Script – Bulk create common AAD Groups for MSIntune
Hello there, I want to share a script that bulk creates the common Azure AD dynamic groups used for Intune deployments. I work for a managed service provider and find myself creating the same groups over and over again, so I wrote a script that automates this. The script currently creates 25 dynamic groups, all of which are documented in this post. It prompts you for which sections of groups to create (for example, if you only use Intune for Windows and Autopilot you can choose NOT to deploy the Android and iOS/iPadOS groups), and it also gives you the option to prefix the group names with something like 'MEM'.
The Script
Click the PowerShell logo below for a link to the latest script on my Github page.
Running the script
The script will:
- Prompt you to sign into AzureAD after installing the AzureADPreview module.
- Prompt you to select which sections of groups to create, then prompt for a prefix (3 or 4 characters is recommended, e.g. MEM).
- If you’ve selected Autopilot, it’ll prompt for a desired group tag.
Naming Convention
The following naming convention is applied:
<Prefix>-<Platform>-<TypeofGroup>-<Description>
Type of group:
- DU = Dynamic User
- DD = Dynamic Device
Examples:
- MEM-AUTO-DD-AllDevices = Microsoft Endpoint Manager – Autopilot – Dynamic Device – All Autopilot Devices
- MEM-ALL-DD-BYODOwned = Microsoft Endpoint Manager – All Devices – Dynamic Device – All BYOD Devices
What groups are created?
The script creates 25 groups; they are numbered and grouped by section below, and I list them all for completeness.
General MEM Groups
| No | Group Name | Description | Dynamic Query |
|---|---|---|---|
| 1 | <Prefix>-ALL-DU-IntuneLicenced | Contains all users licenced for Microsoft Intune | user.assignedPlans -any (assignedPlan.servicePlanId -eq "c1ec4a95-1f05-45b3-a911-aa3fa01094f5" -and assignedPlan.capabilityStatus -eq "Enabled") |
| 2 | <Prefix>-ALL-DD-CorpOwned | Contains all corporate owned devices within MEM | (device.deviceOwnership -eq "Company") |
| 3 | <Prefix>-ALL-DD-BYODOwned | Contains all personally owned devices within MEM | (device.deviceOwnership -eq "Personal") |
Autopilot Groups
| No | Group Name | Description | Dynamic Query |
|---|---|---|---|
| 4 | <Prefix>-AUTO-DD-AllDevices | Contains all Autopilot devices within MEM | (device.devicePhysicalIDs -any (_ -contains "[ZTDId]")) |
| 5 | <Prefix>-AUTO-DD-<GroupTag>Devices | Contains all Autopilot devices with a group tag of '$GroupTag' within MEM | (device.devicePhysicalIds -any _ -eq "[OrderID]:$GroupTag") |
| 6 | <Prefix>-AUTO-DD-AllDevicesExcept<GroupTag> | Contains all Autopilot devices without a group tag of '$GroupTag' within MEM | (device.devicePhysicalIDs -any _ -contains "[ZTDId]") -and (device.devicePhysicalIDs -notcontains "[OrderID]:$GroupTag") |
Android Groups
| No | Group Name | Description | Dynamic Query |
|---|---|---|---|
| 7 | <Prefix>-AND-DD-AllDevices | Contains all Android devices within MEM | (device.deviceOSType -match "Android") |
| 8 | <Prefix>-AND-DD-AllCorpDevices | Contains all corporate owned Android devices within MEM | (device.deviceOSType -eq "Android") -and (device.deviceOwnership -eq "Company") |
| 9 | <Prefix>-AND-DD-AllBYODDevices | Contains all personally owned Android devices within MEM | (device.deviceOSType -eq "Android") -and (device.deviceOwnership -eq "Personal") |
| 10 | <Prefix>-AND-DD-AllEntDevices | Contains all Android Enterprise devices within MEM | (device.deviceOSType -match "AndroidEnterprise") |
| 11 | <Prefix>-AND-DD-WPDevices | Contains all Android Work Profile devices within MEM | (device.deviceOSType -eq "AndroidForWork") -and (device.managementType -eq "MDM") |
| 12 | <Prefix>-AND-DD-FullMgdDevices | Contains all Android Fully Managed devices within MEM | (device.deviceOSType -eq "AndroidEnterprise") -and (device.enrollmentProfileName -eq null) |
iOS/iPadOS Groups
| No | Group Name | Description | Dynamic Query |
|---|---|---|---|
| 13 | <Prefix>-iPad-DD-AllDevices | Contains all iPad devices within MEM | (device.deviceOSType -eq "iPad") |
| 14 | <Prefix>-iPhone-DD-AllDevices | Contains all iPhone devices within MEM | (device.deviceOSType -eq "iPhone") |
| 15 | <Prefix>-iPad-DD-AllCorpDevices | Contains all corporate owned iPad devices within MEM | (device.deviceOSType -eq "iPad") -and (device.deviceOwnership -eq "Company") |
| 16 | <Prefix>-iPad-DD-AllBYODDevices | Contains all personally owned iPad devices within MEM | (device.deviceOSType -eq "iPad") -and (device.deviceOwnership -eq "Personal") |
| 17 | <Prefix>-iPhone-DD-AllCorpDevices | Contains all corporate owned iPhone devices within MEM | (device.deviceOSType -eq "iPhone") -and (device.deviceOwnership -eq "Company") |
| 18 | <Prefix>-iPhone-DD-AllBYODDevices | Contains all personally owned iPhone devices within MEM | (device.deviceOSType -eq "iPhone") -and (device.deviceOwnership -eq "Personal") |
macOS Groups
| No | Group Name | Description | Dynamic Query |
|---|---|---|---|
| 19 | <Prefix>-Mac-DD-AllDevices | Contains all macOS devices within MEM | (device.deviceOSType -eq "MacMDM") |
| 20 | <Prefix>-Mac-DD-AllCorpDevices | Contains all corporate owned macOS devices within MEM | (device.deviceOSType -eq "MacMDM") -and (device.deviceOwnership -eq "Company") |
| 21 | <Prefix>-Mac-DD-AllBYODDevices | Contains all personally owned macOS devices within MEM | (device.deviceOSType -eq "MacMDM") -and (device.deviceOwnership -eq "Personal") |
Windows Groups
| No | Group Name | Description | Dynamic Query |
|---|---|---|---|
| 22 | <Prefix>-WIN-DD-AllDevices | Contains all Windows devices within MEM | (device.deviceOSType -eq "Windows") -and (device.managementType -eq "MDM") |
| 23 | <Prefix>-WIN-DD-AllW10Devices | Contains all Windows 10 devices within MEM | (device.deviceOSType -eq "Windows") -and (device.deviceOSVersion -contains "10.0.1") -and (device.managementType -eq "MDM") |
| 24 | <Prefix>-WIN-DD-AllW11Devices | Contains all Windows 11 devices within MEM | (device.deviceOSType -eq "Windows") -and (device.deviceOSVersion -contains "10.0.2") -and (device.managementType -eq "MDM") |
| 25 | <Prefix>-WIN-DD-SCCMMgdDevices | Contains all Windows devices managed by ConfigMgr within MEM | (device.deviceManagementAppId -eq "54b943f8-d761-4f8d-951e-9cea1846db5a") |
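As an added example (not the author's script from Github), here is how one of these groups, number 5 from the Autopilot table, can be built from the naming convention above and created with the AzureADPreview cmdlets the script relies on. The prefix and group tag values are constructed, and the helper function names are my own, not names from the script.

```powershell
# Added example, not the author's script: build a group name from the post's
# naming convention and create Autopilot group 5 as a dynamic device group.
# Assumes the AzureADPreview module is installed and Connect-AzureAD has been run.

function New-MemGroupName {
    param(
        # Enforces the 3-4 character prefix recommendation from the post.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9]{3,4}$')][string]$Prefix,
        [Parameter(Mandatory)][string]$Platform,
        [Parameter(Mandatory)][ValidateSet('DU', 'DD')][string]$Type,
        [Parameter(Mandatory)][string]$Description
    )
    # <Prefix>-<Platform>-<TypeofGroup>-<Description>, e.g. MEM-AUTO-DD-AllDevices
    return '{0}-{1}-{2}-{3}' -f $Prefix, $Platform, $Type, $Description
}

function New-MemDynamicDeviceGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$Description,
        [Parameter(Mandatory)][string]$MembershipRule
    )
    # Re-running the script must not create a second group with the same name,
    # so look the display name up first and return the existing object if found.
    $existing = Get-AzureADMSGroup -Filter "displayName eq '$DisplayName'"
    if ($existing) {
        Write-Warning "Group '$DisplayName' already exists (Id $($existing.Id)); skipping."
        return $existing
    }
    # MailNickname is required even for security groups and must not contain spaces.
    $nickname = ($DisplayName -replace '[^A-Za-z0-9]', '').ToLower()
    return New-AzureADMSGroup -DisplayName $DisplayName -Description $Description `
        -MailEnabled $false -MailNickname $nickname -SecurityEnabled $true `
        -GroupTypes 'DynamicMembership' -MembershipRule $MembershipRule `
        -MembershipRuleProcessingState 'On'
}

# Constructed input values: prefix 'MEM' and an Autopilot group tag of 'Sales'.
$Prefix   = 'MEM'
$GroupTag = 'Sales'
$name = New-MemGroupName -Prefix $Prefix -Platform 'AUTO' -Type 'DD' -Description "${GroupTag}Devices"
# The group tag is substituted into the rule exactly as in the table for group 5.
$rule = "(device.devicePhysicalIds -any _ -eq `"[OrderID]:$GroupTag`")"
New-MemDynamicDeviceGroup -DisplayName $name -MembershipRule $rule `
    -Description "Contains all Autopilot devices with a group tag of '$GroupTag' within MEM"
```

The existence check matters because dynamic membership rules are evaluated by display name only in the portal; two groups with identical names but different rules are easy to confuse when assigning Intune policies.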
That’s all folks, any issues or suggestions let me know! Hope this helps.