This script creates dynamic Azure AD groups using the Microsoft Graph PowerShell SDK module.

The idea is that organizations have different Autopilot profiles. These can differ by region, language or other criteria.

To roll these out with as little effort as possible, it is recommended to work with dynamic Azure AD groups.

Microsoft offers the option of assigning Group Tags (also called Order IDs) to Autopilot devices. Since each Autopilot profile uses a dedicated tag, a matching dynamic group can be created for it.

When this script is used, a dynamic group is created whose name always follows this pattern:

Intune-PROD_Autopilot_Devices_$OrderID

 

When the script is executed, a pop-up window appears in which the corresponding tag must be entered. The dynamic group is then created with that value as the variable part of its name.

A dynamic group works with so-called membership rules. This script creates the rule as follows: (device.devicePhysicalIds -any (_ -eq "[OrderID]:$OrderID")), where the variable $OrderID is exactly the same value that forms the variable part of the group name.

Example of use:

The script itself does not require any modifications before it is executed. After accepting the licence conditions, a pop-up window appears in which the desired tag ID can be entered.
The next step checks whether the required PowerShell module is already installed. If it is not, the script attempts to install it automatically. (Note: the PowerShell module can only be installed with elevated permissions.)

The user can then sign in with their credentials. Finally, the required Graph permissions are requested. These must be consented to so that the script can do its work.

The required permissions for this script are:

Group.ReadWrite.All, GroupMember.ReadWrite.All, User.ReadWrite.All

Now the desired group is created.
When the script has done its work, the new dynamic group is visible in the Azure AD portal. As explained in the introduction, the name of the dynamic group consists of the static part Intune-PROD_Autopilot_Devices_ followed by the dynamic part as entered.
If we look at the group, we also see that the required membership rule has been created correctly.
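The procedure above, from the tag prompt to the finished group, together with the membership rule described earlier in the post, as an added example written for this edit. It is not the MSB365 script itself: it replaces the pop-up with a console prompt, uses the Microsoft Graph PowerShell SDK cmdlets Install-Module, Connect-MgGraph, Get-MgGroup and New-MgGroup, and assumes an interactive sign-in to a tenant that is licensed for dynamic group membership (Azure AD Premium P1). The group-name prefix, the description text and the input validation pattern are choices made for this example.

```powershell
# Added example (not the MSB365 script): create the dynamic Autopilot group
# described in the article with the Microsoft Graph PowerShell SDK.
# Assumptions: interactive sign-in, Azure AD Premium P1 for dynamic groups,
# and PowerShellGet available so that Install-Module works.

$Prefix = 'Intune-PROD_Autopilot_Devices_'   # static part of the group name

# 1. Ask for the Group Tag / Order ID. The article's script uses a pop-up
#    window; a console prompt keeps this example self-contained.
$OrderID = Read-Host -Prompt 'Enter the Autopilot Group Tag (Order ID)'
if ([string]::IsNullOrWhiteSpace($OrderID) -or $OrderID -notmatch '^[A-Za-z0-9_\-]+$') {
    # Restricting the tag to a safe character set keeps the value usable in the
    # group name, the mailNickname and the OData filter below.
    throw "Invalid Group Tag '$OrderID': use letters, digits, '-' or '_' only."
}

# 2. Make sure the Graph Groups module is present. -Scope CurrentUser avoids
#    the need for an elevated session.
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Groups)) {
    Install-Module -Name Microsoft.Graph.Groups -Scope CurrentUser -Force
}
Import-Module Microsoft.Graph.Groups

# 3. Sign in and request the delegated permissions named in the article.
#    Creating the group itself only needs Group.ReadWrite.All; the other two
#    scopes are included because the article's script asks for them.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'GroupMember.ReadWrite.All', 'User.ReadWrite.All'

# 4. Build the name and the membership rule exactly as the article describes.
$GroupName = "$Prefix$OrderID"
$Rule      = '(device.devicePhysicalIds -any (_ -eq "[OrderID]:' + $OrderID + '"))'

# 5. Do not create a duplicate if a group with this name already exists.
$Existing = Get-MgGroup -Filter "displayName eq '$GroupName'"
if ($Existing) {
    Write-Warning "Group '$GroupName' already exists (Id $($Existing.Id)); nothing created."
    return
}

# 6. Create the dynamic security group. mailNickname is mandatory even for
#    mail-disabled groups and must not contain spaces or special characters,
#    so it is derived from the display name.
$Group = New-MgGroup -DisplayName $GroupName `
    -Description "Autopilot devices with Group Tag $OrderID" `
    -MailEnabled:$false `
    -MailNickname ($GroupName -replace '[^A-Za-z0-9_\-]', '') `
    -SecurityEnabled:$true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $Rule `
    -MembershipRuleProcessingState 'On'

Write-Host "Created '$($Group.DisplayName)' (Id $($Group.Id))"
Write-Host "Membership rule: $($Group.MembershipRule)"
```

Two details matter when adapting this: the existence check makes the script safe to run twice for the same tag, and the consent prompt shown by Connect-MgGraph lists every requested scope, so reviewers can see that group creation alone would be covered by Group.ReadWrite.All if the remaining scopes are not needed for other tasks. Dynamic membership is evaluated asynchronously, so devices with the matching Group Tag appear in the group some minutes after the first Autopilot registration, not immediately.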

The new script can be downloaded free of charge from the following link (in the logo).

As always with my scripts, the same applies here:

The script can be used free of charge as described in the licence conditions. Changes are also allowed. However, when distributing or using the individual modules, reference must be made to this article and the MSB365 blog.

I strongly recommend testing the script in a LAB the first time you use it.

Likewise, I assume no liability for possible damage that the script may cause.

It is not allowed to pass on this script or individual modules to third parties for a fee. We follow the approach: from the community, for the community.