Difference between Intune device ID and Azure AD object ID.

IT administrators often face a recurring challenge: the User Principal Name (UPN) stored at the device level does not match the UPN shown for the device in the admin portal. The cause is how Intune structures its device objects. The device object carries several user-identification fields, and despite their names they do not all point at the same user; in particular, the device-level userPrincipalName does not necessarily indicate the primary user associated with the device.

Understanding this structure is necessary for IT admins who want to retrieve the primary user UPN accurately through PowerShell, because the value lives in a field whose name does not match the role one would expect from it.

This article provides clear guidance on how to correctly identify and manage the primary user UPN within the context of Intune device management. It also addresses common inquiries about modifying this field, offering practical insights to streamline administrative tasks and ensure coherence between device-level data and portal records.

Intune device objects, specifically instances of /deviceManagement/managedDevices (represented as #microsoft.graph.managedDevice in OData), serve as the core entities for managing devices enrolled in Intune.

Both Azure AD and Intune use an "id" attribute to uniquely identify objects, but they are different identifiers. The Azure AD id is the directory object ID of the device object, while the Intune id is the managed device ID within the Intune service. The Azure AD device object additionally carries a separate deviceId attribute; that is the value Intune stores on the managed device as azureADDeviceId, and it is the link between the two records.

An Intune device ID identifies an instance of /deviceManagement/managedDevices:

https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceID}

An Azure AD (Entra) object ID identifies an instance of /devices:

https://graph.microsoft.com/v1.0/devices/{Azure AD object ID}

Example 

The following three identifiers all belong to one and the same Intune managed device and show how the IDs relate:

  • Intune device ID: fd7d96b9-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  • Azure AD device ID: 722db708-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  • Azure AD object ID: 58d67143-xxxx-xxxx-xxxx-xxxxxxxxxxxx

The corresponding Azure AD object (addressed by object ID, not device ID): https://graph.microsoft.com/v1.0/devices/58d67143-xxxx-xxxx-xxxx-xxxxxxxxxxxx

The device's Intune URI (addressed by Intune device ID): https://graph.microsoft.com/beta/deviceManagement/managedDevices/fd7d96b9-xxxx-xxxx-xxxx-xxxxxxxxxxxx

  1. Azure AD Devices and Registered Owners:
  • Azure AD devices have an associated registeredOwners relationship.
  • It represents either the user who joined the device to Azure AD (for corporate-owned devices) or the user who registered their personal device (for BYOD scenarios).
  • Each device has only one registered owner.
  • The URI for the Azure AD registered owner is: https://graph.microsoft.com/v1.0/devices/58d67143-xxxx-xxxx-xxxx-xxxxxxxxxxxx/registeredOwners

2. Intune Primary User:

  • In the Intune service, managedDevice objects have an associated primary user, exposed as the users relationship of the managed device.
  • Additionally, there is an 'Enrolled by' attribute, which is the device-level userPrincipalName.
  • Each user object also has a users/{userId}/managedDevices relationship listing the devices associated with that user.

Retrieve the Intune device attributes (Intune PowerShell SDK, module Microsoft.Graph.Intune)

# get the full managed device object
Get-IntuneManagedDevice -managedDeviceId fd7d96b9-xxxx-xxxx-xxxx-xxxxxxxxxxxx

# get the device IDs: id is the Intune device ID, azureADDeviceId is the Azure AD deviceId attribute (not the object ID)
Get-IntuneManagedDevice -managedDeviceId fd7d96b9-xxxx-xxxx-xxxx-xxxxxxxxxxxx | Select-Object id, managedDeviceId, azureADDeviceId

# get the primary user: it is not on the device object, but one level deeper under /users
(Invoke-MSGraphRequest -HttpMethod GET -Url https://graph.microsoft.com/beta/deviceManagement/managedDevices/fd7d96b9-xxxx-xxxx-xxxx-xxxxxxxxxxxx/users).value.userPrincipalName

Azure AD PowerShell Cmdlets

The Azure AD device object can be queried by display name, (Azure AD) device ID, or object ID. The object ID is the one most commonly used. Note that the AzureAD module used below is deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK; the equivalent Graph calls are the /devices and /devices/{id}/registeredOwners URIs shown above.

# retrieve the Azure AD device attributes: objectid is the directory object ID, deviceid is the value Intune stores as azureADDeviceId
Get-AzureADDevice -Filter "displayName eq 'Testvm11-ENT-1'" | Select-Object displayName, objectId, deviceId, objectType

# get the registered owner from Azure AD
Get-AzureADDevice -Filter "displayName eq 'Testvm11-ENT-1'" | Get-AzureADDeviceRegisteredOwner

# get the registered user(s) of the Azure AD device
Get-AzureADDevice -Filter "displayName eq 'Testvm11-ENT-1'" | Get-AzureADDeviceRegisteredUser
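The following function is an added example and is not part of the original article. It walks from an Intune device ID to the Azure AD device object and back, and puts the three identifiers and all the UPNs attached to the device side by side, so a mismatch between the device-level ('Enrolled by') UPN and the primary user is visible at a glance. It assumes the Microsoft Graph PowerShell SDK is installed and that Connect-MgGraph has already been run with the DeviceManagementManagedDevices.Read.All, Device.Read.All and User.Read.All scopes; the function name and the output property names are my own.

```powershell
# Added example, not code from the original article.
# Assumes: Microsoft.Graph PowerShell SDK installed and an existing session, e.g.
#   Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All','Device.Read.All','User.Read.All'

function Get-DeviceIdentityReport {
    <#
    .SYNOPSIS
    Resolves an Intune managed device ID to its Azure AD device object and reports
    the Intune ID, Azure AD device ID, Azure AD object ID and every UPN tied to the device.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $ManagedDeviceId
    )

    # 1. Intune record: managedDevices/{id}. Its userPrincipalName is the 'Enrolled by' user.
    $intune = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$ManagedDeviceId" `
        -OutputType PSObject

    # 2. Primary user: one level deeper, under managedDevices/{id}/users. May be empty on shared devices.
    $primary = (Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$ManagedDeviceId/users" `
        -OutputType PSObject).value | Select-Object -First 1

    # 3. Azure AD record: azureADDeviceId is the deviceId attribute, so filter on deviceId.
    #    Using it as /devices/{id} would fail, because that path expects the object ID.
    $filter = [uri]::EscapeDataString("deviceId eq '$($intune.azureADDeviceId)'")
    $aad = (Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/devices?`$filter=$filter" `
        -OutputType PSObject).value | Select-Object -First 1

    # 4. Registered owner(s) of the Azure AD object, addressed by object ID.
    $owners = @()
    if ($aad) {
        $owners = (Invoke-MgGraphRequest -Method GET `
            -Uri "https://graph.microsoft.com/v1.0/devices/$($aad.id)/registeredOwners" `
            -OutputType PSObject).value
    }

    [pscustomobject]@{
        DeviceName       = $intune.deviceName
        IntuneDeviceId   = $intune.id                 # managedDevices/{id}
        AzureADDeviceId  = $intune.azureADDeviceId    # devices?$filter=deviceId eq '...'
        AzureADObjectId  = $aad.id                    # devices/{id}
        EnrolledByUpn    = $intune.userPrincipalName  # device-level UPN
        PrimaryUserUpn   = $primary.userPrincipalName # $null when no primary user is set
        RegisteredOwners = (@($owners | ForEach-Object { $_.userPrincipalName }) -join ';')
        UpnMismatch      = ($null -ne $primary) -and ($primary.userPrincipalName -ne $intune.userPrincipalName)
    }
}

# Usage:
# Get-DeviceIdentityReport -ManagedDeviceId 'fd7d96b9-xxxx-xxxx-xxxx-xxxxxxxxxxxx' | Format-List
```

UpnMismatch is the condition the article opens with: the 'Enrolled by' UPN on the device object differs from the primary user returned by the /users relationship. Running the function over Get-MgDeviceManagementManagedDevice output, or over a list of IDs, gives the full picture for a tenant.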

Let's break down the key points about Intune and Azure AD device records:

  1. Relationship Between Intune and Azure AD:
    • Intune depends on Azure AD, and the two services are related: every Intune managed device corresponds to an Azure AD device object, linked through azureADDeviceId.
    • Azure AD serves as the identity foundation, and Intune builds upon it for device management.
  2. User Principal Name (UPN) Values in Intune:
    • In Intune, there are two UPN values associated with a device:
      • The userPrincipalName at the device level represents the 'Enrolled by' user.
      • The 'Primary user' account is found one level deeper, at managedDevices/{Device ID}/users.
  3. Display of Primary User and Enrolled By User:
    • Both the primary user and the enrolled by user are shown on the device Overview blade in Intune.
    • However, only the "primary user" value is displayed on the device Properties blade.
    • Note that the primary user attribute of an Intune device is optional; for shared or multi-user devices, the value may be blank.
  4. Changing Device Ownership (Primary User):
    • Because the primary user is a navigation property, it is changed with an HTTP POST to managedDevices/{managedDeviceId}/users/$ref whose JSON body contains an "@odata.id" pointing at the user object (https://graph.microsoft.com/beta/users/{userId}).
    • Directly editing the value (e.g., with an HTTP PATCH of userPrincipalName on the managedDevice) is not possible.
  5. Graph URIs for Records:
    • Graph URIs that begin with https://graph.microsoft.com/v1.0/devices correspond to Azure AD records.
    • Graph URIs that begin with https://graph.microsoft.com/v1.0/deviceManagement/managedDevices correspond to Intune records.
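The primary-user change from point 4 above, as an added example that is not part of the original article. It resolves the target UPN to a user object ID, POSTs the $ref, and then reads the /users relationship back instead of trusting the empty 204 response. It assumes the Microsoft Graph PowerShell SDK and a Connect-MgGraph session with the DeviceManagementManagedDevices.ReadWrite.All and User.Read.All scopes; the function name is mine.

```powershell
# Added example, not code from the original article.
# Assumes: Microsoft.Graph PowerShell SDK and an existing session, e.g.
#   Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All','User.Read.All'

function Set-IntunePrimaryUser {
    <#
    .SYNOPSIS
    Sets the Intune primary user of a managed device via POST .../users/$ref and verifies the result.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ManagedDeviceId,
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    $device = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$ManagedDeviceId"

    # The $ref body needs the user's object ID, so resolve the UPN first (also fails fast on a typo).
    $user = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/users/$($UserPrincipalName)?`$select=id,userPrincipalName" `
        -OutputType PSObject

    # Current primary user, for the audit trail and a no-op check.
    $before = (Invoke-MgGraphRequest -Method GET -Uri "$device/users" -OutputType PSObject).value |
        Select-Object -First 1
    if ($before -and $before.id -eq $user.id) {
        Write-Verbose "$UserPrincipalName is already the primary user of $ManagedDeviceId"
        return $before
    }

    # Primary user is a navigation property: it is set by posting a reference to the user,
    # not by PATCHing userPrincipalName on the managedDevice (that request is rejected).
    $body = @{ '@odata.id' = "https://graph.microsoft.com/beta/users/$($user.id)" } | ConvertTo-Json

    if ($PSCmdlet.ShouldProcess($ManagedDeviceId, "set primary user to $UserPrincipalName")) {
        Invoke-MgGraphRequest -Method POST -Uri "$device/users/`$ref" `
            -Body $body -ContentType 'application/json' | Out-Null

        # Verify by reading the relationship back rather than trusting the status code alone.
        $after = (Invoke-MgGraphRequest -Method GET -Uri "$device/users" -OutputType PSObject).value |
            Select-Object -First 1
        if (-not $after -or $after.id -ne $user.id) {
            throw "Primary user of $ManagedDeviceId did not change (currently '$($after.userPrincipalName)')"
        }
        Write-Verbose "Primary user changed from '$($before.userPrincipalName)' to '$($after.userPrincipalName)'"
        return $after
    }
}

# Usage (dry run first, then for real):
# Set-IntunePrimaryUser -ManagedDeviceId 'fd7d96b9-xxxx-xxxx-xxxx-xxxxxxxxxxxx' -UserPrincipalName 'user@contoso.com' -WhatIf
# Set-IntunePrimaryUser -ManagedDeviceId 'fd7d96b9-xxxx-xxxx-xxxx-xxxxxxxxxxxx' -UserPrincipalName 'user@contoso.com' -Verbose
```

Note that this changes only the Intune primary user. The device-level userPrincipalName ('Enrolled by') and the Azure AD registeredOwners relationship are left as they were, which is exactly why the two UPNs can legitimately differ after an ownership change.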

By Bharat