
As Microsoft puts it, the Sync device action forces the selected device to immediately check in with Intune. When a device checks in, it immediately receives any pending actions or policies that have been assigned to it. This feature can help you immediately validate and troubleshoot policies you’ve assigned, without waiting for the next scheduled check-in.
It is easy enough to send a sync to an individual Intune device using the portal: Intune > Devices > All Devices > select a device > Sync.

But what if we want to sync multiple devices based on their AAD group membership? In this post, I am assuming a sync is being invoked on all members of a dynamic group of Windows 10 hybrid joined devices.
Creating AAD Dynamic Group
Let’s start by creating a dynamic group. This can be done either using the portal or PowerShell.
The cmdlet New-AzureADMSGroup can be used to create the dynamic group; however, the version that comes with the AzureAD module has missing parameters, so the module we will be using is AzureADPreview.
First, make sure you have the module installed by running the following code:
```powershell
if (Get-Module -ListAvailable -Name AzureADPreview) {
    Write-Host "Module already installed" -ForegroundColor Green
}
else {
    Write-Host "Module was not found. Installing........." -ForegroundColor Red
    Install-Module -Name AzureADPreview -AllowClobber -Force
    Write-Host "Module is now installed" -ForegroundColor Green
}
Import-Module AzureADPreview -Verbose
```
In this example, I am creating a dynamic group for all Windows 10 devices that are hybrid joined to Azure AD:
```powershell
Connect-AzureAD

# deviceOSVersion holds the full build string, so match Windows 10 on a prefix rather than -eq "10.0".
# In dynamic membership rules, hybrid joined devices have deviceTrustType "ServerAD".
New-AzureADMSGroup -DisplayName "Windows 10 Hybrid Joined Devices" `
    -Description "A group of all Windows 10 hybrid joined devices" `
    -GroupTypes DynamicMembership `
    -MembershipRule "(device.deviceOSType -eq ""Windows"" -and device.deviceOSVersion -startsWith ""10.0.1"") -and (device.deviceTrustType -eq ""ServerAD"")" `
    -MailEnabled $false `
    -MailNickname "Windows10HybridJoinedDevices" `
    -SecurityEnabled $true `
    -MembershipRuleProcessingState "On"
```
The result should look similar to this

In a few seconds, the group will show up in the portal. Verify the dynamic rules and give it some time to process the membership of matching devices.

Invoking Sync on members of AAD Group
```powershell
# Make sure the required module is installed
if (Get-Module -ListAvailable -Name Microsoft.Graph.Intune) {
    Write-Host "Module already installed" -ForegroundColor Green
}
else {
    Write-Host "Module was not found. Installing........." -ForegroundColor Red
    Install-Module -Name Microsoft.Graph.Intune -AllowClobber -Force
    Write-Host "Module is now installed" -ForegroundColor Green
}
Import-Module Microsoft.Graph.Intune -Verbose

# Connect to MSGraph (interactive sign-in prompt)
Connect-MSGraph

# Variables
$GroupName = "Windows 10 Hybrid Joined Devices"

# Get the group ID from the group name
$GroupId = (Get-AADGroup -Filter "(displayName eq '$GroupName')").id

# Fetch all group members (devices) using the AAD group ID
$DevicesResponse = (Get-AADGroupMember -groupId $GroupId | Get-MSGraphAllPages)

# Loop and send a sync to every member
ForEach ($Device in $DevicesResponse) {
    # A device name can match zero or several Intune records, so handle every record returned
    $ManagedDevices = Get-IntuneManagedDevice -Filter "(deviceName eq '$($Device.displayName)')"
    ForEach ($Managed in $ManagedDevices) {
        Write-Host "Sending Sync request to Device $($Device.displayName) with DeviceID $($Managed.id)"
        Invoke-IntuneManagedDeviceSyncDevice -managedDeviceId $Managed.id
    }
}
```
The code uses the Microsoft Graph API, through the Microsoft.Graph.Intune PowerShell module, to fetch information about devices and send a sync request to each device in a specific group.
The script begins by checking that the required module is present and, if not, installs it. Then it connects to MSGraph. An interactive login prompt is expected at this point.
Then, we assign the name of the group we created earlier in this example, “Windows 10 Hybrid Joined Devices”, to a variable ($GroupName). This variable is used to identify the group of devices that the script will be working with.
The next step is to use the Get-AADGroup cmdlet to fetch the group ID of the group specified in the $GroupName variable. The cmdlet takes a filter parameter, which is set to the value of the $GroupName variable, and returns the ID of the group.
With the group ID in hand, the script then uses the Get-AADGroupMember cmdlet to fetch all the members of the group. The groupId parameter is set to the value of the $Groupid variable, which contains the group ID. The script also uses the Get-MSGraphAllPages cmdlet to ensure that all pages of the group members are retrieved.
Finally, the script enters a loop that iterates through each device in the group. For each device, the script uses the Get-IntuneManagedDevice cmdlet to fetch the device ID of the device. It then uses the Invoke-IntuneManagedDeviceSyncDevice cmdlet to send a sync request to the device, which will synchronize the device with Intune for management. The script also writes the device name and ID to the console for reference.
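A hardened variant of the loop described above, as an added example that is not part of the original script: it matches each group member to its Intune record by Azure AD device ID instead of display name, escapes the group name in the OData filter, and supports -WhatIf so the target list can be reviewed before anything is sent. The function name Invoke-GroupDeviceSync is hypothetical; the example assumes an existing Connect-MSGraph session, that device members returned by Get-AADGroupMember expose a deviceId property, and that managed devices can be filtered on azureADDeviceId.

```powershell
# Added example (not the original author's code). Assumes Connect-MSGraph has already run.
function Invoke-GroupDeviceSync {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$GroupName
    )

    # OData string literals escape a single quote by doubling it
    $safeName = $GroupName -replace "'", "''"
    $groups = @(Get-AADGroup -Filter "displayName eq '$safeName'")
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$GroupName', found $($groups.Count)."
    }

    $members = Get-AADGroupMember -groupId $groups[0].id | Get-MSGraphAllPages
    foreach ($member in $members) {
        # Assumption: device members expose deviceId (the Azure AD device ID)
        if (-not $member.deviceId) {
            Write-Warning "Skipping '$($member.displayName)': not a device object."
            continue
        }

        # Match on the unique Azure AD device ID rather than the display name
        $managed = @(Get-IntuneManagedDevice -Filter "azureADDeviceId eq '$($member.deviceId)'")
        if ($managed.Count -eq 0) {
            Write-Warning "No Intune record for '$($member.displayName)' ($($member.deviceId))."
            continue
        }

        foreach ($device in $managed) {
            # With -WhatIf this only lists the targets; nothing is sent
            if ($PSCmdlet.ShouldProcess($device.deviceName, 'Send Intune sync')) {
                Invoke-IntuneManagedDeviceSyncDevice -managedDeviceId $device.id
            }
        }
    }
}

# Preview the targets first; drop -WhatIf to send the sync requests
Invoke-GroupDeviceSync -GroupName 'Windows 10 Hybrid Joined Devices' -WhatIf
```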