Set Intune Primary User with Azure Automation

I have finally had some time to have a new look at my script to update primary user for devices in Intune. The previous script had some issues when updating mggraph modules to later versions. So i decided to start using invoke-mggraphrequest to avoid future failures. The script now only need Microsoft.Graph.Authentication module.

Why are primary user important for devices

The Primary User property in Intune is used when:

• Map a licensed Intune user to the device
• Show and map the user to the device in that users Company Portal app
• Show and map the user to the device in that users Device management website
• Easier to map user to device in Endpoint manager and Azure portal

If primary user is another user, this will happen:

• Company Portal is limited in functions. It can be published apps missing and device management tools missing.
• Company Portal shows a warning “This device is already assigned to someone in your organization…
• If an Intune device has no primary user assigned, then the Company Portal app detects it as a shared device

How to set primary user

To set primary user, it is a manual process for each devcice:

1. Access the Intune Admin Center:
   Start by logging into the Microsoft Intune admin center. Navigate to Devices and All Devices
2. Select the Devices you want to change primary user
3. Navigate to Properties for this device
4. Click Change Primary User below the current Primary User
5. Choose the new primary user and save your changes.

Change Primary User with PowerShell or Azure Automation

But when you have lots of devices installed and enrolled with for example an install account. you might need to change them all. So, I built a script for this. The script uses Graph and using only the Microsoft MgGraph module Microsoft.Graph.Authentication.

• First it collects all Devices in Intune that are “Windows” devices.
• Next collect all sign-in logs of all windows devices.
• Next collect all primary users of all devices.
• Finally set primary user that has logged on most times the latest 30 days

Run the script in Azure Automation

Azure Automation is a fantastic tool to use to schedule automations in your organization.

1. Open Azure Portal
2. Create a new Azure Automation Account

3. Select System assigned managed identity

4. And you can keep the Public network access

5. When the account is ready, open it up
6. Select Modules node and click Add Module

7. Add these modules from Gallery in Runtime Version 5.1:

• Microsoft.Graph.Authentication

8. Select Runbooks node and click Create a Runbook

9. Give the runbook a suitable name and select PowerShell with runtime version 5.1

10. Copy the script Intune-Set-PrimaryUsers.ps1 from my Github and paste it in your Runbook.
11. Modify it to suit your environment
12. The last thing missing is permissions for your Managed Account. This needs to be added manually with a PowerScript.
13. Download the script Azure-Add-PermissionsManagedIdentity.ps1 from my Github
14. Change the two lines to fit your environment.

$TenantID = "11111-08a2-4ade-9a68-0db7586d80ad"
$ManagedIdentity = "Tbone-Automate"

15. Run the script in PowerShell
16. Go back to your automation account
17. Open your RunBook
18. Click Edit
19. Chage the setting $ExecutionMode = “Test” to run in Test mode and no real changes are made
20. Now you can click Test Pane
21. And run the script to see the results.
22. If it works as expected, change back $ExecutionMode = “Prod”
23. Publish the script and schedule the script to run every day.

Script can be found here Intune-Set-PrimaryUsers.ps1 on my Github

About The Author