change AAD Joined windows 10 device ownership with Powershell

Arif Usman 421 Reputation points
2019-12-15T16:21:52.863+00:00

Folks,
I am in a situation where I need to get Intune up and running. My previous colleague joined every Windows 10 device to AAD with one UPN ID, so over 1000 computers have one ownership. When I tried to enroll Windows devices in Intune, the login user is different than the device owner.

Is there a way to change device ownership by UPN through PowerShell?

I know I can have the user go to Settings > Access or school, but this way it will require a local administrator account and a reboot, and it will remove the current user profile.

So, I am looking for automation...

Thanks in advance

Microsoft Entra ID

Accepted answer
  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2019-12-16T07:37:42.82+00:00

    @Arif Usman In order to change the device owner, you would need to first add another owner to the device and then remove the existing user. There is no single PowerShell command to change the owner. I am sharing the cmdlets below:

    1. Open PowerShell as Administrator and run Install-Module AzureADPreview. If you have this module installed already, you can skip this step.
    2. Log in to Azure AD with your Global Admin account by using the Connect-AzureAD cmdlet.
    3. Run Get-AzureADDevice -All $true | Where-Object {$_.DeviceTrustType -eq "AzureAd"} to get the object ID of all Azure AD joined devices in your tenant.
    4. Run Add-AzureADDeviceRegisteredOwner -ObjectId 94b0b212-xxxx-xxxx-xxxx-xxxxxxxxxxxx -RefObjectId 86757ad2-xxxx-xxxx-xxxx-xxxxxxxxxxxx. Here, -ObjectId specifies the object ID of the device and -RefObjectId specifies the object ID of the user you want to add as registered owner.
    5. Run Remove-AzureADDeviceRegisteredOwner -ObjectId 94b0b212-xxxx-xxxx-xxxx-xxxxxxxxxxxx -OwnerId 540b9c12-xxxx-xxxx-xxxx-xxxxxxxxxxxx. Here, -OwnerId specifies the object ID of the previous owner that you want to remove.
    6. To confirm the new registered owner, run Get-AzureADDeviceRegisteredOwner -ObjectId 94b0b212-xxxx-xxxx-xxxx-xxxxxxxxxxxx, or log in to the Azure portal and navigate to Azure AD > Devices > All devices.

    -----------------------------------------------------------------------------------------------------------

    Please "accept as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.

    3 people found this answer helpful.
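The add-then-remove procedure from the accepted answer, written as an added example (not code from the thread) for the Microsoft Graph PowerShell SDK, since the AzureAD and AzureADPreview modules the answer relies on have since been deprecated by Microsoft. It takes one or more device display names plus the old and new owner UPNs, refuses to act when a name does not resolve to exactly one device, adds the new owner before removing the old one so the device is never left ownerless, and supports -WhatIf so the change can be rehearsed over the whole fleet before it is applied. The script file name, the parameter names and the Graph permission scopes are assumptions I chose; the cmdlets (Connect-MgGraph, Get-MgUser, Get-MgDevice, Get-MgDeviceRegisteredOwner, New-MgDeviceRegisteredOwnerByRef, Remove-MgDeviceRegisteredOwnerByRef) are from the Microsoft.Graph module.

```powershell
# Set-EntraDeviceOwner.ps1 (hypothetical file name) -- added example, not from the original thread.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string[]] $DeviceDisplayName,   # one or more device display names
    [Parameter(Mandatory)] [string]   $OldOwnerUpn,         # the shared UPN used for the original join
    [Parameter(Mandatory)] [string]   $NewOwnerUpn          # the user who should own the device
)

# Least-privilege scopes (assumed sufficient): changing registered owners needs
# Device.ReadWrite.All; resolving users by UPN needs User.Read.All.
Connect-MgGraph -Scopes 'Device.ReadWrite.All', 'User.Read.All' -NoWelcome

# Resolve both users once up front; Get-MgUser accepts a UPN in -UserId and throws if it does not exist.
$oldUser = Get-MgUser -UserId $OldOwnerUpn -Property Id, UserPrincipalName
$newUser = Get-MgUser -UserId $NewOwnerUpn -Property Id, UserPrincipalName

foreach ($name in $DeviceDisplayName) {
    # Exact displayName filter; require a single match so a partial name never selects the wrong device.
    $devices = @(Get-MgDevice -Filter "displayName eq '$name'" -Property Id, DisplayName, TrustType)
    if ($devices.Count -ne 1) {
        Write-Warning "$name : expected exactly one device, found $($devices.Count); skipping"
        continue
    }
    $device = $devices[0]

    # Registered owners are returned as directoryObject references; the user's object ID is in .Id.
    $ownerIds = @(Get-MgDeviceRegisteredOwner -DeviceId $device.Id -All | ForEach-Object Id)

    # Step 1: add the new owner first. Skipping when already present makes the script safe to re-run.
    if ($ownerIds -contains $newUser.Id) {
        Write-Verbose "$name : $NewOwnerUpn is already a registered owner"
    }
    elseif ($PSCmdlet.ShouldProcess($name, "add registered owner $NewOwnerUpn")) {
        New-MgDeviceRegisteredOwnerByRef -DeviceId $device.Id -BodyParameter @{
            '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($newUser.Id)"
        }
    }

    # Step 2: only now remove the old owner, and only if it really is registered on this device.
    if ($ownerIds -contains $oldUser.Id) {
        if ($PSCmdlet.ShouldProcess($name, "remove registered owner $OldOwnerUpn")) {
            Remove-MgDeviceRegisteredOwnerByRef -DeviceId $device.Id -DirectoryObjectId $oldUser.Id
        }
    }
    else {
        Write-Verbose "$name : $OldOwnerUpn is not a registered owner; nothing to remove"
    }

    # Step 3: emit the final owner list so the change is recorded and can be audited.
    $finalOwners = Get-MgDeviceRegisteredOwner -DeviceId $device.Id -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
    [pscustomobject]@{ Device = $name; Owners = ($finalOwners -join ', ') }
}

# Usage (dry run first, then for real):
#   .\Set-EntraDeviceOwner.ps1 -DeviceDisplayName 'PC-001','PC-002' -OldOwnerUpn shared@contoso.example -NewOwnerUpn alice@contoso.example -WhatIf
#   .\Set-EntraDeviceOwner.ps1 -DeviceDisplayName 'PC-001','PC-002' -OldOwnerUpn shared@contoso.example -NewOwnerUpn alice@contoso.example
```

For the 1000-device case in the question, where each device needs a different new owner, drive the script from a CSV of device name and new owner UPN (Import-Csv and a foreach that calls the script once per row); running every row with -WhatIf first gives a reviewable list of exactly which owner references would be added and removed before anything changes in the tenant.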

1 additional answer

  1. Arif Usman 421 Reputation points
    2019-12-19T19:22:06.067+00:00

    I was able to remove the previous owner and register the new owner fine; my script is below... thanks for your help

    $Device_Object = 'pcwindows'
    $CurrentRegOwner = 'currentowner@Company portal .com'
    $NewRegOwner = 'newowner@Company portal .com'

    # Install the module (enable this on a new system)
    Install-Module AzureADPreview -AllowClobber

    # Connect to Azure AD
    Connect-AzureAD

    # Get the device object; -SearchString is a prefix match, so stop unless exactly one device matched
    $Device = Get-AzureADDevice -SearchString $Device_Object
    If (@($Device).Count -ne 1) {
        throw "Expected exactly one device matching '$Device_Object', found $(@($Device).Count)"
    }
    $Device
    $DeviceObjectID = $Device.ObjectId

    # Get the current owner's user object (-ObjectId accepts a UPN; throws if the user does not exist)
    $CurrentOwnerRefObjectId = Get-AzureADUser -ObjectId $CurrentRegOwner
    $CurrentOwnerRefObjectId

    # Get the new owner's user object
    $NewOwnerRefObjectId = Get-AzureADUser -ObjectId $NewRegOwner
    $NewOwnerRefObjectId

    # Get the device's current registered owners
    $GetRegCurrentOwner = Get-AzureADDeviceRegisteredOwner -ObjectId $Device.ObjectId

    # Add the new owner to the device, where
    #   -ObjectId    is the object ID of the device
    #   -RefObjectId is the object ID of the user to add as registered owner
    If ($GetRegCurrentOwner.UserPrincipalName -contains $NewOwnerRefObjectId.UserPrincipalName) {
        Write-Host "$NewRegOwner is already a registered owner of $Device_Object" -ForegroundColor Red -BackgroundColor White
    } Else {
        Write-Host "Adding $NewRegOwner as registered owner of $Device_Object" -ForegroundColor Blue -BackgroundColor White
        Add-AzureADDeviceRegisteredOwner -ObjectId $Device.ObjectId -RefObjectId $NewOwnerRefObjectId.ObjectId
    }

    # Remove the current owner from the device, where
    #   -ObjectId is the object ID of the device
    #   -OwnerId  is the object ID of the current registered owner
    # Re-read the owner list so the check reflects the add above; use -contains (exact match), not -match (regex)
    $Owner = Get-AzureADDeviceRegisteredOwner -ObjectId $Device.ObjectId
    If ($Owner.UserPrincipalName -contains $CurrentRegOwner) {
        Write-Host "Removing $CurrentRegOwner as registered owner of $Device_Object" -ForegroundColor Red -BackgroundColor White
        Remove-AzureADDeviceRegisteredOwner -ObjectId $Device.ObjectId -OwnerId $CurrentOwnerRefObjectId.ObjectId
    } Else {
        Write-Host "$CurrentRegOwner is not a registered owner of $Device_Object; nothing to remove" -ForegroundColor Blue -BackgroundColor White
    }

    1 person found this answer helpful.