Microsoft Entra ID (Azure AD) - Add or Remove Assets in Group

Microsoft Entra ID (formerly Azure AD) - Add or Remove Assets in Group adds or removes a user or device to or from an Entra ID group for each asset that is a result of the saved query supplied as a trigger (or devices that have been selected in the asset table).
This action can be used to deploy patches.

General Settings

• Use stored credentials from the Entra ID adapter - Select this option to use the first connected Entra ID adapter credentials.

Required Fields

These fields must be configured to run the Enforcement Set.

1. Group Member Operation - Select the operation you want to perform, either 'Add assets to group' or 'Remove assets from group'.
2. AD Group ID - The ID of the group to which to add the users.

3. Compute Node - The Axonius node to use when connecting to the specified host. For more details, see Connecting Additional Axonius Nodes.

Additional Fields

These fields are optional.

1. Azure Client ID (required) - The Application ID of the Axonius application, as detailed in the Required Permissions section.
2. Azure Client Secret (required) - A user created key for the Axonius application, as detailed in the Required Permissions section.
3. Azure Tenant ID (required) - Microsoft Entra ID, as detailed in the Required Permissions section.
4. Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.

Using this Action to Add an Application in InTune

Intune is a Microsoft cloud-based unified endpoint management service that can perform app deployment, updates, and removal.
Prerequisites:

• An Entra ID device group
• The App must be added to your Intune environment. Read about this.
• The Entra ID device group must be assigned to the App Assignments as required. Read about this

To Create the appropriate Group in Microsoft Endpoint Manager admin center

• Create a group.
  Create the appropriate Group in Microsoft Endpoint Manager admin center.

To add the application to InTune:

1. From the Microsoft Endpoint Manager admin center click 'Apps'.
2. Choose All apps.
3. Click Add.
4. Select app type.
5. Choose the appropriate Store app.
6. Select the application and click Select.
7. Fill in all required information.
8. Create the application.
9. In properties add the group to the app as required.

Use Microsoft Intune documentation for further information

Anyone in this group is now required to install this application. These groups (from InTune) are now available in Entra ID as groups.
Copy the ID of the groups to use above in the configuration.

In order to use this action to install applications, create a query to find Devices on the relevant platform that is missing the application.
For example, azureID exists AND NOT crowdstrike ID exists.
Then, use this Enforcement Action to add the devices to the groups that require these applications. Once the device is added to the group, the user is notified by Entra ID that they have to install the required application.

Required Permissions

The value supplied in User name must have permission to modify the group listed,
Delegated permissions are needed to work with this Action.

For full ands up-to-date information about permissions required for working with Microsoft Entra ID refer to permissions in Microsoft Graph API Documentation.