Change device ownership in Microsoft Intune standalone using Microsoft Graph API and Powershell

Introduction

When enrolling devices into Microsoft Intune using the Company Portal, the devices end up enrolled as personally owned. This can be changed manually for each device directly in the Intune portal after enrollment. Making sure that all devices are company owned refines management and identification, and enables Intune to perform additional management tasks. For additional security, you can also configure device restrictions to block enrollment of devices that are not company owned.

But what if we don’t like to do stuff manually and have hundreds or thousands of devices? Automation through the Microsoft Graph API and PowerShell to the rescue.

Requirements

  • All of this is done with inspiration from the publicly available Microsoft Graph API PowerShell script samples on GitHub: https://github.com/microsoftgraph/powershell-intune-samples. I suggest that you head over there and dig into the scripts as a first step in this journey.
  • Running anything automated (or manually, for that matter) requires an account with proper permissions: a service account with delegated permissions (if not done through a Global Admin). For more information on setting up a service account with proper permissions, see this post: https://blogs.technet.microsoft.com/smeems/2017/12/18/automate-dep-assignment/#delegate
  • If you really want to automate this to run unattended, you also need some method of authentication. In the script below, the following PowerShell snippet was used to create a credentials.txt file, used in combination with a service account (SA) with the required permissions:

  • The script itself requires the Azure AD PowerShell module. Run Install-Module AzureAD from an elevated PowerShell prompt on the computer running the script.
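As an added example, not the snippet from the post, this is one way to produce such a credentials.txt and read it back into a credential object; the path and the user name are assumptions. ConvertFrom-SecureString without a -Key protects the string with DPAPI, which is why the file can only be decrypted by the same Windows account on the same machine that created it.

```powershell
# Added example (not the post's own snippet). Creates a DPAPI-protected credential file
# and reads it back into a PSCredential. $User and $File are assumed values.
$User = 'svc-intune@contoso.onmicrosoft.com'   # assumed service-account UPN
$File = 'C:\Scripts\credentials.txt'            # assumed location of the credential file

function New-CredentialFile {
    param([Parameter(Mandatory)][string]$Path)
    # Read the password as a SecureString so it never appears on screen or in history
    $secure = Read-Host -Prompt 'Enter the service account password' -AsSecureString
    # Without -Key, ConvertFrom-SecureString uses DPAPI: the output can only be
    # decrypted by the same Windows user on the same machine, so the script must
    # later run under exactly the account (and computer) that created this file.
    $secure | ConvertFrom-SecureString | Out-File -FilePath $Path
    # Defence in depth: restrict the file's ACL to the creating user only
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-CredentialFromFile {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$UserName)
    try {
        $secure = Get-Content -Path $Path | Select-Object -First 1 | ConvertTo-SecureString -ErrorAction Stop
    } catch {
        # "Key not valid for use in specified state": file was made by another user or machine.
        # "Input string was not in a correct format": file holds clear text instead of the
        # ConvertFrom-SecureString output (the mistake described in one of the comments).
        throw "Cannot decrypt '$Path' as $env:USERDOMAIN\$env:USERNAME. $($_.Exception.Message)"
    }
    return New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

if (-not (Test-Path -Path $File)) { New-CredentialFile -Path $File }
$cred = Get-CredentialFromFile -Path $File -UserName $User
# $cred.UserName and $cred.GetNetworkCredential().Password can then be handed to the
# samples' Get-AuthToken in place of clear-text values
```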

How to

The following is the ManagedDevices_DeviceOwnership_Set.ps1 script from the aforementioned GitHub page with my own modifications. The original script does not have built-in authentication and also requires confirmation prior to any action. Both are changed in my edition, and I have included a piece that finds all personally owned devices in your tenant and changes the ownertype. The other parts of the script are not my doing.

Copy the script below into PowerShell ISE and update the authentication region with your own service account / credentials. To fully automate this, the script can be run through a scheduled task, but I’m not covering that part here.

Running the script

As mentioned, I’ve removed the requirement for confirmation prior to any action (to be able to run this unattended), so be careful when running the script. It will change the ownertype on ALL personal devices and write the output to the screen. I recommend that you test it on a few devices before running it full-blown.

You can limit the result to a few test devices by changing the following line:

to something like the following (limiting on the device name):

You can of course also use the same script to change the ownertype back to personal if required. In that case, change the last part of the script to:

The entire script runs against the beta API, as the v1.0 API doesn’t have the ownertype data included.
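As an added example (not the post's modified script, nor the GitHub sample), here is the core of the procedure described above in a form that covers both variations from this section: a wildcard to limit the run to a few test devices, and an -OwnerType switch to change devices back to personal. It assumes $authToken is the header hashtable returned by the samples' Get-AuthToken and that the PATCH body uses the managedDeviceOwnerType property; -WhatIf lists what would change without calling the API.

```powershell
# Added example, not the script from the post. Assumes $authToken is the header
# hashtable produced by the samples' Get-AuthToken (@{ Authorization = 'Bearer ...' }).
$graphApiVersion = 'beta'   # the post notes that v1.0 did not expose the owner type
$baseUri = "https://graph.microsoft.com/$graphApiVersion/deviceManagement/managedDevices"

function Get-PersonalManagedDevices {
    # Optional wildcard (e.g. 'TEST-*') to limit the result to a few test devices
    param([string]$DeviceNameLike)
    $odataFilter = "managedDeviceOwnerType eq 'personal'"
    # The backtick escapes $filter so PowerShell does not expand it as a variable
    $uri = "$($baseUri)?`$filter=$odataFilter"
    $devices = @()
    do {
        # Graph pages its results: follow @odata.nextLink until there is none
        $page = Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get
        $devices += $page.value
        $uri = $page.'@odata.nextLink'
    } while ($uri)
    if ($DeviceNameLike) {
        $devices = @($devices | Where-Object { $_.deviceName -like $DeviceNameLike })
    }
    return $devices
}

function Set-ManagedDeviceOwnerType {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Device,
        [ValidateSet('company', 'personal')] [string]$OwnerType = 'company'
    )
    process {
        # With -WhatIf, ShouldProcess only reports the device and no PATCH is sent
        $target = "$($Device.deviceName) ($($Device.id))"
        if ($PSCmdlet.ShouldProcess($target, "set managedDeviceOwnerType=$OwnerType")) {
            $body = @{ managedDeviceOwnerType = $OwnerType } | ConvertTo-Json
            Invoke-RestMethod -Uri "$baseUri/$($Device.id)" -Headers $authToken `
                -Method Patch -Body $body -ContentType 'application/json' | Out-Null
            "$($Device.deviceName): $($Device.managedDeviceOwnerType) -> $OwnerType"
        }
    }
}

# Dry run on a test subset first, then the real change; -OwnerType personal reverts it
Get-PersonalManagedDevices -DeviceNameLike 'TEST-*' | Set-ManagedDeviceOwnerType -WhatIf
Get-PersonalManagedDevices -DeviceNameLike 'TEST-*' | Set-ManagedDeviceOwnerType
```

Dropping -DeviceNameLike processes every personally owned device in the tenant, which is the unattended behaviour the post warns about.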

Hope this was helpful 🙂

Resources

https://github.com/microsoftgraph/powershell-intune-samples
https://blogs.technet.microsoft.com/smeems/2018/03/07/device-cleanup-with-graph-api/

18 thoughts on “Change device ownership in Microsoft Intune standalone using Microsoft Graph API and Powershell”

  1. Authorization Access Token is null, please re-run authentication…

    $password = Read-Host -Prompt "Enter your Password"
    Write-Host "$password is password"
    $secure = ConvertTo-SecureString $password -Force -AsPlainText
    $bytes = ConvertFrom-SecureString $secure
    $bytes | Out-File .\creds.txt

    I have then set the script to use creds.txt in c:\scripts

    I have tried numerous encrypted txt file options which work with other scripts

    Any idea?

    • The account generating the creds.txt file is also the one required to run the actual script. It’s unique in that way. So be aware of switching accounts in that regard. Thanks 🙂

  2. In this script

    $Password = "C:\Scripts\creds.txt"
    Get-Content $Password | ConvertTo-SecureString
    Get-AuthToken -User $User -Password "$Password"

    So for me to get $password which is the content of the file:

    $File = "c:\scripts\creds.txt"
    $Password = "password" | ConvertTo-SecureString -AsPlainText -Force
    $Password | ConvertFrom-SecureString | Out-File $File

    Authorization Access Token is null, please re-run authentication…

    Does this script work??

    • The script works just fine – I tested it as recently as today. 🙂

      The script has to be run as the account that created the credential file.

  3. Hi Martin,

    I put in my user and password like this:

    #region Authentication

    # update info with service account and credential.txt file location
    $User = "scurtis@blahblah.onmicrosoft.com"
    $Password = "D:\Files\credentials.txt" # example - can be stored anywhere on the PC

    Then I have only my password in plain text in the text file.

    I’m getting:
    Checking for AzureAD module…
    Input string was not in a correct format.

    Am I doing something wrong?

    • Hi Shane, you are not supposed to put in your password in clear text, but rather generate the credentials.txt file through the powershell command I provided in the post. The powershell command will prompt you for the password and then generate the .txt file as a securestring. 🙂

  4. Hi Martin,

    First of all, thanks for this great work. I am trying the script but get the following error:

    Authorization Access token is null, please re-run authentication…

    I am using the same account that has created the credentials.txt file to run the script. So I don’t understand what is happening.

    Any feedback would be highly appreciated

  5. I’m getting in late here. Is there an attribute for Category I can query against? So something like where $._category=”Company Owned” to select the devices and change those to Company ownership?

  6. We would like to change the owner (user) only for Microsoft Intune (MDM) registered devices (not hybrid or other types).
    How can we do this? I tried several ways, but nothing worked. Probably it’s not yet possible.

    • Francesco,

      Just add an "and" statement to the URI line:
      # the backtick escapes $filter so PowerShell does not expand it as a variable
      $uri = "https://graph.microsoft.com/$graphApiVersion/$Resource?`$filter=managedDeviceOwnerType eq 'personal' and managementAgent eq 'mdm'"

  7. Just wanted to drop a note. Your code is good, but if you haven’t granted approval for the Graph API in your tenant then the authentication fails, which I think is what others were seeing when they ran it.

    I have taken your auth bit and modified the rest of the code so that it only gets devices from users in a specific AzureAD group. Overall a VERY helpful bit of code. Thank you!
