Manage devices
Microsoft Entra PowerShell offers powerful cmdlets for managing device identities and monitoring related events. Effective device management is essential for maintaining security, ensuring compliance, and supporting smooth operations within an organization.
With Microsoft Entra PowerShell, you can add, update, and remove devices as needed, as well as retrieve device information, view detailed device data, and manage device settings. This article provides a comprehensive guide to managing devices using Microsoft Entra PowerShell.
In this article, you learn how to effectively manage device identities and settings using Microsoft Entra PowerShell. It covers tasks such as viewing, filtering, enabling, disabling, and deleting devices, and exporting device data.
Prerequisites
To manage devices with Microsoft Entra PowerShell, you need:
- A Microsoft Entra user account. If you don't have one, you can create an account for free.
- One of the following roles:
- Cloud Device Administrator (read and modify)
- Intune Administrator (read only)
- Windows 365 Administrator (read only)
- Microsoft Entra PowerShell module installed. Follow the Install the Microsoft Entra PowerShell module guide to install the module.
View and filter your devices
Use Microsoft Entra PowerShell to filter the device list by the following attributes:
Device ID, Display Name, Enabled State, Compliance State, Join Type, Activity Timestamp, OS Type, OS Version, Device Type, MDM, Autopilot, Extension Attributes, Administrative Unit, Owner, Manufacturer, Model, and Serial Number.
View all devices
To view all devices, use the following cmdlet:
Connect-Entra -Scopes 'Device.Read.All'
Get-EntraDevice -All | Select-Object AccountEnabled, DeviceId, OperatingSystem, ApproximateLastSignInDateTime, DisplayName | ft
AccountEnabled DeviceId OperatingSystem ApproximateLastSignInDateTime DisplayName
-------------- -------- --------------- ----------------------------- -----------
True aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb Windows 10/16/2024 4:53:46 PM devicesTest2
True bbbbbbbb-1111-2222-3333-cccccccccccc Windows 10/15/2024 4:11:33 PM LAPTOP-2222
True cccccccc-4444-5555-6666-dddddddddddd Windows 9/13/2024 5:46:08 PM AdminTest
True dddddddd-5555-6666-7777-eeeeeeeeeeee Windows 10/15/2024 8:28:18 PM DESKTOP-1111
Get a device by ID
To retrieve a specific device by its ID, use:
Connect-Entra -Scopes 'Device.Read.All'
Get-EntraDevice -ObjectId 'bbbbbbbb-1111-2222-3333-cccccccccccc'
DeletedDateTime Id AccountEnabled ApproximateLastSignInDateTime ComplianceExpirationDateTime DeviceCategory DeviceId DeviceMetadata DeviceOwnership
--------------- -- -------------- ----------------------------- ---------------------------- -------------- -------- -------------- --------------
aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb False 10/2/2024 10:26:38 AM eeeeeeee-5555-6666-7777-ffffffffffff
Get a device by display name
To find devices by display name, use:
Connect-Entra -Scopes 'Device.Read.All'
Get-EntraDevice -Filter "startsWith(DisplayName,'Woodgrove')"
DeletedDateTime Id AccountEnabled ApproximateLastSignInDateTime ComplianceExpirationDateTime DeviceCategory DeviceId DeviceMetadata DeviceOwnershi
p
--------------- -- -------------- ----------------------------- ---------------------------- -------------- -------- -------------- --------------
aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb True 10/1/2024 4:11:35 PM gggggggg-6666-7777-8888-hhhhhhhhhhhh
bbbbbbbb-1111-2222-3333-cccccccccccc False 10/2/2024 10:26:38 AM hhhhhhhh-7777-8888-9999-iiiiiiiiiiii
This example demonstrates how to retrieve all devices whose display name starts with "Woodgrove".
Get the number of devices grouped by Join Type
To find out all the types of devices joined to your directory using Microsoft Entra PowerShell, you can use the Get-EntraDevice cmdlet and group the results by the TrustType property.
