Is there a way to add devices to a security group through PowerShell?
@chendley80
Thanks for your feedback! We will investigate and update as appropriate.
I'm not sure if this is what you are looking for, but you can create a dynamic device group through PowerShell that adds devices based on membership rules. https://osddeployment.dk/2017/04/26/how-to-create-a-dynamic-device-group-in-azuread-for-personal-and-corporate-devices/
@curtand please confirm if this is up to date.
I'm trying to add specific user's devices to a security group.
The parameters are all user related which affirms that it is not currently supported to do this programmatically. @curtand please confirm.
It does not appear to be possible, though the documentation does not clearly specify whether the ObjectId can be a device object in Add-AzureADGroupMember.
Your best bet would be to use the Azure portal.
We will proceed to close this thread. If you have further questions, please tag me in the comments and I will gladly continue the conversation.
Almost a year and a half later, and MS still hasn't implemented it or even given a clear statement that Add-AzureADGroupMember doesn't support devices!? Honestly, how difficult is it? People in hybrid situations are really screwed with these sorts of things. I should also mention that MS still doesn't support dynamic groups based on DeviceTrustType!! How can we use Azure if it's not complete?
By the way, regarding Add-AzureADGroupMember, MS documents it with only an example and no results, so it doesn't show whether it supports users or devices.
https://docs.microsoft.com/en-us/powershell/module/azuread/add-azureadgroupmember?view=azureadps-2.0
Here is the error when I try to add a device, in case the engineers care to do something about it. I tried it with -ObjectId, which is the only supported parameter; I also tried the device ID and, sure enough, it errored.
```
PS C:\WINDOWS\system32> Add-AzureADGroupMember -ObjectId 357ed4c4-42f7-418f-bbcf-39fa2471421c -RefObjectId bf88549f-5185-4a38-8b47-081b69e5e450
Add-AzureADGroupMember : Error occurred while executing AddGroupMember
Code: Request_ResourceNotFound
Message: Resource '357ed4c4-42f7-418f-bbcf-39fa2471421c' does not exist or one of its queried reference-property objects are not present.
RequestId: 8fff6659-e1fd-478f-849f-75786d72b138
DateTimeStamp: Mon, 16 Mar 2020 00:19:46 GMT
HttpStatusCode: NotFound
HttpStatusDescription: Not Found
HttpResponseStatus: Completed
At line:1 char:1
```

```
PS C:\WINDOWS\system32> Get-AzureADDevice -ObjectId 357ed4c4-42f7-418f-bbcf-39fa2471421c

ObjectId                             DeviceId                             DisplayName
--------                             --------                             -----------
357ed4c4-42f7-418f-bbcf-39fa2471421c ae52b772-1d3b-4c8f-ac67-1a30ac67a9a5 XXXXX-V5Oe5N
```
This one is for the referenced group object ID.
```
PS C:\WINDOWS\system32> Get-AzureADGroup -ObjectId bf88549f-5185-4a38-8b47-081b69e5e450

ObjectId                             DisplayName                Description
--------                             -----------                -----------
bf88549f-5185-4a38-8b47-081b69e5e450 azure.autopilot.AZADJoined
```
The frustration continues....
Same error as referenced by Mahmoud87 above. My devices are Autopilot White Glove enrolled and resealed. The first user has not yet logged in. I verified that the device can be added (and removed) through the Intune Endpoint Manager > Groups blade.
```
Add-AzureADGroupMember : Error occurred while executing AddGroupMember
Code: Request_ResourceNotFound
Message: Resource 'xxxxxx-x-x---xx' does not exist or one of its queried reference-property
objects are not present.
```
SOLVED:
The device ID being supplied to Add-AzureADGroupMember's -RefObjectId must be the one called 'ObjectId'. I was feeding it the 'AzureADDeviceId' value obtained from the Get-IntuneManagedDevice command.
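As an added example, not posted by anyone in this thread and not Microsoft's own sample code: a script that does what the SOLVED comment describes. It resolves the group and the device to their directory ObjectIds first, passes the group as -ObjectId and the device as -RefObjectId (the parameter roles the cmdlet's documentation defines), and also shows how to translate an Intune AzureADDeviceId into the device's directory ObjectId, since that is the mix-up the last poster hit. The group name is the one shown earlier in the thread; the device name and the AzureADDeviceId value are placeholders you would replace with your own.

```powershell
# Added example (not from the thread): add a device object to an Azure AD group
# with the AzureAD module. Parameter roles, per the cmdlet's documentation:
#   -ObjectId    = the GROUP's directory object ID
#   -RefObjectId = the MEMBER's directory object ID (the device's ObjectId,
#                  not its DeviceId / AzureADDeviceId)
Import-Module AzureAD
Connect-AzureAD | Out-Null

$GroupName  = 'azure.autopilot.AZADJoined'   # group display name seen in the thread
$DeviceName = 'DESKTOP-EXAMPLE'              # placeholder device display name

# A device carries two different GUIDs; group-membership cmdlets want the first one:
#   ObjectId = directory object ID
#   DeviceId = device identity ID (what Intune exposes as AzureADDeviceId)
function Resolve-DeviceObjectId {
    param([Parameter(Mandatory)][string]$AzureADDeviceId)
    # Look the device up by its DeviceId and return the directory ObjectId.
    $d = Get-AzureADDevice -Filter "deviceId eq '$AzureADDeviceId'"
    if (-not $d) { throw "No directory device with DeviceId '$AzureADDeviceId'" }
    return $d.ObjectId
}

# Resolve the group; fail early if the name is missing or ambiguous.
$group = Get-AzureADGroup -SearchString $GroupName |
         Where-Object { $_.DisplayName -eq $GroupName }
if (@($group).Count -ne 1) { throw "Expected exactly one group named '$GroupName'" }

# Resolve the device by display name the same way.
$device = Get-AzureADDevice -SearchString $DeviceName |
          Where-Object { $_.DisplayName -eq $DeviceName }
if (@($device).Count -ne 1) { throw "Expected exactly one device named '$DeviceName'" }

# Alternative lookup path when all you have is the Intune value (placeholder GUID):
# $deviceObjectId = Resolve-DeviceObjectId -AzureADDeviceId '00000000-0000-0000-0000-000000000000'

# Skip the add if the device is already a member (a duplicate add raises an error).
$already = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
           Where-Object { $_.ObjectId -eq $device.ObjectId }
if ($already) {
    Write-Host "Device '$DeviceName' is already a member of '$GroupName'"
} else {
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $device.ObjectId
    Write-Host "Added device '$DeviceName' (ObjectId $($device.ObjectId)) to '$GroupName'"
}

# Verify: list the device members of the group, showing both GUIDs side by side.
Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'Device' } |
    Select-Object DisplayName, ObjectId, DeviceId
```

The two exact-match filters after -SearchString matter because -SearchString is a prefix match; without them a name like 'DESKTOP-EXAMPLE' could silently resolve to 'DESKTOP-EXAMPLE2' and you would add the wrong device. The final listing is a quick way to confirm which of the two GUIDs you actually have in hand before wiring this into automation.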