Microsoft Entra ID (formerly Azure AD) - Add or Remove Assets in Group
  • 10 Feb 2025
  • 4 Minutes to read

Article summary

Microsoft Entra ID (formerly Azure AD) - Add or Remove Assets in Group adds users or devices to, or removes them from, an Entra ID group, for:

  • Assets returned by the selected query or assets selected on the relevant asset page.
    Because Intune assigns applications to Entra ID groups, this action can be used to deploy applications or patches by adding devices to the group that carries the assignment (see Using this Action to Add an Application in Intune below).

See Creating Enforcement Sets to learn more about adding Enforcement Actions to Enforcement Sets.

Required Fields

These fields must be configured to run the Enforcement Set.

  • Action name - The name of this Enforcement Action. The system sets a default name. You can change the name.
  • Configure Dynamic Values - Toggle on to enter a Dynamic Value statement. See Creating Enforcement Action Dynamic Value Statements to learn more about Dynamic Value statement syntax.

  • Use stored credentials from the Microsoft Entra ID (formerly Azure AD) adapter - Select this option to reuse the credentials of a connected Entra ID adapter instead of entering credentials in the Connection and Credentials fields below.
    • When you select this option, the Select Adapter Connection drop-down becomes available. Select the adapter connection whose credentials this Enforcement Action uses.
  • Group Member Operation - Select the operation you want to perform: 'Add assets to group' or 'Remove assets from group'.
  • AD Group ID - The object ID (GUID) of the Entra ID group to which assets are added or from which they are removed. Enter the group's object ID, not its display name.
  • Compute Node - The Axonius node to use when connecting to the specified host. For more details, see Connecting Additional Axonius Nodes.

Additional Fields

These fields are optional.

Connection and Credentials

When Use stored credentials from the adapter is toggled off, some of the connection fields below are required to create the connection, while other fields are optional.

  • Azure Client ID - The Application (client) ID of the Axonius app registration, as detailed in the Required Permissions section.
  • Azure Client Secret - A client secret created for the Axonius app registration, as detailed in the Required Permissions section.
  • Azure Tenant ID - The Microsoft Entra tenant ID, as detailed in the Required Permissions section.
  • Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.
Note:
The following parameters are only relevant for customers who have SaaS Management enabled.
  • Account Sub Domain - The Microsoft account's sub domain (<sub_domain>.onmicrosoft.com).
  • User Name and Password - The credentials for a user account that has the permissions needed to fetch SaaS data.
  • 2FA Secret Key - The secret generated in Microsoft Entra ID for setting up 2-factor authentication for the Microsoft user. For more information, see Enable or Exclude Multi-Factor Authentication.
  • SSO Provider - If your organization uses Microsoft Entra ID for SSO, you can select this check box. For more information, see Connecting your SSO Solution Provider Adapter.

Using this Action to Add an Application in Intune

Intune is a Microsoft cloud-based unified endpoint management service that can perform app deployment, updates, and removal. Intune assigns apps to Entra ID groups, so adding a device to the right group with this action causes Intune to deploy the app to that device.
Prerequisites:

  • An Entra ID device group.
  • The app must be added to your Intune environment (see the Microsoft Intune documentation).
  • The Entra ID device group must be assigned to the app, with the assignment type set to Required (see the Microsoft Intune documentation).

To create the appropriate group in the Microsoft Endpoint Manager admin center (now the Microsoft Intune admin center):

  • Create a device group. Its object ID is the value you later enter in AD Group ID.

To add the application to Intune:

  1. From the Microsoft Endpoint Manager admin center, click Apps.
  2. Choose All apps.
  3. Click Add.
  4. Select the app type.
  5. Choose the appropriate store app.
  6. Select the application and click Select.
  7. Fill in all required information.
  8. Create the application.
  9. In the app's Properties, under Assignments, add the group with the assignment type Required.

See the Microsoft Intune documentation for further information.

Devices in this group are now required to install this application. Intune groups are Entra ID groups, so each one has an Entra ID object ID.
Copy the object ID of each such group for use in the AD Group ID field above.

To use this action to install an application, create a query that finds devices on the relevant platform that are missing it.
For example, a query of the form azureID exists AND NOT crowdstrike ID exists returns devices that the Entra ID adapter reports but the CrowdStrike adapter does not, that is, devices without the CrowdStrike agent.
Then use this Enforcement Action to add those devices to the group to which the application is assigned. Once a device is a member of the group, Intune treats the application as required for it and deploys it; depending on the app and platform, the user may be prompted to complete the installation.

Required Permissions

The identity that runs this action (the app registration identified by Azure Client ID, or the account entered in User Name when SaaS Management is enabled) must be allowed to modify the membership of the group entered in AD Group ID, that is, to add users or devices to, and remove them from, a Microsoft Entra ID group.
The table below lists the Microsoft Graph permissions required for each supported member type: delegated permissions apply when the action authenticates as a user, application permissions when it authenticates with a client ID and secret.

For full and up-to-date information about the permissions required for working with Microsoft Entra ID, refer to the permissions listed for the group "Add member" and "Remove member" operations in the Microsoft Graph API documentation.

Supported Resource | Delegated | Application
device | GroupMember.ReadWrite.All and Device.ReadWrite.All | GroupMember.ReadWrite.All and Device.ReadWrite.All
group | GroupMember.ReadWrite.All and Group.ReadWrite.All | GroupMember.ReadWrite.All and Group.ReadWrite.All
orgContact | GroupMember.ReadWrite.All and OrgContact.Read.All | GroupMember.ReadWrite.All and OrgContact.Read.All
servicePrincipal | GroupMember.ReadWrite.All and Application.ReadWrite.All | GroupMember.ReadWrite.All and Application.ReadWrite.All
user | GroupMember.ReadWrite.All and User.ReadWrite.All | GroupMember.ReadWrite.All and User.ReadWrite.All

Note that these permissions are tenant-wide: GroupMember.ReadWrite.All lets the identity change the membership of every group in the tenant, not only the one entered in AD Group ID, so protect the client secret accordingly. They do not cover role-assignable groups, whose membership can only be changed with RoleManagement.ReadWrite.Directory.
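The following added example, written for this article and not Axonius code, shows what the action does behind the UI: the device selection the query above describes, the permission check for the identity from the table above, and the Microsoft Graph group-membership calls. It assumes the action ultimately uses the Graph "Add member" and "Remove member" endpoints (the Axonius implementation is not documented); the device records, field names such as entra_object_id, and all GUIDs are constructed sample data.

```python
"""Added example (not Axonius code): the Microsoft Graph calls behind adding or
removing group members, the permission check for the identity that makes them,
and the device selection the query describes. All IDs and records are
constructed sample data; the field names are hypothetical."""
import json
import re
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Permissions per member type, from the table above (the same set is listed
# for delegated and application permissions). Keys are Graph resource paths.
REQUIRED_PERMISSIONS = {
    "devices": ("GroupMember.ReadWrite.All", "Device.ReadWrite.All"),
    "groups": ("GroupMember.ReadWrite.All", "Group.ReadWrite.All"),
    "contacts": ("GroupMember.ReadWrite.All", "OrgContact.Read.All"),
    "servicePrincipals": ("GroupMember.ReadWrite.All", "Application.ReadWrite.All"),
    "users": ("GroupMember.ReadWrite.All", "User.ReadWrite.All"),
}

# Constructed sample inventory: what the Entra ID and CrowdStrike adapters
# reported for four devices. 'entra_object_id' stands for the directory
# object id (Graph 'id'), which group membership uses, not the 'deviceId'.
SAMPLE_DEVICES = [
    {"host": "lt-001", "entra_object_id": "11111111-1111-1111-1111-111111111111", "crowdstrike_id": "a1b2"},
    {"host": "lt-002", "entra_object_id": "22222222-2222-2222-2222-222222222222", "crowdstrike_id": None},
    {"host": "lt-003", "entra_object_id": None, "crowdstrike_id": "c3d4"},
    {"host": "lt-004", "entra_object_id": "44444444-4444-4444-4444-444444444444"},
]


def devices_missing_agent(devices):
    """'azureID exists AND NOT crowdstrike ID exists': Entra object IDs of
    devices the Entra ID adapter knows but CrowdStrike does not."""
    return [d["entra_object_id"] for d in devices
            if d.get("entra_object_id") and not d.get("crowdstrike_id")]


def missing_permissions(member_type, granted):
    """Required permissions the calling identity lacks for this member type.
    'granted' is the token's 'roles' (application) or 'scp' (delegated) claim."""
    return [p for p in REQUIRED_PERMISSIONS[member_type] if p not in set(granted)]


def membership_request(op, group_id, member_type, member_id):
    """Graph request (method, url, body) for one add or remove.
    group_id is the AD Group ID field: an object-ID GUID, not a display name."""
    for value in (group_id, member_id):
        if not GUID_RE.match(value):
            raise ValueError(f"not an Entra object ID: {value}")
    if member_type not in REQUIRED_PERMISSIONS:
        raise ValueError(f"unsupported member type: {member_type}")
    if op == "add":
        return ("POST", f"{GRAPH}/groups/{group_id}/members/$ref",
                {"@odata.id": f"{GRAPH}/{member_type}/{member_id}"})
    if op == "remove":
        return ("DELETE", f"{GRAPH}/groups/{group_id}/members/{member_id}/$ref", None)
    raise ValueError(f"unknown operation: {op}")


def bulk_add_requests(group_id, member_type, member_ids, batch=20):
    """Add many members via PATCH /groups/{id} with members@odata.bind,
    which Graph caps at 20 members per request."""
    if not GUID_RE.match(group_id):
        raise ValueError(f"not an Entra object ID: {group_id}")
    bad = [m for m in member_ids if not GUID_RE.match(m)]
    if bad:
        raise ValueError(f"not Entra object IDs: {bad}")
    batch = min(batch, 20)
    reqs = []
    for i in range(0, len(member_ids), batch):
        chunk = member_ids[i:i + batch]
        reqs.append(("PATCH", f"{GRAPH}/groups/{group_id}",
                     {"members@odata.bind": [f"{GRAPH}/{member_type}/{m}" for m in chunk]}))
    return reqs


def send(request, token):
    """Issue one prepared request with a bearer token (network call; not run here)."""
    method, url, body = request
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:   # Graph returns 204 No Content on success
        return resp.status


if __name__ == "__main__":
    group = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # hypothetical AD Group ID
    targets = devices_missing_agent(SAMPLE_DEVICES)
    print("still missing:", missing_permissions("devices", ["GroupMember.ReadWrite.All"]))
    for r in bulk_add_requests(group, "devices", targets):
        print(json.dumps(r, indent=1))
```

Run as a script it only prints the prepared requests; pass each to send() with a token obtained for the app registration to actually change membership. The GUID check matters in practice: a display name or the device's deviceId attribute in AD Group ID or in the member reference is rejected by Graph, and the batched PATCH form is what keeps large query results within Graph's per-request limit.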

For more details about other Enforcement Actions available, see Action Library.
