Getting the enrolled devices for a group in Intune

Figured this might be a good first post as any, as I like to keep things practical and simple.

Short background: We did a migration recently, and I found myself wanting a quick way to check whether or not members of a given AAD / Entra ID group had any devices in Microsoft Intune. If they did, we could adjust the communications and app assignments for those that had already moved over.

I couldn’t find a way to filter on group memberships natively in the Intune Portal, and knowing the Microsoft Graph API (through its PowerShell SDK) has a cmdlet for almost anything you’d want, I figured that would be the best approach.

To be able to look this up, I started on a PowerShell script that uses Microsoft Graph to list all the members of a specific Entra ID group. Then we take those members and do some checks.

Does the user have a device at all? And if they do, show a little bit of info on each device they have enrolled in Intune – like OS, version, Compliance, etc.

The script currently looks like this. To filter on just mobile devices I added a simple “-and” clause to the object filtering (left commented out in the function below); I’ll probably replace it with a parameter in the future. At a very high level, it works like this:

  • Connects to Microsoft Graph with the necessary scopes
  • Prompts for the Entra ID group – using the group ID / object ID; name lookup coming soon
  • Fetches all the managed devices into an array (in larger environments this can take some time)
  • Runs through the group members and checks each user for their enrolled devices
  • For filtering the array, I ended up writing a function that filters on each user’s UPN
  • If we find any devices belonging to the user, we display some information on them
  • And if not, we just say we didn’t find any 😉
  • Finally – some color coding to make it easier to read
  • TODO: Parameters, summary, export to CSV etc.

Let me know if you find this useful, or have any questions or input

<#
.SYNOPSIS
    Checks Intune enrollment for devices of members in a specified Entra ID group.

.DESCRIPTION
    This script retrieves all members of a specified Entra ID group and checks their Intune
    enrollment status. The script has basic filtering for iOS and Android devices, enabled by
    removing the comment in Get-UserIntuneDevices.
    It uses the Microsoft Graph PowerShell SDK to interact with Microsoft 365 services.
    TODO: Add parameters for filtering on specific sets of devices

.NOTES
    File Name      : Check-IntuneEnrollment.ps1
    Author         : Haakon Wibe
    Prerequisite   : Microsoft Graph PowerShell SDK
    Copyright      : (c) 2024 Haakon Wibe. All rights reserved.
    License        : GPL
    Version        : 1.0
    Creation Date  : 2024-09-12

.EXAMPLE
    .\Check-IntuneEnrollment.ps1

#>

# Copyright (c) 2024 Haakon Wibe. All rights reserved.

# Requires the Microsoft Graph PowerShell SDK
# Install-Module Microsoft.Graph -Scope CurrentUser

# Connect to Microsoft Graph with the necessary scopes
Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All", "DeviceManagementManagedDevices.Read.All"

# Function to get Intune enrolled (or iOS and Android) devices for a user
function Get-UserIntuneDevices {
    param (
        [Parameter(Mandatory = $true)]
        [string]$UserPrincipalName,
        [Parameter(Mandatory = $true)]
        [array]$AllDevices
    )
    
    return $AllDevices | Where-Object { 
        $_.UserPrincipalName -eq $UserPrincipalName -and
        # Remove comment to filter on iOS and Android devices
        # $_.OperatingSystem -in @("iOS", "Android") -and
        $_.ManagementAgent -in @("mdm", "configurationManagerClientMdm", "configurationManagerClientMdmEas")
    }
}

# Main script
$groupId = Read-Host "Enter the Entra ID Group ID"

try {
    Write-Host "Fetching all managed devices... This may take a moment." -ForegroundColor Yellow
    $allDevices = Get-MgDeviceManagementManagedDevice -All
    Write-Host "Fetched $($allDevices.Count) devices." -ForegroundColor Green

    $groupMembers = Get-MgGroupMember -GroupId $groupId -All
    
    foreach ($member in $groupMembers) {
        # Group members can also be nested groups, devices or service principals.
        # Get-MgUser would throw on those, and the catch block below would then abort the whole run.
        if ($member.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.user') {
            Write-Host "Skipping non-user member $($member.Id)" -ForegroundColor DarkGray
            continue
        }
        $user = Get-MgUser -UserId $member.Id
        $intuneDevices = Get-UserIntuneDevices -UserPrincipalName $user.UserPrincipalName -AllDevices $allDevices
        
        Write-Host "User: $($user.DisplayName) ($($user.UserPrincipalName))" -ForegroundColor Green
        
        if ($intuneDevices) {
            Write-Host "Intune Enrolled Devices: $($intuneDevices.Count)" -ForegroundColor Cyan
            foreach ($device in $intuneDevices) {
                Write-Host "  - Name: $($device.DeviceName)" -ForegroundColor Yellow
                Write-Host "    OS: $($device.OperatingSystem)"
                Write-Host "    OS Version: $($device.OsVersion)"
                Write-Host "    Management Agent: $($device.ManagementAgent)"
                Write-Host "    Compliance State: $($device.ComplianceState)"
                Write-Host "    Last Sync DateTime: $($device.LastSyncDateTime)"
                Write-Host ""
            }
        } else {
            Write-Host "No devices enrolled in Intune." -ForegroundColor Red
        }
        Write-Host "-----------------------------------------"
    }
} catch {
    Write-Error "An error occurred: $_"
} finally {
    Disconnect-MgGraph
}
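To cover two of the TODOs from the list above (group lookup by display name and export to CSV), here is an added example of how the same check can be built around the script above. It is not part of the original post or the author’s script. It assumes the same Microsoft Graph PowerShell SDK cmdlets (Get-MgGroup, Get-MgGroupTransitiveMember so that users in nested groups are included, Get-MgDeviceManagementManagedDevice) and the same scopes; the group display name and the output path are placeholders.

```powershell
# Added example, not the original script: resolve the group by display name, expand nested
# membership, and emit one object per device so the result can be piped to Export-Csv.
Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All", "DeviceManagementManagedDevices.Read.All"

function Get-GroupIntuneEnrollment {
    param (
        [Parameter(Mandatory = $true)]
        [string]$GroupDisplayName,
        # Optional OS filter, e.g. @("iOS", "Android"); empty means all operating systems
        [string[]]$OperatingSystem = @()
    )

    # Resolve the group by display name; refuse to guess if the name is ambiguous
    $escapedName = $GroupDisplayName -replace "'", "''"
    $groups = @(Get-MgGroup -Filter "displayName eq '$escapedName'")
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$GroupDisplayName', found $($groups.Count)."
    }
    $group = $groups[0]

    # Transitive members so users in nested groups are included; keep only user objects
    $users = Get-MgGroupTransitiveMember -GroupId $group.Id -All |
        Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' }

    # One call for all managed devices, then an in-memory lookup keyed by lower-cased UPN
    $devicesByUpn = @{}
    foreach ($device in (Get-MgDeviceManagementManagedDevice -All)) {
        if (-not $device.UserPrincipalName) { continue }
        $key = $device.UserPrincipalName.ToLowerInvariant()
        if (-not $devicesByUpn.ContainsKey($key)) { $devicesByUpn[$key] = @() }
        $devicesByUpn[$key] += $device
    }

    foreach ($member in $users) {
        $upn = $member.AdditionalProperties.userPrincipalName
        $displayName = $member.AdditionalProperties.displayName
        $devices = @()
        if ($upn -and $devicesByUpn.ContainsKey($upn.ToLowerInvariant())) {
            $devices = $devicesByUpn[$upn.ToLowerInvariant()]
        }
        if ($OperatingSystem.Count -gt 0) {
            $devices = @($devices | Where-Object { $_.OperatingSystem -in $OperatingSystem })
        }

        if ($devices.Count -eq 0) {
            # Emit a row for users without devices too, so the CSV gives the complete picture
            [pscustomobject]@{
                Group             = $group.DisplayName
                User              = $displayName
                UserPrincipalName = $upn
                DeviceName        = $null
                OperatingSystem   = $null
                OsVersion         = $null
                ComplianceState   = $null
                LastSyncDateTime  = $null
            }
            continue
        }
        foreach ($device in $devices) {
            [pscustomobject]@{
                Group             = $group.DisplayName
                User              = $displayName
                UserPrincipalName = $upn
                DeviceName        = $device.DeviceName
                OperatingSystem   = $device.OperatingSystem
                OsVersion         = $device.OsVersion
                ComplianceState   = $device.ComplianceState
                LastSyncDateTime  = $device.LastSyncDateTime
            }
        }
    }
}

# Usage: summary on screen, full detail to CSV (group name and path are placeholders)
$rows = @(Get-GroupIntuneEnrollment -GroupDisplayName "<Group Display Name>")
$rows | Export-Csv -Path ".\IntuneEnrollment.csv" -NoTypeInformation
$enrolled = @(@($rows | Where-Object { $_.DeviceName }).UserPrincipalName | Sort-Object -Unique)
$all = @($rows.UserPrincipalName | Sort-Object -Unique)
Write-Host "$($enrolled.Count) of $($all.Count) members have at least one Intune-managed device."
Disconnect-MgGraph
```

Building the hash table once keeps the cost at a single full device fetch regardless of group size, which matters in larger tenants, and emitting objects instead of Write-Host lines is what makes the CSV export and the summary count possible without a second pass over Graph.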

UPDATE: I also found the old script which I used to do much of the same. A lot more basic, but got the job done.

It was based on the earlier Azure AD and MS Graph libraries, so won’t work as well anymore. I think that was a good thing, because I always had problems with the filtering on those cmdlets.

Anyway, here is the old version:

# Install the necessary modules
Install-Module -Name AzureAD
Install-Module -Name Microsoft.Graph.Intune

# Import the modules
Import-Module -Name AzureAD
Import-Module -Name Microsoft.Graph.Intune

Connect-AzureAD

# All Users or the group you want
$groupId = "<Group Object ID>"
$groupMembers = Get-AzureADGroupMember -ObjectId $groupId

# Loop each user and display the devices
foreach ($user in $groupMembers) {
    $devices = Get-IntuneManagedDevice -Filter "userPrincipalName eq '$($user.UserPrincipalName)'"
    if ($devices) {
        Write-Host "$($user.DisplayName) has enrolled devices:"
        $devices | Format-Table -Property deviceName, operatingSystem, complianceState
    } else {
        Write-Host "$($user.DisplayName) has no enrolled devices."
    }
}
