
EntraID MSGraph Powershell Set or Query Device extensionAttributes

I was recently tasked with using the EntraID SDK (think Get-MgDevice and Update-MgDevice) to query, clear, or update any one of the 15 extensionAttributes which are available for Azure / EntraID devices.

Devices. Not users. There were lots of examples out there on setting attributes for users in EntraID, but the examples for devices were sparse, or no longer valid.

In case someone is tasked with doing something similar in the future, as of February, 2024... this "worked for me". Obviously the account running this needs to be able to affect devices (like Devices.ReadWrite.All) or similar permissions and scope on your tenant.

See the code below.

How to run the script:

Pre-requisites: hard code in your $ClientID, $ClientSecret, and $TenantId (or add them to the parameter line when you call the script)
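If you would rather not leave the client secret sitting in the .ps1 file, the following added example (my code, not the script from this post) pulls it from a Microsoft.PowerShell.SecretManagement vault as a SecureString, connects the same way the script does, and checks the token's scopes before any device is touched. The vault name 'EntraAutomation', the secret name 'DeviceAttrAppSecret' and the role 'Device.ReadWrite.All' used for the check are assumptions; substitute whatever your tenant actually uses.

```powershell
# Added example (not the original script): connect with the client secret taken
# from a SecretManagement vault instead of hard-coding it in the .ps1.
# Assumed names: vault 'EntraAutomation', secret 'DeviceAttrAppSecret', and the
# app role 'Device.ReadWrite.All' as the permission to check for.
param(
    [Parameter(Mandatory)][string]$ClientID,
    [Parameter(Mandatory)][string]$TenantId,
    [string]$VaultName    = 'EntraAutomation',
    [string]$SecretName   = 'DeviceAttrAppSecret',
    [string]$RequiredRole = 'Device.ReadWrite.All'
)

Import-Module Microsoft.PowerShell.SecretManagement -ErrorAction Stop
Import-Module Microsoft.Graph.Authentication -ErrorAction Stop

# Get-Secret hands back a SecureString for string secrets, so the value never
# appears as plain text in the script file, the command line, or a transcript.
$secureSecret = Get-Secret -Vault $VaultName -Name $SecretName -ErrorAction Stop
if ($secureSecret -isnot [securestring]) {
    throw "Secret '$SecretName' in vault '$VaultName' is not a SecureString; store it with: Set-Secret -Name $SecretName -Secret (Read-Host -AsSecureString)"
}
$credential = [PSCredential]::new($ClientID, $secureSecret)

Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $credential -NoWelcome -ErrorAction Stop

# Fail early if the token does not carry the role the device update needs,
# rather than finding out on the first Update-MgDevice call.
$ctx = Get-MgContext
if (-not $ctx) { throw "Connect-MgGraph did not establish a session" }
Write-Host "Connected to tenant $($ctx.TenantId) as app $($ctx.ClientId) ($($ctx.AuthType))"
if ($ctx.Scopes -notcontains $RequiredRole) {
    Write-Warning "Token scopes ($($ctx.Scopes -join ', ')) do not include $RequiredRole; device updates will be denied"
}

# When the work is finished, drop the session so the token is not reused by
# whatever runs next in the same PowerShell process:
#   Disconnect-MgGraph
```

The secret is registered once with Set-Secret on the machine that runs the job; the script itself then only ever needs the vault and secret names, which are safe to commit.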

Example:
    To Populate if null or Modify extensionAttribute7
    ThisScript.ps1 -ComputerName 'SomeComputerInAzure' -ExtensionID 'extensionAttribute7' -ExtensionValue 'Hawaii' -Action 'Set'

    To clear extensionAttribute7
    ThisScript.ps1 -ComputerName 'SomeComputerInAzure' -ExtensionID 'extensionAttribute7' -ExtensionValue '' -Action 'Set'

    To query extensionAttribute7 for a device
    ThisScript.ps1 -ComputerName 'SomeComputerInAzure' -ExtensionID 'extensionAttribute7' -Action 'Query'

What does the script actually "do":

  • Install the NuGet package provider if it is not already present
  • Import the module Microsoft.Graph.DeviceManagement, installing it first if it is missing.
  • Connect to Microsoft Graph with the client ID, client secret and tenant ID you supplied
  • Build the $Attributes variable you will need to Set or Clear (if that is what you are going to do later)
  • Find the device in Azure (fail if not found by the name you passed in)
  • If found, and you said "Set", set the attribute you named to the value you gave.
  • If found, and you said "Query", ask EntraID for the current value of that extensionAttribute[x]
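Two things a practitioner will want on top of the script's flow: an exact-name lookup (the script's -Search "displayName:..." is a substring match, so a short name can hit several devices and the loop would Set all of them) and a dry-run before writing. The added example below is my code, not the post's script; it assumes a session already opened with Connect-MgGraph and the same Graph modules, and the function names are this example's own. It also goes a little beyond the script by returning all 15 extensionAttributes in one Query.

```powershell
# Added example (not the original script): exact-name lookup with an ambiguity
# guard, a Query that returns all 15 attributes, and a Set that supports -WhatIf.
# Assumes a session already opened with Connect-MgGraph; function names are this
# example's own.

function Get-DeviceByExactName {
    param([Parameter(Mandatory)][string]$ComputerName)
    # -Search "displayName:x" is a substring match ('PC-1' also hits 'PC-10'),
    # so a Set could land on several devices. -Filter with 'eq' matches exactly.
    $safeName = $ComputerName.Replace("'", "''")        # escape quotes for the OData filter
    $devices  = @(Get-MgDevice -Filter "displayName eq '$safeName'" `
                     -Property id,deviceId,displayName,extensionAttributes -ErrorAction Stop)
    if ($devices.Count -eq 0) { throw "No device named '$ComputerName' in the tenant" }
    if ($devices.Count -gt 1) {
        throw "Ambiguous: $($devices.Count) devices are named '$ComputerName' (" +
              (($devices | ForEach-Object Id) -join ', ') + "); refusing to continue"
    }
    return $devices[0]
}

function Get-DeviceExtensionAttributes {
    param([Parameter(Mandatory)][string]$ComputerName)
    $device = Get-DeviceByExactName -ComputerName $ComputerName
    # extensionAttributes is not a typed property on the SDK device object; it
    # arrives in AdditionalProperties as a dictionary keyed extensionAttribute1..15.
    $attrs  = $device.AdditionalProperties['extensionAttributes']
    $result = [ordered]@{ DisplayName = $device.DisplayName; ObjectId = $device.Id }
    foreach ($n in 1..15) {
        $key = "extensionAttribute$n"
        $result[$key] = if ($null -ne $attrs) { $attrs[$key] } else { $null }
    }
    return [pscustomobject]$result
}

function Set-DeviceExtensionAttribute {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][ValidatePattern('^extensionAttribute([1-9]|1[0-5])$')][string]$ExtensionID,
        [AllowEmptyString()][string]$ExtensionValue = ''   # '' clears, as in the script above
    )
    $device = Get-DeviceByExactName -ComputerName $ComputerName
    $attrs  = $device.AdditionalProperties['extensionAttributes']
    $before = if ($null -ne $attrs) { $attrs[$ExtensionID] } else { $null }
    if ([string]$before -eq $ExtensionValue) {
        Write-Host "$ExtensionID on $ComputerName is already '$ExtensionValue'; nothing to do"
        return
    }
    $body = @{ extensionAttributes = @{ $ExtensionID = $ExtensionValue } }
    # -WhatIf prints the action instead of calling Graph; -Confirm prompts first.
    if ($PSCmdlet.ShouldProcess("$ComputerName ($($device.Id))", "Change $ExtensionID from '$before' to '$ExtensionValue'")) {
        Update-MgDevice -DeviceId $device.Id -BodyParameter $body -ErrorAction Stop
        # Constructed audit line; route it to whatever log your change control uses.
        Write-Host ("{0:o} app {1} set {2} on {3} ({4}): '{5}' -> '{6}'" -f (Get-Date), (Get-MgContext).ClientId,
                    $ExtensionID, $ComputerName, $device.Id, $before, $ExtensionValue)
    }
}

# Usage:
#   Get-DeviceExtensionAttributes -ComputerName 'SomeComputerInAzure'
#   Set-DeviceExtensionAttribute -ComputerName 'SomeComputerInAzure' -ExtensionID 'extensionAttribute7' -ExtensionValue 'Hawaii' -WhatIf
```

Run the Set with -WhatIf first; it resolves the device and prints the before/after values without calling Update-MgDevice, which is the cheapest way to catch a wrong attribute number or a duplicate display name.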

Script:

<#
 .SYNOPSIS
  Using MSGraph, connect to your Azure Tenant, and set (or remove) any one of the 15 'extensionAttribute' values for a Device.

 .DESCRIPTION
  With parameters for ComputerName, extensionAttribute, and Value, set or remove a value of that extensionAttribute, only for Devices (not users).

 .NOTES
  2024-02-06  Sherry Kissinger
              Code lovingly stolen from multiple sources, like Christian Smit, and sources like these:
                https://office365itpros.com/2022/09/06/entra-id-registered-devices/
                https://www.michev.info/blog/post/3472/configuring-extension-attributes-for-devices-in-azure-ad
  2024-02-08  Sherry Kissinger and Benjamin Reynolds
              Get the -Action 'Query' part to work successfully.  Thanks Benjamin!!!

  Examples:
    To Populate if null or Modify extensionAttribute7
    ThisScript.ps1 -ComputerName 'SomeComputerInAzure' -ExtensionID 'extensionAttribute7' -ExtensionValue 'Hawaii' -Action 'Set'

    To clear extensionAttribute7
    ThisScript.ps1 -ComputerName 'SomeComputerInAzure' -ExtensionID 'extensionAttribute7' -ExtensionValue '' -Action 'Set'

    To query extensionAttribute7 for a device
    ThisScript.ps1 -ComputerName 'SomeComputerInAzure' -ExtensionID 'extensionAttribute7' -Action 'Query'
#>

param (
  # Placeholder values; replace them here or pass the real ones on the command line
  [string]$ClientID = "12345678-1234-1234-1234-12345678901234",
  [string]$ClientSecret = "SuperSecretSecretySecretHere",
  [string]$TenantId = "87654321-4321-4321-4321-210987654321",
  [Parameter(Mandatory)][string]$ComputerName,
  [Parameter(Mandatory)][ValidateSet("extensionAttribute1","extensionAttribute2","extensionAttribute3","extensionAttribute4","extensionAttribute5","extensionAttribute6","extensionAttribute7","extensionAttribute8","extensionAttribute9","extensionAttribute10","extensionAttribute11","extensionAttribute12","extensionAttribute13","extensionAttribute14","extensionAttribute15", IgnoreCase=$false)][string]$ExtensionID,
  # Empty string means "clear the attribute" when -Action is Set
  [AllowEmptyString()][string]$ExtensionValue,
  [Parameter(Mandatory)][ValidateSet("Query","Set")][string]$Action
)


#
# IMPORTING MODULES
#

Write-Host "Importing modules"

# Get the NuGet package provider (needed by Install-Module) if it is missing
$provider = Get-PackageProvider NuGet -ErrorAction Ignore
if (-not $provider)
{
    Write-Host "Installing provider NuGet..." -NoNewline
    try
    {
        Find-PackageProvider -Name NuGet -ForceBootstrap -IncludeDependencies -Force -ErrorAction Stop
        Write-Host "Success" -ForegroundColor Green
    }
    catch
    {
        Write-Host "Failed" -ForegroundColor Red
        throw $_.Exception.Message
    }
}

# Import Microsoft.Graph.DeviceManagement, installing it for the current user if it is missing.
# Note: Get-MgDevice / Update-MgDevice ship in Microsoft.Graph.Identity.DirectoryManagement and
# Connect-MgGraph in Microsoft.Graph.Authentication; PowerShell auto-loads them on first use
# as long as they are installed (they are when the full Microsoft.Graph module is present).
$module = Import-Module Microsoft.Graph.DeviceManagement -PassThru -ErrorAction Ignore
if (-not $module)
{
    Write-Host "Installing module Microsoft.Graph.DeviceManagement..." -NoNewline
    try
    {
        Install-Module Microsoft.Graph.DeviceManagement -Scope CurrentUser -Force -ErrorAction Stop
        Import-Module Microsoft.Graph.DeviceManagement -ErrorAction Stop
        Write-Host "Success" -ForegroundColor Green
    }
    catch
    {
        Write-Host "Failed" -ForegroundColor Red
        throw $_.Exception.Message
    }
}


#
# CONNECT TO GRAPH
#

# App-only (client credential) sign-in: the app registration must hold a device-write permission
$credential = [PSCredential]::New($ClientID, ($ClientSecret | ConvertTo-SecureString -AsPlainText -Force))
Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $credential -Verbose

# Request body for Update-MgDevice: an empty value clears the attribute, anything else sets it
If ([string]::IsNullOrEmpty($ExtensionValue))
{
    $Attributes = @{
        "extensionAttributes" = @{ $ExtensionID = "" }
    }
}
else
{
    $Attributes = @{
        "extensionAttributes" = @{ $ExtensionID = $ExtensionValue }
    }
}

#   COMPUTER   ##################################

Write-Host "Locating device in" -NoNewline
Write-Host " Azure AD" -NoNewline -ForegroundColor Yellow
Write-Host "..." -NoNewline
try
{
    # -Search matches displayName as a substring, so more than one device can come back;
    # every match is processed by the ForEach below (a 'Set' is applied to each of them).
    $AADDevice = Get-MgDevice -Search "displayName:$ComputerName" -CountVariable CountVar -ConsistencyLevel eventual -ErrorAction Stop
}
catch
{
    Write-Host "Fail" -ForegroundColor Red
    Write-Error "$($_.Exception.Message)"
    $LocateInAADFailure = $true
}
If ($LocateInAADFailure -ne $true)
{
    If ($AADDevice.Count -eq 0)
    {
        Write-Host "Fail" -ForegroundColor Red
        Write-Warning "Device not found in Azure AD"
    }
    else
    {
        ForEach ($AADDeviceObj in $AADDevice)
        {
            Write-Host "Success" -ForegroundColor Green
            Write-Host "  DisplayName: $($AADDeviceObj.DisplayName)"
            Write-Host "  ObjectId: $($AADDeviceObj.Id)"
            Write-Host "  DeviceId: $($AADDeviceObj.DeviceId)"
            Write-Host "..." -NoNewline

            if ($Action -eq 'Set')
            {
                try
                {
                    Write-Host " Azure AD trying to add Value to extensionAttribute" -ForegroundColor Yellow
                    # -DeviceId here is the directory object id (Id), not the DeviceId property
                    $Result = Update-MgDevice -DeviceId $($AADDeviceObj.Id) -BodyParameter $Attributes
                }
                catch
                {
                    Write-Host "Fail" -ForegroundColor Red
                    Write-Error "$($_.Exception.Message)"
                }
            }

            if ($Action -eq 'Query')
            {
                try
                {
                    Write-Host " Azure AD query extensionAttributes" -ForegroundColor Yellow
                    # extensionAttributes is returned in AdditionalProperties rather than as a typed property
                    $TheIDValue = (Get-MgDevice -DeviceId $($AADDeviceObj.Id) -Property id,deviceId,displayName,extensionAttributes -ErrorAction Stop).AdditionalProperties.extensionAttributes.$ExtensionID
                    Write-Host " $ExtensionID is: $TheIDValue" -ForegroundColor Yellow
                }
                catch
                {
                    Write-Host "Fail" -ForegroundColor Red
                    Write-Error "$($_.Exception.Message)"
                }
            }
        }
    }
}