Set Intune Primary User with Azure Automation
I have finally had some time to have a new look at my script to update primary user for devices in Intune. The previous script had some issues when updating mggraph modules to later versions. So i decided to start using invoke-mggraphrequest to avoid future failures. The script now only need Microsoft.Graph.Authentication module.
Why are primary user important for devices
The Primary User property in Intune is used when:
- Map a licensed Intune user to the device
- Show and map the user to the device in that users Company Portal app
- Show and map the user to the device in that users Device management website
- Easier to map user to device in Endpoint manager and Azure portal
If primary user is another user, this will happen:
- Company Portal is limited in functions. It can be published apps missing and device management tools missing.
- Company Portal shows a warning “This device is already assigned to someone in your organization…
- If an Intune device has no primary user assigned, then the Company Portal app detects it as a shared device
How to set primary user
To set primary user, it is a manual process for each devcice:
- Access the Intune Admin Center:
Start by logging into the Microsoft Intune admin center. Navigate to Devices and All Devices - Select the Devices you want to change primary user
- Navigate to Properties for this device
- Click Change Primary User below the current Primary User
- Choose the new primary user and save your changes.
Change Primary User with PowerShell or Azure Automation
But when you have lots of devices installed and enrolled with for example an install account. you might need to change them all. So, I built a script for this. The script uses Graph and using only the Microsoft MgGraph module Microsoft.Graph.Authentication.
- First it collects all Devices in Intune that are “Windows” devices.
- Next collect all sign-in logs of all windows devices.
- Next collect all primary users of all devices.
- Finally set primary user that has logged on most times the latest 30 days
Run the script in Azure Automation
Azure Automation is a fantastic tool to use to schedule automations in your organization.
- Open Azure Portal
- Create a new Azure Automation Account
- Select System assigned managed identity
- And you can keep the Public network access
- When the account is ready, open it up
- Select Modules node and click Add Module
- Add these modules from Gallery in Runtime Version 5.1:
- Microsoft.Graph.Authentication
- Select Runbooks node and click Create a Runbook
- Give the runbook a suitable name and select PowerShell with runtime version 5.1
- Copy the script Intune-Set-PrimaryUsers.ps1 from my Github and paste it in your Runbook.
- Modify it to suit your environment
- The last thing missing is permissions for your Managed Account. This needs to be added manually with a PowerScript.
- Download the script Azure-Add-PermissionsManagedIdentity.ps1 from my Github
- Change the two lines to fit your environment.
$TenantID = "11111-08a2-4ade-9a68-0db7586d80ad"
$ManagedIdentity = "Tbone-Automate"- Run the script in PowerShell
- Go back to your automation account
- Open your RunBook
- Click Edit
- Chage the setting $ExecutionMode = “Test” to run in Test mode and no real changes are made
- Now you can click Test Pane
- And run the script to see the results.
- If it works as expected, change back $ExecutionMode = “Prod”
- Publish the script and schedule the script to run every day.
Script can be found here Intune-Set-PrimaryUsers.ps1 on my Github
About The Author
