Test-AutopilotAzureADDeviceAssociation.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
<#PSScriptInfo
.VERSION 1.0.0
.GUID c30dcb72-e391-49ae-ad06-e5438b8c72a1
.AUTHOR NickolajA
.DESCRIPTION Validate that the configured Azure AD device record for all Autopilot device identities exist in Azure AD.
.COMPANYNAME MSEndpointMgr
.COPYRIGHT
.TAGS AzureAD Autopilot Windows Intune
.LICENSEURI
.PROJECTURI https://github.com/MSEndpointMgr/Intune/blob/master/Autopilot/Test-AutopilotAzureADDeviceAssociation.ps1
.ICONURI
.EXTERNALMODULEDEPENDENCIES
.REQUIREDSCRIPTS
.EXTERNALSCRIPTDEPENDENCIES
.RELEASENOTES
#>

#Requires -Module MSGraphRequest
#Requires -Module MSAL.PS
<#
.SYNOPSIS
    Validate that the configured Azure AD device record for all Autopilot device identities exist in Azure AD.
 
.DESCRIPTION
    This script will retrieve all Autopilot identities and foreach validate if the given Azure AD device record that's
    currently associated actually exist in Azure AD.
 
.PARAMETER TenantID
    Specify the tenant name or ID, e.g. tenant.onmicrosoft.com or <GUID>.
 
.EXAMPLE
    .\Test-AutopilotAzureADDeviceAssociation.ps1 -TenantID "tenantname.onmicrosoft.com"
 
.NOTES
    FileName: Test-AutopilotAzureADDeviceAssociation.ps1
    Author: Nickolaj Andersen
    Contact: @NickolajA
    Created: 2021-05-06
    Updated: 2021-05-06
 
    Version history:
    1.0.0 - (2021-05-06) Script created
#>

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [parameter(Mandatory = $true, HelpMessage = "Specify the tenant name or ID, e.g. tenant.onmicrosoft.com or <GUID>.")]
    [ValidateNotNullOrEmpty()]
    [string]$TenantID
)
Process {
    # Functions
    function Get-AutopilotDevice {
        <#
        .SYNOPSIS
            Retrieve all Autopilot device identities.
             
        .DESCRIPTION
            Retrieve all Autopilot device identities.
             
        .NOTES
            Author: Nickolaj Andersen
            Contact: @NickolajA
            Created: 2021-01-27
            Updated: 2021-01-27
 
            Version history:
            1.0.0 - (2021-01-27) Function created
        #>
    
        Process {
            # Retrieve all Windows Autopilot device identities
            $ResourceURI = "deviceManagement/windowsAutopilotDeviceIdentities"
            $GraphResponse = Invoke-MSGraphOperation -Get -APIVersion "Beta" -Resource $ResourceURI

            # Handle return response
            return $GraphResponse
        }
    }

    function Get-AzureADDeviceRecord {
        <#
        .SYNOPSIS
            Retrieve an Azure AD device record.
             
        .DESCRIPTION
            Retrieve an Azure AD device record.
 
        .PARAMETER DeviceId
            Specify the Device ID of the Azure AD device record.
             
        .NOTES
            Author: Nickolaj Andersen
            Contact: @NickolajA
            Created: 2021-05-05
            Updated: 2021-05-05
 
            Version history:
            1.0.0 - (2021-05-05) Function created
        #>
 
        param(
            [parameter(Mandatory = $true, HelpMessage = "Specify the Device ID of the Azure AD device record.")]
            [ValidateNotNullOrEmpty()]
            [string]$DeviceId
        )   
        Process {
            # Retrieve all Windows Autopilot device identities
            $ResourceURI = "devices?`$filter=deviceId eq '$($DeviceId)'"
            $GraphResponse = (Invoke-MSGraphOperation -Get -APIVersion "v1.0" -Resource $ResourceURI).value

            # Handle return response
            return $GraphResponse
        }
    }

    # Get access token
    $AccessToken = Get-AccessToken -TenantID $TenantID

    # Construct array list for all Autopilot device identities with broken associations
    $AutopilotDeviceList = New-Object -TypeName "System.Collections.ArrayList"

    # Gather Autopilot device details
    Write-Verbose -Message "Attempting to retrieve all Autopilot device identities, this could take some time"
    $AutopilotDevices = Get-AutopilotDevice

    # Measure detected Autopilot identities count
    $AutopilotIdentitiesCount = ($AutopilotDevices | Measure-Object).Count

    if ($AutopilotDevices -ne $null) {
        Write-Verbose -Message "Detected count of Autopilot identities: $($AutopilotIdentitiesCount)"

        # Construct and start a timer for output
        $Timer = [System.Diagnostics.Stopwatch]::StartNew()
        $AutopilotIdentitiesCurrentCount = 0
        $SecondsCount = 0

        # Process each Autopilot device identity
        foreach ($AutopilotDevice in $AutopilotDevices) {
            # Increase current progress count
            $AutopilotIdentitiesCurrentCount++

            # Handle output count for progress visibility
            if ([math]::Round($Timer.Elapsed.TotalSeconds) -gt ($SecondsCount + 30)) {
                # Increase minutes count for next output frequence
                $SecondsCount = [math]::Round($Timer.Elapsed.TotalSeconds)

                # Write output every 30 seconds
                Write-Verbose -Message "Elapsed time: $($Timer.Elapsed.Hours) hour $($Timer.Elapsed.Minutes) min $($Timer.Elapsed.Seconds) seconds"
                Write-Verbose -Message "Progress count: $($AutopilotIdentitiesCurrentCount) / $($AutopilotIdentitiesCount)"
                Write-Verbose -Message "Detected devices: $($AutopilotDeviceList.Count)"
            }

            # Handle access token refresh if required
            $AccessTokenRenew = Test-AccessToken
            if ($AccessTokenRenew -eq $false) {
                $AccessToken = Get-AccessToken -TenantID $TenantID -Refresh
            }

            # Get Azure AD device record for associated device based on what's set for the Autopilot identity
            $AzureADDevice = Get-AzureADDeviceRecord -DeviceId $AutopilotDevice.azureAdDeviceId
            if ($AzureADDevice -eq $null) {
                # Construct custom object for output
                $PSObject = [PSCustomObject]@{
                    Id = $AutopilotDevice.id
                    SerialNumber = $AutopilotDevice.serialNumber
                    Model = $AutopilotDevice.model
                    Manufacturer = $AutopilotDevice.manufacturer
                }
                $AutopilotDeviceList.Add($PSObject) | Out-Null
            }
        }

        # Handle output at script completion
        Write-Verbose -Message "Successfully detected a total of '$($AutopilotDeviceList.Count)' Autopilot identities with a broken Azure AD device association"
        Write-Output -InputObject $AutopilotDeviceList
    }
    else {
        Write-Warning -Message "Could not detect any Autopilot device identities"
    }
}