Get Users from Azure AD with a large number of Registered Devices

The Challenge

One of the challenges when managing an Azure AD Hybrid Join implementation is monitoring the number of devices registered to each Azure AD user.

The default “limit” in Azure AD is 20 devices for each user. This number can quickly be reached in a shared computer environment, especially for your power user accounts that log on to multiple “down-level” devices.

Default User Device Limit in Azure Active Directory

Every time you log on to a “down-level” device that is using Workplace Join, it will register in Azure AD as new device registration for the logged on user. To learn more about “down-level devices e.g. Windows 7, check out this doc:-

https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

Once a user reaches the defined “Device Limit”, no further device registrations can take place. This limitation will not always present itself with the same error for each different type of device. It should always be at the back of our minds, as admins, that a device registration may have been unsuccessful because the user “Device Limit” was reached.

This image shows 17 Windows 7 Devices Registered for a particular user in a shared computer environment

The Workaround

We have two options:-

  1. Delete devices for the User
  2. Increase the Registered Device Quota

Both options are valid and the procedure for either option can be found in the following troubleshooting article:-

https://support.microsoft.com/en-hk/help/3045379/the-maximum-number-of-devices-that-can-be-joined-to-the-workplace-by-t

A Better Way

I believe we can tackle the problem differently. I personally think it would be better to understand the device registration activity in our environment so we can be proactive in dealing with the issues before they arise.

I have written a small script that leverages the cmdlets Get-MsolUser and Get-MsolDevice to report any users that are nearing the device registration limit.

The Script

The Script will find and count all registered Azure AD devices for our users and report back any users with a large device registration count.

The first draft of the script allows you to pass two parameters:-

  1. MaxResults – Limits the number of users queried
  2. HighDeviceCount – Set the number for what is deemed a large number of device registrations for your tenant

The script “Get-UserDevices.ps1” can be found in my GitHub repo:-

https://github.com/byteben/AzureAD

*There is an assumption you are already connected to the MsolService in your PowerShell session. If not, do this first:-

Example of the Output of the Script

To view the devices registered to the affected users, you can use the command:-

Get-MsolDevice -RegisteredOwnerUpn <UserPrincipalName>

Conclusion

I am working on refining the code, it takes a while to return the results when dealing with large numbers of users. There is probably a cmdlet that can look at the Microsoft Graph that I haven’t found yet!

The results will be put into an array for you to play with. In the next version of the script I hope to handle device registration deletions for inactive devices.

4.5/5 - (2 votes)

2 thoughts on “Get Users from Azure AD with a large number of Registered Devices”

  1. Pingback: ICYMI: PowerShell Week of 19-April-2019 | PowerShell.org

  2. Great stuff. The device limit (or should I say how it works) drives me nuts as the de facto laptop setter upper at my office. How can I AAD join a fresh machine after doing software installs so that it can be used by another employee without having to have myself registered in the process! I add myself so that I don’t have to create a local admin account to do software setup, then I add the other employees as admins. But I cannot remove myself afterwards/ also want to keep myself so that I can manage the computer when its returned to be setup for the next user. Lame that the device limit has to be changed for all users.

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.