The Graph API and Intune portal(s) give insight into device compliance status, but what about a local equivalent? How can we locally detect from e.g. a script on a Windows 10 laptop if the device is compliant or not?
Azure Pipelines and Azure Functions (and Automation Accounts) can have managed identities, in other words, a service principal. This service principal can be assigned to Azure AD roles (e.g. to modify users / devices) or graph / Azure RM resources. A service principal could even be a global admin, and Service Principals don’t have to do MFA…. 🙂
In both Pipelines and Functions the new Az module is enabled and logged into your tenant by default as the service principal, how cool would it be to use that identity to do those (hopefully few) things that are still only supported by e.g. the AzureAD module?
Here’s an example on getting tokens for Azure AD and for Graph, obviously you could also get tokens for other audiences the same way:
As there is no ARM feature in Azure yet to provision an automation runas account when provisioning automation accounts, I had to code something up to do this on the fly while we’re waiting for a Uservoice article to get prioritized.
Use my script in your pipeline to automatically provision a RunAs account. Note, the account credentials you use there should not be MFA protected or it will fail to log in.
When you swap a device by reimaging or reinstalling, the Hardware ID stays the same. This results in multiple Device Entries in Azure AD and causes issues with Conditional Access as Intune thinks the older version isn’t actually compliant even though Intune just has 1 record.
Most methods (such as Nicola’s) to combat this is by cleaning up stale devices in Azure AD based on their last Active Date. However, the downside of this method is that it may touch devices which weren’t duplicates, just dormant during, e.g. a vacation. Additionally, a bug in AzureAD can cause the older duplicate’s active date to be updated instead of the correct device.
The following script detects duplicates based on the Hardware ID and registration date instead and disables all but the most recent entry. It can supplement stale device removal based on Last Activity.