This is a blog post on request. Someone commented on another post (Create Autopilot Profile Powershell) that they would like a script to create a Domain Join Profile in Intune via Powershell.
Some of you need to create more than 10 of these profiles (some even more than 100!).
I thought that was interesting, so I opened VS Code to write the script.
Prerequisites
You need an account that has enough permissions in Microsoft Intune. Read more about it here.
The script
The script is more than 100 lines long, so I put it in my GitHub account. This is the link.
You can run the script with the following example code:
$PolicyName = "Windows10_DomainJoin2"
$Assignment = "All Users"
$ComputernamePrefix = "Win10"
$ActiveDirectoryFQDN = "nielskok.tech"
$OUname = "OU=Demo,DC=NielsKok,DC=Tech"
.\DomainJoinProfile.ps1 -PolicyName $PolicyName -Assignment $Assignment -ComputerNamePrefix $ComputernamePrefix -ActiveDirectoryFQDN $ActiveDirectoryFQDN -OUName $OUname
I will explain the parameters below:
PolicyName -> The display name the profile gets in Intune.
Assignment -> One of three values: "All Users", "All Devices", or a custom group (fill in the Azure AD group object ID).
ComputernamePrefix -> Prefix for the names of the devices that will be domain joined. The script appends a string of 10 random numbers to it; you can change this in the script if you like.
ActiveDirectoryFQDN -> Fully qualified domain name of your Active Directory domain.
OUName -> Distinguished name of the organizational unit where you want the machines to be placed.
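As an added example (this is not the DomainJoinProfile.ps1 from the post or its GitHub repository), the following PowerShell builds and validates the two Graph request bodies those parameters map to, without sending anything. The function names and the validation rules are this example's own; the property and type names (windowsDomainJoinConfiguration, computerNameStaticPrefix, computerNameSuffixRandomCharCount, the three assignment target types) are those of the Microsoft Graph deviceConfiguration API. The length check encodes the 15-character Windows computer name limit, which is why a 10-character random suffix leaves only 5 characters for the prefix, the problem Marius runs into further down in the comments.

```powershell
# Added example, not the original script from the post.
# Builds the JSON bodies for a domain join profile and its assignment and
# checks the inputs before anything is sent to Intune.

function New-DomainJoinProfileBody {
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string]$ComputerNamePrefix,
        [Parameter(Mandatory)][string]$ActiveDirectoryFQDN,
        [Parameter(Mandatory)][string]$OUName,
        [int]$RandomSuffixLength = 10   # the post's script uses 10
    )
    # Windows computer names are at most 15 characters; Intune requires
    # prefix + random suffix to fit in that limit.
    if ($ComputerNamePrefix.Length + $RandomSuffixLength -gt 15) {
        throw "Prefix '$ComputerNamePrefix' ($($ComputerNamePrefix.Length) chars) plus a $RandomSuffixLength-character suffix exceeds the 15-character computer name limit."
    }
    # The OU must be a distinguished name, not a friendly name.
    if ($OUName -notmatch '^OU=') {
        throw "OUName must be a distinguished name starting with OU=, e.g. OU=Demo,DC=contoso,DC=com"
    }
    [ordered]@{
        '@odata.type'                     = '#microsoft.graph.windowsDomainJoinConfiguration'
        displayName                       = $PolicyName
        computerNameStaticPrefix          = $ComputerNamePrefix
        computerNameSuffixRandomCharCount = $RandomSuffixLength
        activeDirectoryDomainName         = $ActiveDirectoryFQDN
        organizationalUnit                = $OUName
    }
}

function New-AssignmentBody {
    param([Parameter(Mandatory)][string]$Assignment)
    # The three values the post's -Assignment parameter accepts; anything
    # other than the two fixed strings must be an Azure AD group object ID.
    $target = switch ($Assignment) {
        'All Users'   { @{ '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget' } }
        'All Devices' { @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }
        default {
            if ($Assignment -notmatch '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$') {
                throw "Custom assignment must be a group object ID (GUID), got '$Assignment'."
            }
            @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $Assignment }
        }
    }
    # Body shape for POST .../deviceConfigurations/{id}/assign
    @{ assignments = @(@{ target = $target }) }
}

# Usage with the values from the post; sending is left to the original script.
$profileBody    = New-DomainJoinProfileBody -PolicyName 'Windows10_DomainJoin2' -ComputerNamePrefix 'Win10' -ActiveDirectoryFQDN 'nielskok.tech' -OUName 'OU=Demo,DC=NielsKok,DC=Tech'
$assignmentBody = New-AssignmentBody -Assignment 'All Users'
$profileBody    | ConvertTo-Json -Depth 5
$assignmentBody | ConvertTo-Json -Depth 5
```

Running it with a prefix of six or more characters throws before any request is made, which turns the 400 Bad Request some commenters see into a readable message. If you lower the suffix length, the prefix can grow accordingly, up to the 15-character total.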
Example Run
All Users:
All Devices:
Custom Group:
My goodness, that was fast 😉
Thanks so much for this Niels – aside from the utility of the script itself, which is awesome, I think studying it will also give me a lot of insight for automating config profile creation.
I will get cracking now testing this script 😉
Nice! Maybe for the next blog. How to create a script for Graph.
Tested your script now. Working perfectly for me. Combined with your other script it’s really going to speed this up for us. I found I can actually reduce the entire thing to one initial variable, which can be injected automatically when an OU is created in our on prem AD. That way we get a zero touch process for generating Autopilot templates.
So again many thanks, looking much forward to further blogs from you ;). How to create a script for Graph will definitely be one I will read with interest !
Thanks mate!
Love reading that this helps you a lot!
Regards,
Niels
Hi Niels,
Many thanks for this, hope you don’t mind, but I edited your script so it runs a foreach statement based on an CSV import, here is the script if you or anyone needs it: https://github.com/durrante/Intune/tree/master/BulkCreateDomainJoinProfiles
Always nice to see!
Thanks,
Niels
Hey, should I change the parameters in the whole script or only in the header?
$PolicyName = "Windows10_DomainJoin2"
$Assignment = "All Users"
$ComputernamePrefix = "Win10"
$ActiveDirectoryFQDN = "nielskok.tech"
$OUname = "OU=Demo,DC=NielsKok,DC=Tech"
.\DomainJoinProfile.ps1 -PolicyName $PolicyName -Assignment $Assignment -ComputerNamePrefix $ComputernamePrefix -ActiveDirectoryFQDN $ActiveDirectoryFQDN -OUName $OUname
Best Regards
Hi Lukas,
You only need to change these variables:
$PolicyName = "Windows10_DomainJoin2"
$Assignment = "All Users"
$ComputernamePrefix = "Win10"
$ActiveDirectoryFQDN = "nielskok.tech"
$OUname = "OU=Demo,DC=NielsKok,DC=Tech"
After that, you can run the script.
Thanks,
Niels
Hey Niels, happy new year! I used your script to create a function. I am faced with the task of creating more than 300 domain join profiles and I need the corresponding dynamic groups to go with them, since everything in Intune depends on the dynamic groups afterwards. All in all, a very exciting solution. At the end of the day, these are the steps: import Excel list, create group (if not already available), read ObjectID and use it to create the domain join profile.
Now, after much error analysis, I have noticed that even in your original script the content of the parameter “Computernameprefix” cannot contain more than 5 digits although Intune allows 12 out of the possible 15.
Do you have any idea where the problem could lie?
Br, Marius
Hi Marius,
That sounds like a challenge which I like!
You could try to remove the “computerNameSuffixRandomCharCount = 10;” part of the JSON body and add the characters you want yourself.
Does that help? Let me know!
Niels
Hey Niels,
Oh, what a stupid mistake. I've misinterpreted this property completely… I've used this day to quickly fix my fault and optimized my function. Now I have a function collection for "new, get, update and remove IntuneDomainJoinProfile". Let me know if you would like to have the script.
Br, Marius
Hi Marius,
Good to hear that you fixed the issue.
Please share the script 🙂
Thanks,
Niels
May I know if anyone has checked what the status of the device is in Intune after the domain join?
Hybrid join or Entra join…
And the same in Entra (AAD)?
I want to run this script as Autopilot… I do not want to use the Autopilot domain join feature due to the device name issue.
That would be Hybrid Joined.
So, don’t use this feature.
This is a cool script, except I am unable to run it successfully. I receive errors… What am I missing?
Invoke-RestMethod : The remote server returned an error: (400) Bad Request.
At C:\Dell\TestDomainJoinProfile.ps1:41 char:18
+ … teProfile = Invoke-RestMethod -Headers @{Authorization = “Bearer $($A …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
The bad request often refers to your JSON body not being correct.
Can you check out Graph X Ray and Graph Explorer to check what (in your case) the correct JSON body is?
Thanks,
Niels
Niels… A few weeks ago this script was working fine; now, however, I am receiving the following message:
Request Id: 1adfedc8-44c2-401e-9cf6-a8b934742a00
Correlation Id: 8abf9710-0c3e-407c-af18-29681d10d0ce
Timestamp: 2024-08-07T18:32:21Z
Message: AADSTS50194: Application ‘TenantID'(Azure AD – Graph API) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after ’10/15/2018’. Use a tenant-specific endpoint or configure the application to be multi-tenant.
Not being a PowerShell expert… what am I missing? Any assistance is appreciated.
Hi David,
Thanks for your message. Yes, Microsoft has made some changes to the Graph API. On line 27 of the script there is this line:
$AuthToken = Get-MsalToken -ClientId d1ddf0e4-d672-4dae-b554-9d5bdfd93547 -RedirectUri "urn:ietf:wg:oauth:2.0:oob" -Interactive
That doesn’t work anymore because Microsoft got rid of the Intune PowerShell client id (d1ddf0e4-d672-4dae-b554-9d5bdfd93547).
You need to add a new way to authenticate. An example to do so is this one:
https://www.modernendpoint.com/managed/connecting-to-microsoft-graph-with-powershell/
If you have any questions, please let me know.
Niels
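As an added example (not part of Niels's script or the linked article), this is what the replacement for line 27 can look like with the MSAL.PS module: an app registration of your own instead of the retired Intune PowerShell client id, a tenant-specific endpoint instead of /common (which is exactly what AADSTS50194 asks for), and only the Graph permission the script needs. The ClientId and TenantId values are placeholders to replace with your own; the function name and the guard on the multi-tenant endpoint names are this example's own.

```powershell
# Added example, not the original script. Requires: Install-Module MSAL.PS
# The app registration must allow public client flows for -Interactive to work.

function Get-GraphAuthHeader {
    param(
        [Parameter(Mandatory)][string]$ClientId,   # your own app registration id (placeholder below)
        [Parameter(Mandatory)][string]$TenantId,   # tenant GUID or verified domain, never 'common'
        # Least privilege: device configuration profiles only, not the whole of Intune.
        [string[]]$Scopes = @('https://graph.microsoft.com/DeviceManagementConfiguration.ReadWrite.All')
    )
    # Single-tenant apps created after 2018 are rejected on the shared endpoints (AADSTS50194).
    if ($TenantId -in @('common', 'organizations', 'consumers')) {
        throw "Use a tenant-specific TenantId; '$TenantId' is a multi-tenant endpoint and triggers AADSTS50194."
    }
    $token = Get-MsalToken -ClientId $ClientId -TenantId $TenantId -Scopes $Scopes -Interactive
    # Same header shape the original script builds from $AuthToken.AccessToken
    @{ Authorization = "Bearer $($token.AccessToken)" }
}

# Placeholders: replace with the values from your own tenant and app registration.
$Headers = Get-GraphAuthHeader -ClientId '<your-app-registration-id>' -TenantId '<your-tenant-id>'

# Quick check that the token works before running the profile creation.
Invoke-RestMethod -Method Get -Headers $Headers -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations?$top=1'
```

The rest of the script can keep using `$Headers` (or `$AuthToken.AccessToken`, if you keep the original variable name) unchanged; only the way the token is obtained differs.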