Mike's MDM Blog

Automatically set Intune Primary User based on the logged on User

Searching for an easy solution to set the Intune Primary User automatically for a subset of devices? We have a simply solution for you.

In our case we needed a solution to automatically set the Primary User for our Intune managed VDI. The VMs were all automatically AzureAD Joined via a Windows Configuration Designer PPKG, these devices will initially have an empty EnrolledBy and PrimaryUser Field in Intune and make it pretty hard to search for a specific VM if you don’t know the Device Name and want to search via Username or UPN.

To automatically set the Primary User we are using the loggedonUser(s) filed that is populated via Graph API (Get managedDevice – Microsoft Graph beta | Microsoft Learn)

We are again using an Intune Automation Account to run our script on a regular basis. If you want to know more about how to create an Automation Account or how to assign Permissions to the Managed Identity that we will use here, check out my Blog Entry about automatic Autopilot Uploads: Automate Autopilot Uploads with Azure Automation Runbooks – Mike’s MDM Blog (mikemdm.de)

For our Primary User Script we will need the following GraphAPI Permission assigned to our managed Identity:
– DeviceManagementManagedDevices.ReadWrite.All

The Script itself if again hosted on my GitHub: Scripts/Set-PrimaryUser.ps1 at main · mmeierm/Scripts (github.com)
You can pretty much simply copy paste the script to a fresh Runbook and just have to edit the way, how to detect the subset of devices that should be checked. In the script i’m searching for devices which device names starts with “VM-“. A search query to search for all Hyper-V VMs is also presented but commented out:

Posted

in

by

mmeierm

Tags:

Comments

9 responses to “Automatically set Intune Primary User based on the logged on User”

  1. SAMEER

    Hi Mike,
    The script looks great. Im an intune admin and have a task to change the primary user based on the last logged on user.

    I dont have much exp with Intune related PS scripting.

    Would you be kind enough to help me out with the exact process execute the script to update the primary user.

    Reply
    1. mmeierm

      Hi,
      thanks that you like my solution.
      I would create an Azure Autmation Account in a Azure Subscription like described in this Blog: https://mikemdm.de/2023/04/02/user-driven-device-group-membership/
      Once you have the Automation Account ready, use the linked Script from Github, modify line 19 of the script to match which devices should be modified, in my example only devices were modified that had a Device Name thats starts with “VM-“, if you want to modify all devices you can also run it without filter, which will look something like this

      $uri = “https://graph.microsoft.com/beta/deviceManagement/managedDevices?`$select=id,usersLoggedOn”

      After you have to assign the needed permission (DeviceManagementManagedDevices.ReadWrite.All) to the Managed Identity using for example the Script from the User-driven Groupmembership here, just modify the line 5 to use the correct permission and delete line 6, 11 and 14, since you only need one permission for this task.

      Let me know, if this helps you or if you need to add more details in my blog at a specific point

      Reply
  2. Ramees

    Thanks alot for this and I have been looking for this along :). It will be better for me if I can filter the autopilot enrolled devices as i have mobile devices, and personal devices under the managed, it’s giving little hard time 🙂

    Would you be kind to help apply this only for the autopilot enrolled devices

    Reply
    1. mmeierm

      Depending on your design, you can choose different options to filter the devices that you want to target. If you are using a Device Name Template in your Autopilot Enrollment Profile, you can target for this in line 19 of the script.

      If you can’t use a Device Name, you can use multiple filters to for example, filter for Corporte owned Windows devices:

      https://graph.microsoft.com/beta/deviceManagement/managedDevices?$filter=managedDeviceOwnerType eq ‘company’ and operatingSystem eq ‘Windows’

      In the Script line 19 could then look something like this:

      $uri = https://graph.microsoft.com/beta/deviceManagement/managedDevices?`$filter=managedDeviceOwnerType eq ‘company’ and operatingSystem eq ‘Windows’&`$select=id,usersLoggedOn

      Reply
      1. Guru8

        Hi Mike,

        The script is great.
        How can i modify the script to update devices without primary users as well. Currently, it is only updating devices with wrong primary users.

        Thanks

        Reply
        1. mmeierm

          Hi, the script should also add the primary user, this was basically my initaial goal, as my VDI Machines all came without Primary User.
          Can you check via graph explorer if the affected devices have the filed “usersLoggedOn” is filled? We are using this field to determine if and what we should set the primary user.

          https://learn.microsoft.com/graph/api/intune-devices-manageddevice-get?view=graph-rest-beta&WT.mc_id=317638

          Reply
  3. OP

    Hi Mike,
    we´ve followed the steps you described and we have come across an error 403 (forbidden) when running a script from runbook.
    Checking Device with LoggedonUser

    Got PrimaryUser of Device with ID Error : The remote server returned an error: (403) Forbidden.

    LoggedonUser is different from Primary User, setting Primary User

    Hence the primary user was successfully updated with logged-on user field.
    Could you please have a look and advise what´s the possible cause?

    Reply
    1. mmeierm

      Hi, i would suggest to check if the needed App permissions are assigned to the managed identity. Maybe also add “User.Read.All” Permission, I think it should not be needed, but it is worth a try.

      Reply
      1. OP

        Hi, it looks like this permission did the trick. Many thanx!

        Reply

Leave a Reply

Your email address will not be published. Required fields are marked *