Setting Azure AD Device Attribute Using PowerShell Script: An In-Depth Guide

Introduction

Managing and organizing devices within an Azure Active Directory (AAD) environment is crucial for effective administration. Azure AD offers a variety of built-in device attributes, including extensionAttributes 1-15, that provide valuable device metadata. However, there are times when custom attributes are needed to enhance device management capabilities. In this blog post, we will delve into the process of setting an Azure AD device attribute using a PowerShell script. By following the steps outlined, you will gain the ability to customize device attributes, including the extensionAttributes 1-15, to suit your specific requirements.

Understanding Azure AD Device Attributes

Azure AD provides a range of predefined device attributes, such as device ID, display name, device type, operating system, and more. These attributes offer valuable insights into device metadata and are readily available for device management purposes. In addition to these built-in attributes, Azure AD also includes extensionAttributes 1-15.

The extensionAttributes 1-15 are a set of customizable attributes that allow you to extend the default device metadata. They provide a flexible way to add custom fields and capture additional information about your devices. These attributes are particularly useful when you require specific device categorization or when you want to store organization-specific data.

[Screenshot: Graph Explorer (Try Microsoft Graph APIs – Microsoft Graph)]

Importance of Custom Device Attributes

Setting custom device attributes in Azure AD allows for the expansion of default device metadata, creating a more refined classification system. By assigning custom attributes, devices can be easily filtered and managed based on specific criteria. This level of device categorization improves device inventory management, reporting, and streamlines administrative tasks.

Using PowerShell to Set Azure AD Device Attributes

PowerShell provides a robust framework for managing Azure AD devices programmatically. With it you can write a script that calls the Azure AD Graph API or the Microsoft Graph API to set custom device attributes, including extensionAttributes 1-15; the script in this post uses the Microsoft Graph PowerShell SDK against the Microsoft Graph beta /devices endpoint. These APIs expose methods to modify device attributes, giving you full control over device management processes.

Steps to Set Azure AD Device Attribute via PowerShell

  1. Define the required variables
PowerShell
$ExtensionAttributeName = 'extensionAttribute1' # choose from extensionAttribute1 - extensionAttribute15
$ExtensionAttributeValue = 'Test123'
  2. Import the required modules
PowerShell
try{
    Import-Module Microsoft.Graph.Identity.DirectoryManagement -ErrorAction Stop
}
catch{
    "Error was $_"
    $line = $_.InvocationInfo.ScriptLineNumber
    "Error was in Line $line"
}
  3. Connect to Azure AD: Begin by establishing a connection to your Azure AD environment using Connect-MgGraph.
PowerShell
try{
    Connect-mgGraph -Scopes Device.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All -ErrorAction Stop
}
catch{
    "Error was $_"
    $line = $_.InvocationInfo.ScriptLineNumber
    "Error was in Line $line"
}
  4. Identify the Target Device: Utilize filters or search criteria to pinpoint the specific device(s) for which you wish to set custom attributes.
PowerShell
try{
    # -ErrorAction Stop is required; without it a failed lookup does not reach the catch block
    $AzureADJoinedDevice = Get-MgDevice -DeviceId '<Object ID of the Device>' -ErrorAction Stop
}
catch{
    "Error was $_"
    $line = $_.InvocationInfo.ScriptLineNumber
    "Error was in Line $line"
}

You can find the Object ID of the device in Azure AD.

  5. Modify Device Attribute: Access the device object using PowerShell commands and update the desired attribute(s) with the desired value(s).
PowerShell
$uri = "https://graph.microsoft.com/beta/devices/" + $AzureADJoinedDevice.id

# only the named attribute is sent; the other extensionAttributes are left untouched
$json = @{
    "extensionAttributes" = @{
        $ExtensionAttributeName = $ExtensionAttributeValue
    }
} | ConvertTo-Json

try{
    Invoke-MgGraphRequest -Uri $uri -Body $json -Method PATCH -ContentType "application/json" -ErrorAction Stop
}
catch{
    "Error was $_"
    $line = $_.InvocationInfo.ScriptLineNumber
    "Error was in Line $line"
}
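The five steps above, folded into a hardened version as an added example (not code from the original post or from the linked script): the attribute name is validated against the extensionAttribute1-15 range, the write is wrapped in -WhatIf support, and the value is read back after the PATCH instead of trusting the empty 204 response. A second function shows the filtering the post promises, since querying extensionAttributes is an advanced query that needs ConsistencyLevel eventual and $count. It assumes Connect-MgGraph has already run with a scope that permits device updates, and that Get-MgDevice exposes -ConsistencyLevel and -CountVariable (both exist in the Microsoft.Graph SDK; the function names are my own).

```powershell
function Set-DeviceExtensionAttribute {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $DeviceObjectId,
        # reject anything outside extensionAttribute1..15 before touching Graph
        [Parameter(Mandatory)] [ValidatePattern('^extensionAttribute([1-9]|1[0-5])$')]
        [string] $Name,
        [Parameter(Mandatory)] [string] $Value
    )

    # fail early if the object id does not resolve (typo, deleted device)
    $device = Get-MgDevice -DeviceId $DeviceObjectId -ErrorAction Stop

    # only the named attribute is sent; the other 14 stay as they are
    $body = @{ extensionAttributes = @{ $Name = $Value } } | ConvertTo-Json -Depth 3
    $uri  = "https://graph.microsoft.com/beta/devices/$($device.Id)"

    if ($PSCmdlet.ShouldProcess($device.DisplayName, "set $Name = '$Value'")) {
        Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json' -ErrorAction Stop

        # read the attribute back rather than trusting the 204 No Content reply
        $check  = Invoke-MgGraphRequest -Method GET -Uri ($uri + '?$select=id,displayName,extensionAttributes') -ErrorAction Stop
        $actual = $check.extensionAttributes.$Name
        if ($actual -ne $Value) {
            throw "Verification failed: $Name on '$($device.DisplayName)' is '$actual', expected '$Value'"
        }
        [pscustomobject]@{ DeviceId = $device.Id; DisplayName = $device.DisplayName; Attribute = $Name; Value = $actual }
    }
}

# list every device carrying a given value, e.g. for an inventory or reporting view
function Get-DevicesByExtensionAttribute {
    param(
        [Parameter(Mandatory)] [ValidatePattern('^extensionAttribute([1-9]|1[0-5])$')] [string] $Name,
        [Parameter(Mandatory)] [string] $Value
    )
    $escaped = $Value -replace "'", "''"   # escape single quotes for the OData filter literal
    Get-MgDevice -Filter "extensionAttributes/$Name eq '$escaped'" -ConsistencyLevel eventual -CountVariable count -All |
        Select-Object Id, DisplayName, OperatingSystem
}

# usage (placeholder object id); drop -WhatIf to actually write the value
# Set-DeviceExtensionAttribute -DeviceObjectId '<Object ID of the Device>' -Name extensionAttribute1 -Value 'Test123' -WhatIf
# Get-DevicesByExtensionAttribute -Name extensionAttribute1 -Value 'Test123'
```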

The complete script can look like this:

PowerShell
# define variables
$ExtensionAttributeName = 'extensionAttribute1' # choose from extensionAttribute1 - extensionAttribute15
$ExtensionAttributeValue = 'Test123'
$DeviceId = '<Object ID of the Device>' # placeholder: the device's Object ID from Azure AD

# import modules
try{
    Import-Module Microsoft.Graph.Identity.DirectoryManagement -ErrorAction Stop
}
catch{
    "Error was $_"
    $line = $_.InvocationInfo.ScriptLineNumber
    "Error was in Line $line"
    exit 1 # nothing below can work without the module
}

# connect to GraphApi
# access rights to connect
try{
    Connect-MgGraph -Scopes Device.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All -ErrorAction Stop
}
catch{
    "Error was $_"
    $line = $_.InvocationInfo.ScriptLineNumber
    "Error was in Line $line"
    exit 1
}

# get the device obj (-ErrorAction Stop so a failed lookup reaches the catch block)
try{
    $AzureADJoinedDevice = Get-MgDevice -DeviceId $DeviceId -ErrorAction Stop
}
catch{
    "Error was $_"
    $line = $_.InvocationInfo.ScriptLineNumber
    "Error was in Line $line"
    exit 1 # do not PATCH an empty device URI
}

# create json
$uri = "https://graph.microsoft.com/beta/devices/" + $AzureADJoinedDevice.id

$json = @{
    "extensionAttributes" = @{
        $ExtensionAttributeName = $ExtensionAttributeValue
    }
} | ConvertTo-Json

# invoke Graph API request
try{
    Invoke-MgGraphRequest -Uri $uri -Body $json -Method PATCH -ContentType "application/json" -ErrorAction Stop
}
catch{
    "Error was $_"
    $line = $_.InvocationInfo.ScriptLineNumber
    "Error was in Line $line"
    exit 1
}

Set-ExtensionAttributeOnDevice.ps1 (github.com)

Required permissions

To run the Connect-MgGraph cmdlet with the scopes used above, you will need the following access rights:

  1. Device.Read.All: This scope allows you to read all device objects in the directory, including their properties and relationships.
  2. Directory.ReadWrite.All: This scope grants you read and write access to directory objects, enabling you to view and modify directory data, including user and group information.
  3. Directory.AccessAsUser.All: This scope allows you to access the directory as the signed-in user, which means you can perform actions on behalf of the user, such as reading and writing their profile information or sending emails.

Ensure that the appropriate permissions and roles are assigned to your account in Azure Active Directory (Azure AD) so that Microsoft Graph grants these scopes. Note that Directory.ReadWrite.All and Directory.AccessAsUser.All are broad, directory-wide scopes, so review the consent prompt and use an account that is meant to hold such rights.

Conclusion

Setting custom device attributes in Azure AD, including the extensionAttributes 1-15, is a powerful technique for refining device management workflows. By following the steps outlined in this blog post and utilizing PowerShell, you can easily set custom attributes on Azure AD devices, enabling efficient categorization, filtering, and reporting. Embrace the flexibility and extensibility offered by Azure AD and PowerShell to tailor your device management processes to meet your organization’s unique requirements, including the ability to leverage the extensionAttributes 1-15 to capture and utilize additional device information.
