Export Intune devices NOT enrolled in any Group Memberships

Joe Calabria 41 Reputation points
2024-02-26T18:40:49.0566667+00:00

Looking for a PS script to export devices that are not associated with a Group Membership using MgGraph. It's easy enough to select a device in Intune, then select Group membership and see what groups it's in, but finding devices where Group membership = <null> is not.


Accepted answer
  1. Crystal-MSFT 49,426 Reputation points Microsoft Vendor
    2024-02-27T02:43:07.7+00:00

    @Joe Calabria, Thanks for posting in Q&A. From your description, I understand you want to get the devices whose group membership is null. If there's any misunderstanding, feel free to let us know.

    Based on my testing, we can use the following script to get the information:

    ## Requires the Microsoft.Graph.Intune module
    Install-Module -Name Microsoft.Graph.Intune
    Connect-MSGraph
    
    # Function (defined first so the loop at the bottom can call it)
    function Get-DeviceGroupMembership{
        [CmdletBinding(DefaultParameterSetName='Name')]
        Param(  
        [Parameter(Mandatory=$true,ParameterSetName='Name')]  
        [ValidateNotNullOrEmpty()]  
            [string]$DeviceName,
        [Parameter(Mandatory=$true,ParameterSetName='Id')]  
        [ValidateNotNullOrEmpty()] 
            [string]$AADDeviceId
        )
    
        $ProgressPreference = 'SilentlyContinue'
        # Only direct membership is queried below, so the transitive list stays empty
        $Groups = @()
        $TransitiveGroups = @()
        # Get a user token for MS Graph
        $GraphToken = Connect-MSGraph -PassThru
    
        # Find the object id
        If ($DeviceName)
        {
            # Double single quotes and URL-encode the name so it cannot break out of the OData filter
            $SafeName = [uri]::EscapeDataString($DeviceName.Replace("'", "''"))
            $URL = "https://graph.microsoft.com/v1.0/devices?`$filter=displayName eq '$SafeName'&`$select=id"
        }
        If ($AADDeviceId)
        {
            $URL = "https://graph.microsoft.com/v1.0/devices?`$filter=deviceId eq '$AADDeviceId'&`$select=id"
        }
        $Headers = @{'Authorization'="Bearer " + $GraphToken}
        $D_Response = Invoke-WebRequest -Uri $URL -Method GET -Headers $Headers -UseBasicParsing
        If ($D_Response.StatusCode -eq 200)
        {
            # Check for duplicates
            $DeviceId = ($D_Response.Content | ConvertFrom-Json).Value.id
            If ($DeviceId.Count -gt 1)
            {
                Write-Warning "Multiple devices found. Please pass a unique devicename or AAD device Id!"
                Return
            }
            else 
            {
                If ($DeviceId)
                {
                    # Get the group membership
                    $URL = "https://graph.microsoft.com/beta/devices/$DeviceId/memberOf?`$select=displayName,description,id,groupTypes,membershipRule,membershipRuleProcessingState"
                    $G_Response = Invoke-WebRequest -Uri $URL -Method GET -Headers $Headers -UseBasicParsing
                    If ($G_Response.StatusCode -eq 200)
                    {
                        $Groups = ($G_Response.Content | ConvertFrom-Json).Value 
                    }
                }
    
            }
        }
        else 
        {
            Return    
        }
    
        # If results found
        If ($Groups.Count -ge 1 -or $TransitiveGroups.Count -ge 1)
        {
            # Create a datatable to hold the groups
            $DataTable = [System.Data.DataTable]::New()
            $Columns = @()
            @(
                'Name'
                'Description'
                'Object Id'
                'Membership Type'
                'Direct or Transitive'
                'Membership Rule'
                'Membership Rule Processing State'
            ) | foreach {
                $Columns += [System.Data.DataColumn]::new("$_")
            }
            $DataTable.Columns.AddRange($Columns)
    
            # Add the groups
            foreach ($Group in $Groups)
            {
                If (($Group.groupTypes | Select -First 1) -eq "DynamicMembership")
                {$MembershipType = "Dynamic"}
                Else {$MembershipType = "Assigned"}
                [void]$DataTable.Rows.Add($Group.displayName,$Group.description,$Group.id,$MembershipType,"Direct",$Group.membershipRule,$Group.membershipRuleProcessingState)
            }
    
            # Add the transitive groups
            foreach ($TransitiveGroup in ($TransitiveGroups | where {$_.id -NotIn $Groups.id}))
            {
                If (($TransitiveGroup.groupTypes | Select -First 1) -eq "DynamicMembership")
                {$MembershipType = "Dynamic"}
                Else {$MembershipType = "Assigned"}
                [void]$DataTable.Rows.Add($TransitiveGroup.displayName,$TransitiveGroup.description,$TransitiveGroup.id,$MembershipType,"Transitive",$TransitiveGroup.membershipRule,$TransitiveGroup.membershipRuleProcessingState)
            }
    
            Return $DataTable
        }
    }
    
    ## Examples:
    # Get-MSGraphAllPages follows paging so that every managed device is listed
    $Devices = (Get-IntuneManagedDevice | Get-MSGraphAllPages).deviceName
    Write-Host "The device without any groupmembership:"
    Foreach ($Device in $Devices)
    {
        $GroupMembership = Get-DeviceGroupMembership -DeviceName $Device
    
        # The result is also empty when the name is ambiguous or no directory object matches it
        If ($null -eq $GroupMembership)
        {
            Write-Host $Device
        }
        # Devices that have a group membership are skipped and the loop moves on to the next one
    }
    
    

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
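
The script in the answer prints a device whenever the lookup returns nothing, which also happens when the display name is ambiguous or has no matching directory object. The following added example (not part of the original answer) uses the Microsoft Graph PowerShell SDK cmdlets the question asked about, matches on the Entra device ID rather than the display name, and records why each device is listed; the status labels and the CSV path are assumptions.

```powershell
# Added example, not the answer author's code. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All','Device.Read.All','GroupMember.Read.All'

# Index Entra ID device objects by deviceId (the GUID Intune stores as AzureAdDeviceId).
$entraById = @{}
Get-MgDevice -All -Property Id,DeviceId,DisplayName | ForEach-Object {
    if ($_.DeviceId) { $entraById[$_.DeviceId] = $_ }
}

$emptyGuid = [guid]::Empty.ToString()
$report = foreach ($md in Get-MgDeviceManagementManagedDevice -All) {
    $status     = 'NoGroups'        # hypothetical status labels
    $groupCount = 0
    $entra      = $null
    if (-not $md.AzureAdDeviceId -or $md.AzureAdDeviceId -eq $emptyGuid) {
        $status = 'NoEntraDeviceId'          # managed device was never registered in the directory
    }
    elseif (-not $entraById.ContainsKey($md.AzureAdDeviceId)) {
        $status = 'EntraObjectNotFound'      # stale Intune record or deleted directory object
    }
    else {
        $entra = $entraById[$md.AzureAdDeviceId]
        try {
            # memberOf also returns administrative units, so keep group objects only
            $groups = @(Get-MgDeviceMemberOf -DeviceId $entra.Id -All -ErrorAction Stop |
                Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' })
            $groupCount = $groups.Count
            if ($groupCount -gt 0) { $status = 'HasGroups' }
        }
        catch { $status = 'LookupFailed' }   # do not report a failed call as "no groups"
    }
    [pscustomobject]@{
        DeviceName      = $md.DeviceName
        IntuneDeviceId  = $md.Id
        AzureAdDeviceId = $md.AzureAdDeviceId
        EntraObjectId   = $entra.Id
        GroupCount      = $groupCount
        Status          = $status
    }
}

# Export everything that is not confirmed to be in a group, with the reason in the Status column
$report | Where-Object Status -ne 'HasGroups' |
    Export-Csv -Path .\IntuneDevicesWithoutGroups.csv -NoTypeInformation
```

Rows with a status other than `NoGroups` need a closer look before any policy or cleanup decision, because their membership could not be determined.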

1 additional answer

  1. Joe Calabria 41 Reputation points
    2024-02-28T16:21:29.75+00:00

    Thank you for clarifying and prompt assistance. Good result finding that all our Intune devices were found without any Group memberships.

