2

I'm trying to find a way to display all groups that an Intune device is a member of. I cannot find this function for the sake of my life. I don't see this function under the Intune blade, nor the Azure Active Directory one. Is there any other way to see group memberships of a device?

PS: devices are managed via Intune and Azure AD only joined.

Tried to find the information via Microsoft and PowerShell.

Get-AzureADDeviceMembership doesn't exist

I expect an output to display groups that an AAD device is a member of.

Braa
  • 35
  • 1
  • 8

3 Answers

1

You can view the groups a device is a member of by searching for it from the Devices blade in Azure Active Directory.


Tweek
  • 895
  • 6
  • 7
0

I had the same problem and I was astonished that the Get-AzureADDeviceMembership cmdlet did not exist.

I used this as a workaround:

# -All $true on both calls: by default only a first page of results is returned
Get-AzureADGroup -All $true | ? {"COMPUTER_DISPLAY_NAME" -in (Get-AzureADGroupMember -ObjectId $_.ObjectId -All $true).DisplayName}

It works but is incredibly slow. So I also made a function which caches the groups and their members in a global variable. This function runs instantly from the second run since everything is cached. Function:

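function Get-AzureADDeviceMembership{
    [CmdletBinding()]
    Param(
        [string]$ComputerDisplayname,
        [switch]$UseCache
    )
    # Rebuild the cache when it is empty or when -UseCache was not passed
    if(-not $Global:AzureAdGroupsWithMembers -or -not $UseCache){
        write-host "refreshing cache"
        $Global:AzureAdGroupsWithMembers = Get-AzureADGroup -All $true | % {
            # -All $true: without it only the first page of members is returned,
            # so devices in large groups would be missed
            $members = Get-AzureADGroupMember -ObjectId $_.ObjectId -All $true
            # Attach the member list to the group object itself
            $_ | Add-Member -MemberType NoteProperty -Name Members -Value $members
            $_
        }
    }
    # Emit every cached group whose members include the given display name
    $Global:AzureAdGroupsWithMembers | % {
        if($ComputerDisplayname -in ($_.Members | select -ExpandProperty DisplayName)){
            $_
        }
    } | select -Unique
}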

Use the function:

Connect-AzureAD
Get-AzureADDeviceMembership -ComputerDisplayname "COMPUTER_DISPLAY_NAME" -UseCache

Gerrit Geeraerts
  • 924
  • 1
  • 7
  • 14
0

To add to Gerrit's answer, use -Filter groupTypes/any(c:c+ne+'Unified') with Get-AzureADGroup to filter out unified groups, as devices can't join them. This should speed up the query significantly.

pl4nty
  • 66
  • 5
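
An added example, not code from any of the answers above: a variant of the cached lookup that keys on the device ObjectId instead of the display name (display names are not unique, and group membership is what policy and access assignments are scoped by) and also reports membership inherited through nested groups. It assumes the AzureAD module and an active Connect-AzureAD session; the function names Get-DeviceGroupIndex and Get-DeviceGroupMembership are hypothetical.

```powershell
# Added example; assumes the AzureAD module and an active Connect-AzureAD session.
# Function names are hypothetical, not cmdlets shipped with the module.

function Get-DeviceGroupIndex {
    # One pass over the tenant: member ObjectId -> groups that directly contain it.
    $index = @{}
    foreach ($group in Get-AzureADGroup -All $true) {
        # -All $true: without it only a first page of members comes back.
        foreach ($member in Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true) {
            # Only devices and nested groups matter for device membership.
            if ($member.ObjectType -notin 'Device', 'Group') { continue }
            if (-not $index.ContainsKey($member.ObjectId)) {
                $index[$member.ObjectId] = [System.Collections.Generic.List[object]]::new()
            }
            $index[$member.ObjectId].Add($group)
        }
    }
    $index
}

function Get-DeviceGroupMembership {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][hashtable]$Index
    )
    # -SearchString can return partial matches, so keep exact names only.
    # Several devices may share one name; each is reported under its own ObjectId.
    $devices = Get-AzureADDevice -SearchString $DisplayName | Where-Object DisplayName -eq $DisplayName
    foreach ($device in $devices) {
        $seen  = @{}
        $queue = [System.Collections.Generic.Queue[object]]::new()
        $queue.Enqueue(@{ Id = $device.ObjectId; Via = 'direct' })
        while ($queue.Count -gt 0) {
            $item = $queue.Dequeue()
            foreach ($group in $Index[$item.Id]) {
                if ($seen.ContainsKey($group.ObjectId)) { continue }   # also breaks nesting cycles
                $seen[$group.ObjectId] = $true
                [pscustomobject]@{
                    DeviceObjectId = $device.ObjectId
                    Group          = $group.DisplayName
                    GroupObjectId  = $group.ObjectId
                    Membership     = $item.Via
                }
                # Walk upward: groups that contain this group apply to the device too.
                $queue.Enqueue(@{ Id = $group.ObjectId; Via = "nested via $($group.DisplayName)" })
            }
        }
    }
}

$index = Get-DeviceGroupIndex          # slow; build once per session and reuse
Get-DeviceGroupMembership -DisplayName 'COMPUTER_DISPLAY_NAME' -Index $index
```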