Auto assign Managed Google Play (Android) apps

Published: October 14, 2023 | Author: René Laas

The purpose of this blog is to inform you how to auto-assign Android Managed Google Play apps via an Azure Logic app.

If I have time, I check the Intune support TechNet, and if I can I help others with their question about Intune. So, my eyes fell on the question “auto assign”.

A few other people also responded with their point of view but didn’t answer the question. I purposed to use a logic app. The logic app can monitor a scheduled interval of the Graph API for newly added apps, if an app is new and not assigned, the logic app will automatically assign the app to all user groups.


  • Microsoft Intune
  • Azure Logic App
  • Cloud Application Administrator or Global Administrator
  • Android Enterprise account

Graph API Permissions:

  • Application.Read.All
  • Application.ReadWrite.All

What is an Azure Logic app

Azure Logic Apps is a cloud service that helps you schedule, automate, and orchestrate tasks, sbusiness processes, and workflows when you need to integrate apps, data, systems, and services across enterprises or organizations.

More information about Azure Logic Apps can be found here

Android Managed Google Play store

The Android Managed Google Play is an app platform within the Android ecosystem to make your public and private business apps available to your employees.

Designed to facilitate the deployment, and management of Android apps in your environment, the managed Google Play store provides your users with only the applications and tools authorized by your organization.

Graph API

The Microsoft Graph API provides a set of RESTful endpoints that enable developers to access and manipulate data in Microsoft Intune, a cloud-based service that enables organizations to manage and secure their mobile devices and apps. With the Graph API, administrators can get, create, update, and delete Intune resources such as devices, apps, policies, and profiles.

Administrators can use the Graph API to perform their tasks in Intune, such as retrieving device inventory information, deploying apps and profiles to devices, configuring device compliance policies, and managing device actions like wiping or locking a device. In summary, the Microsoft Graph API provides a powerful and flexible tool for administrators.

Let start with the registration of the application API permissions.

Note. In this example, I have used an App registration with App secret. Keep in mind this is not the most securest way to connect to the Graph API. For production environments please use a managed identity of Certificate.

  • Click on + New registration
  • Configure an app name e.g., Auto assign Android Managed Google Play apps
  • Click on the Register button, and the app will be created and automatically opened.
  • In the menu click on API Permissions
  • Click on+ Add a permission
  • Select Microsoft Graph and select Application permissions
  • Search and add the following permissions:
  • Grant admin consent for your organization
  • In the menu, click on Certificates & Secrets
  • Click on + New Client secret
  • Set a description and the expiry of the secret and click on Add
  • Copy the value of the secret,
  • Go to the overview page and copy the Client ID and Tenant ID

Let start Automate your retire actions and report via an Azure Logic App

Note. Rename every Azure Logic App action to match the screenshots!

  • Click on + Add
  • Select an existing Resource Group or create a new Resource Group
  • Select the instance Type (I have chosen Consumption, but check the Azure Calculator which option fits your environment)
  • Select your region and click on Review + Create
  • Check the details on the Review + Create page and click on Create
  • After the deployment is completed, go to your new Logic App via Go to Resource button
  • The first step of the workflow is the Recurrence trigger, based on the desired interval

Note. I have used a daily interval in this blog.

  • The next four steps of the workflow are to initialize variables.
Initialize TenantIDTenantIDString{Paste your Tenant ID}
Initialize ClientIDClientIDString{Paste your Client ID}
Initialize AudienceAudienceString
Initialize SecretSecretString{Paste your Secret}
  • The first action after the four variables is the HTTP action. With the HTTP connector, the logic app will connect to the Graph API

Authentication TypeActive Directory OAuth
Client ID@{variables(‘ClientID’)}
Credential TypeSecret
  • After the HTTP – Get All Android Enterprise Store Apps action. You need to parse the data.
  • Create a Parse JSON action.




    "properties": {
        "@@odata.context": {
            "type": "string"
        "@@odata.count": {
            "type": "integer"
        "value": {
            "items": {
                "properties": {
                    "@@odata.type": {
                        "type": "string"
                    "assignments": {
                        "type": "array"
                    "[email protected]": {
                        "type": "string"
                    "displayName": {
                        "type": "string"
                    "id": {
                        "type": "string"
                "required": [
                    "[email protected]",
                "type": "object"
            "type": "array"
    "type": "object"
  • After the Parse JSON action, create a Filter array action.
Choose a value@empty(item()?[‘assignments’])
Is equal to
Choose a value@true
  • After the Filter Array action. Create a for each loop with the output of the Body property of the Filter array action.
  • Within the For each Android Enterprise Store App loop action, create another HTTP action.



  "mobileAppAssignments": [
      "@@odata.type": "#microsoft.graph.mobileAppAssignment",
      "intent": "Available",
      "settings": {
        "@@odata.type": "#microsoft.graph.androidManagedStoreAppAssignmentSettings",
        "androidManagedStoreAppTrackIds": [],
        "autoUpdateMode": "default"
      "target": {
        "@@odata.type": "#microsoft.graph.allLicensedUsersAssignmentTarget"
Authentication TypeActive Directory OAuth
Client ID@{variables(‘ClientID’)}
Credential TypeSecret
  • The logic app will now run every day. It will search for unassigned managed Google Play apps. If an app is not assigned, it will automatically assigned to the All user group to the Available for Enrolled Devices assignment method of the app.

Entire flow to automate the auto assign Android managed Google Play apps

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.