Connect-Entra -Scopes 'Device.Read.All'
Get-EntraDevice -All | Group-Object -Property TrustType | Select-Object Name, Count
Get-EntraDevice -All: Retrieves all devices in your directory.Group-Object -Property TrustType: Groups the devices by theTrustTypeproperty, which indicates the type of join, for example, Microsoft Entra joined and Hybrid Microsoft Entra joined.Select-Object Name, Count: Selects the name of each group (the type of join) and the count of devices in each group.Join typerefers to how a device is connected, such as Microsoft Entra joined, Hybrid Microsoft Entra joined, and other types.
This example demonstrates how to retrieve the number of devices for each device type.
Name Count
---- -----
14
EntraID 66
ServerAd 18
Workplace 393
List duplicate devices
Connect-Entra -Scopes 'Device.Read.All'
Get-EntraDevice -All -Select DisplayName, OperatingSystem |
Group-Object DisplayName |
Where-Object { $_.Count -gt 1 } |
Select-Object Name, @{Name = "OperatingSystem"; Expression = { ($_.Group | Select-Object -First 1).OperatingSystem } }, Count | Sort-Object Count -Descending |
Format-Table Name, OperatingSystem, Count -AutoSize
The output lists duplicate devices by display name, operating system, and count.
Name OperatingSystem Count
---- --------------- -----
iPhone iOS 175
samsungSM-S928B Android 15
woodgrove-win11-client Windows 2
Search devices
Retrive specific device using
DeviceIdConnect-Entra -Scopes 'Device.Read.All' Get-EntraDevice -Filter "DeviceId eq 'dddddddd-5555-6666-7777-eeeeeeeeeeee'" | Select-Object Id, AccountEnabled,DeviceId, DisplayNameThe output shows device details based on a
DeviceIdsearch.Id AccountEnabled DeviceId DisplayName -- -------------- -------- ----------- aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb True dddddddd-5555-6666-7777-eeeeeeeeeeee ADFS DeviceList non-compliant devices
Connect-Entra -Scopes 'Device.Read.All' Get-EntraDevice -Filter "isCompliant eq false" | Select-Object Id, isCompliant,DeviceId, DisplayNameThe output lists non-compliant devices.
Id IsCompliant DeviceId DisplayName -- ----------- -------- ----------- aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb False gggggggg-6666-7777-8888-hhhhhhhhhhhh ADFS Device bbbbbbbb-1111-2222-3333-cccccccccccc False hhhhhhhh-7777-8888-9999-iiiiiiiiiiii Woodgrove DeviceList jail broken devices
Connect-Entra -Scopes 'Device.Read.All' Get-EntraDevice -All | Where-Object { $_.isRooted -eq $true } | Select-Object Id, IsRooted,DeviceId, DisplayNameThe output lists jail broken devices.
Id IsRooted DeviceId DisplayName -- -------- -------- ----------- aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb True gggggggg-6666-7777-8888-hhhhhhhhhhhh ADFS DeviceList managed devices
Connect-Entra -Scopes 'Device.Read.All' Get-EntraDevice -Filter "isManaged eq true" | Select-Object Id, isManaged,DeviceId, DisplayNameThe output lists managed devices.
Id IsManaged DeviceId DisplayName -- --------- -------- ----------- aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb True gggggggg-6666-7777-8888-hhhhhhhhhhhh ADFS Device bbbbbbbb-1111-2222-3333-cccccccccccc True hhhhhhhh-7777-8888-9999-iiiiiiiiiiii Woodgrove DeviceList enabled devices
Connect-Entra -Scopes 'Device.Read.All' Get-EntraDevice -Filter "accountEnabled eq true" -All | Select-Object Id, AccountEnabled,DeviceId, DisplayNameThe output lists enabled devices.
