Microsoft Security – Get all users without a compliant device

When you want activate security it is useful to understand who will potentially be negatively impacted by your settings. For instance if your enabling compliant device requirement for certain applications, I would recommended knowing who will be blocked and doesn’t have a compliant device they can access the applications from.

If you are implementing Azure AD Conditional Access Rules, take some time to prepare users before, so they don’t get blocked out. Even if we are implementing security for good reasons, they wont be happy about it if they don’t get their job done. It creates a better reputation for IT if we take the time to be proactive and help our users before securing services with compliant device requirements.

Who in our organization doesn’t have a compliant device yet?

I recently got this question, as mentioned it can helpful when implementing security, but also to increase security awareness.

First I had to get a list of compliant devices and their primary users, still to find the right PS commands, but it can easily be exported from Azure Active Directory in the Azure Portal: Download devices.

Now you have a list of compliant devices and their owner, which we can exclude from a list of all users:

List of safe Users, users with a compliant Windows device

$excludedUsers = Import-Csv C:\temp\exportDevice_2022-8-29.csv

If you want, open the CSV-file exported from Azure AD in Excel and filter out objects you don’t want. For example, I filtered out MacOS and mobile devices.

List and Exclude users, giving a list of users without a compliant device

$UserPrincipalNames = Get-AzureAdUser -All $true | Where {$excludedUsers.userNames -notcontains $_.userPrincipalName} | select UserPrincipalName,AccountEnabled | Export-csv C:\temp\Result.csv -NoTypeInformation

This will give you a CSV-file of all enabled users without a compliant device in your tenant. Here I chose to select UserPrincipalName and AccountEnabled, in order to filter out disabled accounts.

Gradually implementing compliance rule

If you gradually implement compliance rules, application by application, you might stumble upon users that doesn’t require any primary device to be compliant.

Sometimes it seems users can live with a compliant mobile device for collaboration, and get their work done from a different device of their own choice. Because their work isn’t yet rule to require a compliant device.

I will follow up with an additional post, because its sometimes useful to match with last sign-in activity, as the user might be ready to be decommissioned. This is best found using MS Graph, but not out of the box easy to combine with PS.