Populate an Intune/MS Endpoint Manager Device Group based on a User Group
Question
How can you create a device group, based on membership in a user group in Azure/Intune/MS Endpoint Manager?
Ideally, there should be a means of using a dynamic group query in Azure/Intune/MS Endpoint Manager to populate a device group based on a user group. Unfortunately, the fields needed to do this do not appear to be exposed to the group dynamic membership query environment/engine. I've submitted the feature request to MS, but in the interim was looking for another pathway to solve this need.
Answer 1
Score: 0
Unfortunately, this functionality does not exist as of yet. I've submitted the feature request to MS, but in the interim developed a PowerShell script to solve this need, and wanted to share it as I found no posting of such a script anywhere I searched. It could be tailored for other uses, and could have other functionality added, but for now it's a good start for someone needing a base for this type of need (i.e. the folks in accounting need App XYZ available on their device with this specific configuration).
I hope this helps others, and feel free to post updated versions with expanded capabilities that you extend from what I'm posting. Below is also a link to the feature request that I've submitted for this to be available within the dynamic membership query functionality within Azure AD/MS Endpoint Manager/Intune, as upvoting there would be very helpful to get this ultimately solved the right way, natively within Azure/MSEM/Intune.
https://feedbackportal.microsoft.com/feedback/idea/75f632df-92b7-ed11-a81b-002248519701
#This could be run via automation to update the group membership at an interval to maintain groups
#Connect to mggraph beta environment with privileges. This may work with read access for User and Directory.
#(Adding/removing members of the device group needs at least GroupMember.ReadWrite.All, which Directory.ReadWrite.All includes.)
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All", "DeviceManagementManagedDevices.PrivilegedOperations.All"
#Select-MgProfile is part of Microsoft Graph PowerShell SDK v1.x; SDK v2 removed it and ships the beta cmdlets in the Microsoft.Graph.Beta modules instead.
Select-MgProfile -Name "beta"
#Get the User members of this group
#Replace the user group id below with your user group id
$grpMembers = Get-MgGroupMember -GroupId "12345ab1-a1ab-123a-a123-123a4567b890" -All | Where-Object { $_ }
#Nested groups or devices in the user group have no userPrincipalName, so drop the resulting nulls before querying devices
$grpUsers = ($grpMembers.AdditionalProperties).userPrincipalName | Where-Object { $_ }
#Get list of devices for users in group
$uDevices = $grpUsers | ForEach-Object { Get-MgUserRegisteredDevice -UserId $_ -All }
#Get list of personal devices from the full list of devices for the users in group
$pDevices = $uDevices.AdditionalProperties | Where-Object { $_.deviceOwnership -eq "Personal" }
#There is a bug in what ID is returned or used with different mggraph commands so we need to translate
#the ID returned above to the ID needed for adding device group membership.
#Fixing this is a breaking change, so will not be fixed until a major version update of MgGraph environment
#At that time, this step of translating the ID returned will/can be removed
#Translate DeviceId returned from Get-MgUserRegisteredDevice to the DeviceID needed to add devices to device group
#(deviceId is the device's registration identifier; group membership takes the device's directory object id, which Get-MgDevice returns as Id)
$gDevices = $pDevices.deviceId | ForEach-Object { Get-MgDevice -Filter "deviceId eq '$($_)'" }
#Get current device group membership
#Replace the group ID below with your device group ID.
$eDevices = Get-MgGroupMember -GroupId "a123456b-12ab-12a3-abc1-123abcd34efg" -All
If ($null -eq $gDevices) {
    #No personal devices found: stop here rather than emptying the device group, and rather than
    #handing Compare-Object a null -DifferenceObject, which it rejects
    Write-Warning "No personal devices found for the users in the group; device group left unchanged."
} ElseIf ($null -ne $eDevices) { #If the group isn't empty...
    #Compare devices from the existing devices in the group with the current devices that should be in the group
    $cDevices = Compare-Object -ReferenceObject @($eDevices.Id) -DifferenceObject @($gDevices.Id) -IncludeEqual
    #Based on comparison flag of results for each object in existing or current devices lists, do nothing, add new devices, or remove non-current devices
    #Replace the group ID below with your device group ID.
    #(A foreach variable is used because Switch rebinds $_ to the value being tested.)
    foreach ($c in $cDevices) {
        Switch ($c.SideIndicator) {
            "==" { Write-Host "No change for $($c.InputObject)" }
            "=>" { New-MgGroupMember -GroupId "a123456b-12ab-12a3-abc1-123abcd34efg" -DirectoryObjectId $c.InputObject; Write-Host "Added $($c.InputObject)" }
            "<=" { Remove-MgGroupMemberByRef -GroupId "a123456b-12ab-12a3-abc1-123abcd34efg" -DirectoryObjectId $c.InputObject; Write-Host "Removed $($c.InputObject)" }
        }
    }
} Else {
    #Add all devices for users to the empty group
    #Replace the group ID below with your device group ID.
    $gDevices | ForEach-Object { New-MgGroupMember -GroupId "a123456b-12ab-12a3-abc1-123abcd34efg" -DirectoryObjectId $_.Id; Write-Host "Added $($_.Id)" }
}
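The answer notes that the script "could be run via automation to update the group membership at an interval". The following is an added example, not the answerer's script, showing the same sync written as an Azure Automation runbook: it signs in with a managed identity instead of delegated scopes, computes the add/remove delta with hash sets (which, unlike Compare-Object in Windows PowerShell 5.1, accept an empty side), keeps only user objects from the source group, and supports -WhatIf so the delta can be reviewed before anything is changed. It assumes Microsoft Graph PowerShell SDK v2 modules are available to the runbook, that the managed identity has been granted the application permissions GroupMember.ReadWrite.All and Device.Read.All (the least privilege this task needs), and that the two group IDs are passed in as parameters; the parameter names and the Sync summary line are this example's own.

```powershell
# Added example (not the answer's script): runbook-style sync of a device group from a user group.
# Assumptions: Microsoft Graph PowerShell SDK v2, a managed identity holding
# GroupMember.ReadWrite.All and Device.Read.All, group IDs supplied as parameters.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $UserGroupId,    # source group whose members are users
    [Parameter(Mandatory)] [string] $DeviceGroupId,  # target group that will hold their devices
    [ValidateSet('Personal', 'Company', 'All')] [string] $Ownership = 'Personal'  # deviceOwnership filter
)

# Managed identity sign-in (interactively you would use Connect-MgGraph -Scopes ... instead).
Connect-MgGraph -Identity -NoWelcome

# 1. Users in the source group. Group members can be users, nested groups or devices,
#    so keep only user objects instead of assuming every member has a userPrincipalName.
$users = Get-MgGroupMember -GroupId $UserGroupId -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

# 2. Desired membership: directory object ids of each user's registered devices that
#    match the ownership filter. As in the answer, the registered-device deviceId is
#    resolved through Get-MgDevice to obtain the directory object id group membership needs.
$desired = [System.Collections.Generic.HashSet[string]]::new()
foreach ($u in $users) {
    Get-MgUserRegisteredDevice -UserId $u.Id -All | ForEach-Object {
        $own = $_.AdditionalProperties['deviceOwnership']
        if ($Ownership -eq 'All' -or $own -eq $Ownership) {
            $regId = $_.AdditionalProperties['deviceId']
            Get-MgDevice -Filter "deviceId eq '$regId'" | ForEach-Object { [void]$desired.Add($_.Id) }
        }
    }
}

# 3. Current membership of the target group.
$current = [System.Collections.Generic.HashSet[string]]::new()
Get-MgGroupMember -GroupId $DeviceGroupId -All | ForEach-Object { [void]$current.Add($_.Id) }

# 4. Delta as set differences; both sets may be empty without error.
$toAdd = [System.Collections.Generic.HashSet[string]]::new([string[]]@($desired))
$toAdd.ExceptWith($current)
$toRemove = [System.Collections.Generic.HashSet[string]]::new([string[]]@($current))
$toRemove.ExceptWith($desired)

# 5. Apply. With -WhatIf nothing is changed; the planned operations are only reported.
foreach ($id in $toAdd) {
    if ($PSCmdlet.ShouldProcess($id, "Add to device group $DeviceGroupId")) {
        New-MgGroupMember -GroupId $DeviceGroupId -DirectoryObjectId $id
    }
}
foreach ($id in $toRemove) {
    if ($PSCmdlet.ShouldProcess($id, "Remove from device group $DeviceGroupId")) {
        Remove-MgGroupMemberByRef -GroupId $DeviceGroupId -DirectoryObjectId $id
    }
}

# Summary line for the runbook job log.
Write-Output ("Sync: desired={0} current={1} added={2} removed={3}" -f `
    $desired.Count, $current.Count, $toAdd.Count, $toRemove.Count)
```

Run it once with -WhatIf (for example `.\Sync-DeviceGroup.ps1 -UserGroupId <id> -DeviceGroupId <id> -WhatIf`) and read the planned adds and removes before scheduling it. Because step 5 removes every device the source users no longer own, the target group should be dedicated to this sync and not also be populated by hand; anything added manually will be removed on the next run.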