Microsoft Azure (Azure AD) - Add or Remove Assets in Group
- Updated on 27 Feb 2023
Microsoft Azure (Azure AD) - Add or Remove Assets in Group adds or removes a user or device to or from an Azure Active Directory group for each asset that is a result of the saved query supplied as a trigger (or devices that have been selected in the asset table).
See Creating Enforcement Sets to learn more about adding Enforcement Actions to Enforcement Sets.
General Settings
- Enforcement Set name (required) - The name of the Enforcement Set. A default value is added by Axonius. You can change the name according to your needs.
- Add description (optional) - Click to add a description of the Enforcement Set. It is recommended to describe what the Enforcement Set does.
- Run action on assets matching following query (required) - Select an asset category and a query. The Enforcement Action will be run on the assets that match the query parameters.
- A query only returns results for the asset type it was created for.
- Not all asset categories are supported for all Enforcement Actions.
- See Actions supported for Activity Logs and Adapter Fetch History Modules
- Action name - The name of the Main action. A default value is added by Axonius. You can change the name according to your needs.
- Configure Action Conditions - Toggle on to enter a condition statement. See Configuring Enforcement Action Conditions to learn more about condition statement syntax.
- Use stored credentials from the Azure AD adapter - Select this option to use the first connected Azure Active Directory adapter credentials.
- To use this option, you must successfully configure an Azure Active Directory adapter connection.
- The user name and the password used for the adapter connection must have the Add Users or Devices to Microsoft Azure Active Directory (AD) Group permissions to add assets.
Required Fields
These fields must be configured to run the Enforcement Set.
- Group Member Operation - Select the operation you want to perform, either 'Add assets to group' or 'Remove assets from group'.
- AD Group ID - The ID of the Azure AD group to which the assets are added or from which they are removed.
- Instance Name - The Axonius node to use when connecting to the specified host. For more details, see Connecting Additional Axonius Nodes.
Additional Fields
These fields are optional.
- Azure Client ID (required) - The Application ID of the Axonius application, as detailed in the Required Permissions section.
- Azure Client Secret (required) - A user created key for the Axonius application, as detailed in the Required Permissions section.
- Azure Tenant ID (required) - Microsoft Azure Active Directory ID, as detailed in the Required Permissions section.
- Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.
Using this Action to Add an Application in Intune
Intune is a Microsoft cloud-based unified endpoint management service that can perform app deployment, updates, and removal.
Prerequisites:
- An Azure AD device group.
- The App must be added to your Intune environment.
- The Azure AD device group must be assigned to the App Assignments as required.
To create the appropriate group in the Microsoft Endpoint Manager admin center
- Create a group in the Microsoft Endpoint Manager admin center.
To add the application to Intune
- From the Microsoft Endpoint Manager admin center, click 'Apps'.
- Choose 'All apps'.
- Click 'Add'.
- Select the app type.
- Choose the appropriate Store app.
- Select the application and click 'Select'.
- Fill in all required information.
- Click 'Create' to create the application.
- In the application's properties, add the group to the app as required.
See the Microsoft Intune documentation for further information.
Anyone in this group is now required to install this application. These groups (from Intune) are now available in Azure AD as groups.
Copy the ID of each group to use in the AD Group ID field above.
To use this action to install applications, create a query that finds devices on the relevant platform that are missing the application.
For instance: azureID exists AND NOT crowdstrike ID exists
Then use this Enforcement Action to add the devices to the groups that require this application. Once a device is added to the group, Azure AD notifies the user that they have to install the required application.
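The selection-then-membership flow described above, as an added example that is not Axonius code and not the action's own implementation. The device records, the field names `azure_object_id` and `crowdstrike_id`, and the group ID placeholder are constructed for this example; the Microsoft Graph `/groups/{id}/members/$ref` endpoints and the client-credentials token request are the documented Microsoft ones. The script sends nothing at import time; its `main` only prints the planned requests.

```python
"""Added example (not Axonius code): select the devices that match the query
described above and build the Microsoft Graph calls that add them to, or
remove them from, an Azure AD group. The asset records and field names
(azure_object_id, crowdstrike_id) are constructed for this example; the
Graph endpoints and the client-credentials token request are the documented
Microsoft ones. Nothing is sent at import time."""
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample of correlated device records. The Graph membership call
# needs the device's directory object id (the 'id' of the device object),
# not its 'deviceId'; the sample stores that as azure_object_id.
SAMPLE_DEVICES = [
    {"hostname": "lap-001", "azure_object_id": "obj-0001", "crowdstrike_id": "cs-0001"},
    {"hostname": "lap-002", "azure_object_id": "obj-0002"},   # no CrowdStrike agent
    {"hostname": "srv-003", "crowdstrike_id": "cs-0003"},      # not an Azure AD device
]


def query_missing_agent(devices, present_field="azure_object_id",
                        missing_field="crowdstrike_id"):
    """Equivalent of '<present_field> exists AND NOT <missing_field> exists'."""
    return [d for d in devices if d.get(present_field) and not d.get(missing_field)]


def member_ref_request(group_id, object_id, operation):
    """Return (method, url, body) for one group membership change.

    'add'    -> POST   /groups/{group_id}/members/$ref with an @odata.id body
    'remove' -> DELETE /groups/{group_id}/members/{object_id}/$ref, no body
    """
    if operation == "add":
        return ("POST", f"{GRAPH}/groups/{group_id}/members/$ref",
                {"@odata.id": f"{GRAPH}/directoryObjects/{object_id}"})
    if operation == "remove":
        return ("DELETE", f"{GRAPH}/groups/{group_id}/members/{object_id}/$ref", None)
    raise ValueError(f"unknown operation {operation!r}")


def client_credentials_token(tenant_id, client_id, client_secret):
    """Obtain an application token for Graph using the Azure Tenant ID,
    Client ID and Client Secret from the action's configuration."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    req = urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        data=form, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def send_membership_change(access_token, method, url, body=None):
    """Perform one membership change and return the HTTP status.

    Adding an existing member (400 with 'already exist' in the error) and
    removing a non-member (404) are treated as success, so a re-run of the
    Enforcement Set over the same query is idempotent."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {access_token}"}
    if data is not None:
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        detail = err.read().decode("utf-8", "replace")
        if method == "POST" and err.code == 400 and "already exist" in detail:
            return err.code
        if method == "DELETE" and err.code == 404:
            return err.code
        raise


def plan_changes(devices, group_id, operation="add"):
    """Map the query result to the Graph requests the action would issue."""
    return [member_ref_request(group_id, d["azure_object_id"], operation)
            for d in query_missing_agent(devices)]


if __name__ == "__main__":
    # Dry run: print what would be sent for the constructed sample. To apply
    # the changes, pass a token from client_credentials_token(...) to
    # send_membership_change(...) for each planned request.
    for method, url, body in plan_changes(SAMPLE_DEVICES, "GROUP-ID-PLACEHOLDER"):
        print(method, url, json.dumps(body) if body else "")
```

The two error cases that `send_membership_change` absorbs are the ones a re-run of the same query produces: a device that was already added, or one that was already removed. Every other non-2xx response is raised, so a token that lacks the permissions in the table below fails loudly rather than silently skipping devices.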
Required Permissions
The value supplied in User name must have permission to modify the group listed.
Delegated permissions are needed to work with this Action.
For full and up-to-date information about the permissions required for working with Microsoft Azure AD, refer to the permissions in the Microsoft Graph API documentation.
| Supported Resource | Delegated | Application |
|---|---|---|
| device | GroupMember.ReadWrite.All and Device.ReadWrite.All | GroupMember.ReadWrite.All and Device.ReadWrite.All |
| group | GroupMember.ReadWrite.All and Group.ReadWrite.All | GroupMember.ReadWrite.All and Group.ReadWrite.All |
| orgContact | GroupMember.ReadWrite.All and OrgContact.Read.All | GroupMember.ReadWrite.All and OrgContact.Read.All |
| servicePrincipal | GroupMember.ReadWrite.All and Application.ReadWrite.All | GroupMember.ReadWrite.All and Application.ReadWrite.All |
| user | GroupMember.ReadWrite.All and User.ReadWrite.All | GroupMember.ReadWrite.All and User.ReadWrite.All |
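A preflight that checks the permissions in the table above against the claims of the access token the action will use, as an added example that is not Axonius code. It decodes the token payload without verifying the signature, so it is only a local check that the app registration or consented scopes are complete before the action runs, not an authentication step. The `REQUIRED` map is copied from the table; the demo token and its placeholder signature are constructed here.

```python
"""Added example (not Axonius code): a local preflight that checks whether an
Azure AD access token carries the Graph permissions this page's table lists
for the resource type being added to a group. Claims are decoded without
verifying the signature: this only catches a misconfigured app registration
before the action runs, it is not an authentication step. The demo token is
constructed here with a placeholder signature."""
import base64
import json

GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

# Required permissions per supported resource, copied from the table on this page.
REQUIRED = {
    "device": {"GroupMember.ReadWrite.All", "Device.ReadWrite.All"},
    "group": {"GroupMember.ReadWrite.All", "Group.ReadWrite.All"},
    "orgContact": {"GroupMember.ReadWrite.All", "OrgContact.Read.All"},
    "servicePrincipal": {"GroupMember.ReadWrite.All", "Application.ReadWrite.All"},
    "user": {"GroupMember.ReadWrite.All", "User.ReadWrite.All"},
}


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_claims(jwt):
    """Return the payload claims of a compact JWT (signature NOT verified)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims):
    """Delegated tokens carry a space-separated 'scp' claim; application tokens
    (client credentials) carry a 'roles' list. Returns (kind, set of permissions)."""
    if "scp" in claims:
        return "Delegated", set(claims["scp"].split())
    return "Application", set(claims.get("roles", []))


def missing_permissions(jwt, resource):
    """Return (kind, permissions the table requires that the token lacks).

    A token issued for an audience other than Microsoft Graph is rejected
    outright, since its scopes would not apply to the membership call."""
    claims = token_claims(jwt)
    if claims.get("aud") not in GRAPH_AUDIENCES:
        raise ValueError(f"token audience {claims.get('aud')!r} is not Microsoft Graph")
    kind, granted = granted_permissions(claims)
    return kind, REQUIRED[resource] - granted


def make_demo_token(claims):
    """Constructed, unsigned demo token. A real token's third segment is an
    RS256 signature; this one uses a placeholder so the parser can be exercised."""
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.placeholder-signature"


if __name__ == "__main__":
    tok = make_demo_token({"aud": "https://graph.microsoft.com",
                           "roles": ["GroupMember.ReadWrite.All"]})
    print(missing_permissions(tok, "device"))   # ('Application', {'Device.ReadWrite.All'})
```

The `kind` returned alongside the missing set tells you which column of the table applied: a token from the client-credentials grant reports `Application`, while a token obtained on behalf of a signed-in user reports `Delegated`, which is the mode this page says the action needs.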
For more details about other Enforcement Actions available, see Action Library.