
Managing Azure AD Devices with PowerShell. Managing Azure Active Directory (AD) devices with PowerShell is a powerful and efficient way to streamline device management tasks. Administrators automate device provisioning, configuration, and monitoring with PowerShell cmdlets designed specifically for Azure AD. Through PowerShell, admins easily perform tasks such as enrolling devices, setting device policies, retrieving device information, and even running bulk operations against many devices at once. PowerShell’s scripting capabilities let administrators build customized, repeatable processes, improving the overall efficiency and effectiveness of Azure AD device management.

Managing Azure AD Devices with PowerShell

Every device used to access cloud-based resources carries significant potential to serve as a conduit for major cybersecurity threats, including data breaches, phishing attacks, ransomware incidents, and others. Such devices typically do not initiate identity-based attacks directly; rather, they are used as deceptive instruments to exploit security weaknesses through user impersonation.

As an admin, it’s essential to monitor the devices used within our organization: for an effective defence, for Azure AD device management, and for compliance management, so that we maintain both security and regulatory compliance.

Therefore, to help admins, this article provides a PowerShell script that reports on Azure AD devices. With this script, admins better understand their organization’s device landscape and easily identify potential issues or risks.

Viewing Devices in Azure AD

Cybercriminals may breach our organization’s security by registering unauthorized devices, by using Primary Refresh Tokens on trusted devices, or by stealing Primary Refresh Tokens from trusted user devices. Therefore, monitoring Azure AD devices becomes the only solution to reduce such threats and large-scale attacks against our organization. Monitoring devices is also the first step toward managing them and troubleshooting unusual device-related events.

We get reports on Azure AD devices either through the Azure portal or through PowerShell. These are the traditional approaches for retrieving the necessary information. Let’s explore how to get Azure AD device reports with each method in the following sections.

Find Azure AD Devices in the Azure Portal

The Azure portal provides centralized device management for the essential Azure AD device management tasks. These include configuring device join types, registering and updating devices, and reviewing audit logs for device registration activities. Furthermore, admins easily restrict or allow device access, delete devices, and manage device settings through the portal.

Navigate the path below to get all Azure AD devices in our organization:

  1. Open and log in to the Microsoft Azure Admin Center.
  2. Navigate to Azure Active Directory.
  3. Click on Devices.
  4. Select All devices.

Here we find details of the devices, such as name, operating system, version, join type, etc. But generating customized device reports from the Azure portal remains a challenge for administrators.

Get All Azure AD Devices Using PowerShell

Previously, the Get-AzureADDevice cmdlet in PowerShell was a workaround for slow Azure AD reporting. It helped admins quickly list all Azure AD devices in their organization and tailor the output using filters and loops. However, the AzureAD and MSOnline cmdlets will soon be deprecated in favour of the Microsoft Graph API. Thus, to help track the finer details of devices in a single click, we have a PowerShell script that uses the latest Microsoft Graph cmdlets.


Export All Azure AD Devices Report to CSV Using PowerShell

The Azure AD devices report shows the complete list of devices in the organization together with their attributes. Admins therefore use this report to efficiently monitor and analyse critical events such as device registration and deletion across the workspace.

Discussing the Script's Scope

  • Runs with MFA-enabled accounts.
  • Exports the output to CSV.
  • Installs the Microsoft Graph PowerShell module in our PowerShell environment automatically, after our confirmation.
  • Supports certificate-based authentication.
  • Lists all the Azure AD devices in our organization.
  • Allows the report to be customized by the major device categories, such as managed, enabled, disabled, etc.

List All Azure AD Devices in Azure Portal

Visualize in-depth details of devices by downloading and running the script. The screenshot below shows a sample output of the script in CSV format.

The exported report contains the following attributes of devices:

  • Name – The display name of the device.
  • Enabled – States whether the device is enabled (true or false).
  • OperatingSystem – The name of the operating system.
  • Version – The operating system version.
  • JoinType – The join type of the device: Azure AD registered, Azure AD joined, or Hybrid Azure AD joined.
  • Owners – The owner names of the device.
  • Users – The users of the device.
  • IsManaged – Indicates whether the device is managed (true or false).
  • ManagementType – If IsManaged is true, the management type of the device is shown here.
  • IsCompliant – Returns true if the device is compliant; otherwise, false.
  • RegistrationDateTime – The registration date and time of the device.
  • LastSigninDateTime – The last sign-in date and time of the device.
  • Groups – The groups the device belongs to, for example Autopilot device groups.
  • AdministrativeUnits – The administrative units the device belongs to.
  • DeviceId – The ID of the device.
  • ObjectId – The unique identifier of the device object in Azure AD.
  • ExtensionAttributes – Azure AD extension attributes, an additional way to store extra information on user objects and other directory objects.

As we notice, most attributes provided by the script are also present in the Azure portal UI discussed earlier. The reason is that the script mainly relies on the Get-MgDevice cmdlet (and related sub-commands). Get-MgDevice is the Microsoft Graph PowerShell cmdlet for retrieving information about devices registered in the Azure tenant.

Export All Azure AD Devices to CSV

When run with no parameters, the script exports the details of all devices registered in Azure AD, together with their attributes, to a CSV file. To start, simply run the following:

    .\GetAzureADDevicesReport.ps1

NOTE: If we use certificate-based authentication, the script produces output only when the required directory permissions, such as Directory.Read.All, have been granted in our tenant.

We share more info on how to use the script by supplying it with different parameters in the next section of the article.

Find the Managed Devices in Azure AD

Managed devices are completely controlled and managed by the organization, giving users no control over them. It’s always crucial to manage and control access to the organization’s managed devices. This is where the -ManagedDevice parameter comes in handy, allowing admins to view and export a list of all managed Azure AD devices.

This information provides insights into the volume of managed devices, which helps to identify any unmanaged devices needing attention. By using the -ManagedDevice parameter, organizations ensure that all their devices are properly managed and secure, helping to protect against potential security threats and unauthorized access.

    .\GetAzureADDevicesReport.ps1 -ManagedDevice

Identify the Inactive Devices in Azure AD

Unfortunately, the biggest challenge for Azure AD admins is locating stale or inactive devices in order to reduce potential security risks. If an inactive device falls into the wrong hands, an attacker could use it to gain unauthorized access to our organization’s resources. Therefore, it’s essential to monitor inactive devices in Azure AD, identify those that may pose a security risk, and take appropriate action, such as removing them from our organization’s Azure AD or resetting their passwords.

To locate all the inactive devices in our Azure AD environment, use the -InactiveDays parameter and specify the minimum number of days. The script then exports the details of the devices that have been inactive for at least that period.

    .\GetAzureADDevicesReport.ps1 -InactiveDays <Days>
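To show what the inactive-device filter and the attribute mapping described above look like when built directly on Get-MgDevice, here is an added example; it is not the article’s GetAzureADDevicesReport.ps1. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to Directory.Read.All; the default of 90 days and the output path are constructed values.

```powershell
# Added example (not the article's script): report devices with no sign-in
# for $InactiveDays or more, using the Microsoft Graph PowerShell SDK.
# Assumes the SDK is installed and Directory.Read.All can be consented to.
param(
    [int]$InactiveDays = 90,                    # constructed default; set to your policy
    [string]$OutFile = '.\InactiveDevices.csv'  # constructed output path
)

Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome

# Graph exposes the join type as TrustType; map it to the portal's wording.
$joinType = @{
    'AzureAd'   = 'Azure AD joined'
    'ServerAd'  = 'Hybrid Azure AD joined'
    'Workplace' = 'Azure AD registered'
}

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$InactiveDays)

$report = @(Get-MgDevice -All -Property 'id,deviceId,displayName,accountEnabled,operatingSystem,operatingSystemVersion,trustType,isManaged,isCompliant,registrationDateTime,approximateLastSignInDateTime' |
    Where-Object {
        # A device that has never signed in is treated as inactive too.
        -not $_.ApproximateLastSignInDateTime -or $_.ApproximateLastSignInDateTime -lt $cutoff
    } |
    ForEach-Object {
        $days = if ($_.ApproximateLastSignInDateTime) { [int]($now - $_.ApproximateLastSignInDateTime).TotalDays } else { $null }
        # Registered owners come back as directoryObjects; the UPN sits in AdditionalProperties.
        $owners = (Get-MgDeviceRegisteredOwner -DeviceId $_.Id -All |
            ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }) -join ';'
        [pscustomobject]@{
            Name                 = $_.DisplayName
            Enabled              = $_.AccountEnabled
            OperatingSystem      = $_.OperatingSystem
            Version              = $_.OperatingSystemVersion
            JoinType             = $joinType[[string]$_.TrustType]
            Owners               = $owners
            IsManaged            = $_.IsManaged
            IsCompliant          = $_.IsCompliant
            RegistrationDateTime = $_.RegistrationDateTime
            LastSignInDateTime   = $_.ApproximateLastSignInDateTime
            DaysInactive         = $days
            DeviceId             = $_.DeviceId
            ObjectId             = $_.Id
        }
    })

# Longest-idle devices first, so the review starts with the highest-risk entries.
$report | Sort-Object DaysInactive -Descending | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host "$($report.Count) device(s) inactive for $InactiveDays+ days written to $OutFile"
```

Devices that have never signed in appear with an empty DaysInactive column and sort to the bottom; review them separately, since a missing sign-in timestamp can also mean a device that was registered but never used.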

Finding the Azure AD Enabled Devices

Enabled devices in Azure AD are devices registered and authorized by the organization, which allows them to authenticate and access resources such as applications and data. It also permits access to resources protected by Conditional Access.

It’s important to monitor enabled devices in Azure AD to identify the devices and users with the broadest permissions. By monitoring enabled devices, we identify potential security risks, spot misuse of resources, and detect possible indicators of insider threats. Easily list all the enabled devices in our Azure AD environment by running the script with the -EnabledDevice parameter:

    .\GetAzureADDevicesReport.ps1 -EnabledDevice

Finding the Azure AD Disabled Devices

Devices are disabled as an immediate response to threats and cybersecurity problems rather than being deleted outright. By monitoring disabled devices, we also identify devices that are no longer needed and remove them from our Azure AD, freeing up resources and reducing licensing costs.

Therefore, to identify the disabled devices in Azure AD, we use the -DisabledDevice parameter and export the results to a CSV file.

    .\GetAzureADDevicesReport.ps1 -DisabledDevice

Managing Azure AD Devices with PowerShell Conclusion

In conclusion, leveraging PowerShell for managing Azure AD devices offers numerous benefits to administrators. PowerShell cmdlets empower admins to automate tasks, saving time and effort in device management. The ability to customize and script processes enhances efficiency and scalability, allowing admins to handle large-scale device management easily. With its comprehensive features and integration with Azure AD, PowerShell remains a valuable tool for managing Azure AD devices effectively.


Marion Mendoza


Windows Server and VMware SME. Powershell Guru. Currently working with Fortune 500 companies responsible for participating in 3rd level systems support across the enterprise. Acting as a Windows Server engineer and VMware Specialist.
