Need to get Intune device's primary UPN using microsoft graph, rather then enrolled upn

Question

Need to get Intune device's primary UPN using microsoft graph, rather then enrolled upn

Leon Prentice 11

Hello,

I'm setting up a report using microsoft graph via powershell to return device data where we can compare primary user and last logged on user. At the minute, using "https://graph.microsoft.com/beta/deviceManagement/managedDevices?&$select=deviceName,usersLoggedOn,userDisplayName,userPrincipalName,userId" is returning the enrolled user Id, principal name, and display name instead of the assigned primary user.

How are we able to find out the primary user using microsoft graph?

Thanks

Lu Dai-MSFT 28,496 Reputation points

2022-06-23T07:40:08.253+00:00

Thanks SrinivasaRaoDarna for the valuable input.

@Leon Prentice Have all the concern been addressed? Is there any other assistance that we can provide?

If the reply is helpful, please accept his answer.

Thanks for your kindness in advance.

4 answers

Your answer

Lu Dai-MSFT 28,496 Reputation points

2022-06-23T07:40:08.253+00:00

Thanks SrinivasaRaoDarna for the valuable input.

@Leon Prentice Have all the concern been addressed? Is there any other assistance that we can provide?

If the reply is helpful, please accept his answer.

Thanks for your kindness in advance.

Answer 1

Hi @Leon Prentice ,

Currently with Intune Graph API's we can only get Enrolled user with list-manageddevice GET /beta/deviceManagement/managedDevices.

We can get the primary users associated with the managed device for a specified managedDeviceId and this API/endpoint is only available in /beta now get-manageddevice.

GET /beta/deviceManagement/managedDevices/{managedDeviceId}/users

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported.

Reference docs: intune-devices-manageddevice

Additionally refer to this Intune Graph API with PowerShell that can help you get all devices and primary users PrimaryUser_Get.

Hope this helps.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have further questions about this answer, please click "Comment".

Sulli, Russell (HQP) 5 Reputation points

2023-02-15T22:53:12.9033333+00:00

Any known timeframe when this will be published to 1.0?

Answer 2

Sulli, Russell (HQP) 5

Hello, is there any timeframe on when we will be able to query for the primary user?

Answer 3

Konstantinos Passadis 19,586 MVP

Hello @Leon Prentice !

Regarding permissions i believe these are required

DeviceManagementManagedDevices.PrivilegedOperations.All
DeviceManagementManagedDevices.ReadWrite.All
Group.Read.All
GroupMember.Read.All
Organization.Read.All
User.Read.All

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards

Johnson, Aaron M 0 Reputation points

2023-05-28T21:05:36.05+00:00

Thank you!
Konstantinos Passadis 19,586 Reputation points MVP

2023-05-29T09:17:31.6633333+00:00

Hello @Leon Prentice !

Do you have any feedback or is your issue resolved?

In case any answer helped kindly mark it as Accepted and upvote so others can benefit as well!

Regards

Answer 4

Souders, Justin 25

I am also trying to get the primary user assigned to a device, but I am getting a 403 returned when using the following endpoint.

https://graph.microsoft.com/beta/deviceManagement/managedDevices/{managedDeviceId}/users

I can successfully call the same endpoint without the users.

https://graph.microsoft.com/beta/deviceManagement/managedDevices/{managedDeviceId}

Are there additional permissions needed to get the users of a managed device?

I currently have the app role of DeviceManagementManagedDevices.Read.All assigned to this system managed identity and utilizing it from an Azure automation account runbook.

Johnson, Aaron M 0 Reputation points

2023-05-24T21:22:39.4666667+00:00

I am having the same issue as Justin. What additional permissions are required outside of DeviceManagementManagedDevices.Read.All? Thank you.

Souders, Justin 25

I got mine working by using the following permissions:

$Permissions = @(
    'DeviceManagementManagedDevices.Read.All'
    'DeviceManagementManagedDevices.ReadWrite.All'
    'DeviceManagementConfiguration.Read.All'
    'DeviceManagementConfiguration.ReadWrite.All'
    'Device.Read.All'
    'User.Read.All'
)

The following PowerShell function is what I then utilized to retrieve the primary user for each device. There are a few notes in the function that outline the issues I ran into along the way and references to articles if you want to dig in deeper.

function Get-DevicePrimaryUserBatch([String[]]$IntuneIds)
{
    # Issue with Graph API returning the correct primary user for a device: Associated user is inconsistent - https://github.com/microsoftgraph/microsoft-graph-docs/issues/16137
    # deviceManagement/managedDevices/{deviceID}/users returns the Primary User for the device. Including the UPN of the Primary User.
    # deviceManagement/managedDevices/{deviceID}/$select=userPrincipalName returns the UPN of the Enrolled user for the device.

