Azure AD Dynamic Group Standard Groups
<#
Creates or updates a handful of Azure AD dynamic groups.
Requires the AzureADPreview module to work correctly!
More on dynamic membership in Azure AD:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal
#>
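# The script needs AzureADPreview (see header). Unload AzureAD first, presumably so its
# same-named *-AzureADMSGroup cmdlets do not shadow the preview module's versions.
Remove-Module AzureAD -Force -ErrorAction:SilentlyContinue
# Import-Module only raises a non-terminating error by default, so without -ErrorAction Stop
# a missing module would let the script fall through to Connect-AzureAD and the group
# changes below with the wrong cmdlets loaded. Stop here instead.
Import-Module AzureADPreview -ErrorAction Stop
# Interactive sign-in; every later cmdlet runs under this account's directory permissions.
Connect-AzureAD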
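# Update this JSON to suit your needs or add/remove groups.
# Format notes:
#  - The document is a single-quoted PowerShell string, so a quote inside a JSON value must
#    be written as \" — a bare " ends the JSON string and ConvertFrom-Json fails.
#  - "Filter" is an Azure AD dynamic membership rule. The documented rule syntax (link in
#    the header) uses hyphenated operators: -eq, -ne, -contains, -startsWith, -and, -or.
#  - Every entry below becomes a security-enabled group, so a wrong Filter silently changes
#    which users or devices receive the access assigned to that group; review a rule before
#    adding or changing it.
$DynamicGroups = ('{
  "Groups":[
    {
      "Type":"device",
      "Name":"enabled_allpcs",
      "Filter":"(device.managementType -eq \"PC\") -and (device.accountEnabled -eq true)",
      "Description":"All Enabled PC Devices"
    },
    {
      "Type":"device",
      "Name":"enabled_ios",
      "Filter":"((device.deviceOSType -contains \"iPhone\") -or (device.deviceOSType -contains \"iPad\")) -and (device.accountEnabled -eq true)",
      "Description":"All Enabled iOS Devices"
    },
    {
      "Type":"device",
      "Name":"enabled_rootedios",
      "Filter":"(device.deviceOSType -contains \"iPhone\" -or device.deviceOSType -contains \"iPad\") -and device.accountEnabled -eq true -and device.isRooted -eq true",
      "Description":"All Enabled and Rooted iOS Devices"
    },
    {
      "Type":"device",
      "Name":"enabled_android",
      "Filter":"device.deviceOSType -contains \"Android\" -and device.accountEnabled -eq true",
      "Description":"All Enabled Android Devices"
    },
    {
      "Type":"device",
      "Name":"enabled_rootedandroid",
      "Filter":"device.deviceOSType -contains \"Android\" -and device.accountEnabled -eq true -and device.isRooted -eq true",
      "Description":"All Enabled and Rooted Android Devices"
    },
    {
      "Type":"device",
      "Name":"enabled_windows",
      "Filter":"device.deviceOSType -contains \"Windows\" -and device.accountEnabled -eq true",
      "Description":"All Enabled Windows Devices"
    },
    {
      "Type":"device",
      "Name":"disabled",
      "Filter":"device.accountEnabled -eq false",
      "Description":"All Disabled Devices"
    },
    {
      "Type":"device",
      "Name":"personal",
      "Filter":"device.deviceOwnership -eq \"Personal\"",
      "Description":"All personal devices"
    },
    {
      "Type":"device",
      "Name":"MDM",
      "Filter":"device.managementType -eq \"MDM\"",
      "Description":"All MDM devices"
    },
    {
      "Type":"user",
      "Name":"all",
      "Filter":"user.assignedPlans -any (assignedPlan.service -startsWith \"SCO\" -and assignedPlan.capabilityStatus -eq \"Enabled\")",
      "Description":"All users with an enabled assigned plan whose service starts with SCO"
    }
  ]
}' | ConvertFrom-Json).Groups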
# Prefix for every generated display name. The optional {{Type}} token is swapped for the
# group's "Type" value (device/user) before the entry's "Name" is appended.
[string]$GroupNamePrefix = "azure_dyn_{{Type}}_"
# When a group with the generated name already exists and is dynamic, rewrite its
# membership rule; otherwise leave it untouched.
[bool]$OverWriteExisting = $true
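# Create or update dynamic groups.
# Each new group is created with -SecurityEnabled:$true, so its membership rule decides
# which users or devices receive whatever access is later assigned to the group; an
# overwritten rule takes effect as soon as Azure AD re-evaluates membership.
Foreach ($NewGroup in $DynamicGroups) {
    # String.Replace is a literal replacement; -replace would treat {{Type}} as a regex.
    $GroupName = $GroupNamePrefix.Replace('{{Type}}', $NewGroup.Type) + $NewGroup.Name
    # Wrap in @() so zero, one or many matches all expose .Count.
    $Matches = @(Get-AzureADMSGroup -Filter "DisplayName eq '$GroupName'")

    if ($Matches.Count -gt 1) {
        # Display names are not unique in Azure AD; do not guess which group to rewrite.
        Write-Warning " Found $($Matches.Count) groups named $GroupName - skipping!"
        continue
    }

    if ($Matches.Count -eq 0) {
        Write-Output "New Dynamic Group: $GroupName"
        try {
            # -ErrorAction Stop makes a non-terminating cmdlet error reach the catch block.
            $null = New-AzureADMSGroup -DisplayName $GroupName -MailNickname $GroupName -MembershipRule $NewGroup.Filter -Description $NewGroup.Description -MailEnabled:$false -MembershipRuleProcessingState 'On' -GroupTypes 'DynamicMembership' -SecurityEnabled:$true -ErrorAction Stop
        }
        catch {
            Write-Warning " Unable to create the dynamic group $GroupName! $($_.Exception.Message)"
        }
        continue
    }

    $ExistingGroup = $Matches[0]
    Write-Output "Found existing group: $GroupName"
    if (-not $OverWriteExisting) {
        Write-Output " Attempt to overwrite group filter: FALSE (nothing to do!)"
        continue
    }
    Write-Output " Attempt to overwrite group filter: TRUE"

    # GroupTypes is a collection, so test membership rather than equality.
    if ($ExistingGroup.GroupTypes -notcontains 'DynamicMembership') {
        Write-Output " Dynamic group: FALSE"
        Write-Warning " Unable to update group as it is not dynamic!"
        continue
    }
    Write-Output " Dynamic group: TRUE"

    if ($ExistingGroup.MembershipRule -eq $NewGroup.Filter) {
        Write-Output " Filters differ: FALSE (nothing to do!)"
        continue
    }
    Write-Output " Filters differ: TRUE"
    try {
        # -ErrorAction Stop makes a non-terminating cmdlet error reach the catch block.
        $null = Set-AzureADMSGroup -Id $ExistingGroup.Id -MembershipRule $NewGroup.Filter -Description $NewGroup.Description -ErrorAction Stop
    }
    catch {
        Write-Warning " Unable to update $GroupName! $($_.Exception.Message)"
    }
}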