Account Protection Local Group Membership Management Automation with Azure Function

This automation is implemented as an Azure Function (PowerShell) that creates device-specific Account Protection policies in Microsoft Intune (via Microsoft Graph) to grant specific users local administrator rights on specific devices. It exists to provide exceptions to a global account protection policy for targeted device-user pairs.

High-level Workflow

  1. Receive HTTP request (POST) with JSON body containing UserPrincipalName and DeviceName.
  2. Obtain a Microsoft Graph access token: prefer a token supplied in the request body, falling back to the Function's Managed Identity via IMDS.
  3. Query Intune for managed devices matching DeviceName (prefix match) and select the first match.
  4. Query Azure AD (Entra ID) for the device object representing the Intune device by azureADDeviceId.
  5. Create an Entra ID security group for the device, add the device to this group, and add the device to the global exclusion group.
  6. Create or update a configuration policy (Account Protection) in Intune with the user (and optional default admin group SID) as a member.
  7. Assign the configuration policy to the device group.
  8. Return success/failure diagnostics.
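The eight steps above, carried through as one HTTP-triggered `run.ps1`. This is an added example written for this page, not the project's own function code. It assumes the following, none of which the page specifies: app settings `EXCLUSION_GROUP_ID` (the global exclusion group) and `ACCOUNT_PROTECTION_TEMPLATE_ID` (the settings-catalog template id, shown only as a placeholder), a settings template file `accountProtectionSettings.json` deployed beside the script with a `__USER_ID__` marker for the user's object id, and that the Graph `$filter` expressions used (`startswith` on `managedDevices/deviceName`, `name eq` on `configurationPolicies`) are accepted by the tenant's API version. Group creation, membership and policy creation are written to be idempotent so a re-run for the same device-user pair does not create duplicates, and the two request fields are validated against a strict allow-list before they are interpolated into OData filters.

```powershell
# Added example (not the project's own code): run.ps1 for the HTTP-triggered PowerShell Function.
# ASSUMED and hypothetical: EXCLUSION_GROUP_ID, ACCOUNT_PROTECTION_TEMPLATE_ID, accountProtectionSettings.json.
using namespace System.Net
param($Request, $TriggerMetadata)

$Graph = 'https://graph.microsoft.com'

function Get-GraphToken {
    param([string]$Supplied)
    # Step 2: honour a token supplied by the caller, otherwise use the Function's managed identity.
    if ($Supplied) { return $Supplied }
    if ($env:IDENTITY_ENDPOINT) {    # identity endpoint exposed inside Azure Functions / App Service
        $uri = "$($env:IDENTITY_ENDPOINT)?resource=$Graph&api-version=2019-08-01"
        return (Invoke-RestMethod -Uri $uri -Headers @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }).access_token
    }
    # VM-hosted fallback: the IMDS endpoint the workflow refers to.
    $uri = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=$Graph"
    return (Invoke-RestMethod -Uri $uri -Headers @{ Metadata = 'true' }).access_token
}

function Invoke-Graph {
    param([string]$Method = 'GET', [Parameter(Mandatory)][string]$Path, $Body, [Parameter(Mandatory)][string]$Token)
    $headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
    $json = if ($null -ne $Body) { $Body | ConvertTo-Json -Depth 30 } else { $null }
    Invoke-RestMethod -Method $Method -Uri "$Graph/$Path" -Headers $headers -Body $json
}

function Add-GroupMemberIdempotent {
    param([string]$GroupId, [string]$ObjectId, [string]$Token)
    # Graph answers a duplicate $ref add with HTTP 400; treat that as success so re-runs are safe.
    $ref = @{ '@odata.id' = "$Graph/v1.0/directoryObjects/$ObjectId" }
    try { Invoke-Graph -Method POST -Path "v1.0/groups/$GroupId/members/`$ref" -Body $ref -Token $Token | Out-Null }
    catch { if ([int]$_.Exception.Response.StatusCode -ne 400) { throw } }
}

# Step 1: parse and validate the request. Both values are interpolated into OData filters, so reject
# anything outside a strict allow-list rather than trying to escape it.
$upn        = [string]$Request.Body.UserPrincipalName
$deviceName = [string]$Request.Body.DeviceName
if ($deviceName -notmatch '^[A-Za-z0-9-]{1,15}$' -or $upn -notmatch '^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$') {
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = [HttpStatusCode]::BadRequest; Body = 'UserPrincipalName or DeviceName is missing or malformed' })
    return
}

$diag = [ordered]@{ DeviceName = $deviceName; UserPrincipalName = $upn }
try {
    $token = Get-GraphToken -Supplied ([string]$Request.Body.AccessToken)

    # Step 3: prefix match on the Intune device name; the workflow takes the first hit, so record which one.
    $managed = (Invoke-Graph -Path "v1.0/deviceManagement/managedDevices?`$filter=startswith(deviceName,'$deviceName')" -Token $token).value |
        Select-Object -First 1
    if (-not $managed) { throw "no Intune device with name prefix '$deviceName'" }
    $diag.IntuneDeviceId = $managed.id
    $diag.MatchedDeviceName = $managed.deviceName

    # Step 4: the Entra device object whose deviceId equals the Intune azureADDeviceId.
    $entraDevice = (Invoke-Graph -Path "v1.0/devices?`$filter=deviceId eq '$($managed.azureADDeviceId)'" -Token $token).value |
        Select-Object -First 1
    if (-not $entraDevice) { throw "no Entra device for azureADDeviceId $($managed.azureADDeviceId)" }
    $user = Invoke-Graph -Path "v1.0/users/$upn" -Token $token      # an unknown UPN surfaces as a 404 here

    # Step 5: one security group per device, reused on re-run; the device joins it and the global exclusion group.
    $groupName = "LocalAdmin-$($managed.deviceName)"
    $group = (Invoke-Graph -Path "v1.0/groups?`$filter=displayName eq '$groupName'" -Token $token).value | Select-Object -First 1
    if (-not $group) {
        $group = Invoke-Graph -Method POST -Path 'v1.0/groups' -Token $token -Body @{
            displayName = $groupName; securityEnabled = $true; mailEnabled = $false
            mailNickname = ($groupName -replace '[^A-Za-z0-9]', '') }
    }
    Add-GroupMemberIdempotent -GroupId $group.id -ObjectId $entraDevice.id -Token $token
    Add-GroupMemberIdempotent -GroupId $env:EXCLUSION_GROUP_ID -ObjectId $entraDevice.id -Token $token
    $diag.DeviceGroupId = $group.id

    # Step 6: create or replace the device-specific Account Protection policy. The settings-catalog payload
    # comes from the assumed template file, with the user's object id substituted in.
    $policyName   = "AccountProtection-LocalAdmin-$($managed.deviceName)"
    $settingsJson = (Get-Content -Raw "$PSScriptRoot/accountProtectionSettings.json") -replace '__USER_ID__', $user.id
    $policyBody = @{
        name = $policyName; platforms = 'windows10'; technologies = 'mdm'
        templateReference = @{ templateId = $env:ACCOUNT_PROTECTION_TEMPLATE_ID }   # placeholder template id
        settings = ConvertFrom-Json $settingsJson
    }
    $existing = (Invoke-Graph -Path "beta/deviceManagement/configurationPolicies?`$filter=name eq '$policyName'" -Token $token).value |
        Select-Object -First 1
    if ($existing) {
        Invoke-Graph -Method PUT -Path "beta/deviceManagement/configurationPolicies/$($existing.id)" -Body $policyBody -Token $token | Out-Null
        $policyId = $existing.id
    } else {
        $policyId = (Invoke-Graph -Method POST -Path 'beta/deviceManagement/configurationPolicies' -Body $policyBody -Token $token).id
    }

    # Step 7: assign the policy to the per-device group only, never to a broader target.
    Invoke-Graph -Method POST -Path "beta/deviceManagement/configurationPolicies/$policyId/assign" -Token $token -Body @{
        assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $group.id } }) } | Out-Null
    $diag.PolicyId = $policyId
    $status = [HttpStatusCode]::OK
} catch {
    $diag.Error = $_.Exception.Message
    $status = [HttpStatusCode]::InternalServerError
}

# Step 8: return success/failure diagnostics.
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ StatusCode = $status; Body = ($diag | ConvertTo-Json) })
```

Two design points worth checking in any deployment of this pattern. First, because step 2 honours a caller-supplied token, the Graph permissions of whatever token is used bound what a run can do, and the trigger itself must be protected (a function key or App Service authentication) since every accepted request ends in a local-administrator grant. Second, the prefix match in step 3 silently picks the first of possibly several devices, so the matched device name is echoed back in the diagnostics to make that choice auditable.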