When a Windows device is enrolled in Azure AD using an Azure AD join the following security principals will be added to the local administrators group on the device.
- Azure AD global administrator role
- Azure AD joined device local administrator role
- User performing the Azure AD join
More information can be found here: https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
Every Azure AD joined device has an owner.
Note: Hybrid Azure AD joined devices do not have an owner.
The Azure AD join types are:
- Azure AD registered,
- Azure AD joined or
- Hybrid Azure AD joined.
To see a list of all Azure AD devices in your organisation, browse to the Azure AD portal and open Azure Active Directory > Devices > All devices.
https://aad.portal.azure.com/#blade/Microsoft_AAD_Devices/DevicesMenuBlade/Devices/menuId/
This list has a column showing the owner of each device; the owner is the user who joined the device to Azure AD.
To change the device owner, you first add the new owner to the device and then remove the existing owner.
Changing the owner can only be done via PowerShell.
We need to determine three object IDs: the object ID of the device, the object ID of the new owner and the object ID of the existing owner.
- Open PowerShell as Administrator and run:
Install-Module AzureADPreview -AllowClobber
If you already have this module installed, you can skip this step.
- Log in to Azure AD with your Global Admin account using the Connect-AzureAD cmdlet.
# Login to Azure AD
$credential = Get-Credential
Connect-AzureAD -Credential $credential
- Get the object IDs of all Azure AD joined devices in your tenant.
Get-AzureADDevice -All $true | Where-Object {$_.DeviceTrustType -eq "AzureAd"}
Note: The object ID of the device can also be found via the Azure AD Portal: search for the device and look up its Object ID.
The command used later to add the owner is Add-AzureADDeviceRegisteredOwner -ObjectId 94b0b212-xxxx-xxxx-xxxx-xxxxxxxxxxxx -RefObjectId 86757ad2-xxxx-xxxx-xxxx-xxxxxxxxxxxx, where -ObjectId specifies the object ID of the device and -RefObjectId specifies the object ID of the user you want to add as registered owner.
- Get the object IDs of the existing and the new user (owner) accounts.
Get-AzureADUser -SearchString [email protected]   # existing owner
Get-AzureADUser -SearchString [email protected]   # new owner
Note: The object ID of a user can also be found via the Azure AD Portal: search for the user and look up the Object ID.
- Add the new owner to the device.
Add-AzureADDeviceRegisteredOwner -ObjectId 94b0b212-xxxx-xxxx-xxxx-xxxxxxxxxxxx -RefObjectId 86757ad2-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-ObjectId is the object ID of the device you want to change and
-RefObjectId is the object ID of the new owner.
- Remove the existing owner from the device.
Remove-AzureADDeviceRegisteredOwner -ObjectId 94b0b212-xxxx-xxxx-xxxx-xxxxxxxxxxxx -OwnerId 540b9c12-xxxx-xxxx-xxxx-xxxxxxxxxxxx
-ObjectId is the object ID of the device you want to change and
-OwnerId is the object ID of the existing user you want to remove.
- To confirm the new registered owner, run
Get-AzureADDeviceRegisteredOwner -ObjectId 94b0b212-xxxx-xxxx-xxxx-xxxxxxxxxxxx
or log in to the Azure Portal and navigate to Azure AD > Devices > All devices.
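Because the registered owner of an Azure AD joined device is also a local administrator on it, it is worth checking periodically which owners are still valid. The following function is an added example (not part of the original post or the script below) that goes beyond the single-device procedure above: it walks all Azure AD joined devices, lists their registered owners, and flags devices with no owner, more than one owner, an owner whose account is disabled, or no sign-in for a configurable number of days. It assumes the AzureAD or AzureADPreview module is loaded and Connect-AzureAD has already been run; the function name, the StaleDays parameter and the finding labels are my own.

```powershell
# Added example: report on the registered owners of Azure AD joined devices.
# Assumes Connect-AzureAD has been run with an account that can read devices and users.
function Get-AzureADJoinedDeviceOwnerReport {
    [CmdletBinding()]
    param(
        # Flag devices whose approximate last logon is older than this many days (assumed default)
        [int]$StaleDays = 90
    )

    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # Only Azure AD joined devices carry a registered owner; hybrid joined devices do not
    $devices = Get-AzureADDevice -All $true | Where-Object { $_.DeviceTrustType -eq 'AzureAd' }

    foreach ($device in $devices) {
        $owners   = @(Get-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId)
        $findings = New-Object System.Collections.Generic.List[string]

        if ($owners.Count -eq 0) {
            $findings.Add('NoRegisteredOwner')
        } elseif ($owners.Count -gt 1) {
            $findings.Add('MultipleRegisteredOwners')
        }

        foreach ($owner in $owners) {
            # Re-read the owner as a user so AccountEnabled is populated; a non-user owner is reported as such
            try {
                $user = Get-AzureADUser -ObjectId $owner.ObjectId
                if (-not $user.AccountEnabled) {
                    $findings.Add("OwnerDisabled:$($user.UserPrincipalName)")
                }
            } catch {
                $findings.Add("OwnerNotAUser:$($owner.ObjectId)")
            }
        }

        if ($device.ApproximateLastLogonTimeStamp -and $device.ApproximateLastLogonTimeStamp -lt $cutoff) {
            $findings.Add('StaleDevice')
        }

        [pscustomobject]@{
            DeviceName = $device.DisplayName
            DeviceId   = $device.ObjectId
            Owners     = ($owners | ForEach-Object { $_.UserPrincipalName }) -join ';'
            LastLogon  = $device.ApproximateLastLogonTimeStamp
            Findings   = $findings -join ','
        }
    }
}

# Usage: show only devices with at least one finding, as candidates for the owner change above
Get-AzureADJoinedDeviceOwnerReport -StaleDays 90 | Where-Object { $_.Findings } | Format-Table -AutoSize
```

The report deliberately only reads; any owner change is then done with the Add-AzureADDeviceRegisteredOwner and Remove-AzureADDeviceRegisteredOwner steps described above, device by device.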
Related information :
Manage device identities using the Azure portal
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal
How to manage the local administrators group on Azure AD joined devices
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
Windows Autopilot
https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot
Join a new Windows 10 device with Azure AD during a first run
https://docs.microsoft.com/en-us/azure/active-directory/devices/azuread-joined-devices-frx
Manage stale devices in Azure AD
https://docs.microsoft.com/en-us/azure/active-directory/devices/manage-stale-devices
Azure Active Directory device management FAQ
https://docs.microsoft.com/en-us/azure/active-directory/devices/faq
I found a script somewhere in a forum but have no idea who the creator is, so I'm not able to give credit to the creator.
# Install the module (only needed once on a new system)
Install-Module AzureADPreview -AllowClobber
# Connect to Azure AD
Connect-AzureAD
# Inputs (placeholders; fill in before running): device display name, current owner UPN, new owner UPN
$Device_Object   = "<device display name>"
$CurrentRegOwner = "<current owner UPN>"
$NewRegOwner     = "<new owner UPN>"
# Get the device object; -SearchString is a prefix match, so check that exactly one device is returned
$Device = Get-AzureADDevice -SearchString $Device_Object
$DeviceObjectID = $Device.ObjectId
$Device
# Get the user object of the current owner
$CurrentOwnerRefObjectId = Get-AzureADUser -All $true | Where-Object {$_.UserPrincipalName -eq $CurrentRegOwner}
$CurrentOwnerRefObjectId
# Get the user object of the new owner
$NewOwnerRefObjectId = Get-AzureADUser -All $true | Where-Object {$_.UserPrincipalName -eq $NewRegOwner}
$NewOwnerRefObjectId
# Get the current registered owner(s) of the device
$GetRegCurrentOwner = Get-AzureADDeviceRegisteredOwner -ObjectId $Device.ObjectId
# Add the new owner to the device, where
#   -ObjectId    is the object ID of the device
#   -RefObjectId is the object ID of the user to add as registered owner
If ($GetRegCurrentOwner.UserPrincipalName -contains $NewOwnerRefObjectId.UserPrincipalName) {
    Write-Host "$NewRegOwner is already a registered owner of $($Device.DisplayName)" -ForegroundColor Red -BackgroundColor White
} Else {
    Write-Host "Adding $NewRegOwner as registered owner of $($Device.DisplayName)" -ForegroundColor Blue -BackgroundColor White
    $AddnewOwner = Add-AzureADDeviceRegisteredOwner -ObjectId $Device.ObjectId -RefObjectId $NewOwnerRefObjectId.ObjectId
}
# Remove the current owner from the device, where
#   -ObjectId is the object ID of the device
#   -OwnerId  is the object ID of the current registered owner
$Device = Get-AzureADDevice -SearchString $Device_Object
$Owner = Get-AzureADDeviceRegisteredOwner -ObjectId $Device.ObjectId
# -contains does an exact comparison; -match would treat the UPN as a regular expression
If ($Owner.UserPrincipalName -contains $CurrentRegOwner) {
    $RemCurrentOwner = Remove-AzureADDeviceRegisteredOwner -ObjectId $Device.ObjectId -OwnerId $CurrentOwnerRefObjectId.ObjectId
    Write-Host "Removed $CurrentRegOwner as registered owner of $($Device.DisplayName)" -ForegroundColor Red -BackgroundColor White
} Else {
    Write-Host "$CurrentRegOwner is not a registered owner of $($Device.DisplayName); nothing removed" -ForegroundColor Blue -BackgroundColor White
}
# Show the resulting registered owner(s)
Get-AzureADDeviceRegisteredOwner -ObjectId $Device.ObjectId