Get Azure AD Devices Report Using PowerShell

Are you sure organization users are accessing only via the authorized device? Are all the devices used by your users utterly safe?

Nah! Every device used to access cloud-based resources possesses a severe risk of becoming a pathway to cause major cyber-attacks like data breaching, phishing, ransomware, and many more. Devices usually don’t play a role in identity-based attacks, rather they are used as trump cards to trick security with the impersonation of users.

Therefore, as an admin, it’s essential to monitor devices used within your organization for effective defense systems, Azure AD device management, and compliance management and maintain security & regulatory compliance.

And therefore, to help admins with this task, this blog provides a PowerShell script to get Azure AD devices report. With this script, admins can gain a better understanding of their organization’s device landscape, and easily identify potential issues or risks. Without further delay, let’s get into the reporting zone quickly!

Cybercriminals may attempt to breach the security of your organization by registering unauthorized devices, using Primary Refresh Tokens on trusted devices, or stealing Primary Refresh Tokens from trusted user devices.

• Therefore, monitoring Azure AD devices essentially becomes the only solution to reduce such threats and massive attacks against your organization. Also, monitoring devices are the primitive step for managing the devices and troubleshooting unusual events related to devices.

Moreover, you can get reports on Azure AD devices either through the Azure portal or through PowerShell. These approaches are considered traditional workarounds to retrieve the necessary information. Let’s explore how to get Azure AD device reports by using these methods in the following section.

The Azure portal provides centralized management for devices, allowing admins to perform essential Azure AD device management tasks. These include configuring device join types, registering and updating devices, also reviewing audit logs for device registration activities. Furthermore, admins can easily enable or disable device access, delete devices, and manage device settings through the portal. Navigate to the path below to get all Azure AD devices in your organization.

Microsoft Entra admin center 🡢 Azure Active Directory 🡢 Devices 🡢 All devices

Here you will find the details of the devices, such as name, operating system, version, Join Type, etc. But generating customized device reports is a crucial task for administrators in the Azure portal.

Moreover, the Azure portal’s reporting features are limited in terms of customization, scalability, automation, and integration, which may not be suitable for organizations that require detailed and customized reports on a large scale. Therefore, switching to the PowerShell method is the perfect solution for organizations to meet their specific reporting requirements.

Previously, the ‘Get-AzureADDevice’ cmdlet in PowerShell was a workaround for slow Azure AD reporting. It helped admins quickly list all Azure AD devices in their organization and tailor output using filters and loops.

However, Azure AD and MSOnline cmdlets are being deprecated in favor of the Microsoft Graph API. Therefore, sticking to these Azure AD cmdlets for retrieving devices is not advisable!

Thus, to lend you a hand in tracking the finer details of the devices in a single click, we have provided a PowerShell script. This script is designed to simplify your device tracking process, providing a comprehensive overview of all the Azure AD devices. Let’s dive into the script’s features and explore its full potential!

The Azure AD devices report shows the complete list of devices with their attributes in the organization. Therefore, admins can efficiently use this report to monitor and analyze the critical events of device registration, deletion, etc., around the workspace. Download the script now and unleash the benefits you can avail with a click!

Script Download: GetAzureADDevicesReport.ps1

• The script can be executed with MFA-enabled accounts too.
• Exports output to CSV.
• Automatically installs the Microsoft Graph PowerShell module in your PowerShell environment upon your confirmation.
• Supports the method of certificate-based authentication.
• The script lists all the Azure AD devices of your organization. That too customization of reports is possible according to the major device types like managed, enabled, disabled etc.

Visualize in-depth details of devices just by downloading and running the script.

The exported report contains the following attributes of devices:

• Name – Device name is displayed here.
• Enabled – States whether the devices are enabled or not with true or false value.
• Operating system – The name of the Operating system is shown.
• Version – The Operating system version is listed here.
• Join Type – States the JoinType of devices such as Azure AD registered, Azure AD joined, and Hybrid Azure AD Joined.
• Owners – Device owner names are mentioned here.
• Users – Users of the device are mentioned in this place.
• Is Managed – Concludes whether the device is managed or not with true or false value.
• Management Type – If the device is managed, the management type of the device is recorded here.
• Is Compliant – Returns true value if the device is compliant otherwise it returns false value.
• Registration Date Time – Shows the registration date and time of the devices.
• Last Sign-in Date Time – Displays the Last Sign-in date and time of the devices.
• Groups – Groups that a device belongs to are listed here. For example, autopilot device.
• Administrative Units– Indicates the administrative units of the devices.
• Device Id – Specifies the ID of device here.
• Object Id – A unique identifier related to the device in Azure AD is shown here.
• Extension Attributes– Azure AD extension attributes are an additional way of storing extra pieces of info on user objects and other directory objects.

Choose any one of the below methods as per your need.

Method 1: Execute the script for both MFA and non-MFA accounts.

Method 2: Also, you can execute the script with certificate-based authentication (App-only access). This method is also scheduler friendly.

Note: Create self-signed certificates for internal and testing purposes if you don’t want to lend money on CA certificates.

The script supports some built-in filtering parameters according to your needs, and its use cases are listed below. Before getting started, make sure to connect to the Microsoft Graph PowerShell module.

