Intune Grouptag Assignment → Ivanti Automation
Overview
This automation playbook assigns or updates the Grouptag for Configuration Items (CIs) in Microsoft Intune, integrating with Ivanti ITSM for task management and Passwordstate for credential retrieval. It fetches key user information, generates and sets Grouptags, updates both Intune and Ivanti, and handles error reporting and escalation.
High-Level Flow
- Retrieve Ivanti and Intune credentials from Passwordstate
- For each CI:
  - Update Grouptag Usecase in Ivanti
  - Fetch key users from SharePoint via Microsoft Graph
  - Generate Grouptag for the CI
  - Set Grouptag in Intune Autopilot
  - Update Grouptag in Ivanti
  - Add notes to Ivanti task for success or failure
  - Escalate failed tasks to Systeemsoftware
Execution Flow
sequenceDiagram
    participant Ivanti as Ivanti ITSM
    participant AAP as Ansible Automation
    participant PWS as Passwordstate
    participant Intune as Microsoft Intune/Graph
    participant SP as SharePoint
    Ivanti->>AAP: Trigger Grouptag assignment task
    AAP->>PWS: Get Ivanti & Intune credentials
    PWS-->>AAP: Credentials
    loop For each CI
        AAP->>Ivanti: Update Grouptag Usecase
        AAP->>Intune: Fetch key users from SharePoint
        SP-->>AAP: Key user info
        AAP->>Intune: Generate Grouptag
        AAP->>Intune: Set Grouptag in Autopilot
        alt Success
            AAP->>Ivanti: Update Grouptag in CI
            AAP->>Ivanti: Add success note to task
            AAP->>Ivanti: Add status note for CI removal
        else Failure
            AAP->>Ivanti: Add failure note to task
            AAP->>Ivanti: Assign task to Systeemsoftware
            AAP->>Ivanti: Set failed status fact
        end
    end
Components
Ivanti ITSM
- Task Management: Tracks Grouptag assignment tasks, updates CI records, and logs status notes
- Escalation: Assigns failed tasks to Systeemsoftware for manual intervention
Passwordstate
- Credential Storage: Securely stores credentials for Ivanti and Intune/Graph API access
Microsoft Intune & Graph API
- Grouptag Assignment: Sets Grouptag for devices in Autopilot
- Key User Retrieval: Fetches key user information from SharePoint lists
Playbook Logic
Main Steps
- Update Grouptag Usecase in Ivanti
  - Sets the Grouptag usecase field for the CI in Ivanti
- Fetch Key Users from SharePoint
  - Uses Microsoft Graph API to retrieve key users for the CI
- Generate Grouptag
  - Generates a Grouptag value based on key user or usecase info
- Set Grouptag in Intune Autopilot
  - Updates the device's Grouptag in Intune
- Update Grouptag in Ivanti
  - Reflects the new Grouptag in the CI record in Ivanti
- Add Notes and Escalate if Needed
  - Adds status notes to the Ivanti task for both success and failure
  - Assigns failed tasks to Systeemsoftware and sets a failed status fact
Task Input & Output
Input Parameters
- item.Name: Name of the CI/device
- item.RecId: Ivanti record ID for the CI
- task_info.RecId: Ivanti task record ID
- task_info.AssignmentID: Ivanti task assignment ID
- task_info.servicereq_params.a_2gr_GrouptagUseCase: Grouptag usecase parameter
- Intune and Ivanti credentials from Passwordstate
Output Actions
- On Success:
  - Grouptag is set in Intune and Ivanti
  - Notes are added to the Ivanti task
  - CI status is updated as needed
- On Failure:
  - Failure note is added to the Ivanti task
  - Task is assigned to Systeemsoftware
  - Failed status fact is set for further processing
Error Handling & Idempotency
- All credentials are handled with no_log: true for security
- Errors in Grouptag assignment trigger escalation and status updates
- Playbook is safe for repeated runs; only updates as needed
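The three points above combined in one per-CI task block, as an added example that is not the project's own tasks file. It uses ansible.builtin.uri where the project uses PowerShell scripts, and the variables graph_token, autopilot_device_id, grouptag, ivanti_note_url and ivanti_auth_header, the fact names, and the Ivanti note body field are assumptions.

```yaml
# Added example, not the project's _tasks file. Hypothetical variables:
# graph_token, autopilot_device_id, grouptag, ivanti_note_url, ivanti_auth_header.
- name: Assign Grouptag for one CI, escalate on failure
  delegate_to: localhost
  vars:
    graph_device_url: "https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities/{{ autopilot_device_id }}"
  block:
    - name: Read current Grouptag from Autopilot
      ansible.builtin.uri:
        url: "{{ graph_device_url }}"
        headers:
          Authorization: "Bearer {{ graph_token }}"
      register: autopilot_device
      no_log: true   # keeps the bearer token out of job output and logs

    - name: Set Grouptag only when it differs (idempotent on re-run)
      ansible.builtin.uri:
        url: "{{ graph_device_url }}/updateDeviceProperties"
        method: POST
        headers:
          Authorization: "Bearer {{ graph_token }}"
        body_format: json
        body:
          groupTag: "{{ grouptag }}"
        status_code: [200, 204]
      when: (autopilot_device.json.groupTag | default('')) != grouptag
      no_log: true

  rescue:
    - name: Set failed status fact and build a secret-free note
      ansible.builtin.set_fact:
        grouptag_failed: true
        # Results of no_log tasks are censored, so reference the task name only.
        failure_note: >-
          Grouptag assignment failed for {{ item.Name }}
          in task "{{ ansible_failed_task.name }}"

    - name: Add failure note to the Ivanti task
      ansible.builtin.uri:
        url: "{{ ivanti_note_url }}"   # hypothetical endpoint for task_info.RecId
        method: POST
        headers:
          Authorization: "{{ ivanti_auth_header }}"
        body_format: json
        body:
          Note: "{{ failure_note }}"   # hypothetical field name
      no_log: true
```

Because no_log censors a failed task's result, the failure note carries only the CI name and the failing task's name; the detailed error has to be reproduced by whoever picks up the escalated task.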
Benefits
- Automates Grouptag assignment for Intune devices
- Integrates securely with Ivanti and Passwordstate
- Provides clear audit trail and escalation for failures
- Reduces manual overhead for device lifecycle management
Notes
- The _tasks file is included as part of the main playbook logic
- PowerShell scripts are used for Microsoft Graph and SharePoint integration
- All sensitive operations are delegated to localhost for security
- Grouptag logic can be extended for more complex scenarios