Microsoft Azure (Azure AD) - Add or Remove Assets in Group
  • 27 Feb 2023
  • 4 Minutes to read

Article Summary

Microsoft Azure (Azure AD) - Add or Remove Assets in Group adds or removes a user or device to or from an Azure Active Directory group for each asset that is a result of the saved query supplied as a trigger (or devices that have been selected in the asset table).

See Creating Enforcement Sets to learn more about adding Enforcement Actions to Enforcement Sets.

General Settings

  • Enforcement Set name (required) - The name of the Enforcement Set. A default value is added by Axonius. You can change the name according to your needs.
  • Add description - Click to add a description of the Enforcement Set. It is recommended to describe what the Enforcement Set does.
  • Run action on assets matching following query (required) - Select an asset category and a query. The Enforcement Action will be run on the assets that match the query parameters.
  • Action name (required) - The name of the Main action. A default value is added by Axonius. You can change the name according to your needs.
  • Configure Dynamic Values - Toggle on to enter a Dynamic Value statement. See Creating Enforcement Action Dynamic Value Statements to learn more about Dynamic Value statement syntax.

  • Use stored credentials from the Azure AD adapter - Select this option to use the first connected Azure Active Directory adapter credentials.
Note:
  • To use this option, you must successfully configure an Azure Active Directory adapter connection.
  • The user name and the password used for the adapter connection must have the Add Users or Devices to Microsoft Azure Active Directory (AD) Group permissions to add assets.

Required Fields

These fields must be configured to run the Enforcement Set.

  1. Group Member Operation - Select the operation you want to perform, either 'Add assets to group' or 'Remove assets from group'.
  2. AD Group ID - The ID of the Azure AD group that the assets are added to or removed from.
  3. Instance Name - The Axonius node to use when connecting to the specified host. For more details, see Connecting Additional Axonius Nodes.

Additional Fields

These fields are optional.

  1. Azure Client ID (required) - The Application ID of the Axonius application, as detailed in the Required Permissions section.
  2. Azure Client Secret (required) - A user-created key for the Axonius application, as detailed in the Required Permissions section.
  3. Azure Tenant ID (required) - The Microsoft Azure Active Directory (tenant) ID, as detailed in the Required Permissions section.
  4. Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.

Using this Action to Add an Application in Intune

Intune is a Microsoft cloud-based unified endpoint management service that can perform app deployment, updates, and removal.
Prerequisites:

  • An Azure AD device group
  • The App must be added to your Intune environment. Read about this.
  • The Azure AD device group must be assigned to the App Assignments as required. Read about this

To Create the appropriate Group in Microsoft Endpoint Manager admin center

  • Create a group in the Microsoft Endpoint Manager admin center.

To add the application to Intune

  1. From the Microsoft Endpoint Manager admin center click 'Apps'.
  2. Choose 'All apps'.
  3. Click 'Add'.
  4. Select 'app type'.
  5. Choose the appropriate Store app.
  6. Select the application and click 'Select'.
  7. Fill in all required information.
  8. 'Create' the application.
  9. In properties add the group to the app as required.

Use the Microsoft Intune documentation for further information.

Anyone in this group is now required to install this application. These groups (from Intune) are now available in Azure AD as groups.
Copy the ID of the group to use in the AD Group ID field above.

To use this action to install applications, create a query that finds devices on the relevant platform that are missing the application, for instance: azureID exists AND NOT crowdstrike ID exists
Then use this Enforcement Action to add those devices to the groups that require the application. Once a device is added to the group, Azure AD notifies the user that they have to install the required application.

Required Permissions

The user name supplied must have permission to modify the listed group.
Delegated permissions are needed to work with this Action.

For full and up-to-date information about the permissions required for working with Microsoft Azure AD, refer to the permissions in the Microsoft Graph API documentation.

Supported Resource | Delegated                                               | Application
device             | GroupMember.ReadWrite.All and Device.ReadWrite.All      | GroupMember.ReadWrite.All and Device.ReadWrite.All
group              | GroupMember.ReadWrite.All and Group.ReadWrite.All       | GroupMember.ReadWrite.All and Group.ReadWrite.All
orgContact         | GroupMember.ReadWrite.All and OrgContact.Read.All       | GroupMember.ReadWrite.All and Group.ReadWrite.All
group              | GroupMember.ReadWrite.All and Group.ReadWrite.All       | GroupMember.ReadWrite.All and OrgContact.Read.All
servicePrincipal   | GroupMember.ReadWrite.All and Application.ReadWrite.All | GroupMember.ReadWrite.All and Application.ReadWrite.All
user               | GroupMember.ReadWrite.All and User.ReadWrite.All        | GroupMember.ReadWrite.All and User.ReadWrite.All
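As an added illustration (not Axonius code), the following shows the two Microsoft Graph calls behind the 'Add assets to group' and 'Remove assets from group' operations, and a pre-flight check that the application token obtained with the Azure Client ID, Client Secret and Tenant ID actually carries the permission pair from the table above before any group change is attempted. The token here is a constructed, unsigned sample so the check runs offline; the permission sets for device and user members are the ones listed in the table.

```python
import base64
import json

GRAPH = "https://graph.microsoft.com/v1.0"

# Application permission pairs for the member types this action targets (from the table above).
REQUIRED_APP_PERMISSIONS = {
    "device": {"GroupMember.ReadWrite.All", "Device.ReadWrite.All"},
    "user": {"GroupMember.ReadWrite.All", "User.ReadWrite.All"},
}


def build_member_request(operation: str, group_id: str, member_id: str) -> dict:
    """Return the Graph request (method, url, json body) for one asset.

    Add: POST /groups/{group-id}/members/$ref with an @odata.id body.
    Remove: DELETE /groups/{group-id}/members/{member-id}/$ref, no body.
    The dict is meant to be handed to an HTTP client with a bearer token.
    """
    if operation == "Add assets to group":
        return {
            "method": "POST",
            "url": f"{GRAPH}/groups/{group_id}/members/$ref",
            "json": {"@odata.id": f"{GRAPH}/directoryObjects/{member_id}"},
        }
    if operation == "Remove assets from group":
        return {
            "method": "DELETE",
            "url": f"{GRAPH}/groups/{group_id}/members/{member_id}/$ref",
            "json": None,
        }
    raise ValueError(f"unknown Group Member Operation: {operation!r}")


def _jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying it; we only inspect a token we received ourselves."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_permissions(token: str, resource: str) -> set:
    """Permissions the app token lacks for this member type (app roles live in the 'roles' claim)."""
    granted = set(_jwt_claims(token).get("roles", []))
    return REQUIRED_APP_PERMISSIONS[resource] - granted


def constructed_token(roles) -> str:
    """Constructed, unsigned JWT for offline demonstration only; never use for real calls."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'roles': list(roles)})}.sig"
```

If missing_permissions returns a non-empty set, the enforcement run will fail with 403 on every asset, so the check is cheaper than discovering it one device at a time.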

For more details about other Enforcement Actions available, see Action Library.