    #JSON Batching with MS Graph: https://learn.microsoft.com/en-us/graph/json-batching
    #Limit of 20 requests per batch
    $BatchUrl = "https://graph.microsoft.com/v1.0/`$batch"
    $ProcessedRecords = 0
    [System.Collections.ArrayList] $DeviceAndPrimaryUserList = @()
    $TotalRecords = $IntuneIds.Count
    $RequestGroupMax = 20 #MS Graph Batch Method has a max of 20 requests per call

    Write-Verbose "Total Primary Users to Retrieve: $TotalRecords"
    while($TotalRecords -gt $ProcessedRecords)
    {
        #Construct Request Object
        $BodyJson = @{}
        $RequestObjects = New-Object System.Collections.ArrayList
            
        if(($TotalRecords-$ProcessedRecords) -lt $RequestGroupMax)
        {
            $RecordsToRetrieve = $TotalRecords-$ProcessedRecords
        }
        else
        {
            $RecordsToRetrieve = $RequestGroupMax
        }
        
        $IntuneIdsToRetrieve = $IntuneIds[$ProcessedRecords..($ProcessedRecords+$RecordsToRetrieve-1)]
        
        Foreach($IntuneId in $IntuneIdsToRetrieve)
        {
           $RequestObjects.Add(@{"url"="/deviceManagement/managedDevices/$IntuneId/users";"method"="GET";"id"="$IntuneId"})
        }
    
        $BodyJson = @{"requests"=$RequestObjects;} | ConvertTo-Json -Compress
        
        try
        {
            $BatchResponse = Invoke-WebRequest -Uri $BatchUrl -Method POST -Headers $authTokenHeader -Body $BodyJson -UseBasicParsing
        }
        catch
        {
            Write-Verbose "There was an error when querying the Intune `$batch GraphAPI endpoint with multiple (deviceManagement/managedDevices/$IntuneId/users) requests"
            $StatusCode = $_.Exception.Response.StatusCode.value__
            $ErrorMessage = $_.Exception.Message
            Write-Verbose "Status Code Returned: $StatusCode - Message: $ErrorMessage"
            throw $_
        } 
    
        #Parse Results
        $BatchResponseObject = $BatchResponse | ConvertFrom-Json
    
        foreach($Response in $BatchResponseObject.responses)
        {
            $SkipAdd = $false
            $ResponseStatusCode = $Response.Status
            $IntuneId = $Response.id
            $PrimaryUserPrincipalId = $Response.body.value[0].id
            $PrimaryUserPrincipalName = $Response.body.value[0].userPrincipalName
    
            if($ResponseStatusCode -ne 200)
            {
                Write-Host "Invalid Status Code $ResponseStatusCode returned for IntuneId: $IntuneId"
                $SkipAdd = $true
            }
            elseif([string]::IsNullOrEmpty($PrimaryUserPrincipalId))
            {
                Write-Host "No primary user returned for IntuneId $IntuneId"
                $SkipAdd = $true
            }     
    
            if(!$SkipAdd)
            {
                $DeviceAndPrimaryUserList.Add(@{IntuneId = $IntuneId; PrimaryUserPrincipalId = $PrimaryUserPrincipalId; PrimaryUserPrincipalName = $PrimaryUserPrincipalName })
            }
        }
        
        $ProcessedRecords += $RecordsToRetrieve
        Write-Verbose "Total Primary Users Records Retrieved: $ProcessedRecords of $TotalRecords"
    }
    
    Write-Verbose "DeviceAndPrimaryUserList Total Records: $($DeviceAndPrimaryUserList.Count)"

    return $DeviceAndPrimaryUserList
}

Johnson, Aaron M 0 Reputation points

2023-05-28T21:05:12.4866667+00:00

Hi Justin,

Thank you for the permissions list and the sample code! You rock!

Also, I wanted to mention you can now also use Microsoft.Graph to get the Primary User.

https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.devicemanagement/get-mgdevicemanagementmanageddeviceuser?view=graph-powershell-1.0
Johnson, Aaron M 0 Reputation points

2023-06-07T10:24:45.65+00:00

If you are using get-mgdevicemanagementmanageddeviceuser to get the primary user you will need:

DeviceManagementManagedDevices.Read.All

User.Read.All

Those are the permissions I have and it works.

Share via

Need to get Intune device's primary UPN using microsoft graph, rather then enrolled upn

4 answers

Your answer