Change device owner of an Azure AD joined device

If you join devices to Azure AD, you will see that each device has an owner: the user who joined the device to Azure AD, which is sometimes the administrator's account. That is why you may want to change the owner, which is unfortunately not possible via the Azure portal. But, as usual, you can easily do it via PowerShell.

The main commands you need are:

Get-AzureADDevice   # returns all devices
Get-AzureADUser     # returns all users
 
# add new device owner
Add-AzureADDeviceRegisteredOwner -ObjectId [DeviceObjectId] -RefObjectId [NewOwnerObjectId]
# remove previous device owner
Remove-AzureADDeviceRegisteredOwner -ObjectId [DeviceObjectId] -OwnerId [PreviousOwnerObjectId]

I created a simple script which has device name and new owner as input and simply does the job:

$deviceName = 'myDeviceName'   # configure device name
$newOwner = '[email protected]' # login name (UPN) of the new owner
 
Connect-AzureAD
 
# Get-AzureADDevice -All $true # if you want to list all devices
# Get-AzureADUser -All $true   # if you want to list all users
 
# -All $true is needed: without it only the first 100 objects are returned
$device = Get-AzureADDevice -All $true | where { $_.DisplayName -eq $deviceName }
$aduser = Get-AzureADUser -All $true | where { $_.UserPrincipalName -eq $newOwner }
if (-not $device) { throw "Device '$deviceName' not found" }
if (-not $aduser) { throw "User '$newOwner' not found" }
$oldowner = (Get-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId).ObjectId
 
"Change owner of device " + $device.DisplayName + " to " + $aduser.DisplayName
Add-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId -RefObjectId $aduser.ObjectId # add the new owner first
Remove-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId -OwnerId $oldowner         # then remove the previous owner
Get-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId                               # see the result
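The script above does the job for one device, but in a tenant with many objects and non-unique device names it is easy to pick the wrong device or to leave a device with no owner at all. The following function is an added example (not the original post's script) that wraps the same AzureAD cmdlets with validation, server-side filtering, support for several existing owners and -WhatIf dry runs, and can be run in bulk from a CSV. It assumes Connect-AzureAD has already succeeded with an account permitted to manage devices; the device names, UPNs and the owners.csv path are placeholders.

```powershell
# Added example: reassign the registered owner of an Azure AD device with checks.
# Uses only AzureAD module cmdlets already shown on this page. Device names, UPNs
# and the CSV path are placeholders, not values from the original post.

function Set-DeviceRegisteredOwner {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $DeviceName,
        [Parameter(Mandatory)] [string] $NewOwnerUpn
    )

    # Escape single quotes for the OData filter so a name containing ' cannot
    # break (or alter) the query string.
    $safeDevice = $DeviceName -replace "'", "''"
    $safeUpn    = $NewOwnerUpn -replace "'", "''"

    # Server-side filter instead of "Get-AzureADDevice | where", so the lookup
    # is not limited to the first 100 objects the cmdlet returns by default.
    $devices = @(Get-AzureADDevice -Filter "displayName eq '$safeDevice'")
    if ($devices.Count -eq 0) { throw "No device named '$DeviceName' found." }
    if ($devices.Count -gt 1) {
        # Display names are not unique; refuse to guess which device is meant.
        throw "Found $($devices.Count) devices named '$DeviceName'; use the ObjectId instead."
    }
    $device = $devices[0]

    $newOwner = Get-AzureADUser -Filter "userPrincipalName eq '$safeUpn'"
    if (-not $newOwner) { throw "No user with UPN '$NewOwnerUpn' found." }

    # A device can have several registered owners; capture all of them first.
    $oldOwners = @(Get-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId)

    if ($oldOwners.ObjectId -contains $newOwner.ObjectId) {
        Write-Verbose "$NewOwnerUpn is already a registered owner of $DeviceName"
    }
    elseif ($PSCmdlet.ShouldProcess($device.DisplayName, "Add owner $NewOwnerUpn")) {
        Add-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId -RefObjectId $newOwner.ObjectId
    }

    # Add first, remove afterwards, so the device is never left without an owner.
    foreach ($old in $oldOwners) {
        if ($old.ObjectId -eq $newOwner.ObjectId) { continue }
        if ($PSCmdlet.ShouldProcess($device.DisplayName, "Remove owner $($old.UserPrincipalName)")) {
            Remove-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId -OwnerId $old.ObjectId
        }
    }

    # Return the final owner list so the caller (or a change log) can verify it.
    Get-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId |
        Select-Object @{ n = 'Device'; e = { $device.DisplayName } }, UserPrincipalName, ObjectId
}

# Usage: dry run first with -WhatIf, then apply. Bulk run from a constructed
# owners.csv with the columns DeviceName,NewOwnerUpn (placeholder values).
Connect-AzureAD | Out-Null
Set-DeviceRegisteredOwner -DeviceName 'LAPTOP-0001' -NewOwnerUpn 'user@example.com' -WhatIf

Import-Csv .\owners.csv | ForEach-Object {
    Set-DeviceRegisteredOwner -DeviceName $_.DeviceName -NewOwnerUpn $_.NewOwnerUpn -Verbose
}
```

Because the function supports ShouldProcess, running it with -WhatIf prints every add and remove it would perform without touching the directory, which is the safest way to review a bulk reassignment before applying it. The returned owner list is also what you would keep as evidence of the change.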

It’s important to mention that this does not change the associated user in the Intune portal. This is a known issue and you can vote for it here: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/31356574-change-registereed-owner-for-corporate-owned-devic

Additional Information

Azure AD Device Powershell Commands: https://docs.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0#devices


12 Responses

  1. Hello,
    Great script but it seems not to work anymore, I changed these 2 lines:
    $device = Get-AzureADDevice | where { $_.DisplayName -eq $deviceName }
    $aduser = Get-AzureADUser | where { $_.UserPrincipalName -eq $newOwner }

    To:
    $device = Get-MSOLDevice -all | where { $_.DisplayName -eq $deviceName }
    $aduser = Get-MSOLUser | where { $_.UserPrincipalName -eq $newOwner }

    Don’t forget to execute a Connect-MSOLService

    • To get these commands to work, you must first install AzureAD in PowerShell:

      PS> Install-Module AzureAD -Force

      then

      PS> Connect-AzureAD

      And enter the tenant global admin credentials

      • #add new device owner:

        PS C:\Users\info\Desktop> Add-AzureADDeviceRegisteredOwner
        cmdlet Add-AzureADDeviceRegisteredOwner at command pipeline position 1
        Supply values for the following parameters:
        ObjectId: "Object ID of Device to be moved"
        RefObjectId: "Object ID of new Owner"

        #remove old device owner:

        PS C:\Users\info\Desktop> Remove-AzureADDeviceRegisteredOwner
        cmdlet Remove-AzureADDeviceRegisteredOwner at command pipeline position 1
        Supply values for the following parameters:
        ObjectId: "Object ID of Device to be moved"
        OwnerId: "Object ID of old Owner"

  2. Good morning, in the first case I get the following error:

    Get-AzureADDeviceRegisteredOwner : Cannot bind argument to parameter ‘ObjectId’ because it is null.
    At C:\Users\Desktop\Script.ps1:11 char:57
    + … (Get-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId).Object …
    + ~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Get-AzureADDeviceRegisteredOwner], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.Open.AzureAD16.PowerShell.GetDeviceRegisteredOwners

    if instead I use

    $device = Get-MSOLDevice -all | where { $_.DisplayName -eq $deviceName }
    $aduser = Get-MSOLUser | where { $_.UserPrincipalName -eq $newOwner }

    this error is generated

    WARNING: More results are available. Please specify one of the All or MaxResults parameters.
    Get-AzureADDeviceRegisteredOwner : Cannot bind argument to parameter ‘ObjectId’ because it is null.
    At C:\Users\Desktop\Script.ps1:11 char:57
    + … (Get-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId).Object …

    • Change following lines:

      $aduser = Get-AzureADUser | where { $_.UserPrincipalName -eq $newOwner }

      to

      $aduser = Get-AzureADUser -Filter "userPrincipalName eq '$newOwner'"

  3. Hey Armin,
    thanks for the hint and your script.

    Maybe you can add the information, that you can run this command also with hybrid joined devices, which saved my ass.

  4. So, it seems Microsoft have taken this design flaw/bug and used it to drive upgrades in their ecosystem. They have fixed this behaviour but only through the Intune UI. So, unless you have one of the premium services or a subscription that includes Intune you’re stuck messing around with scripts. This should be fixed for Azure AD and not just Intune!

  5. Works great, noting that with the amount of objects in my AAD, I had to add ‘-All $true’ to search through more than the first 100 objects.

    So…
    $device = Get-AzureADDevice -All $true | where { $_.DisplayName -eq $deviceName }
    $aduser = Get-AzureADUser -All $true | where { $_.UserPrincipalName -eq $newOwner }

Armin Reiter
Azure, Blockchain & IT-Security
Vienna, Austria
