Azure AD Dynamic Group Standard Groups
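<#
.SYNOPSIS
    Creates or updates a handful of Azure AD dynamic membership groups.

.DESCRIPTION
    Each entry in $DynamicGroups becomes a security-enabled dynamic group named
    "<prefix><type>_<name>". A group that already exists under that display name
    is updated in place only when it is dynamic and $OverWriteExisting is $true;
    a static group with the same name is reported and left untouched.

    Because these are security-enabled groups, a membership-rule change alters
    who (or which devices) is in scope of anything assigned to the group, so
    review the rule table below before running against a production tenant.

    Requires the AzureADPreview module (its Get-/New-/Set-AzureADMSGroup carry
    the -MembershipRule parameters) and an interactive Connect-AzureAD sign-in
    with rights to create and modify groups.

    More on dynamic membership in Azure AD:
    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal
#>

# The GA AzureAD module exports cmdlets with the same names; unload it first so the
# preview module's versions (which carry the membership-rule parameters) are used.
Remove-Module AzureAD -Force -ErrorAction:SilentlyContinue
Import-Module AzureADPreview
Connect-AzureAD

# Update this JSON to suit your needs or add/remove groups.
# Membership rules use the documented hyphenated operator syntax (-eq, -contains,
# -and, -or, -any, -startsWith). Double quotes inside a rule must be written as \"
# so the surrounding JSON stays valid.
$DynamicGroups = (@'
{
  "Groups": [
    {
      "Type": "device",
      "Name": "enabled_allpcs",
      "Filter": "(device.managementType -eq \"PC\") -and (device.accountEnabled -eq true)",
      "Description": "All Enabled PC Devices"
    },
    {
      "Type": "device",
      "Name": "enabled_ios",
      "Filter": "((device.deviceOSType -contains \"iPhone\") -or (device.deviceOSType -contains \"iPad\")) -and (device.accountEnabled -eq true)",
      "Description": "All Enabled iOS Devices"
    },
    {
      "Type": "device",
      "Name": "enabled_rootedios",
      "Filter": "((device.deviceOSType -contains \"iPhone\") -or (device.deviceOSType -contains \"iPad\")) -and (device.accountEnabled -eq true) -and (device.isRooted -eq true)",
      "Description": "All Enabled and Rooted iOS Devices"
    },
    {
      "Type": "device",
      "Name": "enabled_android",
      "Filter": "(device.deviceOSType -contains \"Android\") -and (device.accountEnabled -eq true)",
      "Description": "All Enabled Android Devices"
    },
    {
      "Type": "device",
      "Name": "enabled_rootedandroid",
      "Filter": "(device.deviceOSType -contains \"Android\") -and (device.accountEnabled -eq true) -and (device.isRooted -eq true)",
      "Description": "All Enabled and Rooted Android Devices"
    },
    {
      "Type": "device",
      "Name": "enabled_windows",
      "Filter": "(device.deviceOSType -contains \"Windows\") -and (device.accountEnabled -eq true)",
      "Description": "All Enabled Windows Devices"
    },
    {
      "Type": "device",
      "Name": "disabled",
      "Filter": "(device.accountEnabled -eq false)",
      "Description": "All Disabled Devices"
    },
    {
      "Type": "device",
      "Name": "personal",
      "Filter": "(device.deviceOwnership -eq \"Personal\")",
      "Description": "All personal devices"
    },
    {
      "Type": "device",
      "Name": "MDM",
      "Filter": "(device.managementType -eq \"MDM\")",
      "Description": "All MDM devices"
    },
    {
      "Type": "user",
      "Name": "all",
      "Filter": "(user.assignedPlans -any (assignedPlan.service -startsWith \"SCO\" -and assignedPlan.capabilityStatus -eq \"Enabled\"))",
      "Description": "All users with an enabled service plan whose service name starts with SCO"
    }
  ]
}
'@ | ConvertFrom-Json).Groups

# {{Type}} will get replaced by the group type in the name. Not required in this string.
$GroupNamePrefix = 'azure_dyn_{{Type}}_'

# If a group with the same name already exists, try to update its filter if it is dynamic.
$OverWriteExisting = $true

# Create or update dynamic groups.
foreach ($NewGroup in $DynamicGroups) {
    $GroupName = ($GroupNamePrefix -replace '{{Type}}', $NewGroup.Type) + $NewGroup.Name

    # OData string literals are single-quoted; double any embedded quote so a display
    # name containing one cannot terminate the literal and widen the lookup.
    $ODataName = $GroupName -replace "'", "''"
    # Wrap in @() so a single result and no result both expose .Count.
    $ExistingGroups = @(Get-AzureADMSGroup -Filter "DisplayName eq '$ODataName'")

    if ($ExistingGroups.Count -gt 1) {
        # Display names are not unique in Azure AD; refuse to guess which one to rewrite.
        Write-Warning "Found $($ExistingGroups.Count) groups named '$GroupName'; skipping rather than updating an arbitrary one."
        continue
    }

    if ($ExistingGroups.Count -eq 1) {
        $ExistingGroup = $ExistingGroups[0]
        Write-Output "Found existing group: $GroupName"

        if (-not $OverWriteExisting) {
            Write-Output " Attempt to overwrite group filter: FALSE (nothing to do!)"
            continue
        }
        Write-Output " Attempt to overwrite group filter: TRUE"

        # GroupTypes is a collection; a static group will not list DynamicMembership.
        if ($ExistingGroup.GroupTypes -notcontains 'DynamicMembership') {
            Write-Output " Dynamic group: FALSE"
            Write-Warning " Unable to update group as it is not dynamic!"
            continue
        }
        Write-Output " Dynamic group: TRUE"

        if ($ExistingGroup.MembershipRule -eq $NewGroup.Filter) {
            Write-Output " Filters differ: FALSE (nothing to do!)"
            continue
        }
        Write-Output " Filters differ: TRUE"
        try {
            $null = Set-AzureADMSGroup -Id $ExistingGroup.Id `
                -MembershipRule $NewGroup.Filter `
                -Description $NewGroup.Description
        }
        catch {
            # Surface the service's reason (typically an invalid rule or missing rights).
            Write-Warning " Unable to update $GroupName! $($_.Exception.Message)"
        }
        continue
    }

    Write-Output "New Dynamic Group: $GroupName"
    try {
        $null = New-AzureADMSGroup -DisplayName $GroupName `
            -MailNickname $GroupName `
            -MembershipRule $NewGroup.Filter `
            -Description $NewGroup.Description `
            -MailEnabled:$false `
            -MembershipRuleProcessingState 'On' `
            -GroupTypes 'DynamicMembership' `
            -SecurityEnabled:$true
    }
    catch {
        Write-Warning " Unable to create the dynamic group $GroupName! $($_.Exception.Message)"
    }
}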