This post is about getting a notification when an Autopilot device has no group tag. Just as you want to know when your licenses run out, you want to know when an untagged Autopilot device shows up. I wrote a script that does that and I want to share it with you!
I run this script in an Azure automation account with a runbook. To authenticate I use a managed identity.
Prerequisites
- Autopilot Devices with their hardware hash registered in Intune
- Azure subscription
Azure Automation Account
Firstly, we need to create the Azure Automation Account. Log on to Microsoft Azure and create the automation account:
Choose a subscription, ResourceGroup, Name, and Region for the automation account.
At the advanced part, make sure to create the system assigned managed identity:
For the networking part, I chose public access, but do whatever your environment requires.
After that, add Tags if you want to, and click on Review & Create.
Lastly, for the automation account, we need to add permissions to the Managed Identity. We need to make sure it can gather the devices from MS Graph and send an e-mail with the report.
You can use this script to do so:
```powershell
# Your tenant id (in Azure Portal, under Azure Active Directory -> Overview)
$TenantID = "TENANTNAME.onmicrosoft.com"

# Microsoft Graph App ID (DON'T CHANGE)
$GraphAppId = "00000003-0000-0000-c000-000000000000"

# Name of the managed identity (same as the automation account name)
$DisplayNameOfMSI = "UntaggedDevices"

# Check the Microsoft Graph documentation for the permissions you need for the operation
$PermissionName = "DeviceManagementServiceConfig.ReadWrite.All", "DeviceManagementManagedDevices.Read.All", "Mail.Send"

# Install the module (you need admin on the machine)
#Install-Module AzureAD

Connect-AzureAD -TenantId $TenantID

foreach ($Permission in $PermissionName) {
    # Look up the managed identity's service principal
    $MSI = (Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'")
    Start-Sleep -Seconds 10

    # Look up the Microsoft Graph service principal and the application role matching this permission
    $GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
    $AppRole = $GraphServicePrincipal.AppRoles | `
        Where-Object { $_.Value -eq $Permission -and $_.AllowedMemberTypes -contains "Application" }

    # Grant the application role to the managed identity
    New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId `
        -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
}
```
Go to Azure Active Directory, Enterprise Applications, and select the Managed Identities:
Click on the managed identity (It has the same name as your automation account), and after that on permissions. Check that it has these permissions:
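If you would rather verify the grant from PowerShell than in the portal, the following added check (not part of the original post) lists the Graph application roles actually assigned to the managed identity and compares them with the three the runbook needs. It assumes the same AzureAD module session, tenant name and managed identity name used in the permission script above; both are placeholders you must edit.

```powershell
# Added verification check, not from the original post.
# Assumes the AzureAD module is installed and the placeholders below are edited.
$TenantID         = "TENANTNAME.onmicrosoft.com"          # placeholder
$DisplayNameOfMSI = "UntaggedDevices"                      # placeholder: automation account name
$GraphAppId       = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph (fixed)
$Expected = "DeviceManagementServiceConfig.ReadWrite.All",
            "DeviceManagementManagedDevices.Read.All",
            "Mail.Send"

Connect-AzureAD -TenantId $TenantID | Out-Null
$MSI   = Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'"
$Graph = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

# App role assignments where the managed identity is the principal and Graph is the resource.
# The assignment's Id is the app role id; map it back to the role's Value (permission name).
$Granted = Get-AzureADServiceAppRoleAssignedTo -ObjectId $MSI.ObjectId |
    Where-Object { $_.ResourceId -eq $Graph.ObjectId } |
    ForEach-Object {
        $RoleId = $_.Id
        ($Graph.AppRoles | Where-Object { $_.Id -eq $RoleId }).Value
    }

foreach ($Perm in $Expected) {
    if ($Granted -contains $Perm) { Write-Output "OK       $Perm" }
    else                          { Write-Output "MISSING  $Perm" }
}

# Anything beyond the three expected roles is worth a second look: the identity should hold
# only what the runbook needs.
$Extra = $Granted | Where-Object { $Expected -notcontains $_ }
if ($Extra) { Write-Output "Additional Graph roles granted: $($Extra -join ', ')" }
```

Mail.Send as an application permission lets the identity send as any mailbox in the tenant, so if your organisation restricts that, an Exchange Online application access policy scoped to the sending mailbox is the usual way to limit it.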
Implement the script for untagged Autopilot Devices
Next up is adding the script that will gather the untagged Autopilot Devices and send it via mail as a report.
In the automation account, create a new Runbook.
Give the Runbook a name, choose PowerShell as the type, and use 5.1 as the PowerShell version:
After that, paste this script from my Github into the runbook:
Edit these variables:
Next, run the runbook and receive this email in your inbox:
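The runbook linked from GitHub is not reproduced here. As an added illustration of what such a runbook has to do, the script below (my own example, not the author's code) authenticates with the system-assigned managed identity, pages through the Autopilot device identities in Intune, selects those whose group tag is empty, and mails an HTML report through Microsoft Graph. It assumes the Az.Accounts module is available in the automation account, the identity holds the permissions granted earlier, and that the two mailbox addresses are placeholders you replace.

```powershell
# Added example runbook, not the script from the original post.
# Assumptions: Az.Accounts is imported into the Automation account, the system-assigned
# managed identity has DeviceManagementServiceConfig.ReadWrite.All and Mail.Send, and the
# two addresses below are replaced with real ones.
$SenderUpn = "intune-reports@contoso.example"   # placeholder: mailbox the report is sent from
$Recipient = "admin@contoso.example"            # placeholder: who receives the report

# Authenticate as the managed identity and obtain a Graph access token
Connect-AzAccount -Identity | Out-Null
$Token   = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com").Token
$Headers = @{ Authorization = "Bearer $Token" }

# Page through every Autopilot device identity; Graph returns results in pages with @odata.nextLink
$Uri = "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities"
$Devices = @()
while ($Uri) {
    $Page     = Invoke-RestMethod -Uri $Uri -Headers $Headers -Method Get
    $Devices += $Page.value
    $Uri      = $Page.'@odata.nextLink'
}

# A device counts as untagged when its groupTag is null or whitespace
$Untagged = @($Devices | Where-Object { [string]::IsNullOrWhiteSpace($_.groupTag) })

if ($Untagged.Count -eq 0) {
    Write-Output "All $($Devices.Count) Autopilot devices have a group tag; no mail sent."
    return
}

# Build a simple HTML table for the report
$Rows = $Untagged | ForEach-Object {
    "<tr><td>$($_.serialNumber)</td><td>$($_.manufacturer)</td><td>$($_.model)</td><td>$($_.lastContactedDateTime)</td></tr>"
}
$Html = "<p>$($Untagged.Count) of $($Devices.Count) Autopilot devices have no group tag:</p>" +
        "<table border='1'><tr><th>Serial</th><th>Manufacturer</th><th>Model</th><th>Last contact</th></tr>" +
        ($Rows -join '') + "</table>"

# Send the report with the Graph sendMail action
$Mail = @{
    message = @{
        subject      = "Untagged Autopilot devices: $($Untagged.Count)"
        body         = @{ contentType = "HTML"; content = $Html }
        toRecipients = @(@{ emailAddress = @{ address = $Recipient } })
    }
    saveToSentItems = $false
}
Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/users/$SenderUpn/sendMail" `
    -Headers $Headers -Method Post -ContentType "application/json" `
    -Body ($Mail | ConvertTo-Json -Depth 6)

Write-Output "Report for $($Untagged.Count) untagged device(s) sent to $Recipient."
```

Because the script only reads device identities and sends one mail, nothing in it needs the ReadWrite half of DeviceManagementServiceConfig.ReadWrite.All; if you do not plan to change group tags from the runbook, the read-only variant of that permission is enough.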
And, that is how you can automate the notification for untagged autopilot devices. You can also add a schedule to check multiple times a day.