Notification about untagged Autopilot devices

This post is about getting a notification about untagged Autopilot devices. Just like when your licenses run out, when you have an untagged Autopilot device, you want to know! I wrote a script that does that and I want to share it with you!

I run this script in an Azure automation account with a runbook. To authenticate I use a managed identity.


  • Autopilot Devices with their hardware hash registered in Intune
  • Azure subscription

Azure Automation Account

Firstly, we need to create the Azure Automation Account. Log on to Microsoft Azure and create the automation account:

Choose a subscription, resource group, name, and region for the automation account.

In the Advanced section, make sure to create the system-assigned managed identity:

For the networking part, I chose public access, but please do what your environment requires.

After that, add Tags if you want to, and click on Review & Create.

Lastly, for the automation account, we need to add permissions to the Managed Identity. We need to make sure it can gather the devices from MS Graph and send an e-mail with the report.

You can use this script to do so:

# Your tenant id (in Azure Portal, under Azure Active Directory -> Overview )
$TenantID = ""
# Microsoft Graph App ID (DON'T CHANGE)
$GraphAppId = "00000003-0000-0000-c000-000000000000"
# Name of the managed identity (same as the automation account name)
$DisplayNameOfMSI = "UntaggedDevices"
# Check the Microsoft Graph documentation for the permission you need for the operation
$PermissionName = "DeviceManagementServiceConfig.ReadWrite.All", "DeviceManagementManagedDevices.Read.All","Mail.Send"

# Install the module (You need admin on the machine)
#Install-Module AzureAD 

Connect-AzureAD -TenantId $TenantID

foreach ($Permission in $PermissionName) {
    $MSI = (Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'")
    Start-Sleep -Seconds 10
    $GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
    # Pick the application (not delegated) app role that matches the permission name
    $AppRole = $GraphServicePrincipal.AppRoles |
        Where-Object { $_.Value -eq $Permission -and $_.AllowedMemberTypes -contains "Application" }
    # Grant that Graph app role to the managed identity
    New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId `
        -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
}

Go to Azure Active Directory, Enterprise Applications, and select the Managed Identities:

Click on the managed identity (It has the same name as your automation account), and after that on permissions. Check that it has these permissions:
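
The same check can be scripted instead of read off the portal. The following is an added example, not part of the original post: it reuses the post's `$GraphAppId`, `$DisplayNameOfMSI` and permission list, assumes `Connect-AzureAD` has already been run, and reports any Graph application permission that is missing or that goes beyond the three the post grants. The variable names `$Expected`, `$Found`, `$Granted`, `$Missing` and `$Unexpected` are illustrative.

```powershell
# Added example: audit the Microsoft Graph application permissions of the managed identity.
# Assumes the AzureAD module is loaded and Connect-AzureAD has already been run.
$GraphAppId       = "00000003-0000-0000-c000-000000000000"
$DisplayNameOfMSI = "UntaggedDevices"
$Expected = "DeviceManagementServiceConfig.ReadWrite.All",
            "DeviceManagementManagedDevices.Read.All",
            "Mail.Send"

# Display names are not unique in the directory, so refuse to guess between matches.
$Found = @(Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'")
if ($Found.Count -ne 1) {
    throw "Expected one service principal named '$DisplayNameOfMSI', found $($Found.Count)."
}
$MSI   = $Found[0]
$Graph = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

# Map Graph app role IDs to permission names.
$RoleNameById = @{}
foreach ($Role in $Graph.AppRoles) { $RoleNameById[[string]$Role.Id] = $Role.Value }

# App roles granted to the managed identity, limited to Microsoft Graph.
# Roles whose ID is not in the map are reported by their raw ID.
$Granted = @(
    Get-AzureADServiceAppRoleAssignedTo -ObjectId $MSI.ObjectId -All $true |
        Where-Object { $_.PrincipalId -eq $MSI.ObjectId -and $_.ResourceId -eq $Graph.ObjectId } |
        ForEach-Object {
            $Name = $RoleNameById[[string]$_.Id]
            if ($Name) { $Name } else { [string]$_.Id }
        }
)

$Missing    = @($Expected | Where-Object { $_ -notin $Granted })
$Unexpected = @($Granted  | Where-Object { $_ -notin $Expected })

if ($Missing)    { Write-Warning "Missing permissions: $($Missing -join ', ')" }
if ($Unexpected) { Write-Warning "Unexpected permissions: $($Unexpected -join ', ')" }

[pscustomobject]@{
    ManagedIdentity = $MSI.DisplayName
    Granted         = $Granted -join ', '
    Missing         = $Missing -join ', '
    Unexpected      = $Unexpected -join ', '
    Compliant       = (-not $Missing -and -not $Unexpected)
}
```

Note that `Mail.Send` as an application permission allows sending mail as any user in the tenant, so an `Unexpected` entry or a second identity with the same display name is worth investigating before the runbook is scheduled.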

Implement the script for untagged Autopilot Devices

Next up is adding the script that will gather the untagged Autopilot Devices and send it via mail as a report.

In the automation account, create a new Runbook.

Give the Runbook a name, choose PowerShell as the type, and use 5.1 as the PowerShell version:

After that, paste this script from my GitHub into the runbook:

Edit these variables:

Next, run the runbook and receive this email in your inbox:

And that is how you can automate the notification for untagged Autopilot devices. You can also add a schedule to check multiple times a day.

