Is there a way to pull a list of users from AAD with certain criteria, i.e. no devices attached to their account?

Jesse Wright 6 Reputation points
2019-10-31T14:08:31.567+00:00

Here's the situation to better explain my question:
We have a situation where somehow (probably an ex-employee on their departure) a chunk of our users' licenses for Intune were removed from their accounts. Therefore, their computers were removed from Intune and, for some reason, AAD altogether. Although, on the computer side, they are still doing everything like nothing had happened.
We are trying to pull a list of users who no longer have a device tied to them in AAD, as that would be an easier place to start checking names off a list of who should have one listed but doesn't, and as a by-product give us the list of people whose license has been removed. Saving us the time of manually going through the entire company of users to check individually.
BUT I am also fully open to any other means of finding this information if anyone knows of a better source than AAD to do so. Thanks in advance!

Microsoft Entra

1 answer

  1. KAREDD-MSFT 406 Reputation points Microsoft Employee
    2019-10-31T15:07:02.83+00:00

    Hi,

    There are two ways you can do this.

    A. Using device logic:

    1) Dump all users into a CSV: Get-AzureADUser -All $true

    2) Dump all devices along with properties into a CSV and use the device owner attribute to check against the all users list

    This is complicated and might not be the easiest way.

    B. Use licenses:

    Azure AD has license SKUs which have all the service plans like Intune, Exchange Online, Azure AD Premium, etc. defined. So you can directly fetch users who have a specific SKU assigned and check which service plan they have enabled against them.

    List of all services: https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-service-plan-reference

    You can use PowerShell to do this directly.
    Ref: https://learn.microsoft.com/en-us/office365/enterprise/powershell/view-account-license-and-service-details-with-office-365-powershell

    You can also use Azure AD dynamic groups, which have a property called assigned plans to filter the users. This will automatically create a group of all the people with/without an Intune license as per the logic you provide.

    Ref: https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#multi-value-properties

    Hope this helps.
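
Approaches A and B from the answer above combined into a single check, as an added example (not code from the answer or from Microsoft): it joins users against device owners and reports anyone missing an owned device or an enabled Intune plan. The function name `Get-UserDeviceGap` and the `OwnerObjectId` column are hypothetical, the sample accounts are constructed, and `SCO` is the Intune service name used in the dynamic-membership documentation linked in the answer.

```powershell
# Added example: flag users with no owned device or no enabled Intune plan.
function Get-UserDeviceGap {
    param(
        [Parameter(Mandatory)] [object[]] $Users,      # UserPrincipalName, ObjectId, AssignedPlans
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Devices,  # DisplayName, OwnerObjectId
        [string] $IntuneService = 'SCO'                # Intune service name in assignedPlans
    )
    # Index owner IDs once so each user lookup is a set membership test.
    $owners = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($d in $Devices) {
        if ($d.OwnerObjectId) { [void]$owners.Add([string]$d.OwnerObjectId) }
    }
    foreach ($u in $Users) {
        # A plan only counts when its CapabilityStatus is Enabled.
        $hasIntune = [bool]($u.AssignedPlans | Where-Object {
            $_.Service -eq $IntuneService -and $_.CapabilityStatus -eq 'Enabled' })
        $hasDevice = $owners.Contains([string]$u.ObjectId)
        if (-not ($hasDevice -and $hasIntune)) {
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                HasDevice         = $hasDevice
                HasIntunePlan     = $hasIntune
            }
        }
    }
}

# Constructed sample data (placeholder accounts and IDs, not from a real tenant).
$sco = [pscustomobject]@{ Service = 'SCO'; CapabilityStatus = 'Enabled' }
$exo = [pscustomobject]@{ Service = 'exchange'; CapabilityStatus = 'Enabled' }
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; ObjectId = 'id-alice'; AssignedPlans = @($sco, $exo) }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com';   ObjectId = 'id-bob';   AssignedPlans = @($exo) }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.com'; ObjectId = 'id-carol'; AssignedPlans = @($sco) }
)
$devices = @(
    [pscustomobject]@{ DisplayName = 'LAPTOP-A'; OwnerObjectId = 'ID-ALICE' }
)

# Run the check over the sample data.
Get-UserDeviceGap -Users $users -Devices $devices | Format-Table -AutoSize

# Live tenant input (AzureAD module, after Connect-AzureAD):
#   $users   = Get-AzureADUser -All $true
#   $devices = Get-AzureADDevice -All $true | ForEach-Object {
#       $d = $_; Get-AzureADDeviceRegisteredOwner -ObjectId $d.ObjectId |
#           ForEach-Object { [pscustomobject]@{ DisplayName = $d.DisplayName; OwnerObjectId = $_.ObjectId } } }
```

Rows with `HasIntunePlan` false point at the removed licenses; rows where the plan is present but `HasDevice` is false point at machines that dropped out of the directory and need re-enrollment.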