Manage Entra Groups with the Graph API

In my previous blog [Win32 App Deployment with Intune Supersedence Rules] I explained how to update Win32 applications deployed within Microsoft Intune by using the supersedence feature. Although the process is typically straightforward, the requirement of keeping a security group populated with all user or device objects can make the task time-consuming. This isn’t a big deal in small organizations; however, large organizations may have hundreds or thousands of objects that need to be added or removed. Performing these tasks by hand is less than ideal and can take a substantial amount of time.

This article explains how to use the Microsoft Graph API to automate membership of a security group in five simple steps.

  1. Install the required Microsoft Graph API modules.

If you don’t have the following modules installed, you will first need to install them using this command:

Install-Module -Name Microsoft.Graph.Users, Microsoft.Graph.Groups, Microsoft.Graph.DeviceManagement, Microsoft.Graph.Devices.CorporateManagement
  2. Connect to the Microsoft Graph API.

Next, you’ll want to connect to the Graph API with the required scopes and select the beta API profile. The permissions outlined below are the minimum required when utilizing the cmdlets identified later.

$scopes = @("DeviceManagementApps.Read.All","DeviceManagementManagedDevices.Read.All","User.Read.All","GroupMember.ReadWrite.All","Group.ReadWrite.All")
Connect-MgGraph -Scopes $scopes
Select-MgProfile -Name beta
  3. Retrieve the Win32 application and its installed users or devices.

Once connected to the Graph API with the appropriate scopes and profile, you’ll want to request the application and its installations. The command below will also ensure that the application requested has an assignment applied. If there are no assignments, then no action is necessary.

$Name = "Application Name"
$application = Get-MgDeviceAppMgtMobileApp -Filter "DisplayName eq '$Name'" | Where-Object IsAssigned -eq $true

# Request the install status records once, then split them into unique users and unique Intune device IDs
$applicationInstallations = Get-MgDeviceAppMgtMobileAppDeviceStatuses -MobileAppId $application.Id
$applicationInstallationsUsers = $applicationInstallations.UserPrincipalName | Sort-Object -Unique
$applicationInstallationsDevices = $applicationInstallations.DeviceId | Sort-Object -Unique
  4. Create a new security group for the Win32 application.

You’ll need a security group to contain the users or devices returned for the application. Once the security group is created, the group’s object ID must be acquired.

$groupParams = @{
    Description = "Group containing users or devices with $($application.DisplayName) installed"
    DisplayName = $Name
    MailEnabled = $false
    MailNickname = "NotSet"
    SecurityEnabled = $true
}
# New-MgGroup returns the created group, so its object ID can be taken directly from the result
$group = New-MgGroup -BodyParameter $groupParams
$groupId = $group.Id
  5. Add each user or device to the security group.

If the application is targeted to users, the following code will retrieve each user object ID and add the users to the security group.

foreach ($user in $applicationInstallationsUsers) {
    # Get-MgUser accepts the user principal name and returns the Entra object ID
    $userObjectId = (Get-MgUser -UserId $user).Id
    New-MgGroupMember -GroupId $groupId -DirectoryObjectId $userObjectId
}

Otherwise, if the application is targeted to devices, the following code will take the Intune object ID provided by the earlier application installation output, find the associated Entra (formerly Azure AD) object ID, and add the device object to the security group.

foreach ($device in $applicationInstallationsDevices) {
    # Retrieve the device's Azure (Entra) device ID from its Intune managed device ID
    $deviceAzureId = (Get-MgDeviceManagementManagedDevice -ManagedDeviceId $device).AzureActiveDirectoryDeviceId

    # Retrieve the directory object ID from the Azure device ID
    $deviceObjectId = (Get-MgDevice -Filter "DeviceId eq '$deviceAzureId'").Id

    New-MgGroupMember -GroupId $groupId -DirectoryObjectId $deviceObjectId
}
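The five steps above create the group and add members once. For scheduled runs, the following added example (not from the original post) reconciles the group against the current install list: it reuses an existing group instead of creating a duplicate, removes members that no longer report an install, and refuses to empty the group if the status query returned nothing. It assumes $Name, $groupParams, $applicationInstallationsUsers and $applicationInstallationsDevices from the steps above and the same connected Graph session.

```powershell
# Added example, not from the original post. Assumes $Name, $groupParams,
# $applicationInstallationsUsers and $applicationInstallationsDevices from the
# steps above and an existing Connect-MgGraph session with the same scopes.

# Reuse the group if it already exists so repeated runs do not create duplicates.
$group = Get-MgGroup -Filter "DisplayName eq '$Name'" | Select-Object -First 1
if (-not $group) { $group = New-MgGroup -BodyParameter $groupParams }
$groupId = $group.Id

# Resolve the desired membership to Entra object IDs; report anything that
# cannot be resolved instead of aborting the whole run.
$desired = [System.Collections.Generic.HashSet[string]]::new()
foreach ($user in $applicationInstallationsUsers) {
    $id = (Get-MgUser -UserId $user -ErrorAction SilentlyContinue).Id
    if ($id) { [void]$desired.Add($id) } else { Write-Warning "User not found: $user" }
}
foreach ($device in $applicationInstallationsDevices) {
    $managed = Get-MgDeviceManagementManagedDevice -ManagedDeviceId $device -ErrorAction SilentlyContinue
    $id = $null
    if ($managed.AzureActiveDirectoryDeviceId) {
        $id = (Get-MgDevice -Filter "DeviceId eq '$($managed.AzureActiveDirectoryDeviceId)'").Id
    }
    if ($id) { [void]$desired.Add($id) } else { Write-Warning "Device not resolved: $device" }
}

# Read the current membership completely (-All follows paging for large groups).
$current = [System.Collections.Generic.HashSet[string]]::new()
Get-MgGroupMember -GroupId $groupId -All | ForEach-Object { [void]$current.Add($_.Id) }

# Safety check: an empty install list with a populated group usually means the
# status query failed, so stop rather than removing every member.
if ($desired.Count -eq 0 -and $current.Count -gt 0) {
    throw "No installs resolved; refusing to empty the group (check the status query)."
}

# Apply only the delta: add what is missing, remove what no longer has an install.
$toAdd    = @($desired | Where-Object { -not $current.Contains($_) })
$toRemove = @($current | Where-Object { -not $desired.Contains($_) })
foreach ($id in $toAdd)    { New-MgGroupMember -GroupId $groupId -DirectoryObjectId $id }
foreach ($id in $toRemove) { Remove-MgGroupMemberByRef -GroupId $groupId -DirectoryObjectId $id }

Write-Host "Added $($toAdd.Count), removed $($toRemove.Count); group tracks $($desired.Count) objects."
```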

If you plan on automating this process to execute at scheduled intervals, we highly recommend utilizing Azure Automation. David Conners’ article series (see “Authentication Options for Automated Azure PowerShell Scripts, Part 1: Service Account vs. App Registration,” along with Part 2 and Part 3) provides details on how to authenticate the script securely using either certificates or managed identities.

Ravenswood has experts available to assist with streamlining management of your deployed Win32 applications. Contact our team to see how we can help with your project.
