Introduction:
In the Intune world of device management, the concept of the primary user plays a crucial role, especially for application deployments.
In this blog post, we will explore the significance of the primary user and how it affects the installation of applications using the company portal in Intune. We will also discuss a practical scenario and share scripts that can help you manage and correct primary user assignments efficiently.
The Definition of Primary User:
According to Microsoft's article (https://learn.microsoft.com/en-us/mem/intune/remote-actions/find-primary-user#what-is-the-primary-user):
The primary user property is used to map a licensed Intune user to their devices in:
- The Company Portal app
- End-user website
- IT pro experiences, like troubleshooting pages in the Azure portal. These pages map user accounts to devices by using the primary user.
In practice, the primary user's significance becomes particularly apparent for application installations through the Company Portal and for device reset behavior.
To install available apps from the Company Portal, the user must either be the primary user of the device or the device must be designated as shared. Without meeting one of these criteria, users cannot install the desired applications.
Reviewing Devices Managed by Intune:
During a recent review of Windows devices managed by Intune for configuration profiles, app deployments, and Windows Update for Business (WUfB) patching, I discovered a common issue.
Many devices had as their primary user the account that was used for device provisioning (ASIAXXXX). Provisioning can be done through SCCM or Autopilot, and the first user who signs in to the device during enrollment is typically tagged as the primary user.
I would encourage you to read the Microsoft article on how the primary user is set: https://learn.microsoft.com/en-us/mem/intune/remote-actions/find-primary-user#who-is-assigned-as-the-primary-user
Identifying and Correcting Primary User UPN:
To address this issue, I exported a list of devices that were assigned the common provisioning account as the primary user. There were over 4500 devices, mainly laptops or VDI instances, that needed to be corrected. Two potential solutions:
- Converting Devices to Shared: The first approach involved removing the existing primary user and converting the device to a shared device. This process is straightforward and involves syncing the policy to the device, triggering the conversion.
- Updating Primary User Assignments: The second option required identifying the correct user for each device and updating the primary user accordingly. In my search for an automation solution, I found a PowerShell script by Microsoft on GitHub. Although that script sets the last logged-on user as the primary user for all devices in the tenant, I modified it to apply only to the specific devices that were wrongly assigned a primary user.
The Scripts: To aid in the process, I split the script into two parts:
- What-if Script: The "whatif_set_primaryuser.ps1" script helps visualize the outcome of running the script on the 4500+ devices. It generates an output that displays the device name, Intune device ID, current user, and expected user, giving you a preview of the primary user assignments.
- Primary User Correction: The "set_primaryuser.ps1" script is designed to update the primary user for the selected devices based on the data validated using the what-if script.
The script picks the most recently logged-on user on a device as the primary user. The following Graph query returns the list of users that have logged on to a specific device, for validation:
# Microsoft.Graph.Intune module: Connect-MSGraph establishes the session that Invoke-MSGraphRequest uses
Connect-MSGraph
$IntuneDeviceID = "897670c9-957c-4af1-c3fa-bd11bd30f1a9"
# usersLoggedOn is exposed on the beta endpoint; each entry carries userId and lastLogOnDateTime
$data = Invoke-MSGraphRequest -Url "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$IntuneDeviceID" -HttpMethod GET
$data.usersLoggedOn
How does the script function?
1. When you run the scripts, they first connect to Azure AD and Graph for authentication. Make sure you have sufficient rights to read and, for the correction script, write the data.
2. If authentication succeeds, the script asks for a device name or a list of devices (somedevices.txt). The txt file must be placed in the same folder as the scripts.
3. Enter one device name or the txt file name and press Enter.
4. The script reads through the supplied list of devices and asks for confirmation before executing. Press Enter to proceed or N to cancel the script.
5. The script then runs through the list of devices and writes its output to a CSV file in the same folder as the scripts.
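As an added example, not code from the post or its GitHub repository, here is a compact version of the what-if check and the corresponding correction, built on the Microsoft.Graph.Intune module the post's own snippet uses; the provisioning UPN, the input file and the CSV name are assumed placeholders.

```powershell
# Added example (not the post's scripts). Read scope needed: DeviceManagementManagedDevices.Read.All;
# the write step additionally needs DeviceManagementManagedDevices.ReadWrite.All.
Connect-MSGraph | Out-Null

$base            = "https://graph.microsoft.com/beta/deviceManagement/managedDevices"
$provisioningUpn = "ASIAXXXX@contoso.com"   # assumed placeholder for the shared provisioning account

function Get-PrimaryUserWhatIf {
    param([Parameter(Mandatory)][string]$DeviceName)

    $device = (Invoke-MSGraphRequest -HttpMethod GET -Url "${base}?`$filter=deviceName eq '$DeviceName'").value |
              Select-Object -First 1
    if (-not $device) { throw "Device '$DeviceName' not found in Intune" }

    # Current primary user: the /users navigation returns the user object(s) mapped to the device
    $current = (Invoke-MSGraphRequest -HttpMethod GET -Url "$base/$($device.id)/users").value | Select-Object -First 1

    # Expected primary user: the most recent entry in usersLoggedOn
    $lastLogon = $device.usersLoggedOn | Sort-Object lastLogOnDateTime -Descending | Select-Object -First 1
    if (-not $lastLogon) { throw "No logon history recorded for '$DeviceName'" }
    $expected = Invoke-MSGraphRequest -HttpMethod GET -Url "https://graph.microsoft.com/beta/users/$($lastLogon.userId)"

    [pscustomobject]@{
        DeviceName     = $device.deviceName
        IntuneDeviceId = $device.id
        CurrentUser    = $current.userPrincipalName
        ExpectedUser   = $expected.userPrincipalName
        ExpectedUserId = $expected.id
        LastLogon      = $lastLogon.lastLogOnDateTime
        # Only flag devices still owned by the provisioning account; a device whose primary user
        # is already a real person is left alone even if someone else logged on later.
        NeedsChange    = ($current.userPrincipalName -eq $provisioningUpn) -and
                         ($expected.userPrincipalName -ne $current.userPrincipalName)
    }
}

function Set-PrimaryUserFromWhatIf {
    param([Parameter(Mandatory)]$Row)
    # Binding a user to the device's users collection is what sets the primary user
    $body = @{ "@odata.id" = "https://graph.microsoft.com/beta/users/$($Row.ExpectedUserId)" } | ConvertTo-Json
    Invoke-MSGraphRequest -HttpMethod POST -Url "$base/$($Row.IntuneDeviceId)/users/`$ref" -Content $body
}

# Preview first and keep the CSV as the audit record; write only the rows the preview flagged.
$report = Get-Content .\somedevices.txt | ForEach-Object { Get-PrimaryUserWhatIf -DeviceName $_ }
$report | Export-Csv .\whatif_primaryuser.csv -NoTypeInformation
$report | Where-Object NeedsChange | ForEach-Object { Set-PrimaryUserFromWhatIf -Row $_ }
```

Review the CSV before running the last line; the NeedsChange filter is what keeps the write limited to devices still tagged with the provisioning account.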
Both scripts, along with detailed instructions, can be found in my GitHub repository.
Conclusion: Understanding the importance of the primary user in Intune is crucial for successful application deployments.
By addressing incorrect primary user assignments, you can ensure a seamless user experience and effective management of devices.
I hope you find this blog post valuable and that it helps you navigate primary user assignments in Intune for application deployments.
4 Comments
Super relevant write-up, yet super outdated scripts. Please either take down the GitHub links or update them with current scripts. The original scripts were written 4 years ago. Information is changing every day.
Hi,
Thank you for the feedback, appreciate your try.
As you rightly pointed out, the information, the PowerShell modules and the attributes for retrieving the data keep changing so often; I will try to update when available. The priorities were changing, hence the delay.
Thanks for your understanding.
Eswar
I seem to be receiving this error after I enter the filename with the devices.
Total devices found : 1 . Press 'Enter' to report on all objects, or type 'n' then press 'Enter' to exit the script:
Input is recieved, Script execution is in progress...
Response content:
{"error":{"code":"Forbidden","message":"{\r\n \"_version\": 3,\r\n \"Message\": \"Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 8d194268-0002-43ef-ba0d-178468093475 - Url: https://fef.msua02.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices?api-version=5023-07-17&$filter=deviceName+eq+%27UPTEKAP00527277%27\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}","innerError":{"date":"2023-09-19T19:36:38","request-id":"8d194268-0002-43ef-ba0d-178468093475","client-request-id":"8d194268-0002-43ef-ba0d-178468093475"}}}
Get-Win10IntuneManagedDevice : Request to https://graph.microsoft.com/beta/deviceManagement/managedDevices?$filter=deviceName eq 'UPTEKAP00527277' failed with HTTP Status Forbidden Forbidden
At D:\scripts\PrimaryUserfromLastLogIn-v1.1\Whatif-Set-PrimaryUserfromLastLogIn-v1.1.ps1:570 char:12
+ $Devices = Get-Win10IntuneManagedDevice
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-Win10IntuneManagedDevice
Hi,
Looks like you don't have permissions to run the script. Application must have one of the following scopes: DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All
Thanks,
Eswar