Add Azure AD user and group into a local group

In this blog post we will look at how you can add an Azure AD group or user to a local group on a Windows device using Intune and a custom configuration profile.
Add Azure AD user and group into a local group – Modern Device Management (jannikreinhard.com)
by JANNIKREINHARD


First, we create an Azure AD group and add some members to it.

  • Open the MEM Portal
  • Click Groups -> + New group
  • Select Security as Group type and enter a Group name
  • Add some users to the group under the Members section
  • Click Create

Next we need to read out the group SID. To do this we first need the Object ID of the group, which you can find in the properties of the group.

Use the Graph Explorer to convert the Object ID to the SID. Enter the following URL followed by the group Object ID:

  • Run the query with the Run query button
  • In the results you can find the securityIdentifier

Now we create a custom configuration profile to sync the Azure AD group with the local group.

  • Open the MEM Portal
  • Navigate to Devices -> Configuration profiles
  • Click + Create profile
  • Select Windows 10 and later as Platform
  • Select Template -> Custom as Profile type
  • Click Create
  • Enter a Name
  • Click Next
  • Click Add
  • Enter the following information:
  • Name: AddAdGroupToLocalGroup
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership
  • Data Type: String
  • Value:
<groupmembership>
    <accessgroup desc = "LoginUsers">
        <member name = "S-1-12-1-1111111111-1111111111-11111111111-111111111" />
    </accessgroup>
</groupmembership>
  • <accessgroup desc>: the name (or SID) of the local group.
  • <member name>: the group SID we found above, the name of a local user, or the SID of an Azure AD user (you can add multiple member lines).
  • Assign the policy to a group
  • Click Next
  • Click Next
  • Click Create
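The Object ID to SID conversion done above in Graph Explorer and the construction of the OMA-URI value can also be scripted. The following is an added example and not code from the original post: it assumes the Azure AD SID layout S-1-12-1 followed by the object ID's sixteen GUID bytes read as four little-endian 32-bit integers (the same value Graph returns as securityIdentifier), uses a placeholder object ID that belongs to no real tenant, and targets the Administrators group by its well-known SID S-1-5-32-544; the function names are the example's own.

```powershell
# Added example (not from the original post). Assumptions: the object ID below is a
# placeholder GUID, not a real tenant object, and the target group is Administrators,
# addressed by its well-known SID S-1-5-32-544 rather than its locale-dependent name.

function Convert-AzureAdObjectIdToSid {
    # An Azure AD user or group SID is S-1-12-1- followed by the object ID's 16 GUID
    # bytes (in .NET Guid byte order) read as four little-endian UInt32 sub-authorities.
    # This is the value Graph reports in the securityIdentifier property.
    param([Parameter(Mandatory)][string]$ObjectId)

    $bytes = [Guid]::Parse($ObjectId).ToByteArray()
    $subAuthorities = [UInt32[]]::new(4)
    [Buffer]::BlockCopy($bytes, 0, $subAuthorities, 0, 16)
    return 'S-1-12-1-' + ($subAuthorities -join '-')
}

function New-RestrictedGroupsPolicyValue {
    # Builds the <groupmembership> string for the ConfigureGroupMembership OMA-URI.
    # XmlWriter escapes attribute values, so names with special characters stay valid XML.
    param(
        [Parameter(Mandatory)][string]$GroupDescriptor,   # local group name or SID
        [Parameter(Mandatory)][string[]]$Members           # SIDs or account names
    )

    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent = $true
    $settings.OmitXmlDeclaration = $true
    $sb = New-Object System.Text.StringBuilder
    $writer = [System.Xml.XmlWriter]::Create($sb, $settings)

    $writer.WriteStartElement('groupmembership')
    $writer.WriteStartElement('accessgroup')
    $writer.WriteAttributeString('desc', $GroupDescriptor)
    foreach ($member in $Members) {
        $writer.WriteStartElement('member')
        $writer.WriteAttributeString('name', $member)
        $writer.WriteEndElement()
    }
    $writer.WriteEndElement()   # accessgroup
    $writer.WriteEndElement()   # groupmembership
    $writer.Close()
    return $sb.ToString()
}

# Constructed input: a placeholder Azure AD group object ID (replace with your own).
$aadGroupObjectId = '00000001-0002-0003-0405-060708090a0b'

# ConfigureGroupMembership REPLACES the group's membership with this list, so everything
# that must remain in the group has to be listed too, not only the new Azure AD group.
$keep = @(
    'Administrator'   # built-in local admin account, by name (its SID is machine-specific)
    # Add the SIDs that Get-LocalGroupMember shows on a reference device today, e.g. the
    # Azure AD role SIDs present in Administrators on an Azure AD joined device.
)

$value = New-RestrictedGroupsPolicyValue -GroupDescriptor 'S-1-5-32-544' `
    -Members ($keep + (Convert-AzureAdObjectIdToSid -ObjectId $aadGroupObjectId))
$value   # paste this string into the Value field of the custom OMA-URI row
```

Run it on any machine with PowerShell 5.1 or later; nothing in it touches the device or the tenant. The SID conversion uses .NET's Guid byte order, which is why the bytes are copied straight into the UInt32 array instead of being parsed from the hexadecimal text.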

If we look at the local group on the device, we see that the Azure AD group is a member.
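The same check can be done from PowerShell on an enrolled device instead of the Computer Management GUI. The following is an added example and not code from the original post: it assumes the group name LoginUsers from the policy above and uses the placeholder SID from the policy value as the expected member; the function name is the example's own.

```powershell
# Added example (not from the original post): verify on the device that the local group
# contains the SIDs the policy was supposed to put there. Assumption: 'LoginUsers' and the
# placeholder SID below follow the policy value in the post; substitute your own.

function Test-LocalGroupMembership {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string[]]$ExpectedSids
    )

    # Compare on SIDs, not names: an Azure AD group shows up as 'AzureAD\<DisplayName>'
    # with PrincipalSource AzureAD, and the display name can change or fail to resolve.
    $members    = @(Get-LocalGroupMember -Name $GroupName)
    $actualSids = @($members | ForEach-Object { $_.SID.Value })

    [pscustomobject]@{
        Group   = $GroupName
        Missing = @($ExpectedSids | Where-Object { $_ -notin $actualSids })
        Members = @($members | Select-Object Name, PrincipalSource,
                        @{ Name = 'SID'; Expression = { $_.SID.Value } })
    }
}

# Constructed expected list: the placeholder SID from the policy value above.
$expected = @('S-1-12-1-1111111111-1111111111-11111111111-111111111')
$result = Test-LocalGroupMembership -GroupName 'LoginUsers' -ExpectedSids $expected

if ($result.Missing.Count -eq 0) {
    "All expected SIDs are members of $($result.Group)"
} else {
    "Not yet present in $($result.Group): $($result.Missing -join ', ')"
}
$result.Members | Format-Table -AutoSize
```

A non-empty Missing list usually means the policy has not synced yet or the SID in the value is wrong. If Get-LocalGroupMember itself throws on a group that contains members it cannot resolve, `net localgroup LoginUsers` prints the raw membership, with unresolvable entries shown as SID strings.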

The process is a bit cumbersome, but it works. Unfortunately there is no dedicated configuration policy for this. Be aware that ConfigureGroupMembership enforces the full list: when the policy applies, any member of the local group that is not listed in the value is removed. Before targeting a privileged group such as Administrators, list the members that must stay (the built-in Administrator account and, on an Azure AD joined device, the Azure AD role SIDs that are already in the group) alongside the new SID, otherwise you can lock administrators out. Thank you for reading this blog post.


      Contents   Storyboard.. 0 Start Up Windows 0 Customer Search. 0 Form Select Section. 0 Booking Forms 1 Report Select Section. 2 Rep Reports 2 Switching Views. 2 Navigating Through the Application. 4 Data Entry. 4 Login Screen. 5 Username Textbox. 5 ...