Domain Join Profile Intune via Powershell

This is a blog post on request. Someone commented on another post (Create Autopilot Profile Powershell) that they would like a script to create a Domain Join Profile in Intune via Powershell.

Some of you need to create more than 10 of these profiles. (Some even more than 100!)

I thought that was interesting! So, I opened my VS Code to create the script.

Prerequisites

You need an account that has enough permissions in Microsoft Intune. Read more about it here.

The script

The script is more than 100 lines. So, I put the script in my GitHub account. This is the link.

You can run the script with the following example code:

$PolicyName = "Windows10_DomainJoin2"
$Assignment = "All Users"
$ComputernamePrefix = "Win10"
$ActiveDirectoryFQDN = "nielskok.tech"
$OUname = "OU=Demo,DC=NielsKok,DC=Tech"

.\DomainJoinProfile.ps1 -PolicyName $PolicyName -Assignment $Assignment -ComputerNamePrefix $ComputernamePrefix -ActiveDirectoryFQDN $ActiveDirectoryFQDN -OUName $OUname

I will explain the parameters below:

PolicyName –> This is the name that the profile gets in Intune (the display name)

Assignment –> There are 3 options: “All Users”, “All Devices”, and “Custom group (Fill in Azure AD Group ID)”

ComputernamePrefix –> Prefix for the devices that will be domain joined. After that, a string of 10 random numbers is added to the name. You can change this in the script if you like.

ActiveDirectoryFQDN –> Fully qualified domain name for your Active Directory Domain

OUName –> Organizational Unit where you want to put the machines
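The five parameters above map onto two Graph requests: one that creates the domain join configuration and one that assigns it. As an added example (not the script from the post's GitHub repository), the PowerShell below builds and validates both request bodies, enforcing the 15-character Windows computer name limit that the prefix plus the 10 random characters must fit within, and posts them with an access token the caller obtains from their own app registration. The beta endpoint, the Graph type names and the function names are my assumptions, not the post's.

```powershell
# Added example, not the post's script; the Graph beta endpoint and type names are assumed.
function New-DomainJoinProfileBody {
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string]$ComputerNamePrefix,
        [Parameter(Mandatory)][string]$ActiveDirectoryFQDN,
        [Parameter(Mandatory)][string]$OUName,
        [int]$RandomSuffixLength = 10          # the post's default: 10 random characters
    )
    # A Windows computer name is at most 15 characters, so prefix + suffix must fit;
    # checking here avoids an opaque HTTP 400 Bad Request from Intune.
    if ($ComputerNamePrefix.Length + $RandomSuffixLength -gt 15) {
        throw "Prefix '$ComputerNamePrefix' plus $RandomSuffixLength random characters exceeds 15 characters."
    }
    if ($OUName -notmatch '^(OU|CN)=.+,DC=.+') { throw "OUName must be a distinguished name, e.g. OU=Demo,DC=NielsKok,DC=Tech" }
    [ordered]@{
        '@odata.type'                     = '#microsoft.graph.windowsDomainJoinConfiguration'
        displayName                       = $PolicyName
        computerNameStaticPrefix          = $ComputerNamePrefix
        computerNameSuffixRandomCharCount = $RandomSuffixLength
        activeDirectoryDomainName         = $ActiveDirectoryFQDN
        organizationalUnit                = $OUName
    }
}

function New-AssignmentBody {
    param([Parameter(Mandatory)][string]$Assignment)
    $target = switch ($Assignment) {
        'All Users'   { @{ '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget' } }
        'All Devices' { @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }
        default {
            # Anything else has to be an Azure AD group object id (a GUID), not free text.
            if ($Assignment -notmatch '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$') {
                throw "Assignment must be 'All Users', 'All Devices' or an Azure AD group id."
            }
            @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $Assignment }
        }
    }
    @{ assignments = @(@{ target = $target }) }
}

function Publish-DomainJoinProfile {
    param([Parameter(Mandatory)][string]$AccessToken, $ProfileBody, $AssignmentBody)
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $base    = 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations'
    $created = Invoke-RestMethod -Method Post -Uri $base -Headers $headers -ContentType 'application/json' -Body ($ProfileBody | ConvertTo-Json -Depth 5)
    Invoke-RestMethod -Method Post -Uri "$base/$($created.id)/assign" -Headers $headers -ContentType 'application/json' -Body ($AssignmentBody | ConvertTo-Json -Depth 5) | Out-Null
    $created.id   # the id of the new profile, useful when creating many in a loop
}
```

Obtain the token from your own app registration through a tenant-specific endpoint, for example `Get-MsalToken -ClientId <your app id> -TenantId <your tenant id> -Scopes 'https://graph.microsoft.com/DeviceManagementConfiguration.ReadWrite.All' -Interactive`, so the permission stays limited to device configuration rather than a broader Graph scope.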

Example Run

All Users:

All Devices:

Custom Group:

20 thoughts on “Domain Join Profile Intune via Powershell”

  1. My goodness, that was fast 😉
    Thanks so much for this Niels – aside from the utility of the script itself, which is awesome, I think studying it will also give me a lot of insight for automating config profile creation.
    I will get cracking now testing this script 😉

    Reply
      • Tested your script now. Working perfectly for me. Combined with your other script it’s really going to speed this up for us. I found I can actually reduce the entire thing to one initial variable, which can be injected automatically when an OU is created in our on prem AD. That way we get a zero touch process for generating Autopilot templates.
        So again many thanks, looking much forward to further blogs from you ;). How to create a script for Graph will definitely be one I will read with interest !

        Reply
  2. Hey, should I change the parameters in the whole script or only in the header?
    $PolicyName = "Windows10_DomainJoin2"
    $Assignment = "All Users"
    $ComputernamePrefix = "Win10"
    $ActiveDirectoryFQDN = "nielskok.tech"
    $OUname = "OU=Demo,DC=NielsKok,DC=Tech"
    .\DomainJoinProfile.ps1 -PolicyName $PolicyName -Assignment $Assignment -ComputerNamePrefix $ComputernamePrefix -ActiveDirectoryFQDN $ActiveDirectoryFQDN -OUName $OUname

    Best Regards

    Reply
    • Hi Lukas,

      You only need to change these variables:

      $PolicyName = "Windows10_DomainJoin2"
      $Assignment = "All Users"
      $ComputernamePrefix = "Win10"
      $ActiveDirectoryFQDN = "nielskok.tech"
      $OUname = "OU=Demo,DC=NielsKok,DC=Tech"

      After that, you can run the script.

      Thanks,
      Niels

      Reply
  3. Hey Niels, happy new year! I used your script to create a function. I am faced with the task of creating more than 300 domain join profiles and I need the corresponding dynamic groups to go with them, since everything in Intune depends on the dynamic groups afterwards. All in all, a very exciting solution. At the end of the day, these are the steps: import Excel list, create group (if not already available), read ObjectID and use it to create the domain join profile.
    Now, after much error analysis, I have noticed that even in your original script the content of the parameter “Computernameprefix” cannot contain more than 5 digits although Intune allows 12 out of the possible 15.
    Do you have any idea where the problem could lie?
    Br, Marius

    Reply
    • Hi Marius,

      That sounds like a challenge which I like!

      You could try to remove the “computerNameSuffixRandomCharCount = 10;” part of the JSON body and add the characters you want yourself.

      Does that help? Let me know!

      Niels

      Reply
      • Hey Niels,
        Oh, what a stupid mistake. I've misinterpreted this property completely... I've used this day to quickly fix my fault and optimize my function. Now I have a function collection for "new, get, update and remove IntuneDomainJoinProfile". Let me know if you would like to have the script.
        Br, Marius

        Reply
      • May I know if anyone has checked what the status of the device is in Intune after the domain join?
        Hybrid join or Entra join?
        And the same in Entra AAD?

        I want to run this script as Autopilot. I do not want to use the Autopilot domain join feature due to the device name issue.

        Reply
  4. This is a cool script, except I am unable to run it successfully. I receive errors. What am I missing?

    Invoke-RestMethod : The remote server returned an error: (400) Bad Request.
    At C:\Dell\TestDomainJoinProfile.ps1:41 char:18
    + … teProfile = Invoke-RestMethod -Headers @{Authorization = “Bearer $($A …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

    Reply
    • The bad request often refers to your JSON body not being correct.

      Can you check out Graph X Ray and Graph Explorer to check what (in your case) the correct JSON body is?

      Thanks,
      Niels

      Reply
  5. Niels... A few weeks ago this script was working fine; now, however, I am receiving the following message:
    Request Id: 1adfedc8-44c2-401e-9cf6-a8b934742a00

    Correlation Id: 8abf9710-0c3e-407c-af18-29681d10d0ce

    Timestamp: 2024-08-07T18:32:21Z

    Message: AADSTS50194: Application ‘TenantID'(Azure AD – Graph API) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after ’10/15/2018’. Use a tenant-specific endpoint or configure the application to be multi-tenant.

    Not being a PowerShell expert... what am I missing? Any assistance is appreciated.

    Reply
    • Hi David,

      Thanks for your message. Yes, Microsoft has made some changes to the Graph API. On line 27 of the script there is this line:

      $AuthToken = Get-MsalToken -ClientId d1ddf0e4-d672-4dae-b554-9d5bdfd93547 -RedirectUri "urn:ietf:wg:oauth:2.0:oob" -Interactive

      That doesn’t work anymore because Microsoft got rid of the Intune PowerShell client id (d1ddf0e4-d672-4dae-b554-9d5bdfd93547).

      You need to add a new way to authenticate. An example to do so is this one:

      https://www.modernendpoint.com/managed/connecting-to-microsoft-graph-with-powershell/

      If you have any questions, please let me know.

      Niels

      Reply
