Change Owner for Azure AD joined Windows 10 Devices
Under Azure Active Directory – Devices – All devices you will get a list of all devices which are Azure AD registered, Azure AD joined or Hybrid Azure AD joined.
Also you can see the owner of the devices, which is the user who joined the device to Azure AD.
Device owners are granted local administrator rights by default.
Hybrid Azure AD Joined Windows 10 devices do not have an owner. If you are looking for a device by owner and didn’t find it, search by the device ID.
In order to change the device owner, you will first need to add the new owner to the device and after that you have to remove the existing owner.
To achieve this we have to execute some PowerShell commands.
First we need to determine the object ID of the device whose owner we want to change, as well as the object IDs of the new owner and of the existing owner.
The object ID of the device can be determined either in the Azure Portal shown above, by clicking on the device whose owner you want to change, or by using the Get-AzureADDevice PowerShell cmdlet.
# Login Azure AD
$credential = Get-Credential
Connect-AzureAD -Credential $credential
Get-AzureADDevice -All $true | Where-Object {$_.DeviceTrustType -eq "AzureAd"}
!! Note !!
PowerShell version 7 and later don't support the Microsoft Azure Active Directory Module for Windows PowerShell and cmdlets with Msol in their name. For PowerShell version 7 and later, you must use the Microsoft Graph PowerShell SDK.
The object IDs of the users can likewise be determined either in the Azure Portal, by clicking on the user, or by using the Get-AzureADUser PowerShell cmdlet.
# Login Azure AD
$credential = Get-Credential
Connect-AzureAD -Credential $credential
Get-AzureADUser -SearchString jdoe@braintesting.de
Now we have all information to change the owner for the device.
# Login Azure AD
$credential = Get-Credential
Connect-AzureAD -Credential $credential
# add the new owner to the device, where ObjectId is the object id of the device you want to change and RefObjectId is the object id of the new user and owner.
Add-AzureADDeviceRegisteredOwner -ObjectId 9cfabe6a-xxxx-xxxx-xxxx-xxxxxxxxxxxx -RefObjectId 35b57bc1-xxxx-xxxx-xxxx-xxxxxxxxxxxx
# remove the existing/old owner from the device, where ObjectId is the object id of the device you want to change and OwnerId is the object id of the existing/old user.
Remove-AzureADDeviceRegisteredOwner -ObjectId 9cfabe6a-xxxx-xxxx-xxxx-xxxxxxxxxxxx -OwnerId 2d2c5e37-xxxx-xxxx-xxxx-xxxxxxxxxxxx
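The same change wrapped in a function, as an added example that is not part of the original post: it enforces the order described above (add the new owner, confirm the add succeeded, only then remove the old owners), refuses devices that are not Azure AD joined, and logs who held ownership before the change, since owners get local administrator rights. The function name and parameters are my own; the device ID and UPN in the usage line are placeholders.

```powershell
# Added example, not from the original post. Uses only AzureAD-module cmdlets.
function Set-AzureADDeviceOwner {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $DeviceObjectId,   # object id of the device
        [Parameter(Mandatory)] [string] $NewOwnerUpn       # UPN of the new owner
    )

    $device = Get-AzureADDevice -ObjectId $DeviceObjectId
    if ($device.DeviceTrustType -ne 'AzureAd') {
        # Hybrid joined and registered devices do not carry an owner in this sense.
        throw "Device '$($device.DisplayName)' has trust type '$($device.DeviceTrustType)', not 'AzureAd'."
    }

    # -ObjectId on Get-AzureADUser also accepts a UPN.
    $newOwner  = Get-AzureADUser -ObjectId $NewOwnerUpn
    $oldOwners = Get-AzureADDeviceRegisteredOwner -ObjectId $DeviceObjectId |
        Where-Object { $_.ObjectId -ne $newOwner.ObjectId }

    # Owners receive local admin on the device, so record the previous state for the change log.
    Write-Verbose ("Owners before change: " + (($oldOwners | ForEach-Object DisplayName) -join ', '))

    if ($PSCmdlet.ShouldProcess($device.DisplayName, "add owner $($newOwner.DisplayName)")) {
        Add-AzureADDeviceRegisteredOwner -ObjectId $DeviceObjectId -RefObjectId $newOwner.ObjectId
    }

    # Re-read before removing anything so the device is never left without an owner.
    $confirmed = Get-AzureADDeviceRegisteredOwner -ObjectId $DeviceObjectId |
        Where-Object { $_.ObjectId -eq $newOwner.ObjectId }
    if (-not $confirmed -and -not $WhatIfPreference) {
        throw "New owner was not added; existing owners left untouched."
    }

    foreach ($owner in $oldOwners) {
        if ($PSCmdlet.ShouldProcess($device.DisplayName, "remove owner $($owner.DisplayName)")) {
            Remove-AzureADDeviceRegisteredOwner -ObjectId $DeviceObjectId -OwnerId $owner.ObjectId
        }
    }

    # Return the final owner list as the record of the change.
    Get-AzureADDeviceRegisteredOwner -ObjectId $DeviceObjectId
}

# Usage (placeholder values; run with -WhatIf first to preview the add/remove steps):
# Connect-AzureAD
# Set-AzureADDeviceOwner -DeviceObjectId '9cfabe6a-xxxx-xxxx-xxxx-xxxxxxxxxxxx' -NewOwnerUpn 'jdoe@braintesting.de' -Verbose -WhatIf
```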
Some more information about managing Azure AD joined devices
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:
- The Azure AD global administrator role
- The Azure AD joined device local administrator role
- The user performing the Azure AD join
By adding Azure AD roles to the local administrators group, you can update the users that can manage a device anytime in Azure AD without modifying anything on the device. Azure AD also adds the Azure AD joined device local administrator role to the local administrators group to support the principle of least privilege (PoLP). In addition to the global administrators, you can also enable users that have been only assigned the device administrator role to manage a device.
Manage the global administrators role
To view and update the membership of the global administrator role, see:
View all members of an administrator role in Azure Active Directory
Assign a user to administrator roles in Azure Active Directory
Manage the device administrator role
Sign in to your Azure portal as a global administrator.
Search for and select Azure Active Directory.
In the Manage section, click Devices.
On the Devices page, click Device settings.
To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.
This option requires an Azure AD Premium tenant.
Device administrators are assigned to all Azure AD joined devices. You cannot scope device administrators to a specific set of devices. Updating the device administrator role doesn't necessarily have an immediate impact on the affected users. On devices where a user is already signed in, the privilege elevation takes place only when both of the following happen:
- Up to 4 hours have passed for Azure AD to issue a new Primary Refresh Token with the appropriate privileges.
- User signs out and signs back in, not lock/unlock, to refresh their profile.
- Users will not be listed in the local administrator group, the permissions are received through the Primary Refresh Token.
Source: https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
Intune Primary user and Azure AD device owner
In some cases, the Intune primary user may be different from the Azure AD Device’s Owner property (viewable under Devices > Azure AD Devices). The Azure AD Device owner is added during a device’s registration into Azure Active Directory.
For newly-enrolled Azure AD devices, the Azure AD Owner property is automatically set at the same time that the Intune primary user is set.
Links
Manage device identities using the Azure portal
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal
How to manage the local administrators group on Azure AD joined devices
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin