Time based Group membership for Entra devices – Part 2

As promised last week, here is part 2 of my time-based group membership. In this part, I will show you, how you can use the backend from part 1 to allow admins to add Intune managed devices to the group using a PowerApp.


Let’s start with importing the PowerApp:

You can find the sources on my GitHub: https://github.com/mmeierm/Scripts/blob/main/Time-based-Groupmembership/TimeBasedGroups_20240609105421.zip

App registration

For the newly created Get-Devices Flow, we need an Entra App registration, to get the permissions to list all Intune Devices.

Give it a name:

Next, we can assign the needed Graph API permission

We need the Permission “DeviceManagementManagedDevices.Read.All” to read all Intune Devices:

Grant admin consent:

And create an app secret, that we will use in our Flow:

Make sure, to save the secret somewhere secure, since you can’t view it later:

Power Automate Flow

Now that we have the needed prerequisites, we can modify our Power Automate Flows to match our environment. You should be able to see the two fresh created flows, which are still disabled:

Let’s start with the “TimeBased-Get-Devices” flow, we have to edit the HTTP step, to add the Tenant ID, the Client ID and the secret of the App registration, that we just created.

Once you save the changes, we can turn on the flow and go to the next flow:

In the “TimeBased-Add-Devices” flow, we again just have to modify the HTTP step, we need to add the Webhook URL from the Azure Automation Runbook of part 1 and the GroupID of the Time-based Entra Group:

Once this is done and the flow is enabled, we should be good to go.

Admin experience

You can start the App and search for a Serial Number of any Intune Device:

At the first start, you need to approve the connection to Office 365 to allow us to show your profile picture:

Once you found the device that you want to add, you can simply click on it, to see more details:

If you are happy with your choice, you can click on “Add Device”, which will start the Azure Automation Runbook from part 1:


If you don’t feel comfortable with the user self-service from part 1 which has a potential risk of misuse through the end user, or you just want to have an additional way to use the time-based device groups, you now have the option. This variant also has the potential to allow your first level support guys to have a quick and easy way to help your users, without needed to have high privileged roles.





Leave a Reply

Your email address will not be published. Required fields are marked *