Skip to content

Instantly share code, notes, and snippets.

@okieselbach

okieselbach/Invoke-RetireDevice.ps1

Last active December 7, 2022 20:27
Show Gist options
  • Save okieselbach/41dd8c7f13434994bb7257a252cbf880 to your computer and use it in GitHub Desktop.
Save okieselbach/41dd8c7f13434994bb7257a252cbf880 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Invoke-RetireDevice.ps1
<#
Version: 1.0
Author: Oliver Kieselbach
Runbook: Invoke-RetireDevice
Description:
Delete device from Intune via Intune API and AAD from a Azure Automation runbook.
Release notes:
Version 1.0: Original published version.
Version 1.1: Bugfix, escaped ' on delete request, thanks Sandy!
The script is provided "AS IS" with no warranties.
#>
param(
[Parameter(Mandatory=$True)]
$DeviceName,
[Parameter(Mandatory=$True)]
$UserPrincipalName
)
# -------------------------------------------------------------------------------------------
# Intune cleanup
try {
$AadModule = Import-Module -Name AzureAD -ErrorAction Stop -PassThru
}
catch {
throw 'AzureAD PowerShell module is not installed!'
}
$intuneAutomationCredential = Get-AutomationPSCredential -Name automation
$intuneAutomationAppId = Get-AutomationVariable -Name IntuneClientId
$tenant = Get-AutomationVariable -Name Tenant
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceAppIdURI = "https://graph.microsoft.com"
$authority = "https://login.microsoftonline.com/$tenant"
try {
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
$userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($intuneAutomationCredential.Username, "OptionalDisplayableId")
$userCredentials = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.UserPasswordCredential -ArgumentList $intuneAutomationCredential.Username, $intuneAutomationCredential.Password
$authResult = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions]::AcquireTokenAsync($authContext, $resourceAppIdURI, $intuneAutomationAppId, $userCredentials);
if ($authResult.Result.AccessToken) {
$authHeader = @{
'Content-Type' = 'application/json'
'Authorization' = "Bearer " + $authResult.Result.AccessToken
'ExpiresOn' = $authResult.Result.ExpiresOn
}
}
elseif ($authResult.Exception) {
throw "An error occured getting access token: $($authResult.Exception.InnerException)"
}
}
catch {
throw $_.Exception.Message
}
$graphApiVersion = "Beta"
try {
$Resource = "deviceManagement/managedDevices?filter=DeviceName eq '$DeviceName' and userPrincipalName eq '$UserPrincipalName'"
$uri = "https://graph.microsoft.com/$graphApiVersion/$Resource"
$managedDevice = (Invoke-RestMethod -Uri $uri -Headers $authHeader -Method Get).Value
Write-Output "Found Intune managed device '$($managedDevice.deviceName)' with device id: $($managedDevice.id)"
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Output "Response content: $responseBody" -f Red
Write-Output "GET request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
}
try {
$Resource = "deviceManagement/managedDevices/$($managedDevice.id)/retire"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($resource)"
Invoke-RestMethod -Uri $uri -Headers $authHeader -Method Post
Write-Output "=> retired Intune managed device with id: $($managedDevice.id)"
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Output "Response content: $responseBody" -f Red
Write-Output "POST request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
}
try {
$Resource = "deviceManagement/managedDevices(`'$($managedDevice.id)`')"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($resource)"
Invoke-RestMethod -Uri $uri -Headers $authHeader -Method Delete
Write-Output "=> deleted Intune managed device with id: $($managedDevice.id)"
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Output "Response content: $responseBody" -f Red
Write-Output "DELETE request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
}
# -------------------------------------------------------------------------------------------
# Azure AD cleanup
$intuneAutomationCredential = Get-AutomationPSCredential -Name automation
Import-Module -Name AzureAD
Connect-AzureAd -Credential $intuneAutomationCredential
try {
$aadDevices = Get-AzureADDevice -SearchString "$DeviceName"
$aadDevice = $aadDevices | ? { $_.DeviceId -eq $managedDevice.azureADDeviceId }
Write-Output "Found AAD device '$($aadDevice.DisplayName)' with device id: $($aadDevice.DeviceId)"
if ($aadDevice) {
Remove-AzureADDevice -ObjectId $aadDevice.ObjectId
Write-Output "=> deleted AAD device '$($aadDevice.DisplayName)'"
}
}
catch {
throw $_.Exception.Message
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment