The current task will work for AD joined machines and Hybrid Azure AD joined machines, but it will not work for Azure AD only joined machines or for users that exist only in Azure AD.
In order to add an Azure AD user to a local group on a Hybrid Joined or Azure AD joined machine, the Azure AD user's UPN needs to be prepended with AzureAD\
The command dsregcmd /status will return the device's registration status. For devices where AzureAdJoined = YES and DomainJoined = NO, the add command should be
Add-LocalGroupMember -Group "$Group" -Member "AzureAD\$sidString" -ErrorAction Stop
Further testing showed that Add-LocalGroupMember didn't seem to work, but this did:
net localgroup $Group /add "AzureAD\$Member"
The script can be improved by detecting whether a machine is Azure AD joined, determining if the user exists in Azure AD only, and using the correct add command.
I tested this by running both commands, without and with AzureAd, and it seems to work, but I couldn’t figure out how to properly modify the Get/Test script portion. Ideally the script would only run the add command that is needed, instead of running both commands redundantly.
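Below is an added example of the detection logic described above (not the original script and not the poster's code): it parses dsregcmd /status for the AzureAdJoined and DomainJoined values, decides whether the member needs the AzureAD\ prefix, and runs only the one add command that applies. The function names, the $Group/$Member parameters and the "unresolvable name means Azure AD only user" heuristic are assumptions made for this example.

```powershell
# Added example, not the original remediation script.
# Assumptions: $Group is a local group name; $Member is DOMAIN\user or a
# sAMAccountName for AD accounts, or a UPN (user@tenant.com) for Azure AD users.

function Get-DeviceJoinState {
    # dsregcmd /status prints "Key : Value" lines; we only need these two.
    $status = dsregcmd /status
    $state = @{ AzureAdJoined = $false; DomainJoined = $false }
    foreach ($line in $status) {
        if ($line -match '^\s*AzureAdJoined\s*:\s*(YES|NO)') {
            $state.AzureAdJoined = ($Matches[1] -eq 'YES')
        }
        elseif ($line -match '^\s*DomainJoined\s*:\s*(YES|NO)') {
            $state.DomainJoined = ($Matches[1] -eq 'YES')
        }
    }
    return $state
}

function Test-AccountResolvable {
    param([string]$Account)
    # $true if Windows can map the name to a SID (local or AD account).
    # Assumption for this example: on a hybrid joined device, a name that does
    # not resolve is an Azure AD only user and needs the AzureAD\ prefix.
    try {
        $null = ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier])
        return $true
    } catch {
        return $false
    }
}

function Add-MemberToLocalGroup {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Member
    )
    $join = Get-DeviceJoinState

    # Azure AD only device (AzureAdJoined = YES, DomainJoined = NO), or a hybrid
    # device where the name does not resolve on-prem: treat $Member as an
    # Azure AD UPN and prefix it with AzureAD\.
    $useAzureAd = ($join.AzureAdJoined -and -not $join.DomainJoined) -or
                  ($join.AzureAdJoined -and -not (Test-AccountResolvable $Member))
    $target = if ($useAzureAd) { "AzureAD\$Member" } else { $Member }

    # Idempotence: do nothing if the principal is already in the group.
    # Get-LocalGroupMember can fail on groups that already contain Azure AD
    # members, so this check is best effort.
    $existing = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -eq $target }
    if ($existing) {
        Write-Output "$target is already a member of $Group"
        return
    }

    if ($useAzureAd) {
        # Per the testing above, net localgroup works for AzureAD\ UPNs where
        # Add-LocalGroupMember did not, so only that command is run here.
        $out = net localgroup $Group /add "$target" 2>&1
        if ($LASTEXITCODE -ne 0) { throw "net localgroup failed: $out" }
    } else {
        Add-LocalGroupMember -Group $Group -Member $target -ErrorAction Stop
    }
    Write-Output "Added $target to $Group"
}

# Usage (placeholder values):
# Add-MemberToLocalGroup -Group 'Administrators' -Member 'user@contoso.com'
```

The Get/Test portion of a remediation script can reuse Get-DeviceJoinState and the same $target computation so that the compliance check and the add step agree on which form of the name to look for; the add step then only ever runs one of the two commands instead of both.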