First we need to create a security group in Azure AD that contains the users we want added to the built-in Administrators group on the devices we assign it to.
Sign in to the Azure portal, open Azure Active Directory -> Groups, create a new security group, and make sure to add one or more users to it!
Get the group's Object ID by viewing its properties.
Add the group's Object ID to the script, in the “CONFIG” section.
Registering an application, in order to gain API access for the PowerShell script.
If you don’t know the basics of getting API access via an app registration in Azure AD, then it’s about time, bro!
Let’s get to it! (Don’t worry, we are doing the simplest form of app registration – Easy Peasy, Kanye is Jeezy.)
Go to your Azure Active Directory blade, in the Azure Portal, and click on “App Registrations” -> “New application registration”.
Now in the “Create” blade, fill in like this (the URL is just a placeholder, as we won’t be using it, but the field is required):
…and click on the blue “Create” button at the bottom of the blade.
On the next blade that appears, you are immediately presented with one of the things we need, namely the “Application ID”. Copy that sucker and paste it into the CONFIG section of the PowerShell script.
Now click the blue “Settings” gear icon.
Next we create a key to give our script access.
Click on “Keys“
Enter a description (important if you later have to replace a key because it might have been compromised, so keep track of these!).
Choose an expiration date for the key (I chose never, so I don’t have to deal with any s**t in a few years, lol). One caveat before you do the same: this key ends up inside a script that Intune ships to every device you assign it to, so treat it as readable by anyone who is already a local admin on one of those devices. A key that never expires is a permanent credential for the app, so keep the app’s permission to the read-only one we grant below, pick an expiry you actually track, and rotate the key if you suspect it has been exposed.
Notice that the key will only be shown upon saving – so click on “Save” and copy-paste the key into the CONFIG section of the script.
Now we need to assign the appropriate permission in Azure AD for the script…
Close the “Keys” blade, so you are back at the “Settings” blade.
Click on “Required Permissions”.
Take a close look – a lot is going on here:
So first, we click on “Windows Azure Active Directory”, which opens up the “Enable Access” blade.
Here we deselect any defaults and tick only the box next to “Read Directory Data”, and click on “Save”. Make sure it is the one listed under Application Permissions: the script runs with the app’s own key and no signed-in user, so a delegated permission would not do it any good.
After that ordeal, we click on “Grant permissions”, and accept that we are now consenting, for the whole tenant, to the app getting the permission we just requested.
Now you can close all the blades – this part is d o n e ! #phew
Getting the Tenant ID (Directory ID)
This might be the easiest thing in the world for some people, but here is how to find your tenant ID in Azure Active Directory.
Go to the Azure portal – open the Azure Active Directory service from the left-hand menu – click “Properties”, and there it is as “Directory ID”… ready to be copied into the CONFIG section of the script.
Yup! That’s all there is to it.
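To make the four CONFIG values concrete, here is an added example of the kind of script this post deploys. It is not the author’s script (that one you download and read through yourself); the CONFIG variable names are assumptions, and it talks to Microsoft Graph rather than the legacy Azure AD Graph that the “Read Directory Data” permission above belongs to (on Microsoft Graph the equivalent application permission is Directory.Read.All, or the narrower GroupMember.Read.All). It gets a token with the app’s key (the client-credentials flow), reads the group’s user members, and adds each one to the local Administrators group by SID, which works on an Azure AD joined device even when the “AzureAD\user@domain” name cannot be resolved:

```powershell
# Added example, not the author's script: reads the members of one Azure AD group
# and makes them local Administrators on the device. The CONFIG names and the use
# of Microsoft Graph instead of the legacy Azure AD Graph are assumptions.
# Assumes Windows PowerShell 5.1 on an Azure AD joined device, running as SYSTEM
# (the Intune default), with outbound HTTPS to login.microsoftonline.com and
# graph.microsoft.com.

#region CONFIG - the four values collected in the steps above
$TenantId      = "00000000-0000-0000-0000-000000000000"  # Directory ID
$ClientId      = "00000000-0000-0000-0000-000000000000"  # Application ID
$ClientSecret  = "paste-the-key-here"                    # Key - lands on every device, keep the app read-only
$GroupObjectId = "00000000-0000-0000-0000-000000000000"  # Azure AD security group
$LocalGroup    = "Administrators"
#endregion

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-GraphToken {
    # OAuth2 client-credentials grant: no user involved, just the app registration and its key.
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
    $uri  = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    $resp = Invoke-RestMethod -Method Post -Uri $uri -Body $body -ContentType 'application/x-www-form-urlencoded'
    return $resp.access_token
}

function Get-GroupUserMembers {
    # Returns the user objects that are direct members of the group, following @odata.nextLink paging.
    param([string]$Token, [string]$GroupObjectId)
    $headers = @{ Authorization = "Bearer $Token" }
    $uri     = "https://graph.microsoft.com/v1.0/groups/$GroupObjectId/members"
    $users   = @()
    while ($uri) {
        $page   = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        $users += $page.value | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.user' }
        $uri    = $page.'@odata.nextLink'   # $null on the last page, which ends the loop
    }
    return $users
}

function Convert-ObjectIdToSid {
    # Azure AD users are known to the local SAM as S-1-12-1-<GUID as four uint32 values>,
    # so adding by SID works even when the "AzureAD\user@domain" name can't be resolved.
    param([string]$ObjectId)
    $bytes = [guid]::Parse($ObjectId).ToByteArray()
    $parts = New-Object 'uint32[]' 4
    [Buffer]::BlockCopy($bytes, 0, $parts, 0, 16)
    return 'S-1-12-1-' + ($parts -join '-')
}

# --- main ---
$token = Get-GraphToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret
$users = Get-GroupUserMembers -Token $token -GroupObjectId $GroupObjectId
Write-Output "Group $GroupObjectId has $($users.Count) user member(s)."

foreach ($user in $users) {
    $sid = Convert-ObjectIdToSid -ObjectId $user.id
    try {
        Add-LocalGroupMember -Group $LocalGroup -Member $sid -ErrorAction Stop
        Write-Output "Added $($user.userPrincipalName) ($sid) to $LocalGroup."
    }
    catch {
        # Already a member, or the SID could not be added: report it and keep going.
        Write-Output "Skipped $($user.userPrincipalName): $($_.Exception.Message)"
    }
}

# Intune runs this once per device. Users removed from the Azure AD group are NOT
# removed from the local group here; that would need a second pass over the current
# local members and is deliberately left out of this example.
```

Two things worth noting about the design: the script only ever adds members, so removing someone from the Azure AD group does not take away local admin rights on devices the script already ran on, and the secret is a plain string in CONFIG, which is exactly why the app registration should hold nothing beyond the read-only directory permission.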
Now on to the final part!
Publishing the PowerShell script with Intune.
While signed-in to the Azure portal as your tenant, open “Intune”.
From the Intune portal, go to “Device Configuration” -> “PowerShell scripts” and click the blue “+ Add” button, to add the script.
Now fill in a Name and Description, and select the script file to be uploaded.
Afterwards go directly to the blue “Create” button at the bottom of the blade; the default settings are fine, since the script has to run in the system context to change the local Administrators group, and that is how Intune runs it unless you tick the option to run it with the logged-on user’s credentials.
You should be familiar with assigning the script to some devices, so this guide will not cover that in detail.
However, please consider scoping the assignment to device groups instead of just assigning the script to all devices (it’s best practice yo!).
Advanced use cases
For some more advanced use cases, one could create multiple versions of the script that each source their members from a different security group.
This would allow you to assign different administrators to separate sets of devices.
The scenario could be one where local IT staff exist in branch offices, and they have no business handling devices that don’t belong to their branch.
To do this, you would create multiple PowerShell Device Configurations, each with a script pointing at a different security group, and assign each of them to a different device group.
More could be done, but this was just one quick example…
NB: The downside of adding any PowerShell script via Intune is that it only runs once per device. So if the group membership changes, you will need to delete the policy and recreate it to make the script run again. I have another workaround for this in my blog post here: https://www.iphase.dk/force-reload-intune-powershell-scripts/ ALSO: read the script through; there are experimental features in there you might need!
As always, I welcome any ideas, script changes, remote work gigs, and dad jokes.
Hope you found this article useful; if so, PLEASE @mention me or follow me on Twitter: @michael_mardahl
Michael works as a Cloud Architect with APENTO in Denmark, specializing in customer journeys from classic infrastructure to cloud consumption.
He has been in the IT industry for more than 20 years and has experience from a broad range of IT projects.
When not at work, Michael enjoys spending time with family and friends, and blogs passionately about Enterprise Mobility whenever he has time to spare.