Extending the Intune Connector for Active Directory

When using Azure AD Hybrid Join with Windows Autopilot, the «Intune Connector for Active Directory» closes the gap between your on-premises Active Directory and Azure AD: it provides the domain join functionality for your devices. This process works great, but as soon as you start using it you will have more requirements.

This can be for example:

  • Rename computers according to a predefined naming convention, not only with a prefix. Read more about that in my blog post «Ultimate guide to define device names in Windows Autopilot Hybrid Join Scenario».
  • Move the computer to a specific OU, based on things like the hardware type or the user’s location.
  • Add computer accounts to a specific Active Directory group to assign share permissions or to grant auto-enrollment for a specific certificate template.
  • Clean up old computer objects. With every join a new computer object is created in Active Directory, and Intune also keeps records of the old device.

For all these requirements we need to be able to start a process as soon as a new device starts the Azure AD Hybrid Join process. For this I created the «Intune Connector for Active Directory Extender». This service can easily be installed on the server which is running the «Intune Connector for Active Directory».

Architecture

The extender installs a Windows service which listens for events written by the «Intune Connector for Active Directory». The whole offline domain join functionality on the left side works as normal, but directly after the computer object is created in Active Directory your PowerShell script is triggered with all information about the new object, especially the device name in Active Directory and the device id in Intune.

Windows Event Log

The «Intune Connector for Active Directory» writes multiple event entries during an offline domain join. Details about each step are perfectly explained on Vimal Das’s blog. For my solution the event id 30130 is the important one. Its event data contains all the information we need:

{
    "Metric":{
        "Dimensions":{
            "RequestId":"60cbe32e-e657-428c-8ea7-35d9c069e1c8",
            "DeviceId":"37d4e872-31fd-4768-a3df-bb39c85502a4",
            "DomainName":"kurcontoso.ch",
            "MachineName":"KUR-FpsmCmcB814",
            "BlobDataLength":"1368",
            "InstanceId":"3AD91DE2-B93B-4B80-9CDC-AA1F1AF4AC3B",
            "DiagnosticCode":"0x00000000",
            "DiagnosticText":"Successful"
        },
        "Name":"RequestOfflineDomainJoinBlob_Success",
        "Value":0
    }
}

As you can see, we can use MachineName and DeviceId to identify the objects in our script.
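To show how a script can consume this event safely, here is an added example (not part of the extender or of the blog's code) that parses the event data shown above and returns MachineName and DeviceId only when the event reports a successful blob request. The log name in $LogName and the assumption that the JSON is available as the event's message text are mine; verify both on your own connector server.

```powershell
# Added example: turn event 30130 data into the two values a script needs.
# Assumptions: the JSON is the event's message text and the connector writes
# to the log named in $LogName (placeholder, check the event viewer).
$LogName = '<connector-event-log-name>'

function ConvertFrom-OdjEvent {
    param([Parameter(Mandatory)][string]$EventJson)

    $metric = ($EventJson | ConvertFrom-Json).Metric
    $dim    = $metric.Dimensions

    # Only a successful blob request should trigger any automation
    if ($metric.Name -ne 'RequestOfflineDomainJoinBlob_Success' -or
        $dim.DiagnosticCode -ne '0x00000000') {
        return $null
    }
    # Validate the values before they are used in AD or Intune queries:
    # a NetBIOS computer name has at most 15 characters, the device id is a GUID
    if ($dim.MachineName -notmatch '^[A-Za-z0-9-]{1,15}$') {
        throw "Unexpected MachineName '$($dim.MachineName)' in request $($dim.RequestId)"
    }
    $deviceId = [Guid]$dim.DeviceId    # throws if it is not a GUID

    [pscustomobject]@{
        DeviceName = $dim.MachineName
        DeviceId   = $deviceId.ToString()
        DomainName = $dim.DomainName
        RequestId  = $dim.RequestId
    }
}

# Sample input: the event data quoted above, embedded as a constructed string
$sample = @'
{"Metric":{"Dimensions":{"RequestId":"60cbe32e-e657-428c-8ea7-35d9c069e1c8",
"DeviceId":"37d4e872-31fd-4768-a3df-bb39c85502a4","DomainName":"kurcontoso.ch",
"MachineName":"KUR-FpsmCmcB814","BlobDataLength":"1368",
"InstanceId":"3AD91DE2-B93B-4B80-9CDC-AA1F1AF4AC3B","DiagnosticCode":"0x00000000",
"DiagnosticText":"Successful"},"Name":"RequestOfflineDomainJoinBlob_Success","Value":0}}
'@
ConvertFrom-OdjEvent -EventJson $sample

# The same function over the live log once $LogName is set:
# Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 30130 } -MaxEvents 10 |
#     ForEach-Object { ConvertFrom-OdjEvent -EventJson $_.Message }
```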

Installation and Configuration

The installation of the extender is simple.

  1. Download the Setup.
  2. Install the Extender on the «Intune Connector for Active Directory» server. If you have multiple, install it on all of them.
  3. After the installation the service should be up and running and the following directory is created:
  4. First of all, you need to configure ODJ-Extender.ps1 according to your needs. By default you can use the following variables in the main script region (scroll down to the end). An example is provided in the next section of this blog.
    Device Name: $DeviceName
    Intune Device Id: $DeviceId
  5. If you like, you can also execute a PowerShell script saved in another location by changing the IntuneConnectorForADExtender.Service.exe.config file.

Log files

The extender service writes its logs about started executions into log files in the C:\Windows\Temp directory. If you use my PowerShell script template, the logs of the script are also written to this directory.

Example 1 – Add the computer to an Active Directory Group

The first example I provide mainly contains the logic to add the computer to an existing Active Directory group. As a prerequisite you need to install the Active Directory PowerShell module by executing:

Install-WindowsFeature RSAT-AD-PowerShell

Next you have to copy the script below (or the possibly more recent version from GitHub) into the main region (“#region Main Script”) of the ODJ-Extender.ps1 script in the Program Files folder.

#region Add Computer Account to AD group
# Group the new computer account is added to
$TargetGroup = "sg-Intune-Computers"
$MaxRetries = 25
$RetryDelay = 5 # Seconds

Import-Module ActiveDirectory

try{
    # The connector creates the computer object shortly before this script runs,
    # so it may not be visible yet: retry until it can be found.
    $adComputer = $null
    $i = 0
    while(($null -eq $adComputer) -AND ($i -lt $MaxRetries)){
        $i++
        Write-Log "Start search try $i of $MaxRetries"
        Write-Log "Sleeping for $RetryDelay seconds before searching for computer"
        Start-Sleep -Seconds $RetryDelay
        try{
            Write-Log "Getting computer object with the name '$DeviceName' in the AD"
            # -ErrorAction Stop turns a missing object into a terminating error for the inner catch
            $adComputer = Get-ADComputer -Identity $DeviceName -ErrorAction Stop
        }catch{
            Write-Log "Computer with name '$DeviceName' not found, starting next try"
        }
    }
    if($null -eq $adComputer){
        # Do not call Add-ADGroupMember with an empty identity; report it instead
        throw "Computer '$DeviceName' not found after $MaxRetries tries"
    }
    Write-Log "Found computer '$DeviceName'"
    Write-Log "Adding '$DeviceName' to AD group '$TargetGroup'"
    Add-ADGroupMember -Identity $TargetGroup -Members $adComputer
} catch {
    Write-Log "Failed to add '$DeviceName' to AD group '$TargetGroup'" -Type Error -Exception $_.Exception
}
#endregion Add Computer Account to AD group

Adapt the script to your environment; in particular, specify the correct group name in the variable $TargetGroup.

Permissions

Then you need to grant permissions to add members to the group specified in the $TargetGroup variable. The permissions must be assigned to the computer account of the server where the service is running. If you have multiple “Intune Connector for AD” servers, I recommend creating an AD group containing the computer accounts and then assigning the permissions to that group. For a single server it should look like the following screenshot:

As soon as the first computer performs the hybrid join, it will be added automatically to the group. Mission accomplished!
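The permission from the screenshot can also be set with PowerShell. The following is an added example, not part of the extender: it grants the connector server's computer account (or, with several servers, the AD group holding those accounts) only the right to write the member attribute of the target group, which is all the script above needs. The server name INTUNECONN01 and the group name sg-IntuneConnectorServers are assumptions.

```powershell
# Added example: allow the account running the extender service to write the
# 'member' attribute of the target group, and nothing more (least privilege).
# Assumed names: the group from Example 1 and a connector server INTUNECONN01.
Import-Module ActiveDirectory

$TargetGroup = 'sg-Intune-Computers'
$Trustee     = Get-ADComputer -Identity 'INTUNECONN01'
# With several connector servers use the AD group that contains them instead:
# $Trustee = Get-ADGroup -Identity 'sg-IntuneConnectorServers'

# Look up the schemaIDGUID of the 'member' attribute instead of hard-coding it
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$memberAttr = Get-ADObject -SearchBase $schemaNc -Filter { lDAPDisplayName -eq 'member' } -Properties schemaIDGUID
$memberGuid = [Guid]$memberAttr.schemaIDGUID

$group = Get-ADGroup -Identity $TargetGroup
$path  = "AD:\$($group.DistinguishedName)"
$acl   = Get-Acl -Path $path

# Allow WriteProperty on exactly one attribute ('member') of this one object
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    [System.Security.Principal.SecurityIdentifier]$Trustee.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberGuid
)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: show the ACEs on the group that apply to the trustee
$ntAccount = $Trustee.SID.Translate([System.Security.Principal.NTAccount]).Value
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $ntAccount } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
```

The ObjectType column of the verification output should show the GUID of the member attribute, not an empty GUID, which would mean write access to all attributes of the group.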

More Ideas

More examples will follow in my next blog post. As you can imagine, I’m already working on solutions for the challenges listed in the introduction. But if you create your own, please share them back.

Thanks

Special thanks to @athi who has also tested and improved the scripts.

Thomas Kurth

I’m a consultant, trainer and architect for modern workplace and enterprise mobility projects with Microsoft technologies for the past eight years. I love to push and design the modern workplace based on Windows 10, EM&S and O365 for my customers, which is the only answer for the current security threats, the agile world and the fast-changing business requirements of my customers. Important for me is to simplify and automate the operational processes, because that is where the highest costs are.

2 Comments

Ultimate guide to define device names in Windows Autopilot Hybrid Join Scenario - Workplace Management Blog by baseVISION · June 11, 2019 at 21:50

[…] Protected: Extending the Intune Connector for Active Directory – June 10, 2019 […]

Automatic environment cleanup with Intune Connector for AD Extender - Workplace Management Blog by baseVISION · June 24, 2019 at 22:45

[…] be found in the initial blog about the […]
