Creating an Intune Azure AD Device Admins group and assigning the Privileged Identity Management Role via Powershell

This post will cover how to create a new Azure PIM Eligible assignment and link it to an Azure AD group, but all done via Powershell.

For Azure AD joined devices, using Privileged Identity Management and the built-in Device Administrators role you can control who has access to be a machine admin and for how long, with full auditing in place. By linking this to a group, it takes the admin overhead away when dealing with staff changes etc.

As always, the script can be found on GitHub here

To start, we need to install the AzureAD Preview Powershell module (if it isn’t already installed):

if (Get-Module -ListAvailable -Name AzureADPreview) {
    Write-Host "AZ Ad Preview Module Already Installed"
else {
    try {
        Install-Module -Name AzureADPreview -Scope CurrentUser -Repository PSGallery -Force -AllowClobber 
    catch [Exception] {

This can run alongside the non-preview so we now need to import it, but making sure the non-preview isn’t running first:

Remove-Module AzureAD -ErrorAction SilentlyContinue
# Load the AzureADPreview module
Import-Module AzureADPreview

Now connect to Azure AD:


Now that part is out of the way, we can start the fun bit!

First up, group creation. The important thing to note here is the -IsAssignabletoRole $True switch at the end. This is a fairly new feature which allows groups to be assigned to a PIM role (as I’m sure you had guessed)

$admingrp = New-AzureADMSGroup -DisplayName "Intune-Device-Admins" -Description "Azure AD Joined Device Admins (PIM Role)" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -IsAssignableToRole $True

Next up we need the AAD Tenant ID, you could hard-code, but I prefer re-usable scripts:

$tenantdetails = Get-AzureADTenantDetail
$tenantid = $tenantdetails.ObjectID

Now we need to find the PIM role for “Azure AD Joined Device Local Administrator”

$PIMrole =Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $tenantid | where-object DisplayName -eq "Azure AD Joined Device Local Administrator"

The assignment will need a schedule. I’m setting it from the minute it’s run with no end-date:

$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$schedule.endDateTime = $null

The next part needs to query the Azure AD group and the script runs quite quickly so I’ve added a pause to let Azure catch up:

start-sleep -s 30

And finally, create the role using the AAD group ID, the Role ID and the schedule previously created

$assign = Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $tenantid -RoleDefinitionId $PIMrole.Id -SubjectId $ -Type 'adminAdd' -AssignmentState 'Eligible' -schedule $schedule -reason "Environment Build"

Just like magic, you have a PIM role configured.

One fairly big thing to note: PIM does require Azure AD P2 licensing, so make sure you have that in place!

Posted in AzureIntune