Change device ownership in Microsoft Intune standalone using Microsoft Graph API and PowerShell

Introduction

When devices are enrolled into Microsoft Intune through the Company Portal, they end up enrolled as personally owned. This can be changed manually for each device in the Intune portal after enrollment. Making sure that all devices are company owned refines management and identification, and lets Intune perform additional management tasks that are only available for corporate devices. For additional security, you can also configure device restrictions to block enrollment of devices that are not company owned.

But what if we don't like doing things manually and have hundreds or thousands of devices? Automation through Microsoft Graph API and PowerShell to the rescue.

Requirements

  • All of this is done with inspiration from the publicly available Microsoft Graph API PowerShell script samples on GitHub: https://github.com/microsoftgraph/powershell-intune-samples. I suggest that you head over there and dig into the scripts as a first step in this journey.
  • Running anything automated (or manually, for that matter) requires an account with proper permissions: either a Global Admin, or a service account with delegated permissions. For more information on setting up a service account with proper permissions, see this post: https://blogs.technet.microsoft.com/smeems/2017/12/18/automate-dep-assignment/#delegate
  • If you really want this to run unattended, you also need a way to authenticate without a prompt. In the script below, the following PowerShell snippet was used to create a credentials.txt file, used together with a service account (SA) that has the required permissions:

  • The script itself requires the Azure AD PowerShell module. Run Install-Module AzureAD from an elevated PowerShell prompt on the computer running the script.
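The following is an added example, not the snippet from the post or the sample repository: it shows one way to write the credential file as a DPAPI-protected SecureString and to read it back into a PSCredential at run time, with the failure mode a practitioner hits most often (the file was written by another account or machine, or contains clear text) surfaced as a clear error. The file path, user name and function names are hypothetical.

```powershell
# Added example, not the post's own snippet: write a DPAPI-protected password file
# once (interactively), then rebuild a PSCredential from it at run time.
# File path, user name and function names are hypothetical placeholders.

$CredFile = 'C:\Scripts\credentials.txt'

function New-ProtectedPasswordFile {
    param([Parameter(Mandatory)][string]$Path)
    # -AsSecureString keeps the clear-text password out of a plain string variable.
    $secure = Read-Host -Prompt 'Enter the service account password' -AsSecureString
    # Without -Key, ConvertFrom-SecureString protects the string with DPAPI,
    # so only this Windows account on this machine can decrypt the file.
    $secure | ConvertFrom-SecureString | Out-File -FilePath $Path
}

function Get-ServiceAccountCredential {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Path
    )
    if (-not (Test-Path -Path $Path)) { throw "Credential file '$Path' not found." }
    try {
        $secure = Get-Content -Path $Path | ConvertTo-SecureString
    } catch {
        # A clear-text file, or one written under a different account or machine,
        # fails here; clear text gives "Input string was not in a correct format".
        throw "Cannot decrypt '$Path' as $env:USERNAME on $env:COMPUTERNAME. Regenerate it under the account that runs the script. ($($_.Exception.Message))"
    }
    return New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $secure
}

# One-time setup, run interactively as the account the script (or scheduled task) will run as:
#   New-ProtectedPasswordFile -Path $CredFile
# At run time, from that same account:
#   $cred = Get-ServiceAccountCredential -User 'svc-intune@contoso.onmicrosoft.com' -Path $CredFile
#   $cred.UserName and $cred.Password can then be handed to the script's authentication step.
```

Because DPAPI binds the file to the user profile and machine, the file is useless if copied elsewhere, which is the intended protection; it also means the scheduled task must run as the account that generated the file, which is the cause of the "Access Token is null" reports in the comments below.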

How to

The following is the ManagedDevices_DeviceOwnership_Set.ps1 script from the aforementioned GitHub repository with my own modifications. The original script has no built-in authentication and requires confirmation before any action. Both are changed in my edition, and I have added a piece that finds all personally owned devices in your tenant and changes their owner type. The other parts of the script are not my doing.

Copy the script below into PowerShell ISE and update the authentication region with your own service account and credential file location. To fully automate this, it can be run from a scheduled task, but I'm not covering that part here.

Running the script

As mentioned, I've removed the requirement for confirmation before any action (so that it can run unattended), so be careful when running the script. It will change the owner type on ALL personal devices and write the output to the screen. I recommend testing it on a few devices before running it against the whole tenant.

You can limit the result to a few test devices by changing the following line:

to something like this (limiting on the device name):

You can of course also use the same script to change the owner type back to personal if required. In that case, change the last part of the script to:

The entire script runs against the beta API, as the v1.0 API does not include the owner type data.
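As an added example that is not part of the post or the sample repository, the following reproduces the pattern described above (list personally owned devices from the beta endpoint, scope a pilot by device name, then PATCH the owner type either way) with two things the post's unattended edition removed: paging through all results via @odata.nextLink, and a -WhatIf dry run so a pilot shows what would change without touching anything. It assumes $authToken is the header hashtable returned by the sample's Get-AuthToken, that the $filter on managedDeviceOwnerType is accepted by the beta endpoint, and that ownerType is the property the PATCH body sets; the function names and the TEST- prefix are hypothetical.

```powershell
# Added example, not code from the post or the microsoftgraph sample repository.
# Assumes $authToken is the Authorization header hashtable from the sample's Get-AuthToken.

function Get-PersonalManagedDevice {
    param(
        [Parameter(Mandatory)][hashtable]$AuthToken,
        [string]$NamePrefix = ''   # e.g. 'TEST-' to scope a pilot run; '' means all devices
    )
    # beta is used because, when this was written, v1.0 did not expose the owner type.
    $uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices?`$filter=managedDeviceOwnerType eq 'personal'"
    $devices = @()
    while ($uri) {
        $page = Invoke-RestMethod -Uri $uri -Headers $AuthToken -Method Get
        $devices += $page.value
        $uri = $page.'@odata.nextLink'   # Graph pages large result sets; follow until exhausted
    }
    # Client-side guard in case the server-side filter is ignored, plus the pilot scope.
    $devices = $devices | Where-Object { $_.managedDeviceOwnerType -eq 'personal' }
    if ($NamePrefix) {
        $devices = $devices | Where-Object { $_.deviceName -like "$NamePrefix*" }
    }
    return $devices
}

function Set-ManagedDeviceOwnerType {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][hashtable]$AuthToken,
        [Parameter(Mandatory, ValueFromPipeline)]$Device,
        [ValidateSet('company', 'personal')][string]$OwnerType = 'company'
    )
    process {
        $uri  = "https://graph.microsoft.com/beta/deviceManagement/managedDevices('$($Device.id)')"
        $body = @{ ownerType = $OwnerType } | ConvertTo-Json
        # ShouldProcess gives -WhatIf for free and prompts unless -Confirm:$false is passed,
        # so an unattended run has to opt out of confirmation explicitly.
        if ($PSCmdlet.ShouldProcess("$($Device.deviceName) ($($Device.id))", "Set ownerType to $OwnerType")) {
            Invoke-RestMethod -Uri $uri -Headers $AuthToken -Method Patch -Body $body -ContentType 'application/json'
            Write-Host "$($Device.deviceName): ownerType -> $OwnerType"
        }
    }
}

# Pilot: list what would change for devices named TEST-*, without changing anything.
Get-PersonalManagedDevice -AuthToken $authToken -NamePrefix 'TEST-' |
    Set-ManagedDeviceOwnerType -AuthToken $authToken -OwnerType company -WhatIf

# Unattended full run, once the pilot output looks right:
#   Get-PersonalManagedDevice -AuthToken $authToken |
#       Set-ManagedDeviceOwnerType -AuthToken $authToken -OwnerType company -Confirm:$false
# Reverting is the same call with -OwnerType personal against the devices you want to flip back.
```

Keeping the Write-Host line gives the same on-screen record the post describes; if the run is scheduled, redirect that output to a log so there is a record of which device ids were changed and when.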

Hope this was helpful 🙂

Resources

https://github.com/microsoftgraph/powershell-intune-samples
https://blogs.technet.microsoft.com/smeems/2018/03/07/device-cleanup-with-graph-api/

8 thoughts on "Change device ownership in Microsoft Intune standalone using Microsoft Graph API and PowerShell"

  1. Authorization Access Token is null, please re-run authentication…

    $password = read-host -prompt "Enter your Password"
    write-host "$password is password"
    $secure = ConvertTo-SecureString $password -force -asPlainText
    $bytes = ConvertFrom-SecureString $secure
    $bytes | out-file .\creds.txt

    I have then set the script to use creds.txt in c:\scripts

    I have tried numerous encrypted txt file options which work with other scripts

    Any idea?

    • The account generating the creds.txt file is also the one required to run the actual script. It's unique in that way. So be aware of switching accounts in that regard. Thanks 🙂

  2. In this script

    $Password = "C:\Scripts\creds.txt"
    get-content $password | convertto-securestring
    Get-AuthToken -User $User -Password "$Password"

    So for me to get $password which is the content of the file:

    $File = "c:\scripts\creds.txt"
    $Password = "password" | ConvertTo-SecureString -AsPlainText -Force
    $Password | ConvertFrom-SecureString | Out-File $File

    Authorization Access Token is null, please re-run authentication…

    Does this script work??

    • The script works just fine; I tested it as recently as today. 🙂

      The script has to be run as the account that created the credential file.

  3. Hi Martin,

    I put in my user and password like this:

    #region Authentication

    #update info with service account and credential.txt file location
    $User = "scurtis@blahblah.onmicrosoft.com"
    $Password = "D:\Files\credentials.txt" #example - can be stored anywhere on the PC

    Then I have only my password in plain text in the text file.

    I’m getting:
    Checking for AzureAD module…
    Input string was not in a correct format.

    Am I doing something wrong?

    • Hi Shane, you are not supposed to put your password in clear text, but rather generate the credentials.txt file through the PowerShell command I provided in the post. The PowerShell command will prompt you for the password and then generate the .txt file as a SecureString. 🙂
