Bulk add devices to Azure AD Group

A simple script, which takes a list of device names in a text file and adds them to the specified Azure AD group.

Requires the AzureAD PowerShell module; the script checks for it and offers to install it if it is not found. The script can cope with MFA for Azure AD admins.

<#
.SYNOPSIS
   Add Computers to Azure AD Group
.DESCRIPTION
   Add Computers to Azure AD Group. Jimmy White Feb 2021 www.deviousweb.com
.EXAMPLE
   Create a txt file with the NetBIOS names of devices you want to add. The script invokes a file picker to allow you to choose the file.
.INPUTS
   None
.OUTPUTS
   Console
.NOTES
   General notes
.COMPONENT
   AzureAD

#>
###################################################################################
#                       Adjust these variables accordingly...                     #
###################################################################################
$azgroup = "MyAzureAdGroupName"

###################################################################################

# Let's check to see if we have the Azure AD module installed...

if (Get-Module -ListAvailable -Name AzureAD) {
    Write-Host "AzureAD Module exists, loading"
    Import-Module AzureAD
}
else {
    # No module; does the user have admin rights to install it?
    Write-Host "AzureAD Module does not exist, please install`r`n with Install-Module AzureAD" -ForegroundColor Red

    if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
        [Security.Principal.WindowsBuiltInRole] "Administrator")) {
        Write-Host "Insufficient permissions to install module. Please run as an administrator and try again." -ForegroundColor DarkYellow
        return
    }
    else {
        Write-Host "Attempting to install Azure AD module" -ForegroundColor Cyan
        Install-Module AzureAD -Confirm:$False -Force
        Import-Module AzureAD   # load it now that it is installed
    }
}

# OK, let's pick the file..
Add-Type -AssemblyName System.Windows.Forms   # OpenFileDialog lives here and is not loaded by default
$FileBrowser = New-Object System.Windows.Forms.OpenFileDialog -Property @{
    InitialDirectory = [Environment]::GetFolderPath('Desktop')
    Filter = 'Text files (*.txt)|*.txt'
}
if ($FileBrowser.ShowDialog() -ne [System.Windows.Forms.DialogResult]::OK) {
    Write-Host "No file selected, exiting" -ForegroundColor DarkYellow
    return
}
# One device name per line; ignore blank lines and surrounding whitespace
$machines = Get-Content $FileBrowser.FileName | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne "" }


# OK, if we got here, we must have the Azure AD module installed, let's connect...
Connect-AzureAD
Write-Host "Getting Object ID of group.." -ForegroundColor Green
$objid = (Get-AzureADGroup -Filter "DisplayName eq '$azgroup'").ObjectId
if (-not $objid) {
    Write-Host "Group '$azgroup' not found" -ForegroundColor Red
    return
}
Write-Host "Getting group members (We don't want duplicates!).." -ForegroundColor Cyan
# Keep plain display-name strings so the membership test below is an exact comparison.
# The original -match test was a regex/substring match on the whole object, and an
# empty result array made the "already a member" branch fire for non-members.
$members = Get-AzureADGroupMember -ObjectId $objid -All $true | Select-Object -ExpandProperty DisplayName

foreach ($machine in $machines) {
    ################################################################
    #$refid = Get-AzureADDevice -Filter "DisplayName eq '$machine'"#
    ################################################################
    # Above was removed and updated with the below to take into account stale and duplicate devices
    # thanks to Nazid Kimmie for pointing this out!

    $refid = Get-AzureADDevice -Filter "DisplayName eq '$machine'" | Where-Object { $_.IsCompliant -eq $False }
    if (-not $refid) {
        Write-Host "No matching device found for $machine, skipping" -ForegroundColor DarkYellow
        continue
    }
    if ($members -notcontains $machine) {
        try {
            Write-Host "Adding " $refid.DisplayName -ForegroundColor Cyan
            Add-AzureADGroupMember -ObjectId $objid -RefObjectId $refid.ObjectId
        }
        catch {
            Write-Host "An error occurred for " $refid.DisplayName -ForegroundColor Red
        }
    }
    else {
        Write-Host $machine " is already a member" -ForegroundColor Green
    }

}

12 thoughts on “Bulk add devices to Azure AD Group”

    • Experienced the same. First time I ran the script it said “is already a member”, which it isn't, since it's an empty group and the group is specified correctly. Then I ran the script again and it said “Member already added”, but two hours later this group is still empty...

  1. OK, thanks to my colleague, who is more PS aware than myself, we found the problem. The objects were not uploading to the AAD group because we had multiple duplicate AZ IDs for many of the PCs – some stale records still in AAD.

    My colleague added the following to weed out any duplicate stale records for the objects:

    foreach ($machine in $machines) {
        $refid = Get-AzureADDevice -Filter "DisplayName eq '$machine'" | Where-Object { $_.IsCompliant -eq $False }
    }
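The stale-duplicate problem described in the script's loop and in the comment above can also be handled by ranking the candidate records for a name rather than filtering on IsCompliant alone, so that a stale or disabled object is never the one added to the group. This is an added example, not code from the original post; it assumes the candidates carry the DisplayName, ObjectId, AccountEnabled and ApproximateLastLogonTimeStamp properties the AzureAD module returns, and uses constructed sample objects in place of Get-AzureADDevice output.

```powershell
# Added example: choose one current device record per name when Azure AD holds duplicates.
# In the real script the -Candidates input would be the output of
# Get-AzureADDevice -Filter "DisplayName eq '$machine'" (assumption: same property names).
function Select-CurrentDevice {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Candidates
    )
    # Exact name match only: guards against PC1 being confused with PC10
    $found = @($Candidates | Where-Object { $_.DisplayName -eq $Name })
    if ($found.Count -eq 0) {
        Write-Warning "$Name : no device object found"
        return $null
    }
    # Prefer enabled records, then the most recent sign-in; stale duplicates sort last
    $chosen = $found |
        Sort-Object @{ Expression = 'AccountEnabled'; Descending = $true },
                    @{ Expression = 'ApproximateLastLogonTimeStamp'; Descending = $true } |
        Select-Object -First 1
    if ($found.Count -gt 1) {
        Write-Warning "$Name : $($found.Count) records, using $($chosen.ObjectId) (last logon $($chosen.ApproximateLastLogonTimeStamp)); consider cleaning up the rest"
    }
    return $chosen
}

# Constructed sample data standing in for Get-AzureADDevice output (IDs are placeholders)
$devices = @(
    [pscustomobject]@{ DisplayName = 'PC01'; ObjectId = '00000000-0000-0000-0000-000000000001'; AccountEnabled = $true;  ApproximateLastLogonTimeStamp = [datetime]'2020-06-01' }
    [pscustomobject]@{ DisplayName = 'PC01'; ObjectId = '00000000-0000-0000-0000-000000000002'; AccountEnabled = $true;  ApproximateLastLogonTimeStamp = [datetime]'2021-02-10' }
    [pscustomobject]@{ DisplayName = 'PC01'; ObjectId = '00000000-0000-0000-0000-000000000003'; AccountEnabled = $false; ApproximateLastLogonTimeStamp = [datetime]'2021-02-12' }
    [pscustomobject]@{ DisplayName = 'PC10'; ObjectId = '00000000-0000-0000-0000-000000000004'; AccountEnabled = $true;  ApproximateLastLogonTimeStamp = [datetime]'2021-02-11' }
)
# Existing member names as plain strings so -contains is an exact, case-insensitive comparison
$existing = @('PC10')

foreach ($name in 'PC01', 'PC10', 'PC99') {
    if ($existing -contains $name) { Write-Host "$name is already a member"; continue }
    $dev = Select-CurrentDevice -Name $name -Candidates $devices
    if ($dev) { Write-Host "Would add $name as $($dev.ObjectId)" }
}
```

With the sample data, PC01 resolves to the enabled record with the 2021-02-10 logon (the newer record is disabled), PC10 is reported as already a member, and PC99 produces a warning instead of a silent Add-AzureADGroupMember failure.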
