Leverage Power Automate and Intune custom attributes to add macOS devices to EntraID groups automatically

EntraID (Azure AD) dynamic groups are very handy when it comes to automating group membership. Even though the possibilities are many (Autopilot, manufacturer, AD attributes, extensionAttribute, and more), there is no way to use dynamic groups with Intune macOS custom attributes natively (for now?).

You have created your custom attributes and they are running fine. You succeeded in monitoring your favorite data (processor architecture, battery condition, EDR status, root user, remaining storage space).

You would like to add your devices to groups automatically depending on the custom attribute results? You came to the right place!

My ramblings led me to one of my favorite tools to automate actions: Power Automate.

Note: I use Power Automate, but the Graph APIs shown here can be leveraged just as well from PowerShell or from other tools such as an Azure DevOps pipeline or a custom PS script.

Get your custom attribute

In this example, I created a script to monitor the OS architecture: does the device have an Intel chip or an Apple one?

It's deployed to my macOS devices group. You can also target your attribute at users.

Here is the result in the attribute report:

The Result column is the one we’ll use.

Understand result with Graph Explorer

First, get your custom attribute id from your web browser (URL bar or inspect):

Open Graph Explorer and query the custom attribute's device run states, expanding managedDevice so you get the device info at the same time (you'll thank me later):

https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/yourcustomattributeid/deviceRunStates?$expand=managedDevice

See? That's the result we're looking for. Let's open Power Automate!

Creating a flow

Pick the trigger you want. I picked a simple scheduled trigger every 30 minutes, but feel free to design a more advanced trigger.

Get custom attributes result

Choose a next step and search for HTTP.

Recognize the URI? Yep, it's the URI from the custom attribute.

What about authentication? Well, it's up to you.
Do you use a registered application? If so, fill in the tenant ID, audience and app client ID, along with the certificate or secret associated with it.

If you rely on a certificate, you must convert the PFX (certificate plus private key) into Base64, because that is what the HTTP action expects. To do so, I went through some PS cmdlets such as:

# Password that will protect the exported PFX file
$pass = ConvertTo-SecureString -String 'pass' -Force -AsPlainText

# Export the certificate and its private key from the local machine store (replace yourthumbprint)
Get-ChildItem -Path Cert:\LocalMachine\My\yourthumbprint | Export-PfxCertificate -FilePath C:\private.pfx -Password $pass

# Read the PFX just exported as raw bytes (Windows PowerShell 5.1; on PowerShell 7 use -AsByteStream instead of -Encoding Byte)
$privatekey = Get-Content 'C:\private.pfx' -Encoding Byte

# Base64 string to paste into the HTTP action's certificate field
$base64 = [System.Convert]::ToBase64String($privatekey)

Note: make sure you linked the right certificate to your registered application. Comparing the thumbprints might help you.

Parsing JSON

Because the result of your custom attribute is returned as JSON, a parsing step is used so you can use the data later in your flow. No need for variables; parsing will do the trick, and every field becomes available.

Create a next step and choose Parse JSON:

Choose the Body of your HTTP result as the Content.

Then the Schema. Click on « Generate from sample » so you can paste a JSON example. Power Automate will generate a template (schema) from the sample you paste.

What can you put into it? Go back to Graph Explorer, copy/paste the displayed result into the sample prompt and click Done. You'll get the proper schema, and Power Automate will then offer every field as dynamic content.

Get Azure AD Device ID

This is an important step, because it is the link between EntraID and Intune for a single device.

To add a device to a group, you use the Azure AD object ID, which you find using the Azure AD device ID, which you find in Intune using the Intune device ID. No more IDs, I promise... or not?

Create a new step after the Parse JSON and pick HTTP again!

Method: GET
As the URI, I suggest the following: https://graph.microsoft.com/beta/deviceManagement/managedDevices?$filter=azureADDeviceId eq 'yourintunedeviceid'&$select=id

This is where the previously parsed ID is used!

Pick the right id in the dynamic content of the HTTP request, because there is also an ID for the custom attribute result itself...

Don't mind the « Apply to each » loop; it will be created automatically.

Note: you can see the two different IDs in Graph Explorer. This is why I expanded managedDevice in the URI, so you get the device information directly.

Parsing the Azure AD Device ID and using it to find the Azure AD Object ID

Same thing as the previous parsing: take the URI, go to Graph Explorer, copy/paste the displayed result and build the schema.

Now that you have the Azure AD Device ID, add another HTTP step to find the Azure AD Object ID:

Here is the API you're looking for to get the Azure AD Object ID. Note that you're no longer using the managed devices API but the devices API: https://graph.microsoft.com/beta/devices?$filter=deviceId eq 'yourazureaddeviceid'

Again, parse the result by copy/pasting the output of the HTTP GET request from Graph Explorer:

Condition on resultMessage

I want to add my device to an AAD group depending on the resultMessage value.

Basically, if my resultMessage contains « Apple », I add the device to my (non-dynamic) AAD group that contains my macOS devices with Apple architecture. If my resultMessage does not contain « Apple », I consider it an Intel architecture, so I add the device to another group.

How do I translate that wish into the flow? I add another step and pick « Condition »:

If yes, I create another HTTP request, with the POST method this time.

The URI contains my group object ID and my body contains my Azure AD Object ID. Retrieve the API documentation here.

Note: your registered application might require additional permissions.

If my condition is false, I use the exact same HTTP POST except for the URI, which contains my Azure AD group object ID for Intel devices:

Again, no worries about « Apply to each » loops; they're created automatically because you're using data from an array.

Run

Looks like it's working fine!

Confirm in your Entra ID group:

You might want to improve the flow to avoid errors when the device is already a member of the group. A condition in the right place might help you.
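The whole pipeline the flow implements (read the custom attribute run states with managedDevice expanded, resolve the Entra ID object ID, pick a group from resultMessage, POST the membership) as a plain Python script against Graph, including the "already a member" check mentioned just above. This is an added example, not the post's flow or any Microsoft code. It assumes: the three GUID constants are placeholders for your own custom attribute script ID and group object IDs; the expanded managedDevice carries azureADDeviceId (so the script skips the post's separate managedDevices lookup); the devices and groups calls use the v1.0 endpoint; and FakeGraph is a constructed stand-in with sample data so the script runs offline.

```python
"""Custom attribute result -> Entra ID group membership, as an added example."""
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com"
# Placeholders (assumption): replace with your custom attribute script ID and group object IDs.
CUSTOM_ATTRIBUTE_ID = "00000000-0000-0000-0000-000000000000"
APPLE_GROUP_ID = "11111111-1111-1111-1111-111111111111"
INTEL_GROUP_ID = "22222222-2222-2222-2222-222222222222"


def graph_request(token, method, url, body=None):
    """Real transport: one Graph call with a bearer token; returns (status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"null")


def list_pages(call, url):
    """Follow @odata.nextLink so run states and group members beyond one page are not missed."""
    while url:
        status, page = call("GET", url)
        if status != 200:
            raise RuntimeError(f"GET {url} -> HTTP {status}")
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def choose_group(result_message):
    """Same condition as the flow: 'Apple' in resultMessage -> Apple group, anything else -> Intel group."""
    return APPLE_GROUP_ID if "Apple" in (result_message or "") else INTEL_GROUP_ID


def device_object_id(call, azure_ad_device_id):
    """Azure AD device ID (the GUID Intune knows) -> directory object ID used for group membership."""
    query = urllib.parse.urlencode({"$filter": f"deviceId eq '{azure_ad_device_id}'", "$select": "id"})
    ids = [d["id"] for d in list_pages(call, f"{GRAPH}/v1.0/devices?{query}")]
    return ids[0] if ids else None


def group_member_ids(call, group_id):
    """Current members, fetched once per run so the POST is skipped for devices already present."""
    return {m["id"] for m in list_pages(call, f"{GRAPH}/v1.0/groups/{group_id}/members?$select=id")}


def add_member(call, group_id, object_id):
    """POST /groups/{id}/members/$ref with the directoryObjects reference, as in the flow's HTTP action."""
    body = {"@odata.id": f"{GRAPH}/v1.0/directoryObjects/{object_id}"}
    status, payload = call("POST", f"{GRAPH}/v1.0/groups/{group_id}/members/$ref", body)
    if status != 204:
        raise RuntimeError(f"adding {object_id} to {group_id} failed: HTTP {status} {payload}")


def sync(call, custom_attribute_id=CUSTOM_ATTRIBUTE_ID):
    """Run the whole pipeline; returns {objectId: groupId} for memberships actually added."""
    url = (f"{GRAPH}/beta/deviceManagement/deviceManagementScripts/"
           f"{custom_attribute_id}/deviceRunStates?$expand=managedDevice")
    members = {g: group_member_ids(call, g) for g in (APPLE_GROUP_ID, INTEL_GROUP_ID)}
    added = {}
    for state in list_pages(call, url):
        aad_device_id = (state.get("managedDevice") or {}).get("azureADDeviceId")
        object_id = device_object_id(call, aad_device_id) if aad_device_id else None
        if object_id is None:
            continue  # no Entra ID record for this device; nothing to add
        group_id = choose_group(state.get("resultMessage"))
        if object_id in members[group_id]:
            continue  # the condition the post suggests: already a member, skip the POST
        add_member(call, group_id, object_id)
        members[group_id].add(object_id)
        added[object_id] = group_id
    return added


class FakeGraph:
    """Constructed offline stand-in for Graph with sample data; swap for graph_request in production."""
    def __init__(self):
        self.posts = []
        self.members = {APPLE_GROUP_ID: {"obj-3"}, INTEL_GROUP_ID: set()}  # obj-3 is already a member
        self.directory = {"dev-1": "obj-1", "dev-2": "obj-2", "dev-3": "obj-3"}
        self.run_states = [
            {"id": "run-1", "resultMessage": "Apple M2", "managedDevice": {"id": "intune-1", "azureADDeviceId": "dev-1"}},
            {"id": "run-2", "resultMessage": "Intel(R) Core(TM) i7", "managedDevice": {"id": "intune-2", "azureADDeviceId": "dev-2"}},
            {"id": "run-3", "resultMessage": "Apple M1", "managedDevice": {"id": "intune-3", "azureADDeviceId": "dev-3"}},
        ]

    def __call__(self, method, url, body=None):
        if "deviceRunStates" in url:
            return 200, {"value": self.run_states}
        if "/devices?" in url:
            wanted = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["$filter"][0].split("'")[1]
            oid = self.directory.get(wanted)
            return 200, {"value": [{"id": oid}] if oid else []}
        gid = url.split("/groups/")[1].split("/")[0]
        if "/members/$ref" in url and method == "POST":
            oid = body["@odata.id"].rsplit("/", 1)[1]
            if oid in self.members[gid]:
                return 400, {"error": {"message": "One or more added object references already exist."}}
            self.members[gid].add(oid)
            self.posts.append((gid, oid))
            return 204, None
        return 200, {"value": [{"id": m} for m in sorted(self.members[gid])]}


if __name__ == "__main__":
    print(sync(FakeGraph()))  # against a real tenant: sync(lambda m, u, b=None: graph_request(token, m, u, b))
```

With the sample data, the first run adds obj-1 to the Apple group and obj-2 to the Intel group and skips obj-3, and a second run adds nothing, which is the idempotent behaviour the extra condition in the flow is meant to give you. The token for graph_request comes from your registered application (the same tenant ID, client ID and certificate or secret you configured in the HTTP action).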

Enjoy automation. The possibilities are infinite with Graph API and Power Automate!
