Onboarding devices and assigning user groups are two common actions that MSPs and enterprise IT teams look to automate to improve workflow. At scale, this is typically configured via an RMM or via Intune configuration profiles that are assigned according to device labels through the Graph API. Read this guide to get started.
Steps for setting Intune configuration profile assignments via Graph API
📌 Prerequisites:
- Microsoft Intune licenses
- Azure AD Premium (for dynamic groups and Intune policies)
- Registered application with Graph API permissions:
  - DeviceManagementConfiguration.ReadWrite.All
  - Device.Read.All
  - Group.ReadWrite.All
- PowerShell 7+ with Microsoft.Graph module
- Optional: Local registry access for tagging
- Optional: NinjaOne or RMM platform for endpoint metadata and script execution
💡 Tip: Check out the Things to look out for section for tips on managing potential risks.
Step 1: Apply local registry-based device labels (Optional)
In this example, a simple registry key on each device is created with values like Label=Finance and AssignedProfile=None.
- Use Search 🔎 to open Terminal → PowerShell → Run as administrator.
- Tag endpoints with role or environment metadata:
```powershell
# Create the key first; Set-ItemProperty fails if the path does not exist yet
New-Item -Path "HKLM:\SOFTWARE\Org\DeviceLabels" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Org\DeviceLabels" -Name "Label" -Value "Finance"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Org\DeviceLabels" -Name "AssignedProfile" -Value "None"
```
This step can be used independently of Intune or alongside it as you transition. It creates a simple registry key on each device, which also serves as metadata.
You can run `reg query HKLM\SOFTWARE\Org\DeviceLabels` in CMD or PowerShell to validate it. These labels can then guide which Intune profile an external script assigns.
Step 2: Connect to Microsoft Graph and query devices by label
This step finds devices by their label, either the device category (e.g., `DeviceCategory -eq "Finance"`) or an extension attribute such as an Entra ID extension property.
- Use Search 🔎 to open Terminal → PowerShell → Run as administrator.
- Connect to Graph:
```powershell
Connect-MgGraph -Scopes "Device.Read.All","DeviceManagementConfiguration.ReadWrite.All","Group.ReadWrite.All"
```
- Then, query devices by category:
```powershell
# -All pages through every device; without it only the first page is returned
$devices = Get-MgDevice -All | Where-Object { $_.DeviceCategory -eq "Finance" }
```
If you’re using extension attributes, adjust the query to match those instead. Intune and Entra ID are best used to target enrolled devices.
Step 3: Create or find configuration profiles and assign them by group
The next objective is to ensure there’s a target group for the label (e.g., “Finance Devices”).
- Use Search 🔎 to open Terminal → PowerShell → Run as administrator.
- Run Get-MgDeviceManagementDeviceConfiguration to list existing configuration profiles.
- Then, find or create an assignment group for the target label:
```powershell
$group = Get-MgGroup | Where-Object { $_.DisplayName -eq "Finance Devices" }
```
Or create a new group:
```powershell
# Static security group; members are added explicitly in the next step.
# (A dynamic group would need -GroupTypes @("DynamicMembership") plus a
# -MembershipRule, and cannot be populated with Add-MgGroupMember.)
$group = New-MgGroup -DisplayName "Finance Devices" -MailEnabled:$false `
    -MailNickname "FinanceGroup" -SecurityEnabled:$true
```
- With the group created, you can add devices to the group and assign a configuration profile.
- Add devices (each device returned by the Step 2 query):
```powershell
foreach ($device in $devices) {
    Add-MgGroupMember -GroupId $group.Id -DirectoryObjectId $device.Id
}
```
- Assign configuration profile:
```powershell
# Pick the profile to assign from the list returned above, e.g. by display name
# ("Finance_Profile" is an example name)
$configProfile = Get-MgDeviceManagementDeviceConfiguration -All |
    Where-Object { $_.DisplayName -eq "Finance_Profile" }

# Target the group; the assignment target must carry its @odata.type
New-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $configProfile.Id `
    -Target @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $group.Id }
```
💡 Note: Alternatively, you can use dynamic membership if your label is stored in a group-queryable attribute (e.g., an extension attribute). Otherwise, automate the tagging via your RMM.
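As an added example (not code from the original guide), here is the dynamic-membership variant the note describes. It assumes the label is held in the device's extensionAttribute1 and that a profile named Finance_Profile already exists; both names, and the MailNickname, are assumptions you would replace with your own.

```powershell
# Added example: dynamic group keyed on an Entra device attribute, then the
# profile is assigned to that group. Assumes extensionAttribute1 carries the
# label and that "Finance_Profile" exists (both are placeholder choices).
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All","Group.ReadWrite.All" -NoWelcome

$label       = "Finance"
$groupName   = "$label Devices"
$profileName = "Finance_Profile"

# A dynamic group needs a membership rule and the rule processor switched on.
# The rule must reference an attribute Entra can evaluate (extensionAttribute1 here);
# a rule on an attribute that is never populated will never resolve.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
        -MailEnabled:$false -MailNickname "${label}Dyn" -SecurityEnabled:$true `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule "(device.extensionAttribute1 -eq `"$label`")" `
        -MembershipRuleProcessingState "On"
}
# Membership is computed by Entra, so Add-MgGroupMember is not used here (it would fail).

$configProfile = Get-MgDeviceManagementDeviceConfiguration -All |
    Where-Object { $_.DisplayName -eq $profileName }
if (-not $configProfile) { throw "Profile '$profileName' not found" }

New-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $configProfile.Id `
    -Target @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $group.Id }

# Check that the rule actually resolved before relying on it; Entra can take
# several minutes to evaluate a new rule, so zero members right away is normal.
$memberCount = (Get-MgGroupMember -GroupId $group.Id -All | Measure-Object).Count
Write-Host "Dynamic group '$groupName' currently has $memberCount member(s)"
```

Because the group computes its own membership, this variant removes the per-device Add-MgGroupMember loop entirely; the trade-off is that the label must already live in an attribute Entra can query, which a registry-only label does not satisfy.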
Step 4: Automate the workflow (Label → Group → Profile)
This step sets up hands-off management once the label sources and target profiles have been identified and queried. Here is a sample script using the previous labels and profiles:
```powershell
$label   = "Finance"
$devices = Get-MgDevice -All | Where-Object { $_.DeviceCategory -eq $label }

# Find or create the label's group once, not once per device
$group = Get-MgGroup | Where-Object { $_.DisplayName -eq "$label Devices" }
if (-not $group) {
    # ${label} keeps "Group" from being read as part of the variable name
    $group = New-MgGroup -DisplayName "$label Devices" -MailEnabled:$false `
        -MailNickname "${label}Group" -SecurityEnabled:$true
}

foreach ($device in $devices) {
    Add-MgGroupMember -GroupId $group.Id -DirectoryObjectId $device.Id
}

# Assign the label's profile to the group ("Finance_Profile" is an example name)
$configProfile = Get-MgDeviceManagementDeviceConfiguration -All |
    Where-Object { $_.DisplayName -eq "${label}_Profile" }
New-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $configProfile.Id `
    -Target @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $group.Id }
```
In managed and enterprise environments, this script must be run on a recurring basis to pick up new endpoints that need to be organized.
Step 5: Store assignment status for audit in the registry
To close, update the registry to track which profile has been applied. You can run the following script via PowerShell:
```powershell
Set-ItemProperty -Path "HKLM:\SOFTWARE\Org\DeviceLabels" -Name "AssignedProfile" -Value "Finance_Profile"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Org\DeviceLabels" -Name "LastSynced" -Value (Get-Date).ToString("u")
```
This action creates a local audit trail for support teams. This data can also be collected by an RMM or exported to CSV for central reporting.
💡 Note: This script may run or fail without displaying any confirmation or prompt. To confirm if changes have been applied successfully, check the corresponding registry keys or system settings.
⚠️ Things to look out for when automating Intune profile assignments
Below are common risks, their possible consequences, and some practical ways to reverse or prevent issues.
| Risks | Potential Consequences | Reversals |
|---|---|---|
| Inconsistent labeling sources (local registry vs. Intune DeviceCategory vs. Entra extension attributes) | Devices may not be grouped correctly; duplicates or unassigned machines | Standardize on one authoritative label source; if migrating, add safeguards to prevent duplicate assignments |
| Creating dynamic groups without a stable attribute | Group rules never resolve; devices never receive profiles | Ensure labels are stored in an attribute usable in dynamic rules (e.g., extensionAttribute, deviceCategory); test rules on a sample set |
| Graph throttling in large environments | Script execution slows; partial device updates | Batch devices, add retry logic, or run the workflow label-by-label instead of all at once |
Many of the challenges in automating profile assignments via Intune arise during transitions between label sources. So, do your due diligence to ensure labels and groupings don't conflict or get duplicated.
Also, in large environments the scripts may need to be run in staggered batches, unless you're running them via an RMM that fits the scale of the operation.
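The following is an added example, not the guide's own script, showing the Step 4 workflow hardened against the risks in the table: it pages through all devices, runs one label at a time, skips members and assignments that already exist (so a rerun never duplicates work), and retries Graph calls that are throttled. The label-to-profile mapping (Finance to Finance_Profile), the "<label> Devices" group naming and the Invoke-WithRetry helper are assumptions.

```powershell
# Added example: recurring Label -> Group -> Profile run with paging, label-by-label
# batching, idempotent writes and throttling retries. Assumed conventions:
# group "<label> Devices", profile name taken from $ProfileForLabel.
param(
    [string[]]  $Labels          = @("Finance"),
    [hashtable] $ProfileForLabel = @{ Finance = "Finance_Profile" }
)

Connect-MgGraph -Scopes "Device.Read.All","DeviceManagementConfiguration.ReadWrite.All","Group.ReadWrite.All" -NoWelcome

function Invoke-WithRetry {
    # Re-runs a Graph call when it is throttled (429) or transiently unavailable (503),
    # backing off exponentially. Assumption: the exception text carries the status.
    param([scriptblock] $Action, [int] $MaxAttempts = 5)
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try { return & $Action }
        catch {
            $msg = $_.Exception.Message
            if ($attempt -eq $MaxAttempts -or $msg -notmatch '429|TooManyRequests|Too many requests|503') { throw }
            $delay = [math]::Pow(2, $attempt)
            Write-Warning "Throttled on attempt $attempt, retrying in $delay s"
            Start-Sleep -Seconds $delay
        }
    }
}

# Read the device and profile lists once; -All pages through every result.
$allDevices = Invoke-WithRetry { Get-MgDevice -All }
$profiles   = Invoke-WithRetry { Get-MgDeviceManagementDeviceConfiguration -All }

foreach ($label in $Labels) {
    $devices = $allDevices | Where-Object { $_.DeviceCategory -eq $label }
    if (-not $devices) { Write-Host "No devices labeled '$label'"; continue }

    $groupName = "$label Devices"
    $group = Invoke-WithRetry { Get-MgGroup -Filter "displayName eq '$groupName'" } | Select-Object -First 1
    if (-not $group) {
        $group = Invoke-WithRetry {
            New-MgGroup -DisplayName $groupName -MailEnabled:$false `
                -MailNickname "${label}Group" -SecurityEnabled:$true
        }
    }

    # Idempotent membership: add only devices that are not already members
    $existing = @(Invoke-WithRetry { Get-MgGroupMember -GroupId $group.Id -All }).Id
    foreach ($device in $devices) {
        if ($existing -contains $device.Id) { continue }
        Invoke-WithRetry { Add-MgGroupMember -GroupId $group.Id -DirectoryObjectId $device.Id }
        Write-Host "Added $($device.DisplayName) to $groupName"
    }

    # Idempotent assignment: create it only if the group is not targeted yet
    $configProfile = $profiles | Where-Object { $_.DisplayName -eq $ProfileForLabel[$label] }
    if (-not $configProfile) { Write-Warning "No profile named '$($ProfileForLabel[$label])'"; continue }

    # Raw request so each assignment's target.groupId is a plain hashtable key
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($configProfile.Id)/assignments"
    $current = Invoke-WithRetry { (Invoke-MgGraphRequest -Method GET -Uri $uri).value }
    if ($current | Where-Object { $_.target.groupId -eq $group.Id }) { continue }

    Invoke-WithRetry {
        New-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $configProfile.Id `
            -Target @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $group.Id }
    }
    Write-Host "Assigned '$($configProfile.DisplayName)' to $groupName"
}
```

Run it on a schedule (a scheduled task or an RMM automation policy); because every write is preceded by a read, rerunning after a partial, throttled run simply completes what was left. Passing several labels processes them sequentially, which is the label-by-label batching the table recommends.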
Use NinjaOne to enhance Intune workflows
Many Intune workflows can be layered with the automation policies, reporting, and scalable yet granular IT management that NinjaOne RMM® offers, for example:
- Deploying scripts that tag devices in the registry
- Triggering external Graph scripts via automation policies
- Reporting on device metadata (label, role, location) to guide assignments
- Tagging devices without proper configuration profiles for remediation
- Alerting when devices drift from expected Intune policy assignments
With NinjaOne, MSPs can streamline Intune policy governance while maintaining multi-client scalability and reporting.
Best practices for automating profile assignment in Intune
Enabling Intune configuration profile assignment automation with Graph API is an effective way to promote policy enforcement and streamline device onboarding across your network.
But as your organization grows, consider pairing Intune and Graph API with an RMM such as NinjaOne, which offers automation and remediation capabilities at scale. This proactive approach provides a complete framework for hands-off, audit-ready, and scalable endpoint management.
