Question

MethodDev asked · 1 vote

AzureAD - PowerShell - Determine if device has MDM enabled

Is there a good way to do that?

Currently I have:

 <# Connect To O365 Start #>
 Connect-AzureAD -Credential $credentials | Out-Null
 <# Connect To O365 End #>

 # Look up one device by display name (uncomment -All $true to pull every device instead)
 $devices_List = Get-AzureADDevice -Filter "(DisplayName eq 'DESKTOP-DHGUVFV')" | Select-Object * #-All $true
 $report = $devices_List | ForEach-Object {
     $device = $_
     # Registered owner(s) of this device object
     $registeredUser = Get-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId
     [PSCustomObject]@{
         Device   = $device
         userInfo = $registeredUser
     }
 }

 $report.Device

But it sometimes does not line up with what is shown through the GUI.

azure-active-directory

jLight answered · 0 votes

Here you go:

 Get-MsolDevice -All -ReturnRegisteredOwners | Where-Object {$_.RegisteredOwners.Count -gt 0}|Select DisplayName,DeviceOsType,DeviceTrustType,RegisteredOwners


https://support.office.com/en-us/article/get-details-about-devices-managed-by-mobile-device-management-mdm-for-office-365-5602963c-a1f2-4c21-afb9-f66cd7dca1f0

If you still can't find what you are looking for, then it might be time to mess with Graph API

https://smsagent.blog/2018/10/22/querying-for-devices-in-azure-ad-and-intune-with-powershell-and-microsoft-graph/

That is what I thought and ended up doing. Thanks for the time and help!


saurabhsh-msft answered · 0 votes

You can check the IsManaged property of the Get-AzureADDevice cmdlet result. If the value of the IsManaged property is True then the device is enrolled, and if it is False then the device is not enrolled. You can also check Get-MsolDevice for the same.


If that is the case then why do I see this:

https://imgur.com/a/5rpItYG


jLight answered · 0 votes

 Get-AzureADDevice -All $true | Select-Object DisplayName, IsManaged


If that is the case then why do I see this:

https://imgur.com/a/5rpItYG


AxelCzuck-8461 answered · 0 votes

The isManaged attribute is not very reliable.
What I found out:

isManaged False -> no corresponding device in Intune

isManaged True -> device MAY exist in Intune

isManaged $null -> no corresponding device in Intune


Just to outline my assumption with the isManaged True:

$devices = Get-AzureADDevice -All $true | Where-Object {$_.isManaged -eq $true}
$devices.Count --> nearly 35k devices

(Get-IntuneManagedDevice | Get-MSGraphAllPages).count --> 6300 devices

Can anyone explain?


Could it be the case that many of the Azure AD devices which have isManaged -eq $true are stale devices?

So we may have 1 Intune device matching e.g. 5 Azure AD devices? And four of those 5 are stale devices, but all of those four have isManaged -eq $true?
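The following is an added example (not code from any of the posters above) that tests the hypothesis in AxelCzuck-8461's answer and follow-up comments: it joins the Azure AD device list against Intune's managed-device inventory on the Azure AD DeviceId and separates "IsManaged but absent from Intune" records into stale and recently active ones. It assumes the AzureAD and Microsoft.Graph.Intune modules are loaded and that Connect-AzureAD and Connect-MSGraph have already been run; the function name Get-MdmEnrollmentReport, the 90-day staleness threshold and the CSV path are choices made for this example, not values from the thread.

```powershell
# Added example: reconcile Azure AD's IsManaged flag with Intune's managed-device list.
# Assumes: AzureAD and Microsoft.Graph.Intune modules, Connect-AzureAD and Connect-MSGraph done.
function Get-MdmEnrollmentReport {
    param(
        # Assumed threshold: a device with no Azure AD sign-in activity this long is treated as stale.
        [int]$StaleAfterDays = 90
    )

    # Azure AD view: every device object, including the ones Azure AD flags as managed.
    $aadDevices = Get-AzureADDevice -All $true

    # Intune view: only devices with an actual MDM record. Get-MSGraphAllPages follows
    # @odata.nextLink so the result is not limited to the first page.
    $intuneDevices = Get-IntuneManagedDevice | Get-MSGraphAllPages

    # Index Intune records by the Azure AD DeviceId they report (DeviceId, not ObjectId).
    $intuneByAadId = @{}
    foreach ($d in $intuneDevices) {
        if ($d.azureADDeviceId) { $intuneByAadId[$d.azureADDeviceId] = $d }
    }

    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)

    foreach ($dev in $aadDevices) {
        $intune    = $intuneByAadId[$dev.DeviceId]
        $lastLogon = $dev.ApproximateLastLogonTimeStamp
        $inIntune  = [bool]$intune

        $intuneLastSync  = $null
        $managementAgent = $null
        if ($inIntune) {
            $intuneLastSync  = $intune.lastSyncDateTime
            $managementAgent = $intune.managementAgent
        }

        [PSCustomObject]@{
            DisplayName           = $dev.DisplayName
            AadDeviceId           = $dev.DeviceId
            IsManaged             = $dev.IsManaged
            IsCompliant           = $dev.IsCompliant
            LastLogonAad          = $lastLogon
            InIntune              = $inIntune
            IntuneLastSync        = $intuneLastSync
            ManagementAgent       = $managementAgent
            # Azure AD says "managed" but Intune has no record: the case described in the answer above.
            ManagedButNotInIntune = ($dev.IsManaged -eq $true -and -not $inIntune)
            # Stale: no Azure AD sign-in activity within the threshold (or no timestamp at all).
            Stale                 = ($null -eq $lastLogon -or $lastLogon -lt $cutoff)
        }
    }
}

$report = Get-MdmEnrollmentReport -StaleAfterDays 90

# Headline numbers behind a "35k IsManaged vs 6.3k in Intune" style discrepancy.
"Azure AD IsManaged=True           : {0}" -f @($report | Where-Object { $_.IsManaged -eq $true }).Count
"Present in Intune                 : {0}" -f @($report | Where-Object { $_.InIntune }).Count
"Managed but not in Intune, stale  : {0}" -f @($report | Where-Object { $_.ManagedButNotInIntune -and $_.Stale }).Count
"Managed but not in Intune, active : {0}" -f @($report | Where-Object { $_.ManagedButNotInIntune -and -not $_.Stale }).Count

# The records worth investigating: still signing in, flagged managed, but nothing enrolled them.
$report | Where-Object { $_.ManagedButNotInIntune -and -not $_.Stale } |
    Select-Object DisplayName, AadDeviceId, LastLogonAad, IsCompliant |
    Export-Csv -Path .\managed-not-in-intune.csv -NoTypeInformation
```

If the "stale" bucket absorbs most of the gap, the stale-device explanation from the last comment holds and those Azure AD objects are candidates for cleanup. Any device that lands in the "active" bucket deserves a closer look, since IsManaged alone is being treated as evidence of MDM control that Intune cannot confirm; for access decisions, IsCompliant (which Intune sets after evaluating the device) is the more meaningful signal than IsManaged.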