. Import and Configuration: Import the PowerShell script into your Azure Automation account and configure the managed identity.
  2. Update Group Tag: Set the $autopilotDeviceGroupTag variable in the script to the group tag you want to apply.
  3. Testing and Publishing: Ensure the Runbook functions correctly by testing it in Azure, then publish it.
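The deployment steps above, as an added example that is not part of the original post: import the script as a draft runbook, publish it once it has been exercised in the Test pane, run it once on demand and read the job output, then attach a daily schedule. It assumes the Az.Automation module, placeholder account names, and that the script file has already had $autopilotDeviceGroupTag set.

```powershell
# Added example (not from the original post): import, publish, run once, schedule.
# Assumes Az.Automation is installed and the caller is signed in with Connect-AzAccount.

$ResourceGroupName     = 'rg-automation'        # placeholder
$AutomationAccountName = 'aa-intune-autopilot'  # placeholder
$RunbookName           = 'SetAutopilotGroupTag'
$ScriptPath            = '.\SetAutopilotGroupTag.ps1'   # the script from this post, tag variable already set
$common = @{ ResourceGroupName = $ResourceGroupName; AutomationAccountName = $AutomationAccountName }

# 1. Import as a draft. Type 'PowerShell' selects the Windows PowerShell 5.1 runtime;
#    use 'PowerShell72' if the account should run it under PowerShell 7.2.
Import-AzAutomationRunbook @common -Name $RunbookName -Path $ScriptPath -Type PowerShell -Force | Out-Null

# 2. Test the draft from the portal's Test pane (it runs with the account's managed identity),
#    then publish it so it can be started and scheduled.
Publish-AzAutomationRunbook @common -Name $RunbookName | Out-Null

# 3. Run it once on demand and wait for the job to finish, then read its output streams.
$job = Start-AzAutomationRunbook @common -Name $RunbookName
do {
    Start-Sleep -Seconds 10
    $job = Get-AzAutomationJob @common -Id $job.JobId
} while ($job.Status -in 'New', 'Activating', 'Queued', 'Running')
"Job $($job.JobId) finished with status $($job.Status)"
Get-AzAutomationJobOutput @common -Id $job.JobId -Stream Any | Select-Object Time, Type, Summary

# 4. Schedule it daily at 03:00 local time, starting tomorrow.
$schedule = New-AzAutomationSchedule @common -Name "$RunbookName-Daily" `
    -StartTime (Get-Date).Date.AddDays(1).AddHours(3) -DayInterval 1
Register-AzAutomationScheduledRunbook @common -RunbookName $RunbookName -ScheduleName $schedule.Name | Out-Null
```

Reading the job output in step 3 is what tells you the tag logic matched the devices you expected; a runbook that throws still shows up as Failed, but one that quietly matches nothing looks identical to one that had nothing to do.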
PowerShell
<#
.SYNOPSIS
Sets the group tag for Windows Autopilot device identities in Microsoft Intune.

.DESCRIPTION
This script obtains an access token for Microsoft Graph via the managed identity and then uses the token to make a call to the Microsoft Graph API to retrieve a list of Windows Autopilot device identities. For each device, if the group tag is empty, it adds a group tag to the device by making another call to the Microsoft Graph API.

.EXAMPLE
SetAutopilotGroupTag.ps1

.NOTES
Requires DeviceManagementServiceConfig.ReadWrite.All permission in Microsoft Graph.
#>

# Group tag to apply to devices that have none. Example value; adapt to your environment.
$autopilotDeviceGroupTag = "CMW"

# Obtain an access token for Microsoft Graph via the Automation account's managed identity.
# IDENTITY_ENDPOINT and IDENTITY_HEADER are injected into the sandbox by Azure Automation.
try {
    $ResourceURL = "https://graph.microsoft.com/"
    $Response = Invoke-RestMethod -Method Get -Uri "$($env:IDENTITY_ENDPOINT)?resource=$ResourceURL" `
        -Headers @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER; 'Metadata' = 'True' }

    # Construct AuthHeader
    $AuthHeader = @{
        'Content-Type'  = 'application/json'
        'Authorization' = "Bearer " + $Response.access_token
    }
}
catch {
    throw "An error occurred while obtaining the access token: $_"
}

try {
    $Headers = $AuthHeader
    $Headers["ConsistencyLevel"] = "eventual"

    # Requires DeviceManagementServiceConfig.ReadWrite.All permission in Microsoft Graph.
    # The collection is paged and the devices sit under .value: follow @odata.nextLink
    # so devices beyond the first page are not silently skipped.
    $uri = "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities"
    $autopilotDevices = @()
    do {
        $page = Invoke-RestMethod -Method Get -Headers $Headers -Uri $uri
        $autopilotDevices += $page.value
        $uri = $page.'@odata.nextLink'
    } while ($uri)

    foreach ($autopilotDevice in $autopilotDevices) {
        # groupTag comes back as "" or $null when unset; treat both as "no tag".
        if ([string]::IsNullOrEmpty($autopilotDevice.groupTag)) {
            Write-Output "Matched, adding group tag to $($autopilotDevice.serialNumber)"
            $requestBody = @{ groupTag = $autopilotDeviceGroupTag } | ConvertTo-Json

            # Invoke-RestMethod sends the request body with -Body, not -Content.
            Invoke-RestMethod -Method Post -Headers $Headers -Body $requestBody -ContentType "application/json" `
                -Uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities/$($autopilotDevice.id)/updateDeviceProperties"
        }
        else {
            # Device already carries a group tag; leave it untouched.
        }
    }
}
catch {
    throw "An error occurred: $_"
}
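The post says twice (in the overview and under Key Features) that production tenants need more than one tag. The following is an added example, not code from the original post, of how the single hard-coded tag can be replaced with rule-based selection, how all Graph result pages are walked, and how -WhatIf lets the mapping be reviewed before any device is changed. The tag rules, the sample devices and the tag names SURFACE, LAPTOP and DESKTOP are constructed for illustration; $Headers is assumed to be the Bearer header hashtable built by the script above.

```powershell
# Added example (not from the original post). Rule-based tag selection, paging,
# and a dry-run mode. Sample devices and rules below are constructed, not real data.

function Select-AutopilotGroupTag {
    # Decide the tag from device properties. First matching rule wins; $null if none match.
    param([Parameter(Mandatory)] $Device)
    $rules = @(
        @{ When = { $_.manufacturer -match '^Microsoft' };            Tag = 'SURFACE' }
        @{ When = { $_.model -match 'Latitude|ThinkPad|EliteBook' }; Tag = 'LAPTOP' }
        @{ When = { $_.model -match 'OptiPlex|ThinkCentre' };        Tag = 'DESKTOP' }
    )
    foreach ($rule in $rules) {
        if ($Device | Where-Object $rule.When) { return $rule.Tag }
    }
    return $null
}

function Get-GraphCollection {
    # Follow @odata.nextLink so tenants with more than one page of devices are fully processed.
    param([Parameter(Mandatory)][string] $Uri, [Parameter(Mandatory)][hashtable] $Headers)
    do {
        $page = Invoke-RestMethod -Method Get -Uri $Uri -Headers $Headers
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

function Set-AutopilotGroupTags {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] $Devices,
        [Parameter(Mandatory)][hashtable] $Headers,
        [string] $DefaultTag = $null     # applied when no rule matches; leave empty to skip instead
    )
    foreach ($device in $Devices) {
        # Never overwrite a tag that is already set; "" and $null both mean "unset".
        if (-not [string]::IsNullOrEmpty($device.groupTag)) { continue }

        $tag = Select-AutopilotGroupTag -Device $device
        if (-not $tag) { $tag = $DefaultTag }
        if (-not $tag) {
            Write-Warning "No rule matched $($device.serialNumber) ($($device.manufacturer) $($device.model)); skipping"
            continue
        }

        # With -WhatIf this reports the intended change and makes no Graph call.
        if ($PSCmdlet.ShouldProcess($device.serialNumber, "set groupTag '$tag'")) {
            $body = @{ groupTag = $tag } | ConvertTo-Json
            Invoke-RestMethod -Method Post -Headers $Headers -ContentType 'application/json' -Body $body `
                -Uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities/$($device.id)/updateDeviceProperties"
        }
    }
}

# Constructed sample data so the mapping can be tried without touching Graph.
$sampleDevices = @(
    [pscustomobject]@{ id = '1'; serialNumber = 'SN-0001'; manufacturer = 'Microsoft Corporation'; model = 'Surface Laptop 5'; groupTag = '' }
    [pscustomobject]@{ id = '2'; serialNumber = 'SN-0002'; manufacturer = 'Dell Inc.';             model = 'Latitude 5540';    groupTag = $null }
    [pscustomobject]@{ id = '3'; serialNumber = 'SN-0003'; manufacturer = 'LENOVO';                model = 'ThinkCentre M70q'; groupTag = 'DESKTOP' }
    [pscustomobject]@{ id = '4'; serialNumber = 'SN-0004'; manufacturer = 'HP';                    model = 'ProBook 450';      groupTag = '' }
)
$sampleDevices | ForEach-Object { '{0,-8} -> {1}' -f $_.serialNumber, (Select-AutopilotGroupTag -Device $_) }

# Dry run over the sample set: SN-0003 is skipped (already tagged), SN-0004 gets a warning.
Set-AutopilotGroupTags -Devices $sampleDevices -Headers @{ Authorization = 'Bearer placeholder' } -WhatIf

# Against the tenant, once the script above has produced $Headers:
# $devices = Get-GraphCollection -Uri 'https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities' -Headers $Headers
# Set-AutopilotGroupTags -Devices $devices -Headers $Headers -WhatIf    # review, then run again without -WhatIf
```

Two design choices matter here. The function refuses to overwrite an existing tag, because a group tag drives dynamic group membership and therefore which Autopilot profile and policies a device receives; changing it on a tagged device is a deployment change, not housekeeping. And a device that matches no rule is reported and skipped rather than silently given a catch-all tag, so an unexpected model shows up in the job output instead of quietly landing in the wrong profile.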

Runbook Execution

  • The Runbook can be started manually or on a schedule, giving regular, hands-off tagging of newly registered devices that arrive without a group tag.

Conclusion

This PowerShell script, as an Azure Runbook, automates the task of setting group tags for Windows Autopilot device identities in Microsoft Intune. It’s a powerful example of how Azure Automation can be used to streamline device management tasks, enhancing efficiency in IT operations. Remember, in production environments, adapt the script to handle multiple group tags as per your organizational needs.

Note

Always test automation scripts in a controlled environment before deploying them in production. The script is intended for users with the necessary access rights within their organisation’s Azure and Microsoft Graph environments. Bear in mind that the managed identity’s Graph permission is tenant-wide and that anyone who can edit or run runbooks in the Automation account can act with it, so restrict the account’s Azure RBAC accordingly.
