Microsoft 365 automation using SDS attributes, Intune & Graph

June 19th I had the pleasure of talking about how to move your education environment to the cloud with Microsoft 365, at Experts Live Netherlands. In this post I will discuss some of the examples from that talk.

EL_social_tempate_speakers_Magnus.png

Experts Live Netherlands is a conference held in Ede, Netherlands, with more than a thousand attendees. For me this was a first, I had never before spoken at such a large conference, neither outside Norway.

OnStage2.png

I obviously spoke about Teams, and how to automate using School Data Sync which I have blogged about before, but also on modern management with Autopilot and Intune, and how to utilize extension attributes from SDS to automate anything from application delivery to redeployment of Windows 10 devices.

 

School Data Sync

To recap, School Data Sync is a free service in Office 365 Education. It takes data about Students, teachers, class rosters and more, from the Student Information System, and use that data to create and license users in Azure Active Directory and Microsoft 365, create classes in Microsoft Teams, complete with teachers and students, and more.

2018-03-29 16_29_15-Welcome to the 2018 Learn Teams Conference.pptx - PowerPoint

School Data Sync also lets you get grades and graduation year from the Student Information System, which you could then use to assign apps dynamically, automate archiving of classes End Of Year and to trigger Autopilot Reset.

2018-06-23 14_16_01-Task Switching.png

I won’t go through the details of setting up SDS, since I already covered that in a previous post, but you can see above what properties are available. In the upcoming examples we will need Grade and Graduation Year.

Autopilot

Autopilot is a set of technologies designed to get Windows 10 devices quickly into a secure and managed state, as well as reset, repurpose or recover them when needed.

Those who manage Apple iOS devices will notice there are many similarities to the Apple Device Enrollment Program (DEP).

Microsoft-365-powered-device-Windows-Autopilot-Deployment.png

To get devices into Autopilot we need the hardware vendor or distributor to provide or upload the hardware IDs, and we need to assign a deployment profile.

Within the Device Management portal in Azure we go to Device Enrollment followed by Windows Enrollment and Deployment Profiles.

We click Create profile, give it a name and choose a deployment mode, User-Driven in this case, specify that it should be joined to Azure AD, hide the EULA and Privacy Settings to ease the setup process for the user, and set the User account type to Standard.

2018-06-23 14_40_43-Task Switching.png

 

We assign the profile to a group of users and we’re good to go.

Vendor or distributor ship the device directly to the school, the student unboxes the device and gets a customized Out Of Box Experience.

They need to choose a region and pick a keyboard layout, as well as choose the appropriate Wi-Fi network.

Windows will then fetch the latest updates for the OOBE experience, and query the Autopilot service to get the configuration we just created.

2018-06-04 17_20_00-Remote Desktop Manager [hyperv].png

Company branding has been applied even before the student logs on, ensuring a sense of familiarity.

After logon the device starts configuring, and since we’re licensed and setup with Microsoft 365 A3 it will auto-enroll into Intune and get any configuration profiles, compliance policies and apps pushed down.

Auto-enrollment requires Azure AD Premium as well as a Mobile Device Management service like Intune (part of EMS and Microsoft 365 SKUs like A3, A5 etc.)

 

Dynamic application delivery

By now the device is enrolled and managed with Intune, and apps are installing, but students in the first grade most likely need different apps than students in the 7th grade?

So let’s find the extension attributes available from SDS, and create dynamic groups for app association. Relevant attributes can be found with the format: extension_appId_attribute name, and the appId for SDS is fe2174665583431c953114ff7268b7b3.

We need to connect to Azure AD using the preview module, then search for a user and have a look at the extension attributes.

Get-AzureADUser -SearchString student@teams.rocks | select -ExpandProperty ExtensionProperty

2018-06-25 17_31_35-Task Switching.png

You can see we have attributes like GraduationYear and Grade, as well as ObjectType to distinguish between students and teachers.

Let’s add all our users to a variable and then create a custom object to show only what is relevant.

# add users to variable
$users = Get-AzureADUser

# create a custom object and list users, grade and role
foreach ($user in $users) {
$user | select –Property @{n = 'Name'; e = {$_.DisplayName}},
@{n = 'Role'; e = {$_.ExtensionProperty.'extension_fe2174665583431c953114ff7268b7b3_Education_ObjectType'}},
@{n = 'Grade'; e = {$_.ExtensionProperty.'extension_fe2174665583431c953114ff7268b7b3_Education_Grade'}},
@{n = 'GraduationYear'; e = {$_.ExtensionProperty.'extension_fe2174665583431c953114ff7268b7b3_Education_GraduationYear'}}
}

 

2018-06-23 18_01_02-Task Switching.png We’ve got students from grade 7 and 8 as well as a teacher, synced using SDS. We also have the Graduation Year, which we will use later. First let’s create dynamic groups for app association.

