Automation for Device to Group management in AzureAD.

Oliver Hallifa1
Tera Contributor

We need to automate adding / removing AzureAD computer (device) objects from groups. The SN Spoke for AzureAD "Add User to Group" works with devices, which is brilliant. But it only works if you provide the ObjectID.

The ServiceGraph for Intune connector brings back device data with only the DeviceID, not the ObjectID. Similarly, if we use the SN Spoke 'Get Managed Device' and provide the DeviceID, we do not get the ObjectID.

Possible solutions could include:

a) Get a spoke for "Device to Group management" (insert/remove/check) working with DeviceID instead of ObjectID to represent the computer account. Currently we use the "Add User to Group" spoke, which works for Devices, but only if we provide the ObjectID (not the DeviceID). However, I don't see any Microsoft API that supports this.

b) Get an API to look up ObjectID from DeviceID and use that to enrich our CMDB so we have the right key. This is less ideal, but if we have to we could schedule calls to an API like this to update any CI which has a DeviceID but no ObjectID. Then we can keep our CMDB up to date with ObjectIDs which can be used in this automation. Yet again, I can't see any option for this.

c) Get an API to bring back computer data with ObjectID instead of DeviceID. The ServiceGraph connector for Intune, with the provided transforms, works great, but only provides DeviceID. Again, I cannot find an API from Microsoft which provides device data and ObjectID.

We have multiple use cases which require automation of both User to Group and Device to Group management in AzureAD so this is critical for our build. If anyone has achieved anything similar please advise how you did it!

2 replies

Shreya Shah
ServiceNow Employee

For (a) Add a suggestion in the Ideas Portal under "IntegrationHub Spokes" category to have such actions in the Microsoft Intune Spoke for all "Device to Group Management".

(b) There is an endpoint from the Microsoft Graph API (https://docs.microsoft.com/en-us/graph/api/device-list?view=graph-rest-1.0&tabs=http) that takes in the filters and returns both the Object ID and the Device ID. You can create a custom action to get this mapping.

OR

Add a suggestion in the Ideas Portal under "IntegrationHub Spokes" category to have action "Look up Devices" in the Microsoft Azure Active Directory Spoke.

(c) It would use the endpoint suggested in (b).

Good Luck!
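A worked version of the mapping described in (b) and (c), added here as an example and not code from the thread, ServiceNow or Microsoft. It assumes the Graph v1.0 endpoints linked above (GET /devices with a $filter on deviceId, and POST/DELETE /groups/{id}/members/$ref for membership), which are documented; the HTTP transport is injected so that the script runs offline against a constructed sample directory, and the strict GUID check before building the $filter is an added hardening step, not something the endpoint requires. In a real custom action the fetch function would be an authenticated REST step with a bearer token.

```python
"""Look up Azure AD device object ids from Intune deviceIds via Microsoft Graph,
enrich CMDB records with the result, and build the group-membership requests
that need the object id.

Added example for this thread, not code from ServiceNow or Microsoft. It assumes
the Graph v1.0 endpoints GET /devices?$filter=deviceId eq '...' and
POST|DELETE /groups/{id}/members/$ref; the HTTP transport is injected, and the
directory below is a constructed sample so the script runs offline.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def require_guid(value: str) -> str:
    """Refuse anything that is not a GUID, so a value pulled from the CMDB can never
    smuggle OData filter syntax into the request URL (added hardening, hypothetical)."""
    if not isinstance(value, str) or not GUID_RE.match(value):
        raise ValueError(f"expected a GUID, got {value!r}")
    return value.lower()


def device_lookup_url(device_id: str) -> str:
    """GET /devices filtered on deviceId; $select keeps the response small."""
    device_id = require_guid(device_id)
    flt = quote(f"deviceId eq '{device_id}'", safe="'")
    return f"{GRAPH}/devices?$filter={flt}&$select=id,deviceId,displayName"


def object_id_from_response(device_id: str, body: dict) -> Optional[str]:
    """Return the directory object id only when exactly one device matches;
    zero or several matches leave the CI unenriched rather than guessing."""
    hits = [d for d in body.get("value", [])
            if str(d.get("deviceId", "")).lower() == device_id.lower()]
    return hits[0]["id"] if len(hits) == 1 else None


def enrich_cis(cis: List[Dict], fetch: Callable[[str], dict]) -> List[Dict]:
    """Fill object_id on every CI that has a device_id but no object_id yet
    (the scheduled enrichment job the original post describes as option (b))."""
    for ci in cis:
        if ci.get("object_id") or not ci.get("device_id"):
            continue
        body = fetch(device_lookup_url(ci["device_id"]))
        ci["object_id"] = object_id_from_response(ci["device_id"], body)
    return cis


def add_member_request(group_object_id: str, member_object_id: str) -> Tuple[str, str, dict]:
    """Membership add: POST /groups/{id}/members/$ref with an @odata.id reference.
    The reference is a directoryObject, so it works for devices as well as users,
    which is why the object id (not the deviceId) is required."""
    g, m = require_guid(group_object_id), require_guid(member_object_id)
    return ("POST", f"{GRAPH}/groups/{g}/members/$ref",
            {"@odata.id": f"{GRAPH}/directoryObjects/{m}"})


def remove_member_request(group_object_id: str, member_object_id: str) -> Tuple[str, str, None]:
    """Membership remove: DELETE /groups/{id}/members/{objectId}/$ref."""
    g, m = require_guid(group_object_id), require_guid(member_object_id)
    return ("DELETE", f"{GRAPH}/groups/{g}/members/{m}/$ref", None)


# Constructed sample directory (deviceId -> Graph device object); not real tenant data.
FAKE_DIRECTORY = {
    "11111111-1111-1111-1111-111111111111": {
        "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        "deviceId": "11111111-1111-1111-1111-111111111111",
        "displayName": "LAPTOP-01",
    },
}


def fake_fetch(url: str) -> dict:
    """Stand-in for an authenticated GET; answers the way Graph's /devices does."""
    m = re.search(r"deviceId%20eq%20'([0-9a-f-]+)'", url)
    dev = FAKE_DIRECTORY.get(m.group(1)) if m else None
    return {"value": [dev] if dev else []}


def demo() -> Tuple[List[Dict], List[Tuple[str, str, dict]]]:
    cis = [  # constructed CMDB rows: one known to the directory, one not
        {"name": "LAPTOP-01", "device_id": "11111111-1111-1111-1111-111111111111", "object_id": None},
        {"name": "LAPTOP-02", "device_id": "22222222-2222-2222-2222-222222222222", "object_id": None},
    ]
    enrich_cis(cis, fake_fetch)
    group = "33333333-3333-3333-3333-333333333333"
    requests = [add_member_request(group, ci["object_id"]) for ci in cis if ci["object_id"]]
    return cis, requests


if __name__ == "__main__":
    cis, requests = demo()
    for ci in cis:
        print(ci["name"], "->", ci["object_id"] or "NOT FOUND (left for the next run)")
    for method, url, body in requests:
        print(method, url, body)
```

The CI that the directory does not know stays without an object id and is simply retried on the next scheduled run, which is the behaviour you want for a device that has enrolled in Intune but not yet registered in Azure AD. The GUID check matters because the $filter value is interpolated into the URL: a CMDB field that somehow contained `' or deviceId ne '` would otherwise widen the query instead of failing.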


Shreya Shah
ServiceNow Employee

Hi Oliver,

Check out the latest release of the Microsoft Azure Active Directory Spoke, i.e. v3.7.0, on the store here.

It has 4 new actions that you will be able to use for the use case at hand.

Good Luck!