Azure AD Device Registration – Part 2 – Use Azure Automation to Get Notified When Devices Go Pending State

This is the second post of this two-part troubleshooting series. In the first part I showed why devices can get stuck in the Pending registration state and how to troubleshoot and fix it. But what if you roll out Hybrid Azure AD Join across your fleet and need to stay on top of this, so that you are notified whenever devices go into the Pending state? Microsoft doesn't have a native alert for this, but with a few Azure tools I was able to put something useful together.

If you didn’t read the 1st part – Check it from here 👇🏽
Azure AD Device Registration – Part 1 – How to Fix the Pending Registration State Issue?

This solution uses Azure Automation (to run the query against Azure AD), Power Automate (to build the flow that schedules and orchestrates it) and Microsoft Teams (to deliver the notification).

Table of Contents

  1. Create Azure Automation Account
  2. Import AzureAD Module
  3. Create an Azure AD Service Principal (Managed Identity)
  4. Prepare the Azure AD PowerShell CMD let
  5. Create the Azure AD Runbook
  6. Create the Power Automate Flow
  7. Time to Test the Solution
  8. Final Thoughts

So without further ado, let's get our hands dirty!

Create Azure Automation Account

For this, go to your Azure subscription.

In a new or an existing resource group, add a new resource and search for Automation.

Import AzureAD Module

In the Automation account, go to Modules and select Add a module if you can't see the AzureAD PowerShell module. Note that Microsoft has since deprecated the AzureAD module in favour of Microsoft Graph PowerShell; the approach below still works the same way, only the cmdlets differ.

Install the AzureAD module.

Select Runtime Version 5.1 (the AzureAD module is Windows PowerShell only) and the overview will look like below.

Create an Azure AD Service Principal (Managed Identity)

Something has to authenticate to Azure AD when the runbook runs. Rather than a user account (with a password, MFA prompts and an expiring session), the runbook authenticates as a service principal that has a certificate credential attached to it. Despite the heading, this is an app registration plus a certificate, not an Azure managed identity: the runbook presents the certificate's private key, so that certificate has to be stored in the Automation account (as a certificate asset) where the runbook can reach it.

More on Service Principals: Read this Microsoft article

Give the service principal only what the query needs: a read-only directory permission such as the Directory Readers role is enough to enumerate devices, so do not make it a Global Administrator. Once the service principal is created, note down the Application ID, the certificate thumbprint and the Tenant ID; the runbook needs all three.
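The following is an added example (not a script from this post) of the steps above done in PowerShell rather than in the portal: it creates a self-signed certificate, an app registration and its service principal, attaches the certificate's public key as the only credential, grants the Directory Readers role (read-only, enough to list devices), and uploads the PFX to the Automation account as a certificate asset so the runbook can use it. The display name, certificate subject, resource group and Automation account name are placeholders I chose; it assumes the AzureAD and Az.Automation modules and an interactive admin session (Connect-AzureAD and Connect-AzAccount already done).

```powershell
# Added example: provision the service principal for the runbook with least privilege.
# All names below are placeholders (assumptions), not values from the original post.
$ErrorActionPreference = 'Stop'
$displayName = 'AadPendingDevicesRunbook'
$pfxPath     = Join-Path $env:TEMP 'AadPendingDevicesRunbook.pfx'
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password (used only for the upload)'

# 1. Self-signed certificate. The private key lives in the admin's user store until exported.
$cert = New-SelfSignedCertificate -Subject "CN=$displayName" `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyExportPolicy Exportable `
    -KeySpec Signature -NotAfter (Get-Date).AddYears(1)

# 2. App registration + service principal, with the certificate as its only credential
#    (no client secret is ever created).
$app = New-AzureADApplication -DisplayName $displayName
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId `
    -CustomKeyIdentifier ([Convert]::ToBase64String($cert.GetCertHash())) `
    -Type AsymmetricX509Cert -Usage Verify `
    -Value ([Convert]::ToBase64String($cert.GetRawCertData())) `
    -StartDate $cert.NotBefore -EndDate $cert.NotAfter | Out-Null
$sp = New-AzureADServicePrincipal -AppId $app.AppId

# 3. Least privilege: Directory Readers can enumerate devices; nothing more is needed.
#    The role may not be activated yet in a fresh tenant, so enable it from its template if so.
$role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq 'Directory Readers'
if (-not $role) {
    $tmpl = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq 'Directory Readers'
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $tmpl.ObjectId
}
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId

# 4. Export the PFX and store it as a certificate asset in the Automation account
#    (resource group / account names are placeholders). Delete the local copy afterwards.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
New-AzAutomationCertificate -ResourceGroupName 'rg-automation' `
    -AutomationAccountName 'aa-devicealerts' -Name 'AadPendingDevicesCert' `
    -Path $pfxPath -Password $pfxPassword | Out-Null
Remove-Item $pfxPath

# 5. The three values the runbook's Connect-AzureAD call needs
[pscustomobject]@{
    TenantId      = (Get-AzureADTenantDetail).ObjectId
    ApplicationId = $app.AppId
    Thumbprint    = $cert.Thumbprint
}
```

The private key never leaves your machine except inside the password-protected PFX that is uploaded to the Automation account, and the service principal ends up with no secret and no write permission, so if the Automation account is ever compromised the blast radius is a read-only view of the directory.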

Prepare the Azure AD PowerShell CMD let

I described how to identify all the Pending state devices in your fleet in my previous article. The filter comes from Microsoft's documentation; I made one small change so that the output can be consumed by Power Automate.

  1. Azure AD connection
    The runbook authenticates as the service principal created above, using the certificate rather than a user account:

    Connect-AzureAD -TenantId <Azure AD tenant ID> -ApplicationId <app ID of the service principal created above> -CertificateThumbprint <thumbprint of the service principal's certificate> | Out-Null

  2. Pending status search command
    The devices we want are Hybrid Azure AD joined (DeviceTrustType is ServerAd) but have no AlternativeSecurityIds yet; that field is only populated once the device completes registration, so an empty value is exactly what the portal shows as Pending. The output is piped to ConvertTo-Html so it can be formatted later for Microsoft Teams:

    Get-AzureADDevice -All $true | Where-Object { ($_.DeviceTrustType -eq "ServerAd") -and ($_.ProfileType -ne "RegisteredDevice") -and (-not $_.AlternativeSecurityIds) } | Select-Object -Property DisplayName, AccountEnabled, ObjectId, DeviceId | ConvertTo-Html

Create the Azure AD Runbook

In the Automation account, under Runbooks, create a new runbook

Name your runbook and select PowerShell as runbook type and runtime version 5.1

Add your previously created command by going to the runbook

Use the Test pane to run the code as below; when the output looks right, use Publish.

As you can see below, the test is successful.

Publish the runbook: Power Automate can only start jobs on a published runbook, so an unpublished (draft) runbook will not work in the flow.
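Below is a complete runbook I wrote as an added example for this step (it is not the author's runbook). It does the same query as the two commands above, but with the checks a practitioner would want before wiring it into a flow: it reads the tenant ID, application ID and thumbprint from Automation variables (the variable names are my own), verifies the certificate asset is actually present in the sandbox's CurrentUser\My store before trying to connect, emits a fixed message when nothing is pending so the flow can branch on it, and HTML-encodes device display names before they are embedded in a Teams message, since those names come from whoever created the computer account. The assumptions here are that the certificate was uploaded as a certificate asset and that Get-AutomationVariable, which only exists inside the Automation sandbox, can resolve the three variables.

```powershell
# Added example runbook (not the original post's script). Runtime: Windows PowerShell 5.1
# with the AzureAD module imported into the Automation account.
$ErrorActionPreference = 'Stop'

# Automation variable names are assumptions for this example; create them under Shared Resources.
$tenantId   = Get-AutomationVariable -Name 'AadTenantId'
$appId      = Get-AutomationVariable -Name 'AadAppId'
$thumbprint = Get-AutomationVariable -Name 'AadCertThumbprint'

# Fail early with a clear message if the certificate asset was not uploaded:
# Azure Automation loads certificate assets into the sandbox's CurrentUser\My store.
$certPresent = Get-ChildItem 'Cert:\CurrentUser\My' | Where-Object Thumbprint -eq $thumbprint
if (-not $certPresent) {
    throw "Certificate $thumbprint not found in Cert:\CurrentUser\My. Upload it as a Certificate asset."
}

Connect-AzureAD -TenantId $tenantId -ApplicationId $appId -CertificateThumbprint $thumbprint | Out-Null

# Same filter as the post: Hybrid Azure AD joined (ServerAd), not a registered-device profile,
# and no AlternativeSecurityIds -> registration has not completed (Pending).
$pending = @(Get-AzureADDevice -All $true | Where-Object {
    $_.DeviceTrustType -eq 'ServerAd' -and
    $_.ProfileType -ne 'RegisteredDevice' -and
    -not $_.AlternativeSecurityIds
})

if ($pending.Count -eq 0) {
    # A fixed string the flow can compare against, instead of posting an empty table.
    Write-Output '<p>No Hybrid Azure AD joined devices are in Pending state.</p>'
    return
}

# Build the HTML table by hand with explicit encoding. Display names are set by whoever
# created the on-prem computer account, so treat them as untrusted before they reach Teams.
$sb = New-Object System.Text.StringBuilder
[void]$sb.Append("<p>$($pending.Count) device(s) pending registration:</p>")
[void]$sb.Append('<table><tr><th>DisplayName</th><th>AccountEnabled</th><th>ObjectId</th><th>DeviceId</th></tr>')
foreach ($d in $pending) {
    $name = [System.Net.WebUtility]::HtmlEncode([string]$d.DisplayName)
    [void]$sb.Append("<tr><td>$name</td><td>$($d.AccountEnabled)</td><td>$($d.ObjectId)</td><td>$($d.DeviceId)</td></tr>")
}
[void]$sb.Append('</table>')

# Whatever is written to the output stream is what the flow's "Get job output" action receives.
Write-Output $sb.ToString()
```

Keeping the identifiers in Automation variables (and the certificate as an asset) means nothing sensitive is hard-coded in the runbook body, which is visible to anyone who can read the Automation account, and the thumbprint check turns a confusing Connect-AzureAD failure into a one-line diagnosis.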

Create the Power Automate Flow

Now that we have the prerequisites ready, let’s create the Power Automate Flow where we add everything together.

Connections – You will need the two connections below to complete the Power Automate flow: Azure Automation (to start the runbook job and read its output) and Microsoft Teams (to post the result).

Set the trigger – I set this flow to run every Monday at 9 AM in my time zone.

Action 1 – Create the runbook job instance.

Action 2 – Set the wait, to make sure the job has gone through the stages Queuing > Starting > Running > Completed before the output is read.

Action 3 – Get the output of the job that just ran.

Action 4 – Make sure the output is readable and sanitised. The runbook returns HTML (from ConvertTo-Html), so this step tidies it into something the Teams message action can render.

Action 5 – Use the Microsoft Teams connection to send the result from the Flow Bot to the selected recipient. This can also post to a group channel.

Time to Test the Solution

As you can see below, the flow runs with no errors.

The Flow Bot sends a Teams message as configured earlier, rendered from the HTML output.

To confirm, if you go to Azure AD > Devices and look for that device, you can see the Pending state.

Final Thoughts

This looks like a lot, I agree, but once you know the basics of Azure Automation and runbooks it's easy to connect them with Power Automate to get the final result.

When you have a lot of computers that need to be Hybrid Azure AD joined and you need to stay on top of things so you can enrol them in Intune, this is a good proactive way of being notified about devices whose Device Registration Status is Pending, so you can start troubleshooting before users notice.
