To the page content
Security Cave Blog

Automate Intune device tagging with user attributes

How to automatically tag Intune devices based on user attributes – including script, Azure Automation Account and practical how-to guide.

Person in the data centre working with a laptop between server cabinets, overlaid with programme code on the screen.

In brief

Devices in Intune should be automatically grouped according to specific user characteristics (e.g. organisation, location), for which device tags are used.

  • An automated process in Azure takes care of setting these labels and requires appropriate permissions on Microsoft Graph and Intune to do so.
  • To do this, the necessary PowerShell modules are installed in the automation environment so that user and device data can be read and the tags set accordingly.

Intune: Device tagging based on user attributes

The issue of grouping devices based on attributes of their primary users – such as company name, country, etc. – often arises. We can achieve this goal using device tags, which we can then use to create dynamic groups. Attached you will find the script and instructions for implementation. In my case, the script runs in an Azure Automation account.

Step 1: Preparing your Azure Automation account

Screenshots from the Azure Automation Account

2. Installing the necessary modules

Screenshot from the Azure Automation Account for installing modules

3. The script 

Once the runbook has been deployed, open it once, then go to 'Edit' (either in your browser or VS Code) and import the following script:

Download Script

 

4. If necessary, the planned regular execution

In the runbook under Resources / Schedules, you have the option of running the script regularly, e.g. daily. To do this, simply go to "Add schedule". This could look something like this:

Screenshot of the "Resources/Schedules" menu in Azure with the option to run scripts regularly.

Click on Create at the bottom and confirm the following dialogue box with OK. The time schedule is now assigned to the script.

This completes the implementation, and we can now create corresponding device groups based on the tags. We can then use these to scope roles, assign policies, etc.

Further information is available on this page: https://learn.microsoft.com/en-us/answers/questions/2237145/invalid-jwt-access-token
 


 

A holistic approach to security: Telekom's consulting services

Modern IT and cloud scenarios place new demands on security, governance and operations. Telekom's consulting services on Microsoft security help you analyse your environment in a structured manner and develop it in a targeted way – from initial classification to concrete implementation.

Start with a no-obligation orientation meeting or a Microsoft 365 Security Assessment and receive clear recommendations for action to improve security.

Telekom: Your partner for the entire Microsoft world

Licences & Software

All Microsoft licences from a single source – simple, secure and reliable.

übergreifend-Teaser-Telekom-Partner-Lizenzen-Software-Link-CMP

Free support

We are always there for you: quick assistance, personal support – at no extra cost.

Contact

Tested quality & safety

ISG and Microsoft-certified services for maximum security and reliability.

About the Microsoft portfolio

Your contact for questions and advice

Do you have questions about Telekom's Microsoft service offering or would you like personal advice? Simply contact our experts without obligation using the consultation form.

To the contact form
Image shows Telekom author Julien Cléro discussing Microsoft Copilot.

Author: Marcus Henker

Marcus began working with Microsoft Office 365 in 2014. Since then, he has focused on various projects and supported customers from a wide range of industries. In recent years, Marcus has concentrated on Microsoft security issues.

To the author page