# create dynamic group for Grade 7
New-AzureADMSGroup -DisplayName "Grade 7" -MailEnabled $false -MailNickname "Grade7" -SecurityEnabled $True -GroupTypes DynamicMembership -MembershipRule "(user.extension_fe2174665583431c953114ff7268b7b3_Education_Grade -eq ""7"")" -MembershipRuleProcessingState On

# create dynamic group for Grade 8
New-AzureADMSGroup -DisplayName "Grade 8" -MailEnabled $false -MailNickname "Grade8" -SecurityEnabled $True -GroupTypes DynamicMembership -MembershipRule "(user.extension_fe2174665583431c953114ff7268b7b3_Education_Grade -eq ""8"")" -MembershipRuleProcessingState On

# create dynamic group for Graduation Year
New-AzureADMSGroup -DisplayName "Graduates 2021" -Description "Students that graduate in year 2021" -MailEnabled $false -MailNickname "Graduates2021" -SecurityEnabled $True -GroupTypes DynamicMembership -MembershipRule "(user.extension_fe2174665583431c953114ff7268b7b3_Education_GraduationYear -eq ""2021"")" -MembershipRuleProcessingState On

We created two dynamic groups for grade 7 and 8, as well as one for Graduation Year 2021.

# list groups
Get-AzureADMSGroup | select DisplayName, GroupTypes

Let’s also list the groups.

2018-06-23 18_14_45-Task Switching.png

Use dynamic groups like Grade 7 and 8 to assign applications. Whenever there is a new school year in august, students from grade 7 will be moved into the group for grade 8 and Intune will remove apps assigned to grade 7 and add any apps, or profiles for that matter, assigned to grade 8.

 

Autopilot Reset

Windows Autopilot Reset removes personal files, apps, and settings, resetting Windows 10 while still maintaining Azure AD Join and MDM enrollment.

Microsoft first announced this with 1709 as automatic redeployment, and said remote triggering would be available in the spring. Then remote triggering was pulled from 1803, but reappeared in insider build 17672 and was announced June 7th as Autopilot Reset.

Devices will retain the region, language, and keyboard settings, and connect to Wi-Fi using the network credentials provisioned prior to the reset.

This means that we can use the group we created earlier, based on graduation year, to automatically reprovision a set of devices!

When new students arrive after the summer they can log on to a fresh device in a managed and secure state, and all Intune needs to do is push any apps or profiles unique to the user or grade.

This example utilizes the Microsoft Graph to instruct the Intune service to reset one or more devices in a certain way. I will not cover the authentication part of working with Graph, but you can find the functions used in this example in Microsofts Github repository for powershell Intune samples.

First we need to construct a payload with the wipe instructions.

# construct JSON object (body) for wipe instructions
$payload = @{
keepEnrollmentData = $true
keepUserData = $false
}
$body = $payload | ConvertTo-Json

The object will look like this:

{
"keepEnrollmentData": true,
"keepUserData": false
}

 

We will then get the users from the dynamic group we created earlier, and the Device IDs of any devices they have enrolled in Intune. We use the Device ID to construct a URI, and trigger the wipe action using the Invoke-RestMethod cmdlet pointing to that URI together with the authToken as well as the JSON payload from the last step.

$users = Get-AzureADGroup -SearchString "Graduates 2021" | Get-AzureADGroupMember
foreach ($user in $users) {

# get user id (Intune device ID is not the same as Azure AD device ID)
$id = (Get-AADUser -userPrincipalName $user.UserPrincipalName).id
# get id from device registered to user
$DeviceID = (Get-AADUserDevices -UserID $id).id
if ($DeviceID) {
# construct uri
$Resource = "deviceManagement/managedDevices/$DeviceID/wipe"
$uri = "https://graph.microsoft.com/beta/$($resource)"
# reset device
Write-Host "Performing reset on device $DeviceID" -ForegroundColor Yellow
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $body

}
else {

Write-Host "User has no registered device" -ForegroundColor Cyan
}
}

 

The URI should look like this: https://graph.microsoft.com/beta/deviceManagement/managedDevices/7345bdbf-1f17-4b59-85e7-ac2e545d776c/wipe

And this is the result in our demo environment:

2018-06-24 13_38_20-Task Switching.png

We had two students fitting the description, you can see the first one didn’t have a registered device, but the second did.

We can see from the Intune console the action automaticRedeployment is now pending (status will change to completed when the device has registered back into the service).

2018-06-24 13_39_22-Task Switching.png

 

If a user is logged on they will first receive a toast message, informing them a restart is scheduled in 45 minutes for automatic redeployment.

2018-06-24 13_41_43-Task Switching.png

35 minutes later they will get a popup message counting down, warning that Windows will shut down in 10 minutes.

2018-06-25 08_28_27-Remote Desktop Manager [hyperv].png

When the device is reset and ready for a new student they will see the message above on the login screen.

 

Needless to say, you can customize the above script to better suit you environment, maybe you need to reset all devices in a particular school or you have some other criteria.

Microsoft Graph EDU

To sum’ up, when using School Data Sync, a set of extension attributes can be made available. Combine that with the power of the Microsoft Graph, and you can automate anything from application delivery to redeployment of Windows 10 devices, freeing up valuable time for IT and educators.