Today I want to show you a little script that allows you to dynamically populate an Entra ID group with Intune devices that were enrolled after a given date. This can be useful in scenarios where you want to roll out a new feature to newly enrolled devices without touching existing devices. Unfortunately, this is currently not possible with the built-in dynamic group membership rules, and also not via assignment filters in Intune.
Entra ID Group
The first thing we have to prepare is the Entra ID group that we will use. Simply create a static Entra ID group and give it a name.
Once the group is created, note its Object ID; we will need this ID later in our Runbook script.
Azure Automation Account
The next step is to create an Azure Automation Account. If you already have an Azure Automation Account, you can skip this part.
Let’s start with the Automation Account itself; we can simply add it to an existing Azure AD subscription from the Azure Marketplace:
Make sure to enable the system managed identity. We will need it to assign the permissions that our script requires.
Once the deployment is finished, we can add the needed script to a new Runbook. You can find the script in my GitHub repo: https://github.com/mmeierm/Scripts/tree/main/DynamicGroupByEnrollmentData
Just replace the GroupID with the ID of our newly created Entra group. Also modify the enrollment date variable to match your needs, and finally copy the script to the new Runbook.
Once we have created the Runbook, we can assign the needed permissions to the system managed identity. Just replace the ID in the script with the Object ID shown on the Identity tab of the Automation Account.
You can find the script that assigns the permissions here: https://github.com/mmeierm/Scripts/blob/main/DynamicGroupByEnrollmentData/GroupMembership-ByEnrollmentData_AddPermissions.ps1
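To illustrate what such a Runbook does end to end, here is an added example written for this post; it is not the author's script from the linked repo. It assumes the Microsoft.Graph PowerShell SDK modules are imported into the Automation Account, that the managed identity holds only the three application permissions named in the comments, and that the GroupId is a placeholder you replace.

```powershell
# Added example runbook (not the script from the GitHub repo above).
# Assumes the Microsoft.Graph.Authentication, .DeviceManagement, .Groups and
# .Identity.DirectoryManagement modules are imported into the Automation Account,
# and that the system managed identity holds only these application permissions:
#   DeviceManagementManagedDevices.Read.All, Device.Read.All, GroupMember.ReadWrite.All
param(
    # Placeholder: Object ID of the static Entra ID group created earlier
    [string]$GroupId = '00000000-0000-0000-0000-000000000000',
    # Devices enrolled on or after this point in time (UTC) become members
    [datetime]$EnrolledAfter = '2024-01-01T00:00:00Z'
)

# Authenticate as the Automation Account's system managed identity (no stored secret)
Connect-MgGraph -Identity -NoWelcome

# Pull all Intune managed devices and filter on the enrollment date client-side,
# which avoids depending on server-side $filter support for this property
$newDevices = Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.EnrolledDateTime -ge $EnrolledAfter.ToUniversalTime() }
Write-Output "Devices enrolled after $EnrolledAfter : $($newDevices.Count)"

# Snapshot current members so repeated runs are idempotent and only add what is missing
$existing = @{}
Get-MgGroupMember -GroupId $GroupId -All | ForEach-Object { $existing[$_.Id] = $true }

foreach ($dev in $newDevices) {
    if ([string]::IsNullOrEmpty($dev.AzureAdDeviceId)) {
        Write-Warning "Skipping '$($dev.DeviceName)': no Entra device id recorded in Intune"
        continue
    }
    # Intune's AzureAdDeviceId is the Entra 'deviceId' attribute, not the directory
    # object id, so resolve it to the directory object that can be a group member
    $entraDevice = Get-MgDevice -Filter "deviceId eq '$($dev.AzureAdDeviceId)'" |
        Select-Object -First 1
    if (-not $entraDevice) {
        Write-Warning "Skipping '$($dev.DeviceName)': not found in Entra ID"
        continue
    }
    if ($existing.ContainsKey($entraDevice.Id)) { continue }

    New-MgGroupMemberByRef -GroupId $GroupId -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($entraDevice.Id)"
    }
    Write-Output "Added '$($dev.DeviceName)' ($($entraDevice.Id)) to group $GroupId"
}
```

The Write-Output lines end up in the Runbook job output, which is where you would check each scheduled run for unexpected additions or skipped devices.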
Test and schedule the Runbook
Once you have finished all prerequisites, you can test the script for the first time:
If everything worked, you should now have an Entra ID group containing all Intune managed devices with an enrollment date after the one you defined in the script:
As a last step, you can link the Runbook to a schedule based on your requirements.
Conclusion
With this little script, you now have the option to target apps or policies in Intune to newly enrolled devices. In my opinion, this can be helpful for rollouts of bigger changes where you don’t want to target all existing devices. Hopefully, sometime in the future such a dynamic membership can be achieved with built-in tools like assignment filters in Intune, but for now we at least have an option to use the enrollment date.