Account Protection Local Group Membership Management Automation with Azure Function
This automation is implemented as an Azure Function (PowerShell) that creates device-specific Account Protection policies in Microsoft Intune (via Microsoft Graph) to grant specific users local administrator rights on specific devices. It exists to provide exceptions to a global account protection policy for targeted device-user pairs.
High-level Workflow
- Receive an HTTP request (POST) with a JSON body containing `UserPrincipalName` and `DeviceName`.
- Obtain a Microsoft Graph access token: prefer a token supplied in the request body, falling back to the Function's Managed Identity via IMDS.
- Query Intune for managed devices matching `DeviceName` (prefix match) and select the first match.
- Query Azure AD (Entra ID) for the device object representing the Intune device by `azureADDeviceId`.
- Create an Entra ID security group for the device, add the device to this group, and add the device to the global exclusion group.
- Create or update a configuration policy (Account Protection) in Intune with the user (and an optional default admin group SID) as a member.
- Assign the configuration policy to the device group.
- Return success/failure diagnostics.
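The token fallback and the device-lookup steps above, as an added PowerShell example that is not the project's own code. It assumes the identity endpoint Azure Functions expose to the worker (the `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` environment variables) and a Managed Identity with read access to Intune managed devices and Entra ID devices; unlike the first-match behaviour described above, it prefers an exact name match and fails closed when the prefix is ambiguous.

```powershell
# Added example, not the project's code. Assumes the Azure Functions managed identity
# endpoint and Graph read permissions on managed devices and Entra ID devices.

function Get-GraphTokenFromIdentity {
    # Azure Functions expose the Managed Identity token endpoint through these variables.
    $endpoint = $env:IDENTITY_ENDPOINT
    $header   = $env:IDENTITY_HEADER
    if (-not $endpoint -or -not $header) { throw 'Managed Identity endpoint not available.' }
    $uri  = "${endpoint}?resource=https://graph.microsoft.com&api-version=2019-08-01"
    $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ 'X-IDENTITY-HEADER' = $header }
    return $resp.access_token
}

function Resolve-IntuneDevice {
    param(
        [Parameter(Mandatory)] [string] $DeviceName,
        [Parameter(Mandatory)] [string] $AccessToken
    )
    # Reject characters that would break out of the OData string literal in the filter.
    if ($DeviceName -notmatch '^[A-Za-z0-9._-]{1,63}$') {
        throw "DeviceName '$DeviceName' contains unexpected characters."
    }
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $filter  = [uri]::EscapeDataString("startswith(deviceName,'$DeviceName')")
    $uri     = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=$filter&`$select=id,deviceName,azureADDeviceId"
    $devices = @((Invoke-RestMethod -Method Get -Uri $uri -Headers $headers).value)

    # A prefix match can return several devices (PC01 also matches PC010); prefer the
    # exact name and fail closed on ambiguity rather than silently taking the first hit.
    $exact = @($devices | Where-Object { $_.deviceName -eq $DeviceName })
    if ($exact.Count -eq 1) { $managed = $exact[0] }
    elseif ($devices.Count -eq 1) { $managed = $devices[0] }
    elseif ($devices.Count -eq 0) { throw "No Intune device found for prefix '$DeviceName'." }
    else { throw "Ambiguous DeviceName '$DeviceName': $($devices.deviceName -join ', ')" }

    # Map the Intune record to its Entra ID device object via azureADDeviceId.
    $aadUri = "https://graph.microsoft.com/v1.0/devices?`$filter=deviceId eq '$($managed.azureADDeviceId)'"
    $aad    = @((Invoke-RestMethod -Method Get -Uri $aadUri -Headers $headers).value)
    if ($aad.Count -ne 1) { throw "Expected exactly one Entra ID device for $($managed.deviceName)." }

    [pscustomobject]@{
        IntuneDeviceId  = $managed.id
        DeviceName      = $managed.deviceName
        AzureADDeviceId = $managed.azureADDeviceId
        EntraObjectId   = $aad[0].id
    }
}
```

The returned `EntraObjectId` is the value needed for the group-membership and policy-assignment steps that follow.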