'Azure Active Directory: How to check device membership?

I'm trying to find a way to display all groups that an Intune device is a member of. I cannot find this function for the sake of my life. I don't see this fucntion under the Intune blade, nor the Azure Active Directory one. Is there any other way to see group memberships of a device?

PS: devices are managed via Intune and Azure AD only joined.

Tried to find the information via Microsoft and Powershell.

Get-AzureADDeviceMembership doesn't exist

I expect an output to display groups that an AAD device is a member of.

azure-active-directoryintune


Solution 1:[1]

You can view the groups a device is a member of by searching for it from the Devices blade in Azure Active Directory.

enter image description here

Solution 2:[2]

I had the same problem and i was astonished that the Get-AzureADDeviceMembership cmdlet did not exists.

I used this as a work around:

Get-AzureADGroup -All 1 | ? {"COMPUTER_DISPLAY_NAME" -in (Get-AzureADGroupMember -ObjectId $_.ObjectId).DisplayName}

It works but is incredibly slow. So i also made a function which caches the groups and their member in a global variable. This functions runs instant from the second run since everything is cached. function:

function Get-AzureADDeviceMembership{
    [CmdletBinding()]
    Param(
        [string]$ComputerDisplayname,
        [switch]$UseCache
    )
    if(-not $Global:AzureAdGroupsWithMembers -or -not $UseCache){
        write-host "refreshing cache"
        $Global:AzureAdGroupsWithMembers = Get-AzureADGroup -All 1 | % {
            $members = Get-AzureADGroupMember -ObjectId $_.ObjectId
            $_ | Add-Member -MemberType NoteProperty -Name Members -Value $members
            $_
        }
    }
    $Global:AzureAdGroupsWithMembers | % {
        if($ComputerDisplayname -in ($_.Members | select -ExpandProperty DisplayName)){
            $_
        }
    } | select -Unique
}

use the function:

Connect-AzureAD    
Get-AzureADDeviceMembership -ComputerDisplayname "COMPUTER_DISPLAY_NAME" -UseCache

Solution 3:[3]

To add to Gerrit's answer, use -Filter groupTypes/any(c:c+ne+'Unified') with Get-AzureADGroup to filter out unified groups, as devices can't join them. This should speed up the query significantly.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Tweek
Solution 2
Solution 3 pl4nty

Related Questions

Synapse external table "Unauthorized"

How to redirect from VB.NET legacy web application login page to azure portal to validate azure ad with MFA

Receive a request when Azure AD User receive a call

Can I use SVG within a customized the Azure AD B2C user interface?

Connecting to Dynamics 365 TDS-enabled database with OLEDB Linked Server

How do I define the SignedOut page in Microsoft.Identity.Web?

Azure AD API request 401 Unauthorized

Using multiple authentication providers in C# .net core

Active directory check if user belongs to a group

Web API with Microsoft Identity Platform Authentication

azure ad authentication issue with razor handlers

How to open the file on browser instead of downloading in local that is stored in Azure Data lake Gen 2

Error - Intent filter for: BrowserTabActivity is missing. While using AzureAD MSAL Lilbary

Azure AD B2C - Supporting a daemon app along with B2C clients such as Web page and native mobile app

what is role of User did in Verifiable Credentials ? did:ion:username and when user did will generate?