JesseWright-8800 asked ·

Is there a way to pull a list of users from AAD with certain criteria, i.e. no devices attached to their account?

Here's the situation to better explain my question:
We have a situation where somehow (probably an ex-employee on their departure) a chunk of our users' licenses for Intune were removed from their accounts. Therefore, their computers were removed from Intune and, for some reason, AAD altogether. Although, on the computer side, they are still doing everything like nothing had happened.
We are trying to pull a list of users who no longer have a device tied to them in AAD, as that would be an easier place to start checking names off a list of who should have one listed but doesn't, and as a by-product give us the list of people whose license has been removed, saving us the time of manually going through the entire company of users to check individually.
BUT I am also fully open to any other means of finding this information if anyone knows of a better source than AAD to do so. Thanks in advance!

azure-active-directory

1 Answer

KAREDD-MSFT answered ·

Hi,

There are two ways you can do this.

A. Using device logic:

1) Dump all users into a CSV: Get-AzureADUser -All $true

2) Dump all devices along with properties into a CSV and use the device owner attribute to check against the all users list

This is complicated and might not be the easiest way.

B. Use licenses:

Azure AD has license SKUs which have all the service plans like Intune, Exchange Online, Azure AD Premium, etc. defined. So you can directly fetch users who have a specific SKU assigned and check which service plan they have enabled against them.

List of all services: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-service-plan-reference

You can use PowerShell to do this directly.
Ref: https://docs.microsoft.com/en-us/office365/enterprise/powershell/view-account-license-and-service-details-with-office-365-powershell

You can also use Azure AD dynamic groups, which have a property called assigned plans to filter the users. This will automatically create a group of all the people with/without an Intune license as per the logic you provide.

Ref: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#multi-value-properties

Hope this helps.

1 comment

Will give it a go. Thanks!

0 Votes 0 · ·
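
The two approaches from the answer above can be combined into one report of users who have no device object, no enabled Intune plan, or neither. This is an added example, not code from the answer or from Microsoft: `Get-UserDeviceGap` and `New-SampleUser` are hypothetical helpers, the service name `SCO` for Intune is an assumption to confirm against the service plan reference linked above, and the sample users are constructed.

```powershell
# Added example. Get-UserDeviceGap is a hypothetical helper, not a module cmdlet.
function Get-UserDeviceGap {
    param(
        [Parameter(Mandatory)] [object[]] $Users,   # e.g. Get-AzureADUser -All $true
        [Parameter(Mandatory)] [AllowEmptyCollection()]
        [string[]] $OwnerIds,                       # ObjectIds of users owning a device
        [string] $Service = 'SCO'                   # assumption: Intune service name
    )
    $owners = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$OwnerIds, [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($u in $Users) {
        # A plan counts only when it belongs to the service and is still enabled.
        $hasPlan = [bool]($u.AssignedPlans | Where-Object {
            $_.Service -eq $Service -and $_.CapabilityStatus -eq 'Enabled' })
        $hasDevice = $owners.Contains([string]$u.ObjectId)
        if (-not $hasDevice -or -not $hasPlan) {
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                HasDevice         = $hasDevice
                HasIntunePlan     = $hasPlan
            }
        }
    }
}

# Live tenant (after Connect-AzureAD), kept as comments so the sample runs offline:
#   $users    = Get-AzureADUser -All $true
#   $ownerIds = @(Get-AzureADDevice -All $true | ForEach-Object {
#       (Get-AzureADDeviceRegisteredOwner -ObjectId $_.ObjectId).ObjectId })
#   Get-UserDeviceGap -Users $users -OwnerIds $ownerIds |
#       Export-Csv .\device-gap.csv -NoTypeInformation

# Constructed sample data mirroring the ObjectId / AssignedPlans properties.
function New-SampleUser($Id, $Upn, $Status) {
    [pscustomobject]@{
        ObjectId          = $Id
        UserPrincipalName = $Upn
        AssignedPlans     = @([pscustomobject]@{ Service = 'SCO'; CapabilityStatus = $Status })
    }
}
$sampleUsers = @(
    New-SampleUser 'id-alice' 'alice@contoso.example' 'Enabled'
    New-SampleUser 'id-bob'   'bob@contoso.example'   'Deleted'
    New-SampleUser 'id-carol' 'carol@contoso.example' 'Enabled'
)
# Only alice still owns a device object in the directory.
Get-UserDeviceGap -Users $sampleUsers -OwnerIds @('id-alice') | Format-Table
```

Rows with HasDevice false but HasIntunePlan true are users whose device record is missing for a reason other than the license removal, so they are worth reviewing separately.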