User driven Device Group Membership

Today I want to present my solution to allow your end-users to add their device to an Azure AD Group on their own. We are using something like this to allow our users to select which devices should, for example, receive the Windows 11 Upgrade earlier than others, but I think there are many more possible use cases.

First we start with the Azure AD Group where the device should be added or removed by the end-users:

Once the Group is created we need to copy the ObjectID, we will need it later.

In the next step we will create the Backend for this. We will again use an Azure Automation PowerShell based Runbook to do the Opt-In / Opt-Out.
Let's start with the Automation Account itself; we can simply add it to an existing Azure Subscription from the Azure Marketplace:

Once the Deployment is finished, we can add the needed Script to a new Runbook. You can find the Script in my GitHub Repo: Scripts/Runbook.ps1 at main · mmeierm/Scripts (github.com). Just replace the GroupID with the ObjectID we saved before and copy the script into the new Runbook.

After we have saved the Script, we can publish it and create a Webhook that we can use for our Client Script afterwards. Make sure to save the Webhook URL during this process, as you cannot view it again afterwards.

Once we have created the Runbook, we can assign the needed Permissions to the System Managed Identity. Just replace the ID in the Script with the Object ID shown on the Identity Tab of the Automation Account.

You can find the needed Script to assign the Permissions here: Scripts/AddPermissions.ps1 at main · mmeierm/Scripts (github.com)
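As an added illustration of what the backend Runbook has to do, here is a minimal Opt-In / Opt-Out handler written for this post. It is not the script from the linked GitHub repo; it assumes the Microsoft Graph PowerShell SDK modules are imported into the Automation Account, that the System Managed Identity has been granted the Graph application permissions `GroupMember.ReadWrite.All` and `Device.Read.All` (assumed minimal set), and that the client posts a JSON body with `DeviceId` and `Action` fields (field names are my choice). The Group ObjectID is a placeholder. Because the Webhook URL is the only thing authenticating a caller, the Runbook treats the request body as untrusted: it only accepts a strictly formatted GUID (which also keeps the value from breaking out of the OData filter), only two fixed actions, and only ever touches the one configured group.

```powershell
param(
    [Parameter(Mandatory = $false)]
    [object] $WebhookData
)

# Placeholder: replace with the ObjectID copied from the Azure AD Group blade.
$GroupId = '00000000-0000-0000-0000-000000000000'

if (-not $WebhookData) {
    throw 'This runbook must be started through its webhook.'
}

# The webhook URL acts as a shared secret that is also present on every client,
# so validate the posted body before doing anything with it.
$body = $WebhookData.RequestBody | ConvertFrom-Json

$guidPattern = '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
if ($body.DeviceId -notmatch $guidPattern) {
    throw 'Rejected request: DeviceId is not a well-formed GUID.'
}
if ($body.Action -notin @('OptIn', 'OptOut')) {
    throw "Rejected request: unknown Action '$($body.Action)'."
}

# Authenticate as the Automation Account's System Managed Identity.
Connect-MgGraph -Identity -NoWelcome

# dsregcmd reports the Azure AD *device ID*, not the directory object ID,
# so look the object up by the deviceId property. The regex check above
# guarantees the interpolated value is a plain GUID.
$device = Get-MgDevice -Filter "deviceId eq '$($body.DeviceId)'"
if (-not $device) {
    throw "Rejected request: no Azure AD device with deviceId $($body.DeviceId)."
}

# Make the operation idempotent: check current membership of the target group only.
$alreadyMember = Get-MgDeviceMemberOf -DeviceId $device.Id -All |
    Where-Object { $_.Id -eq $GroupId }

switch ($body.Action) {
    'OptIn' {
        if ($alreadyMember) {
            Write-Output "Device $($device.Id) is already a member of $GroupId."
        } else {
            New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $device.Id
            Write-Output "Added device $($device.Id) to group $GroupId."
        }
    }
    'OptOut' {
        if ($alreadyMember) {
            Remove-MgGroupMemberByRef -GroupId $GroupId -DirectoryObjectId $device.Id
            Write-Output "Removed device $($device.Id) from group $GroupId."
        } else {
            Write-Output "Device $($device.Id) was not a member of $GroupId."
        }
    }
}
```

Worth keeping in mind when you deploy this: anyone who can read the Client Script on a device can read the Webhook URL, so give the Webhook an expiry date, rotate it on a schedule, and keep the Managed Identity's Graph permissions to the roles the Runbook actually needs rather than broader directory-write roles. The Runbook's own job history in the Automation Account is the audit trail for who opted which device in or out.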

Once this is done we can have a look at the Client Side of things. I created a little PowerShell UI that you can deploy to your users via Intune, for example, or something similar:
The Script is also located on GitHub: Scripts/ClientSideEnablement.ps1 at main · mmeierm/Scripts (github.com)
Again, just replace the Webhook URL in the Script with the URL you saved when you created the Webhook.
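To show the client half of the exchange, here is an added, stripped-down console version of what the Client Script does (this is my example, not the UI script from the GitHub repo). It assumes the Runbook expects a JSON body with `DeviceId` and `Action` fields, reads the device ID from `dsregcmd /status`, and uses a placeholder Webhook URL that you would replace with the one saved at Webhook creation.

```powershell
# Placeholder: replace with the Webhook URL saved when the Webhook was created.
$WebhookUrl = 'https://REPLACE-ME.webhook.example.azure-automation.net/webhooks?token=REPLACE-ME'

# Read the Azure AD device ID of this machine. dsregcmd prints a line such as
# "DeviceId : <GUID>" for joined or registered devices.
$match = dsregcmd /status |
    Select-String -Pattern '^\s*DeviceId\s*:\s*([0-9a-fA-F-]{36})\s*$' |
    Select-Object -First 1

if (-not $match) {
    throw 'This device does not appear to be Azure AD joined or registered.'
}
$deviceId = $match.Matches[0].Groups[1].Value

# Let the user choose Opt-In or Opt-Out; the Runbook only accepts these two values.
$choices = @(
    [System.Management.Automation.Host.ChoiceDescription]::new('&Opt-In',  'Add this device to the group'),
    [System.Management.Automation.Host.ChoiceDescription]::new('&Opt-Out', 'Remove this device from the group')
)
$selected = $Host.UI.PromptForChoice('Device Group Membership',
    "Device ID: $deviceId`nWhat would you like to do?", $choices, 0)
$action = if ($selected -eq 0) { 'OptIn' } else { 'OptOut' }

# Post the request. Azure Automation answers a valid webhook call with HTTP 202
# and a JSON body containing the started JobIds; the group change itself runs
# asynchronously in the Runbook.
$payload = @{ DeviceId = $deviceId; Action = $action } | ConvertTo-Json
$response = Invoke-RestMethod -Method Post -Uri $WebhookUrl -Body $payload -ContentType 'application/json'

Write-Host "Request '$action' submitted for device $deviceId. Job: $($response.JobIds -join ', ')"
```

The script only ever sends the device's own ID, but it cannot enforce that, since a local user can edit it; that is why the validation and the single hard-coded group live on the Runbook side rather than in the client.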

