Microsoft Intune Cookbook (Packt, 1st Edition, published Jan 2024, ISBN-13 9781805126546)
Author: Andrew Taylor

Andrew Taylor is an End-User Compute architect with 20 years of IT experience across industries and a particular interest in Microsoft Cloud technologies, PowerShell, and Microsoft Graph. Andrew graduated with a degree in Business Studies in 2004 from Lancaster University and has since obtained numerous Microsoft certifications, including Microsoft 365 Enterprise Administrator Expert, Azure Solutions Architect Expert, and Cybersecurity Architect Expert, amongst others. He currently works as an EUC Architect for an IT company in the United Kingdom, planning and automating the products across the EUC space. Andrew lives on the coast in the North East of England with his wife and two daughters.

Creating Entra ID dynamic groups

In this recipe, we will configure Entra ID dynamic groups, where we can configure a group to automatically populate based on specified criteria. This example will cover both user and device-based queries.

Getting ready

First, load the Entra portal, expand Groups, and click on All groups (you can also access groups within the Intune portal, which loads the same window).

How to do it…

Dynamic groups are automated: you set a membership rule (the user's location, a device name prefix, and so on), and Entra ID then evaluates the rule on a schedule and adds or removes members accordingly. Evaluation is asynchronous, so there can be a delay between a user or device matching the rule and appearing in the group. Because membership is automatic, anything you assign to the group (policies, apps, licenses) flows to every object that matches, so keep rules as specific as the use case allows.

For this example, we will create one Office user group and one Autopilot device dynamic group that we can use later on.

The user group will collect any users with an Office Business license (not the Enterprise ones), while the device group will collect all of your Autopilot devices; we will cover this in more detail in Chapter 4.

Creating a dynamic Office user group

Follow these steps to create a dynamic group containing only licensed Office users:

  1. Starting with the user group, click New Group and enter the basic details:
    1. Group type: Security.
    2. Enter Group name and Group description details.
    3. Change the membership type to Dynamic User.
  2. You will notice that we have to create a dynamic query. So, click Add dynamic query. This will take you to the Configure Rules interface, where you can view the properties available and set them accordingly. If you already know the query, you can add it directly into the Rule syntax window.

    To detect Office users, we are going to check the user's assigned plans:

    1. For Property, select assignedPlans.
    2. Set Operator to Any.
    3. Set Value to (assignedPlan.servicePlanId -eq "43de0ff5-c92c-492b-9116-175376d08c38" -and assignedPlan.capabilityStatus -eq "Enabled").
    4. It should look like this in the syntax (sometimes, you may need to edit it to add the final closing bracket). The complete rule in the Rule syntax window reads (user.assignedPlans -any (assignedPlan.servicePlanId -eq "43de0ff5-c92c-492b-9116-175376d08c38" -and assignedPlan.capabilityStatus -eq "Enabled")):

Figure 1.8 – Entra ID – new dynamic rule result

  3. Now, click the Validate Rules button.
  4. Add a user who has an Office license assigned and click Select.
  5. Then, click Validate. Here, you can see I have only assigned the license to one of my two users:

Figure 1.9 – User validation results

With that, we have created a dynamic user group for users with an Office license.

To find the servicePlanId value for individual products, you can use a downloadable CSV from the Microsoft site. You can use this to create any other dynamic groups: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-service-plan-reference.
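Rather than reading the servicePlanId out of the CSV by hand, you can pull it from the SKUs your own tenant actually owns and then test the resulting rule against a specific user, the same check the Validate Rules button performs. The following script is an added example, not code from the book; it assumes the Microsoft.Graph PowerShell SDK is installed, that you can consent to the listed scopes, and that the plan name "OFFICE_BUSINESS" and the UPN user@contoso.com are placeholders you replace with your own values (confirm the plan name against the licensing service plan reference). It uses the beta evaluateDynamicMembership action to evaluate a rule for one user without creating a group.

```powershell
# Added example (not from the book): look up a servicePlanId in your own tenant,
# build the assignedPlans rule from it, and test the rule against one user
# before you create the group. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Organization.Read.All", "User.Read.All", "Group.Read.All" -NoWelcome

function Get-ServicePlanIdByName {
    param([Parameter(Mandatory)][string]$ServicePlanName)
    # Each subscribed SKU lists the service plans it bundles. A plan shared by
    # several SKUs shows up once per SKU, so collapse to the distinct ids.
    $ids = Get-MgSubscribedSku |
        ForEach-Object { $_.ServicePlans } |
        Where-Object { $_.ServicePlanName -eq $ServicePlanName } |
        ForEach-Object { $_.ServicePlanId } |
        Sort-Object -Unique
    if (-not $ids) { throw "No subscribed SKU in this tenant includes service plan '$ServicePlanName'." }
    if (@($ids).Count -gt 1) { throw "'$ServicePlanName' maps to several ids: $($ids -join ', ')" }
    return [string]$ids
}

function New-LicensedUserRule {
    param([Parameter(Mandatory)][string]$ServicePlanId)
    # The capabilityStatus clause matters: a plan whose status is Suspended or
    # Deleted can still appear in assignedPlans, so without it the rule would
    # also match users whose licence is no longer active.
    return ('(user.assignedPlans -any (assignedPlan.servicePlanId -eq "{0}" -and assignedPlan.capabilityStatus -eq "Enabled"))' -f $ServicePlanId)
}

function Test-DynamicRuleForUser {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$MembershipRule
    )
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName
    # evaluateDynamicMembership (beta) evaluates a rule for a single member
    # without creating a group, which is the check Validate Rules performs.
    $body = @{ memberId = $user.Id; membershipRule = $MembershipRule } | ConvertTo-Json
    $result = Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/beta/groups/evaluateDynamicMembership" `
        -Body $body -ContentType "application/json"
    [pscustomobject]@{
        User    = $user.UserPrincipalName
        IsMatch = [bool]$result.membershipRuleEvaluationResult
        Details = $result.membershipRuleEvaluationDetails
    }
}

# Usage. The plan name and the UPN are placeholders (assumptions for this example):
# confirm the plan name against the licensing service plan reference.
$planId = Get-ServicePlanIdByName -ServicePlanName "OFFICE_BUSINESS"
$rule   = New-LicensedUserRule -ServicePlanId $planId
Write-Host "Rule: $rule"
Test-DynamicRuleForUser -UserPrincipalName "user@contoso.com" -MembershipRule $rule
```

If IsMatch comes back false for a user you expect to match, the Details field tells you which clause failed, which is usually a plan whose capabilityStatus is not Enabled rather than a wrong servicePlanId.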

Creating a dynamic Autopilot device group

When we create our Autopilot profile later, in Chapter 4, we will configure it to automatically pick up all users/devices. However, in a pilot or Proof of Concept (PoC), we may only want to target those devices registered in Autopilot. For this, we can query the device's ZTDId tag, which Autopilot registration writes into the device's devicePhysicalIds attribute when we import the hardware hash (covered in Chapter 4).

Follow this process to create our dynamic group:

  1. Create a New Group in Entra ID, but this time, pick Dynamic Device as the membership type. Set Group type to Security. Then, add the Group name and Group description values. Finally, click Add dynamic query.
  2. This one is slightly more straightforward. Set Property to devicePhysicalIds, Operator to Any, and Value to (_ -startsWith "[ZTDid]"):

Figure 1.10 – Dynamic rule creator

  3. It should look like this (sometimes, you may need to edit it to add the final closing bracket). The complete rule reads (device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]")). Click OK on this screen:

Figure 1.11 – Dynamic device query

We do not need to validate this one as we do not have a device enrolled yet anyway.

  4. Now, click Save, then Create on the following screen.

With that, we have created our dynamic Autopilot devices group so that it is ready to enroll devices in Chapter 4.

Automating it

This script will demonstrate how we can use Graph and PowerShell to create both of our dynamic groups, demonstrating the different queries.

Dynamic Office user group

This is similar to a static group, except we must add an extra line for the dynamic rule:

  1. Connect to Graph (skip this if you are already connected) and set the necessary variables:
    Connect-MgGraph -Scopes "Group.ReadWrite.All"
    $groupname = "TestGroup123"
    $groupdescription = "TestGroupDescription"
    $membershiprule = '(user.assignedPlans -any (assignedPlan.servicePlanId -eq \"43de0ff5-c92c-492b-9116-175376d08c38\" -and assignedPlan.capabilityStatus -eq \"Enabled\"))'
    $groupnickname = ($groupname -replace '[^a-zA-Z0-9]', '').ToLower()

Important note

The rule is wrapped in single quotes so that PowerShell treats it literally, and the double quotes inside it are written as \" because the rule is about to be embedded inside a JSON string value. Without that escaping, the first inner quote would terminate the JSON string early and Graph would reject the request body.

  2. Now, give it a URL:
    $url = "https://graph.microsoft.com/beta/groups"
  3. Populate the JSON:
    $json = @"
    {
        "description": "$groupdescription",
        "displayName": "$groupname",
        "groupTypes": [
            "DynamicMembership"
        ],
        "mailEnabled": false,
        "mailNickname": "$groupnickname",
        "membershipRule": "$membershiprule",
        "membershipRuleProcessingState": "On",
        "securityEnabled": true
    }
    "@
  4. Finally, submit our Graph request:
    Invoke-MgGraphRequest -Uri $url -Method Post -Body $json -ContentType "application/json"

This script will create a dynamic group for users who have an active Office license, based on the servicePlanId and capabilityStatus of their assigned plans.

Dynamic Autopilot device group

This is the same as the user group but with a different rule. On the Graph side the group object is identical for both; what makes this a dynamic device group rather than a dynamic user group is the device. prefix on the property in the rule (device.devicePhysicalIDs instead of user.assignedPlans), so the same JSON body works for both.

We can now create a PowerShell script to create a dynamic group:

  1. Connect to Graph (skip this if you are already connected) and set the necessary variables:
    Connect-MgGraph -Scopes "Group.ReadWrite.All"
    $groupname = "TestGroup123"
    $groupdescription = "TestGroupDescription"
  2. Set the mail nickname:
    $groupnickname = ($groupname -replace '[^a-zA-Z0-9]', '').ToLower()
  3. Set the membership rule (the inner double quotes are escaped as \" for the JSON body, exactly as in the user group):
    $membershiprule = '(device.devicePhysicalIDs -any (_ -startsWith \"[ZTDid]\"))'
  4. Set the URL:
    $url = "https://graph.microsoft.com/beta/groups"
  5. Populate the JSON (note that membershipRule is a quoted string value):
    $json = @"
    {
        "description": "$groupdescription",
        "displayName": "$groupname",
        "groupTypes": [
            "DynamicMembership"
        ],
        "mailEnabled": false,
        "mailNickname": "$groupnickname",
        "membershipRule": "$membershiprule",
        "membershipRuleProcessingState": "On",
        "securityEnabled": true
    }
    "@
  6. Finally, submit our Graph request:
    Invoke-MgGraphRequest -Uri $url -Method Post -Body $json -ContentType "application/json"

We now have a script for creating our dynamic Autopilot group.
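Hand-built JSON is where the quoting mistakes in this recipe come from, and re-running either script creates a second group with the same name. The following script is an added example, not code from the book: it creates both dynamic groups from one function, lets ConvertTo-Json escape the rule's quotes, skips groups that already exist (and warns if the existing rule differs), and reports the current member count so you can re-run it to watch the asynchronous evaluation populate the groups. It assumes the Microsoft.Graph PowerShell SDK and the Group.ReadWrite.All scope; the group names and descriptions are placeholders, while the two rules are the ones used in this recipe.

```powershell
# Added example (not from the book): create both dynamic groups idempotently,
# with ConvertTo-Json doing the quoting instead of hand-escaped \" in a here-string.
Connect-MgGraph -Scopes "Group.ReadWrite.All" -NoWelcome

function New-DynamicGroupIfMissing {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$Description,
        [Parameter(Mandatory)][string]$MembershipRule
    )
    # Look for an existing group with this name first. A single quote inside an
    # OData string literal has to be doubled, or the filter is malformed.
    $escapedName = $DisplayName -replace "'", "''"
    $existing = (Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/beta/groups?`$filter=displayName eq '$escapedName'&`$select=id,displayName,membershipRule,groupTypes").value
    if ($existing) {
        $g = $existing[0]
        if ($g.membershipRule -ne $MembershipRule) {
            Write-Warning "Group '$DisplayName' already exists with a different rule: $($g.membershipRule)"
        }
        return $g
    }

    # ConvertTo-Json escapes the double quotes inside membershipRule for us and
    # keeps groupTypes as a one-element array, so no manual \" is needed.
    $body = [ordered]@{
        displayName                   = $DisplayName
        description                   = $Description
        mailEnabled                   = $false
        mailNickname                  = ($DisplayName -replace '[^a-zA-Z0-9]', '').ToLower()
        securityEnabled               = $true
        groupTypes                    = @("DynamicMembership")
        membershipRule                = $MembershipRule
        membershipRuleProcessingState = "On"
    } | ConvertTo-Json -Depth 3

    Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" `
        -Body $body -ContentType "application/json"
}

function Get-GroupMemberCount {
    param([Parameter(Mandatory)][string]$GroupId)
    # $count on a members collection is an advanced query and needs the
    # ConsistencyLevel: eventual header; $top=1 keeps the payload small.
    $resp = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/groups/$GroupId/members?`$count=true&`$top=1" `
        -Headers @{ ConsistencyLevel = "eventual" }
    return [int]$resp.'@odata.count'
}

# The user. / device. prefix on the property is what makes each group a dynamic
# user or dynamic device group; the group object itself is the same.
$groups = @(
    @{ DisplayName    = "Dyn-Office-Users"          # placeholder name
       Description    = "Users with an enabled Office Business service plan"
       MembershipRule = '(user.assignedPlans -any (assignedPlan.servicePlanId -eq "43de0ff5-c92c-492b-9116-175376d08c38" -and assignedPlan.capabilityStatus -eq "Enabled"))' },
    @{ DisplayName    = "Dyn-Autopilot-Devices"     # placeholder name
       Description    = "All devices registered in Windows Autopilot"
       MembershipRule = '(device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]"))' }
)

foreach ($spec in $groups) {
    $group = New-DynamicGroupIfMissing @spec
    # Membership is evaluated asynchronously, so zero right after creation is
    # normal; re-run the script later and the count shows when it has populated.
    $count = Get-GroupMemberCount -GroupId $group.id
    "{0} ({1}): {2} member(s) so far" -f $group.displayName, $group.id, $count
}
```

If a group already exists with the right name but a different rule, the script deliberately does not overwrite it: changing a dynamic rule re-evaluates every member and can silently swap the population that existing assignments target, so that decision is left to you.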
