Change device owner of an Azure AD joined device

If you join devices to Azure AD, you can see that each device has an owner. The owner is the user who joined the device to Azure AD, which is sometimes the account of the administrator. That's why one probably wants to change the owner, which is unfortunately not possible via the Azure portal. But, as usual, you can easily do it via PowerShell.

The main commands you need are:

Get-AzureADDevice -All $true   # returns all devices (without -All $true only the first page of results is returned)
Get-AzureADUser -All $true     # returns all users

# add new device owner
Add-AzureADDeviceRegisteredOwner -ObjectId [DeviceObjectId] -RefObjectId [NewOwnerObjectId]
# remove previous device owner
Remove-AzureADDeviceRegisteredOwner -ObjectId [DeviceObjectId] -OwnerId [PreviousOwnerObjectId]

I created a simple script which takes the device name and the new owner as input and simply does the job:

$deviceName = 'myDeviceName'   # configure device name
$newOwner = '[email protected]' # user principal name (login name) of the new user

Connect-AzureAD

# Get-AzureADDevice -All $true # if you want to list all devices
# Get-AzureADUser -All $true   # if you want to list all users

# -All $true is needed: without it only the first page of devices/users is returned and the match may be missed
$device = Get-AzureADDevice -All $true | where { $_.DisplayName -eq $deviceName }
$aduser = Get-AzureADUser -All $true | where { $_.UserPrincipalName -eq $newOwner }
if (-not $device) { throw "Device '$deviceName' not found" }   # avoids a null -ObjectId further down
if (-not $aduser) { throw "User '$newOwner' not found" }
$oldowner = (Get-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId).ObjectId

"Change owner of device " + $device.DisplayName + " to " + $aduser.DisplayName
Add-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId -RefObjectId $aduser.ObjectId # add the new owner
if ($oldowner) {                                                                          # remove the previous owner, if there was one
    Remove-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId -OwnerId $oldowner
}
Get-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId                               # see the result

It's important to mention that this does not change the associated user shown in the Intune portal. This is a known issue and you can vote for it here: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/31356574-change-registereed-owner-for-corporate-owned-devic
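The script above works for the common case of one device with a unique name and one previous owner. The following is an added example, not code from the original post: it wraps the same AzureAD cmdlets in a function that refuses ambiguous device names, handles devices with several (or no) registered owners, escapes quotes before building the OData filter, and supports -WhatIf so the change can be previewed before it is applied. The function name, parameter names and the sample UPN in the usage comments are this example's own choices; it assumes the AzureAD module is installed and Connect-AzureAD has already been run.

```powershell
# Added example (not from the original post). Assumes the AzureAD module and an
# existing Connect-AzureAD session. Function and parameter names are hypothetical.
function Set-AzureADDeviceOwner {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $DeviceName,
        [Parameter(Mandatory = $true)] [string] $NewOwnerUpn
    )

    # Single quotes are the string delimiter in OData filters; double them so a
    # quote in the input cannot break (or alter) the filter expression.
    $safeName = $DeviceName.Replace("'", "''")
    $safeUpn  = $NewOwnerUpn.Replace("'", "''")

    # Resolve the device server-side. -All $true avoids the default page limit,
    # and display names are not unique, so refuse to guess between duplicates.
    $devices = @(Get-AzureADDevice -All $true -Filter "displayName eq '$safeName'")
    if ($devices.Count -eq 0) { throw "No device named '$DeviceName' found." }
    if ($devices.Count -gt 1) {
        throw "Found $($devices.Count) devices named '$DeviceName' (ObjectIds: $($devices.ObjectId -join ', ')); pick one by ObjectId."
    }
    $device = $devices[0]

    # Resolve the new owner by UPN, which is unique within the tenant.
    $newOwner = Get-AzureADUser -Filter "userPrincipalName eq '$safeUpn'"
    if (-not $newOwner) { throw "No user with UPN '$NewOwnerUpn' found." }

    # A device can have zero or several registered owners; collect them all.
    $currentOwners = @(Get-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId -All $true)

    if ($currentOwners.ObjectId -contains $newOwner.ObjectId) {
        Write-Verbose "$NewOwnerUpn is already a registered owner of $($device.DisplayName)"
    } elseif ($PSCmdlet.ShouldProcess($device.DisplayName, "Add registered owner $NewOwnerUpn")) {
        Add-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId -RefObjectId $newOwner.ObjectId
    }

    # Remove every previous owner except the new one, so exactly one owner remains.
    foreach ($owner in $currentOwners) {
        if ($owner.ObjectId -eq $newOwner.ObjectId) { continue }
        if ($PSCmdlet.ShouldProcess($device.DisplayName, "Remove registered owner $($owner.ObjectId)")) {
            Remove-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId -OwnerId $owner.ObjectId
        }
    }

    # Return the resulting owner list so the caller can verify the change.
    Get-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId -All $true
}

# Usage (sample values are constructed): preview first, then apply.
# Set-AzureADDeviceOwner -DeviceName 'myDeviceName' -NewOwnerUpn 'user@example.com' -WhatIf
# Set-AzureADDeviceOwner -DeviceName 'myDeviceName' -NewOwnerUpn 'user@example.com' -Verbose
```

The -WhatIf run prints the add and remove operations without executing them, which is worth doing once before running the function against a production tenant, since the removal of the previous owner cannot be undone other than by adding that user back.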

Additional Information

Azure AD Device Powershell Commands: https://docs.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0#devices

7 Responses

  1. Hello,
    Great script but it seems not to work anymore, I changed these 2 lines:
    $device = Get-AzureADDevice | where { $_.DisplayName -eq $deviceName }
    $aduser = Get-AzureADUser | where { $_.UserPrincipalName -eq $newOwner }

    To:
    $device = Get-MSOLDevice -all | where { $_.DisplayName -eq $deviceName }
    $aduser = Get-MSOLUser | where { $_.UserPrincipalName -eq $newOwner }

    Don’t forget to execute a Connect-MSOLService

  2. Good morning, in the first case I get the following error:

    Get-AzureADDeviceRegisteredOwner : Cannot bind argument to parameter 'ObjectId' because it is null.
    At C:\Users\Desktop\Script.ps1:11 char:57
    + … (Get-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId).Object …
    + ~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Get-AzureADDeviceRegisteredOwner], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.Open.AzureAD16.PowerShell.GetDeviceRegisteredOwners

    if instead I use

    $device = Get-MSOLDevice -all | where { $_.DisplayName -eq $deviceName }
    $aduser = Get-MSOLUser | where { $_.UserPrincipalName -eq $newOwner }

    this error is generated

    WARNING: More results are available. Please specify one of the All or MaxResults parameters.
    Get-AzureADDeviceRegisteredOwner : Cannot bind argument to parameter 'ObjectId' because it is null.
    At C:\Users\Desktop\Script.ps1:11 char:57
    + … (Get-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId).Object …

    • Change following lines:

      $aduser = Get-AzureADUser | where { $_.UserPrincipalName -eq $newOwner }

      to

      $aduser = Get-AzureADUser -Filter "userPrincipalName eq '$newOwner'"
