HOWTO: Repurpose an Azure AD-joined device in an organization without Intune


Many organizations are adopting Azure AD Join as the mechanism to create a trust relationship between their Windows 10-based devices and their identity solution. In the obligatory joiners/movers/leavers processes, however, it often makes sense to repurpose an Azure AD-joined device for another person in the organization.

In this blog post I'll explain how to achieve this in an environment without Microsoft Intune or any third-party mobile device management (MDM) solution that kicks in at Azure AD Join, and without reinstalling or resetting the device.

 

Steps

Repurposing consists of two steps:

  1. Specifying the new owner for the Azure AD Device object
  2. Providing local admin privileges to the new owner on the device (Optional)

 

Specifying the new owner for the Azure AD Device object

To specify the new owner for the Azure AD Device object, we need to provide a device name and the userPrincipalName attribute for the new owner. Then, we add the new owner to the device object in Azure AD and remove the current owner.

Run the following Windows PowerShell lines on a device that has the AzureAD PowerShell module installed. When prompted, sign in with an account that has sufficient permissions to change device ownership:

# Change these values
$DeviceName = 'WIN-4ZUR4DR0CK5'
$NewOwnerUPN = 'joshaarbos@domain.tld'

# Do not change the script below this line
Import-Module AzureAD
Connect-AzureAD

# Look the device up server-side. Get-AzureADDevice without -All or -Filter returns only the
# first page of results, so a plain pipeline lookup can silently miss the device and leave
# $Device empty ("Cannot bind argument to parameter 'ObjectId' because it is null").
$Device = Get-AzureADDevice -Filter "DisplayName eq '$DeviceName'"
if (@($Device).Count -ne 1) { throw "Expected exactly one device named '$DeviceName', found $(@($Device).Count)." }

# -ObjectId accepts a userPrincipalName as well as an object ID
$NewOwner = Get-AzureADUser -ObjectId $NewOwnerUPN
if (-not $NewOwner) { throw "User '$NewOwnerUPN' not found in Azure AD." }

# A device can have more than one registered owner; capture all of them before changing anything
$OldOwners = @(Get-AzureADDeviceRegisteredOwner -ObjectId $Device.ObjectId)

Add-AzureADDeviceRegisteredOwner -ObjectId $Device.ObjectId -RefObjectId $NewOwner.ObjectId
foreach ($OldOwner in $OldOwners) {
    # Do not remove the new owner if that account was already registered as an owner
    if ($OldOwner.ObjectId -ne $NewOwner.ObjectId) {
        Remove-AzureADDeviceRegisteredOwner -ObjectId $Device.ObjectId -OwnerId $OldOwner.ObjectId
    }
}

 

Providing local admin privileges to the new owner

By default, the user who performs the Azure AD Join becomes the owner of the device and is added to its local Administrators group. When ownership is transferred in Azure AD, however, that local group membership is not re-evaluated: the new owner does not receive local administrator privileges automatically, and the previous owner keeps them until they are removed.

Perform these steps to assign local administrator privileges to the new owner:

  • Start the device, if it’s not already started.
  • Sign in with the Azure AD credentials of the new device owner. Allow the device ample time to configure the profile. Since the new owner doesn't have administrative privileges yet, they can't fully customize the device to their liking at this point.
  • Sign out.
  • Sign in with the Azure AD credentials of the previous device owner.
  • Make any backups of local files to preserve for the previous owner.
  • Go to the advanced system properties, using one of the methods below:
    • Press the Win button or Windows flag. In the Start Screen, search for View Advanced System Settings. Click the search result.
    • Press Win + R simultaneously. Type in sysdm.cpl. Click the OK button. Navigate to the Advanced tab.
    • Press Win + Pause/Break simultaneously. Click the Advanced system settings link in the left navigation pane of the System window.
    • Right-click the Windows flag. Select System from the context menu. In the right pane of the Settings app, click the System info link. Click the Advanced system settings link in the left navigation pane of the System window.
  • In the User Profiles area, click the Settings… button.
    The User Profiles dialog window appears.
  • From the Name column, note the names of the user profiles. The names in AzureAD\* format match the Azure AD user definitions of (at least) the old owner and the new owner.
  • Close the User Profiles dialog window and the System Properties window.
  • Start an elevated Command Prompt window.
  • Run the following line to add the new owner to the local Administrators group on the device:

net.exe localgroup administrators "AzureAD\JosHaarbos" /add

  • Sign out.
  • Sign in with the user object of the new owner again.
  • Go to the advanced system properties again.
  • In the User Profiles area, click the Settings… button.
    The User Profiles dialog window appears.
  • Delete the user profile of the previous owner by selecting it and then clicking the Delete button.
  • Start an elevated Command Prompt window.
  • Run the following line to remove the previous owner from the local Administrators group on the device:

net.exe localgroup administrators "AzureAD\HansWorst" /delete

  • Close the Command Prompt window.
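As an added example that is not part of the original post, the local side of the hand-over above as a single PowerShell script with the checks the GUI steps leave implicit. Following the post's flow, run it from the previous owner's elevated session (it grants the new owner and refuses to remove the account running it) and again from the new owner's elevated session (it then removes the previous owner). The two account names are assumed and follow the post's AzureAD\<Name> convention.

```powershell
# Added example, not from the original post: the local-admin hand-over as one script.
# Account names below are assumed and follow the AzureAD\<Name> convention used in the post.
$NewOwner = 'AzureAD\JosHaarbos'   # assumed: new owner's local account name
$OldOwner = 'AzureAD\HansWorst'    # assumed: previous owner's local account name

# Group changes need elevation; fail early instead of half-way through.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell window.'
}

# The new owner must have signed in at least once so that a local profile exists
# (C:\Users\<Name>); otherwise the grant applies to an account that has never been provisioned.
$leaf = $NewOwner.Split('\')[-1]
$hasProfile = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { $_.LocalPath -like "*\$leaf" }
if (-not $hasProfile) { throw "No local profile for $NewOwner; sign in as the new owner first." }

# Snapshot the Administrators group before changing it, so the change is auditable.
$before = @((Get-LocalGroupMember -Group 'Administrators').Name)
Write-Host "Administrators before: $($before -join ', ')"

# Grant the new owner (idempotent: skipped if already a member).
if ($before -notcontains $NewOwner) {
    Add-LocalGroupMember -Group 'Administrators' -Member $NewOwner
}

# Never strip admin rights from the account running this script (the previous owner's own
# session in the post's flow); the removal then happens on the next run as the new owner.
$removeOld = ($identity.Name -ne $OldOwner)
if ($removeOld -and $before -contains $OldOwner) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $OldOwner
}

# Verify the end state rather than trusting that the cmdlets succeeded.
$after = @((Get-LocalGroupMember -Group 'Administrators').Name)
if ($after -notcontains $NewOwner) { throw "Failed to add $NewOwner to Administrators." }
if ($removeOld -and $after -contains $OldOwner) { throw "$OldOwner is still a local administrator." }
if (-not $removeOld) { Write-Host "Signed in as $OldOwner; sign in as $NewOwner and run again to remove it." }
Write-Host "Administrators after:  $($after -join ', ')"
```

On some builds Get-LocalGroupMember fails with a "Failed to compare two elements in the array" error when the group contains orphaned SIDs; in that case use the post's net.exe localgroup administrators output to verify the membership instead.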

 

Concluding

Repurposing an Azure AD-joined device requires specific steps. Not every action is possible from the graphical user interface or Azure Portal, so there is some command line fiddling required to get it right.

A reinstall or reset of Windows is not necessary in this scenario. This should save you about an hour per device, not counting the time needed to install your organization's specific software packages.

2 Responses to HOWTO: Repurpose an Azure AD-joined device in an organization without Intune

  1.

    Good stuff! Helped me a lot!!
    To prevent error messages for newbies (as I am), perhaps change "Import-Module AzureAD" into

    $Module = "AzureAD"
    # if not installed, install it now
    if(!(Get-InstalledModule -Name "$Module" -ea SilentlyContinue)) { Install-Module -Name "$Module" -Force }
    # use it
    Import-Module -Name "$Module"

    Just a check whether that module is available first.

  2.

    I get the following error messages when trying to use this.

    $DeviceName = 'Dekstop-13'
    $NewOwnerUPN = 'crystalw@company.com'
    $Device = Get-AzureADDevice | where {$_.DisplayName -eq $DeviceName}
    $NewOwner = Get-AzureADUser | where {$_.UserPrincipalName -eq $NewOwnerUPN}
    $OldOwner = Get-AzureADDeviceRegisteredOwner -ObjectId $Device.ObjectId
    Get-AzureADDeviceRegisteredOwner: Cannot bind argument to parameter 'ObjectId' because it is null.
    Add-AzureADDeviceRegisteredOwner -ObjectID $Device.ObjectId -RefObjectId $NewOwner.ObjectId
    Add-AzureADDeviceRegisteredOwner: Cannot bind argument to parameter 'ObjectId' because it is null.
    Remove-AzureADDeviceRegisteredOwner -ObjectId $Device.ObjectId -OwnerId $OldOwner.ObjectId
    Remove-AzureADDeviceRegisteredOwner: Cannot bind argument to parameter 'ObjectId' because it is null.