1. Export All Azure AD Devices to CSV
2. Find the Managed Devices in Azure AD
3. Track the Devices with Bit Locker Key in Office 365
4. Identify the Inactive Devices in your Tenant
5. Find your Azure AD Enabled Devices
6. Get to Know the Disabled Devices of Azure AD

Now, upon running the script, it exports the details of all registered devices in Azure AD with their other attributes to a CSV file.

NOTE: If you are using certificate-based authentication, then the script generates output only when the directory permissions such as Directory.Read.All is enabled in your organizational setup otherwise you will be facing an error message while executing the script saying that,

“If you execute via CBA, then your application required Directory.Read.All application permissions”.

Managed devices are the devices that are completely controlled and managed by the organization, giving users no control over them. And it’s always crucial to manage and control access to the organization’s managed devices. This is where the -ManagedDevice parameter comes in handy, allowing administrators to view and export a list of all managed Azure AD devices.

This information can provide insights into the volume of managed devices, which can help identify any unmanaged devices that may need attention. By using the -ManagedDevice parameter, organizations can ensure that all their devices are properly managed and secure, helping to protect against potential security threats and unauthorized access.

BitLocker is a Microsoft encryption product that is used to conceal and protect sensitive user data on a computer. In which BitLocker keys were significantly required to recover the encrypted drives of your work environment. With the -DeviceWithBitLockerKey parameter, you can track the devices with BitLocker keys in your tenant. This helps to transparently monitor and secure BitLocker-encrypted devices within your organization. This will eventually retrieve only the devices with bit locker key and export them into a CSV file.

POINT TO REMEMBER: More importantly, note that you can retrieve bit locker key enabled devices only with interactive authentication (password authentication) and can’t be retrieved from a certificate-based authentication method. This is because BitLocker can only be accessed through delegated permissions and not application permissions. If you attempt to fetch BitLocker-enabled devices using certificate-based authentication, you will encounter an error message stating that

“You don’t get device with Bit Locker key info while using certificate-based authentication. If you want to get bit locker key enabled devices, they you can connect graph using credentials”.

Unfortunately, the biggest challenge for Azure AD admins is to locate stale or inactive devices, to reduce the potential security risks caused by them. If an inactive device falls into the wrong hands, it could be used to gain unauthorized access to your organization’s resources. Therefore, it’s essential to monitor inactive devices in Azure AD to identify devices that may pose a security risk and take appropriate action, such as removing them from your organization’s Azure AD or resetting their passwords.

No worries now! To locate all the inactive devices in your Azure AD environment, use the –InactiveDays parameter, and mention the minimum number of days. Therefore, it exports the device details that have been inactive for the specified period.

Enabled devices in Azure AD refer to devices that have been registered and authorized by organizations, which allows them to authenticate and access resources such as applications and data. Moreover, it permits access to the resources protected with conditional-based access.

It’s important to monitor enabled devices in Azure AD to identify the devices and users with most inclusive permissions. By monitoring enabled devices, you can identify potential security risks, identify the misuse of resources and detect the potential indicators of insider threats.

Easily spot all your enabled devices in the Azure AD environment by executing the script below after mentioning the required parameter –EnabledDevice in the script.

Devices are disabled as an immediate response of threat and cyber security problems instead of deleting them completely. Basically, disabled devices are devices which can’t access Microsoft 365 services at this state but can be enabled later if the reason for disabling is found to be false positive. Also, by monitoring disabled devices, you can identify devices that are no longer needed and remove them from your Azure AD, freeing up resources and reducing licensing costs.

Therefore, to identify the disabled devices in Azure AD, you can use the param –DisabledDevice and export the results into a CSV file.

Free Azure AD Device Reports from AdminDroid: Simplify Your Device Management

Despite giving reports on Azure AD devices, the Azure portal eventually failed to provide extensive reports on deleted devices, updated devices, credential changes, and many more. Aren’t you tired of finding those Azure AD devices report? Still, surfing the web for a perfect solution?

Don’t worry, AdminDroid is at your rescue! Yes, the AdminDroid’s Free Azure AD reporting tool provides comprehensive records and statistics on Azure AD devices.

With Azure AD device audit reports, you can gain insights into every aspect of devices and simplify Azure AD device management and monitoring. Reports includes,

• Added devices
• Updated devices
• Deleted devices
• Configuration changes
• Owner changes
• User changes
• Credential changes
• All device operations

Additionally, AdminDroid provides explicit dashboards and offers 190+ Free reports on user login, password changes, admin role changes, user audit, group audit, application audit, and the list goes on.

Overall, AdminDroid is the best solution for your Office management! It is a Microsoft 365 reporting tool that is easy to set up, user-friendly, and designed with advanced features of alerting, scheduling, and merging multiple reports. With these advanced reporting capabilities, AdminDroid facilitates you with 1800+ granular reports and 30+ dashboards on every service like Azure AD, Exchange Online, Microsoft Teams, SharePoint, OneDrive, and Yammer. Plus, it makes your administration easy with AI-powered graphical analysis.

Download AdminDroid now to find everything you desire within no time!

In conclusion, try this script to get your Azure AD devices report in minutes instead of searching for the details for the whole day in the portal.

Say goodbye to the endless hours of searching for device details and say hello to a comprehensive report at your fingertips.

Besides saving time, the output file is exported as a CSV file, so you can easily analyze and configure things easily with well-classified information. Enhance your security posture of your organization through continuous monitoring of devices and applications activity in Azure AD. We hope this blog has been helpful and eased your burden in obtaining the details of Azure devices. For any questions, reach us through the comments section.