This article is part of the #GoIntune series that describes endpoint management and protection with use of the Microsoft Intune platform.
Active Directory and computer objects
In the on-premises only world, Windows device is joined to the domain or workgroup. Computer object joined to the on-premises Active Directory domain has SID (Security IDentifier) that uniquely identifies it. IT administrator creates GPOs to configure the OS and sometimes needs to fix the trust relationship with the domain, but the device identity itself is simple. Active Directory domain membership allows issue of the PKI certificate for the device and certificate-based authentication to e.g. VPN device tunnel or Wi-Fi network. The devices are managed by the IT department and protected in perimeter network by firewall and other network devices. The traffic from the Internet is usually blocked and we can access only a few services like Outlook Web Access or some external SharePoint sites. That is the picture of the old on-premises environment with devices being just terminals for end users. And this only applies to the Windows based and in some cases to MacOS and Linux devices. No place for mobile devices and smartphones. But the time has changed and cloudification of the devices became reality. Everyone is connecting from multiple devices and from different places: office, home, cafe etc. And the old device identity in Active Directory is not sufficient. And that’s where Azure Active Directory comes to the picture.
Azure Active Directory and MS Graph
Azure Active Directory (Azure AD), recently added to the new Microsoft Entra platform, is an enterprise identity service on which all 3 Microsoft clouds rely:
- Microsoft 365
- Microsoft Azure
- Dynamics 365
Azure AD manages similar objects as on-premises Active Directory: users, groups, devices but also many others like applications, meetings, files, etc. What is important the objects are not managed centrally with Azure AD but through Microsoft Graph API. Microsoft Graph is the gateway to data in Microsoft 365, Windows, and Enterprise Mobility + Security that provides a unified programmability model that can be used to access it. MS Graph consists of multiple entities that group specific objects or services. As you can see on the below image the nodes that are available in Microsoft Graph are connected and dependent but not having the same scheme as in Active Directory case. Each node has its own list of attributes/values present.
You can read more about the Microsoft Graph and major services and features here.
Each entity in MS Graph might contain the same object. And the best example is a device which might be part of the below two entities:
- devices
- deviceManagement
Device Identity in Azure Active Directory and Intune
At this point, we know that device identity is stored in MS Graph nodes as described in the previous section. But why we cannot see the node Intune or Azure AD? The answer is simple. Azure Active Directory relies on multiple nodes from MS Graph like users, groups, applications and devices. As per example below for my test computer account Pawel-001 I can find two IDs:
- Device ID
- Object ID
There are three ways to get a device identity in Azure AD:
- Azure AD registration (Workplace joined) – registered to Azure AD without requiring an organizational account to sign into the device, which happens when you access the resources from the personal device (BYOD) and use for authentication the credentials associated with specific Azure AD tenant
- Azure AD join (Cloud Only joined) – joined only to Azure AD requiring an organizational account to sign into the device, which happens when organization manages the device (both corporate and/or personal) and only allows log to the device using the credentials associated with specific Azure AD tenant. In this case, the device object is created only in the cloud service and can be managed only using Intune.
- Hybrid Azure AD join (Cloud and on-premises joined) – joined to on-premises Active Directory and Azure AD requiring an organizational account to sign into the device. In this case device identity is synced between the on-premises Active Directory and Azure AD. So we have a computer object in the on-premises Active Directory which still might be managed either by AD GPOs or Intune. This one allows issue of the device certificate from the on-premises PKI system.
To find more about the different ways to get a device identity check this article.
Azure AD join: Understanding device identity (quest.com)
All devices that are registered in Azure AD (Azure AD registered, Hybrid Azure AD join and Azure AD join) can be also found in the MS Graph under entity devices. To get the details just run the below query:
Note:
Before running the query in MS Graph Explorer or via PowerShell you might first need to give consent to access specific data with actions like read/get/etc.
To find a specific device add the Object ID in the query, but please remember a few things:
- If device is managed by Intune then to find the object under the Devices entity you need to provide the Object ID. But to find it under the DeviceManagement you need to provide the Device ID. Trying to find it via Object ID will give you an error.
- In Azure AD the same device might be registered multiple times with the same name e.g. as AAD registered and AAD joined like on the below screenshot. That is why it is so important to check Object ID whenever you are running any scripts. Sometimes you might find few results of your query and the final result might be different than expected e.g. deleting specific device objects. You can read more interesting details in the below article: Understanding the Intune device object and User Principal Name – Microsoft Community Hub
3. You might get also puzzled to see that the Device ID shown in Intune might be presented as: Intune Device ID and Azure AD Device ID. I saw cases when both values were the same, but unfortunately, I do not know why this happens and under which conditions.
Finding Device ID
To find the Device ID on the Windows machine check the value in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo
or you can run below script:
$AzureADDeviceDeviceID = (Get-ChildItem -Path "hklm:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo\" | select pschildname).PSChildName
$AzureADDeviceObjectID= (Get-AzureADDevice | Where-Object {$_.DeviceId -match $AzureADDeviceDeviceID}).ObjectId
Summary
As you see device identity is quite complex in the current cloud world and it is important to understand it, especially if you are working in the security department. Device identity might be used for example as a condition in the Conditional Access policy. The number of metadata available in MS Graph is significant but you have to understand where to find it.
- #GoIntune #2 Cloud Attach and Co-Management - January 19, 2023
- #GoIntune #1 Device identity in Azure AD and Intune - November 23, 2022
- Azure MFA licensing explained - May 24, 2022