Id AccountEnabled DeviceId DisplayName -- -------------- -------- ----------- aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb True gggggggg-6666-7777-8888-hhhhhhhhhhhh ADFS Device bbbbbbbb-1111-2222-3333-cccccccccccc True hhhhhhhh-7777-8888-9999-iiiiiiiiiiii Woodgrove DeviceList devices with specific operating system and version
Connect-Entra -Scopes 'Device.Read.All' Get-EntraDevice -Filter "operatingSystem eq 'Windows Server' and operatingSystemVersion eq '10.0.20348.3091'" | Select-Object Id, AccountEnabled,DeviceId, DisplayName, operatingSystem, operatingSystemVersion | Format-Table -AutoSizeThe output shows user details based on a
operatingSystemandoperatingSystemVersionsearch.Id AccountEnabled DeviceId DisplayName OperatingSystem OperatingSystemVersion -- -------------- -------- ----------- --------------- ---------------------- aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb True gggggggg-6666-7777-8888-hhhhhhhhhhhh ADFS Device Windows Server 10.0.20348.3091 bbbbbbbb-1111-2222-3333-cccccccccccc True hhhhhhhh-7777-8888-9999-iiiiiiiiiiii Woodgrove Device Windows Server 10.0.20348.3091
Enable or disable a Microsoft Entra device
To enable or disable a device, use the Set-EntraDevice cmdlet and set the -AccountEnabled property to true (enable) or false (disable).
Important
- You must be an Intune Administrator or Cloud Device Administrator to enable or disable a device.
- Disabling a device prevents it from authenticating via Microsoft Entra ID, accessing resources protected by device-based Conditional Access, and using Windows Hello for Business credentials.
- Disabling a device revokes the Primary Refresh Token (PRT) and any refresh tokens on the device.
- Printers can't be enabled or disabled in Microsoft Entra ID.
To enable a device, run the following cmdlet:
Connect-Entra -Scopes 'Device.ReadWrite.All'
Set-EntraDevice -ObjectId 'aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb' -AccountEnabled $true
Delete a Microsoft Entra device
To maintain a clean and secure environment, delete devices that are no longer in use. If a device is managed by another system, such as Microsoft Intune, ensure you wipe or retire it before deleting. See How to manage stale devices before you delete a device.
Important
- You must be a Cloud Device Administrator, Intune Administrator, or Windows 365 Administrator to delete a device.
- Printers can't be deleted before they're deleted from Universal Print.
- Windows Autopilot devices can't be deleted before they're deleted from Intune.
- Deleting a device:
- Prevents it from accessing your Microsoft Entra resources.
- Removes all details attached to the device, such as BitLocker keys for Windows devices.
- Is a nonrecoverable activity. We don't recommend it unless it's required.
Connect-Entra -Scopes 'Device.ReadWrite.All'
$Device = Get-EntraDevice -Filter "DisplayName eq 'Woodgrove Desktop'"
Remove-EntraDevice -ObjectId $Device.ObjectId
Export devices
Cloud Device Administrators and Intune Administrators can export a CSV file listing devices. You can apply filters to refine the list of devices. If no filters are applied, all devices are included. The export task might take up to an hour to complete, depending on your selections. If the export task exceeds 1 hour, it fails, and no file is output.
The exported list includes these device identity attributes:
displayName,accountEnabled,operatingSystem,operatingSystemVersion,joinType (trustType),registeredOwners,userNames,mdmDisplayName,isCompliant,registrationTime,approximateLastSignInDateTime,deviceId,isManaged,objectId,profileType,systemLabels,model
The following filters can be applied for the export task:
- Enabled state
- Compliant state
- Join type
- Activity timestamp
- OS type
- Device type
Export all devices
To retrieve all devices and save the data to a CSV file, use the following cmdlet:
Get-EntraDevice -All `
| Select-Object -Property AccountEnabled, DeviceId, OperatingSystem, OperatingSystemVersion, DisplayName, TrustType, ApproximateLastSignInDateTime `
| Export-Csv "$env:UserProfile\Downloads\deviceList.csv" -NoTypeInformation
Ensure to replace $env:UserProfile with the path where you want to save the file based on your environment. This example saves the CSV file directly to your Downloads folder.
Related content
[Manage stale devices][stale-devices]