I often face the challenge that field support staff without any Intune admin role need to add Autopilot hardware hashes to Intune. Done by hand through an administrator, this is a time-consuming and error-prone process.
In this article I will show you how to build a Logic App that uploads hardware hashes to Autopilot on behalf of users who have no admin rights themselves: the users only write to a SharePoint list, and the Logic App's managed identity is the only principal that holds the Intune permission. This automates the process of adding devices to Autopilot.
Prerequisites
Before you begin, you will need the following:
- A list that contains the hardware hashes of the devices that you want to add to Autopilot.
- You can get those as described in Manually register devices with Windows Autopilot | Microsoft Learn.
- An Azure subscription.
- A Microsoft Intune license.
Build the Solution yourself
Create a SharePoint list
Create a SharePoint list that contains the hardware hashes of the devices that you want to add to Autopilot. The list should have at least two columns:
- Serialnumber
- Hardware Hash
To create it, navigate to the SharePoint site where you want to create the list. There, under Site Content, click New and then click List.
Now define the name of the list. I chose "Autopilot Hash Upload".
Once in the list, I add a new column called Hardware Hash.
Because a single line of text can hold only 255 characters and a hardware hash is several thousand characters long, you must use the Multiple lines of text column type.
For a better user experience you can rename the Title column to Serialnumber.
My list in the end looks like this:
Create a Logic App
Create a Logic App in the Azure portal by searching for Logic App and clicking Add.
Choose the Consumption hosting option: you pay per action execution, so for a few uploads per day the cost is negligible.
The next step is to define which subscription and resource group the Logic application should be in, and the name of the application itself:
After clicking Review + create you will be redirected to the Logic App.
Activation and permissions for the Managed Identity
To use Managed Identity, you must enable it under Identity in the Logic application. Set the status to On and save the change.
Now we have the Logic App and its managed identity and need to assign the necessary permission to access Intune/Autopilot.
The Azure portal does not offer a UI for granting Microsoft Graph application permissions to a managed identity, but PowerShell lets us configure them quickly.
Ensure you have the Microsoft Graph PowerShell module installed. Run the following command in your PowerShell window:
Install-Module Microsoft.Graph -Scope CurrentUser
The following script grants the Logic App's managed identity the Graph application permission it needs to upload device information to Intune (DeviceManagementServiceConfig.ReadWrite.All, and nothing more). You can extend the list if you later need additional permissions. Run it with an account that can consent to the requested scopes, i.e. an administrator.
The script will prompt you for the name of the managed identity, which is the same as the name of your Logic App.
# Connect to Microsoft Graph. Application.Read.All is needed to look up the service
# principals, AppRoleAssignment.ReadWrite.All to grant the app role. The directory
# role scope RoleManagement.ReadWrite.Directory is not needed for this and is left out.
Connect-MgGraph -Scopes "Application.Read.All","AppRoleAssignment.ReadWrite.All"

# You will be prompted for the name of your managed identity (= the name of the Logic App)
$MdId_Name = Read-Host "Name of your Managed Identity"
$sp = Get-MgServicePrincipal -Filter "displayName eq '$MdId_Name'"
if (@($sp).Count -ne 1) {
    throw "Expected exactly one service principal named '$MdId_Name', found $(@($sp).Count). Is the system-assigned identity enabled?"
}
$MdId_ID = $sp.Id

# Service principal of Microsoft Graph in this tenant (the AppId is the same in every tenant)
$graphApp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

# Application permissions (app roles) to grant. Keep this list minimal:
# the managed identity only has to write Autopilot device identities.
$graphScopes = @(
    "DeviceManagementServiceConfig.ReadWrite.All"
)

ForEach ($scope in $graphScopes) {
    $appRole = $graphApp.AppRoles | Where-Object { $_.Value -eq $scope }
    if ($null -eq $appRole) { Write-Warning "Unable to find App Role for scope $scope"; continue }

    # Check whether the permission is already assigned
    $assignedAppRole = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MdId_ID |
        Where-Object { $_.AppRoleId -eq $appRole.Id -and $_.ResourceDisplayName -eq "Microsoft Graph" }

    if ($null -eq $assignedAppRole) {
        New-MgServicePrincipalAppRoleAssignment -PrincipalId $MdId_ID -ServicePrincipalId $MdId_ID -ResourceId $graphApp.Id -AppRoleId $appRole.Id
    } else {
        Write-Host "Scope $scope already assigned"
    }
}
Add a trigger
Add a trigger to your Logic App. You can use the When an item is created or modified trigger for SharePoint.
To do so navigate to the Logic app designer and click "Add a trigger":
In here search for SharePoint and choose the "When an item is created or modified" trigger:
You will need to connect the connector to an account that has permissions to the list. Unfortunately, a managed identity cannot be used for this trigger, so use a dedicated, well-protected service account and give it access to this list only. Keep in mind that everyone who can create or edit items in the list can trigger an upload: the list's permissions are the real access control for this workflow, so restrict them to the field support staff who need it.
Add an action
Add an action to your Logic App that uploads the Autopilot hash from the SharePoint list item. For this I use an HTTP action.
In the Logic App Designer, below the trigger, click the plus sign and add an action. Look for HTTP and select it:
Configure the HTTP action (Hash Upload)
Configure the HTTP action as follows:
| Setting | Value |
| --- | --- |
| Method | POST |
| URI | https://graph.microsoft.com/beta/deviceManagement/importedWindowsAutopilotDeviceIdentities |
| Body | { "serialNumber": "", "hardwareIdentifier": "" } |
| Authentication Type | Managed Identity / System Assigned |
| Audience | https://graph.microsoft.com |

In the body, insert the dynamic content from the trigger: the Title (Serialnumber) value into serialNumber and the Hardware Hash column into hardwareIdentifier. Because the action authenticates with the system-assigned managed identity, no secret or password is stored in the Logic App.
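To see exactly what the HTTP action does, and to check a hash before trusting the Logic App with it, here is the same Graph call made from PowerShell. This is an added example and not code from the original article. It assumes the Microsoft.Graph module is installed, that the signed-in account has DeviceManagementServiceConfig.ReadWrite.All (the Logic App itself uses its managed identity instead of this interactive sign-in), and that the hashes are in a CSV written by Get-WindowsAutopilotInfo; the CSV path is a placeholder. It goes one step further than the Logic App by polling the import state, which the POST alone does not tell you.

```powershell
# Added example (not from the original article): the Graph call the HTTP action
# makes, plus a base64 check of the hash and polling of the import state.
# Assumptions: Microsoft.Graph module; account with
# DeviceManagementServiceConfig.ReadWrite.All; CSV from Get-WindowsAutopilotInfo.

Connect-MgGraph -Scopes "DeviceManagementServiceConfig.ReadWrite.All"

$GraphBase = "https://graph.microsoft.com/beta/deviceManagement"

function Test-AutopilotHash {
    param([Parameter(Mandatory)][string]$HardwareHash)
    # The hash is a base64 blob of a few KB. A value that was wrapped, trimmed or
    # had whitespace inserted while being pasted fails here, which is a clearer
    # error than an 'error' import state minutes later.
    try { [void][Convert]::FromBase64String($HardwareHash); return $true }
    catch { return $false }
}

function Import-AutopilotDevice {
    param(
        [Parameter(Mandatory)][string]$SerialNumber,
        [Parameter(Mandatory)][string]$HardwareHash,
        [string]$GroupTag
    )
    if (-not (Test-AutopilotHash $HardwareHash)) {
        throw "Hardware hash for serial '$SerialNumber' is not valid base64"
    }
    # Same body the Logic App sends; groupTag is an optional documented property
    $body = @{ serialNumber = $SerialNumber; hardwareIdentifier = $HardwareHash }
    if ($GroupTag) { $body.groupTag = $GroupTag }

    Invoke-MgGraphRequest -Method POST `
        -Uri "$GraphBase/importedWindowsAutopilotDeviceIdentities" `
        -Body $body -ContentType "application/json"
}

function Wait-AutopilotImport {
    param([Parameter(Mandatory)][string]$ImportId, [int]$TimeoutMinutes = 10)
    # The POST only queues the import; the outcome is in state.deviceImportStatus
    # (pending -> complete, or error with deviceErrorName explaining why).
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $item = Invoke-MgGraphRequest -Method GET `
            -Uri "$GraphBase/importedWindowsAutopilotDeviceIdentities/$ImportId"
        $status = $item.state.deviceImportStatus
    } while ($status -in @("unknown", "pending") -and (Get-Date) -lt $deadline)
    return $item.state
}

# Import every row of the CSV and report the outcome per device
$devices = Import-Csv -Path ".\AutopilotHashes.csv"   # placeholder path (assumption)
foreach ($d in $devices) {
    $serial = $d.'Device Serial Number'
    try {
        $queued = Import-AutopilotDevice -SerialNumber $serial -HardwareHash $d.'Hardware Hash'
        $state  = Wait-AutopilotImport -ImportId $queued.id
        if ($state.deviceImportStatus -eq "complete") {
            Write-Host "$serial imported (Autopilot device id $($state.deviceRegistrationId))"
        } else {
            Write-Warning "$serial ended in state '$($state.deviceImportStatus)': $($state.deviceErrorName) ($($state.deviceErrorCode))"
        }
    } catch {
        Write-Warning "$serial failed: $($_.Exception.Message)"
    }
}
```

If a hash fails the base64 check, the problem is almost always the copy-and-paste step into the SharePoint list, not Intune. The same two checks (base64 validity before the POST, and the deviceImportStatus afterwards) are what you would add to the Logic App when you extend it with error handling.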
Finally: Test your Logic App
Test your Logic App by adding a new item to your SharePoint list. Open the run history of the Logic App to see the request and the response from Graph: a 201 Created response means the import was accepted, and the device then appears under Windows Autopilot devices in Intune after roughly 1-5 minutes.
Additional tips & improvements
- You can use the Send email action to send an email notification when a device has been successfully added to Autopilot, or when the upload fails.
- This is a very simple Logic App; you could add error handling, including notifications, for example when Graph returns an error or the import ends in an error state.
- You can add a status column to the list and a second flow that removes hashes from Autopilot when they are no longer needed.
I hope this article has been helpful. If you have any questions, please feel free to leave a comment below.