Add a device to a AD DS group via Endpoint Manager

Kjetil Hagen 1 Reputation point
2022-03-16T10:44:31.597+00:00

Hi

I have a domain with Hybrid Azure AD joined devices. Because of some services that is running in the local domain, all devices needs to be in a local group with a GPO connected to it. I have a setup where I use Endpoint Manager with automated join both in AAD and ADDS (Hybrid Azure AD join) and a Autopilot setup that is working fine. When a device is enrolled the computer joins the groups it shall in AAD and the default Domain Computers in ADDS. After the device have enrolled I have to add the device(s) manually to the ADDS groups.

Is there a way to automate the manual task either via Endpoint Managers policy settings or via running a Powershell script in Endpoint Manager?

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,776 questions
Windows Autopilot
Windows Autopilot
A collection of Microsoft technologies used to set up and pre-configure new devices and to reset, repurpose, and recover devices.
411 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,383 questions
0 comments

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Crystal-MSFT 43,311 Reputation points Microsoft Vendor
    2022-03-17T02:51:14.023+00:00

    @Kjetil Hagen , To add device to ADDS group,I have a thought for the reference:

    1. We can collect these device name into a CSV. For instance, we can run a Powershell script on the device to collect the hostname to CSV.
    2. Then we can create a task on DC to add these computers into the ADDS group. here is a link I find with the script "Add Computers to Group from CSV" we can try:
      https://shellgeek.com/add-computer-to-group-using-add-adgroupmember/
      Note: Non-Microsoft link, just for the reference.

    Hope it can help.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments
  2. Kjetil Hagen 1 Reputation point
    2022-03-17T06:58:19.903+00:00

    Hi Crystal

    Thank You for the reply.

    I can see that this can solve the issue but this involves to much manual work. I want to automate the process. It is easier to add the devices manually via AD Users and Computers. I was looking for an solution who did this via Microsoft Endpoint Manager. If there is a way to either set this up by templates or by powershell script.

    0 comments
  3. Limitless Technology 39,381 Reputation points
    2022-03-17T09:42:03.837+00:00

    Hi @Kjetil Hagen

    You can certainly add devices through Powershell. Please refer to this article:

    https://learn.microsoft.com/en-us/powershell/module/azuread/add-azureaddeviceregistereduser?view=azureadps-2.0

    Scenario 1: You have the Azure AD Object IDs for the devices.

    In this case, we can directly make use of the Add-AzureADGroupMember cmdlet that adds a member to a group.

    1) Add-AzureADGroupMember -ObjectId "62438306-7c37-4638-a72d-0ee8d9217680" -RefObjectId "0a1068c0-dbb6-4537-9db3-b48f3e31dd76"
    For more information on Add-AzureADGroupMember, please visit this link.

    Scenario 2: You do not have their AAD Object IDs. Instead you have the device Names and their Azure AD Device IDs. In this case, we will first try to get the Object IDs for each device so that we can use Add-AzureADGroupMember cmdlet.

    To proceed, let’s create a csv file named DevicesToAdd.csv which have two columns with headers in the below format:

    DeviceName,azureADDeviceId
    james-laptop,2bb27401-6b71-4c43-8b1d-ccd81e4f6623
    James-surface,46d6c1fe-c099-420a-994e-d3f0db447983

    Copy the below script:

    $groupName = "myAADGroupName"  
try {  
    $deviceList = Import-Csv -Path "D:\DevicesToAdd.csv"  
    Connect-AzureAD  
    $groupObj = Get-AzureADGroup -SearchString $groupName  
    foreach ($device in $deviceList) {  
        $deviceObj = Get-AzureADDevice -SearchString $device.DeviceName  
        if($deviceObj -ne $null){  
            try{  
                foreach($dev in $deviceObj){  
                    if($dev.DeviceId -eq $device.azureADDeviceId){  
                        Add-AzureADGroupMember -ObjectId $groupObj.ObjectId -RefObjectId $dev.ObjectId         
                    }  
                }     
            }  
            catch{}  
        }  
        else{  
           Write-Host "No device found:$($device.DeviceName)"  
        }  
    }  
}  
catch {  
    Write-Host -Message $_  
}

    Script explanation:
    i. The script creates a variable $groupName which stores the AAD group name.
    ii. The variable $deviceList contains all the devices from the csv file.
    iii. Connect-AzureAD connects you to the Azure Active Directory
    iv. It gets the details of the group so that its object ID can be used later.
    v. For each device in the list, the script calls the Get-AzureADDevice cmdlet to get the device details. However, duplicate device names or display names can exist. So, it checks for the specific device in your list by comparing the device ID.
    vi. Upon successful comparison, the right device is added to the group using its ObjectID with the help of Add-AzureADGroupMember cmdlet.

    I do hope this answers your question.

    Thanks.

    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments
  4. Kjetil Hagen 1 Reputation point
    2022-03-17T10:23:49.65+00:00

    Hi LimitLessTech

    Both You and Crystal are giving a solution that I can use. But I think you both are misunderstanding my goal a little bit. I really appreciate both your solution.

    I have everything I need when it comes to the devices info and the devices are Hybrid Azure AD Joined. The policy I want to add to the devices are on the ON-Prem side and are linked to a group. My goal is to automate this via Microsoft Endpoint Manager/Intune when I add devices to Autopilot and add a policy in the process to add the device to the On-Prem policy, if it is possible. If it is not possible to do that then it is OK. I simply have to add the device to the group manually. And update my documentation.