Have you ever exported a file from Microsoft Intune or Microsoft Entra ID for a policy, group, or device assignment you created, only to find that the export mainly gives you hostnames?
That has been a frustration for me.
The export is useful, but often it does not immediately show the information I actually need as an administrator, such as:
- Who is the primary or associated user of the device?
- When did the device last sync with Intune?
- Is the laptop still active, or does it look stale?
- Is the device still present in Intune?
- Is the device company-owned?
- What operating system is Intune reporting?
When reviewing Intune policies, Entra ID groups, device assignments, or endpoint reports, having only the hostname can slow down troubleshooting and validation. You then have to manually search each device in the Intune admin center to understand who the device belongs to and whether it has checked in recently.
So I created a PowerShell script to make this easier.
The script takes a CSV file containing hostnames, checks each device against Microsoft Intune using Microsoft Graph, and then exports a clean report showing the hostname, primary or associated user, user principal name, last sync time, operating system, ownership type, and status.
You can find the script here:
The Problem
When working with Intune and Entra ID, exports are helpful, but they do not always provide enough operational detail.
For example, you may export a device group, policy assignment, or group membership and get something similar to this:
displayName
DEVICE-001
DEVICE-002
DEVICE-003
That gives you the device names, but it does not answer the questions that matter during day-to-day endpoint administration.
For example:
- Who is using this device?
- Has this device synced recently?
- Is this device stale?
- Is this device still managed by Intune?
Checking this manually can become time-consuming, especially when the export contains many devices.
Why I Created This Script
I created this script because I wanted a quicker way to take a basic hostname export and enrich it with useful Intune data.
The goal was simple:
Input: A CSV file containing device hostnames
Output: A CSV report showing the user, UPN, last sync time, OS, owner type, and status
This gives better visibility when reviewing Intune or Entra ID device data.
The report can help with:
- Intune policy validation
- Entra ID group reviews
- Device assignment checks
- Stale device investigation
- Endpoint cleanup
- Service desk investigations
- Device ownership reporting
What the Script Does
At a high level, the script does the following:
- Reads hostnames from a CSV file.
- Connects to Microsoft Graph using certificate-based authentication.
- Searches Intune managed devices for each hostname.
- Retrieves the associated user and device details.
- Exports the results to a new CSV file.
- Displays progress in the PowerShell console.
The script uses the Microsoft Graph PowerShell SDK. Microsoft Graph PowerShell supports app-only authentication using parameters such as tenant ID, client ID, and certificate details, which makes it suitable for automation and reporting scenarios.
GitHub Script Link
The script is available in my GitHub repository here:
Gets the primary user and last sync time
Before publishing or sharing your own version, make sure you remove any real tenant-specific values from the script.
Authentication Details
The script uses three important values:
$tenantId
$clientId
$thumbprint
These are used to authenticate to Microsoft Graph.
$tenantId
This is your Microsoft Entra tenant ID.
It tells Microsoft Graph which tenant the script should connect to.
Example:
$tenantId = '<YOUR_TENANT_ID>'
$clientId
This is the application, or client, ID from your Microsoft Entra app registration.
The app registration is what allows the script to authenticate and request access to Microsoft Graph.
Example:
$clientId = '<YOUR_APP_CLIENT_ID>'
$thumbprint
This is the certificate thumbprint used for certificate-based authentication.
The certificate must exist on the machine running the script, and the public certificate must be associated with the app registration.
Example:
$thumbprint = '<YOUR_CERTIFICATE_THUMBPRINT>'
The script then uses the certificate to connect to Microsoft Graph:
$cert = Get-Item "Cert:\CurrentUser\My\$thumbprint" -ErrorAction Stop
Connect-MgGraph -TenantId $tenantId -ClientId $clientId -Certificate $cert -NoWelcome
This means the script can run without an interactive sign-in prompt.
Required Microsoft Graph Permission
The app registration requires read access to Intune managed devices.
The permission used is:
DeviceManagementManagedDevices.Read.All
This allows the script to read Intune managed device information. The Microsoft Graph managed devices API supports this permission for reading managed device data.
This is important because the script is for reporting only. It does not change devices, users, policies, assignments, or Intune configuration.
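The read-only claim is only as strong as the permissions actually granted to the app registration, so it can be checked at connect time. The following is an added example, not part of the author's script: `Test-GrantedScope` is a hypothetical helper, and the check assumes `Get-MgContext` lists the granted application permissions in `Scopes` for an app-only session.

```powershell
# Added example. Placeholder values, as on the page.
$tenantId   = '<YOUR_TENANT_ID>'
$clientId   = '<YOUR_APP_CLIENT_ID>'
$thumbprint = '<YOUR_CERTIFICATE_THUMBPRINT>'
$expected   = 'DeviceManagementManagedDevices.Read.All'

function Test-GrantedScope {
    # Hypothetical helper: returns every granted permission that is not in the allowed list.
    param([string[]]$Granted, [string[]]$Allowed)
    @($Granted | Where-Object { $_ -and ($_ -notin $Allowed) })
}

# Fail early on a certificate that cannot sign the token request.
$cert = Get-Item "Cert:\CurrentUser\My\$thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey)      { throw 'Certificate has no private key on this machine.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

Connect-MgGraph -TenantId $tenantId -ClientId $clientId -Certificate $cert -NoWelcome

$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly')  { throw "Expected app-only authentication, got $($ctx.AuthType)." }
if ($expected -notin $ctx.Scopes) { throw "Permission $expected has not been granted." }

# A reporting identity should hold the read permission and nothing else.
$extra = @(Test-GrantedScope -Granted $ctx.Scopes -Allowed $expected)
if ($extra.Count -gt 0) {
    Disconnect-MgGraph | Out-Null
    throw "App registration holds more than read access: $($extra -join ', ')"
}
```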
Input CSV Format
The input CSV should contain a column called:
displayName
Example:
displayName
DEVICE-001
DEVICE-002
DEVICE-003
The script reads that column and treats each value as a hostname:
$devices = Import-Csv -Path $csvInput |
Select-Object -ExpandProperty displayName |
Where-Object { $_ }
This works well when your export from Intune or Entra ID contains device display names.
Querying Intune
For each hostname, the script searches Intune managed devices using the device name.
Example logic:
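# Double any single quote in the hostname so it cannot end the OData string literal early
$filter = "deviceName eq '$($hostname.Replace("'", "''"))'"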
It then selects useful properties such as:
deviceName
userDisplayName
userPrincipalName
lastSyncDateTime
operatingSystem
managedDeviceOwnerType
The managedDevice resource in Microsoft Graph includes properties such as deviceName, lastSyncDateTime, operatingSystem, userPrincipalName, userDisplayName, and managedDeviceOwnerType, which are the key fields used for this report.
PowerShell Console Output
When the script runs, you will see progress in PowerShell.
Example:
Loaded 1 hostnames from CSV.
Querying: DEVICE-001
Done. Results saved to: C:\Temp\DevicePrimaryUser_2026-05-18.csv
This confirms that:
- The CSV was loaded.
- The device was queried.
- The output file was created.
This is useful because you can quickly confirm that the script is running correctly and where the final report has been saved.
Excel / CSV Output
The script exports the results to a CSV file that can be opened in Excel.
Example output:
Hostname,PrimaryUser,UserPrincipalName,LastSyncTime,OS,OwnerType,Status
DEVICE-001,Example User,user@contoso.com,15/05/2026 14:31,Windows,company,Found
The output includes the following columns:
| Column | Description |
|---|---|
| Hostname | The device name found in Intune |
| PrimaryUser | The associated user display name from Intune |
| UserPrincipalName | The user principal name associated with the device |
| LastSyncTime | The last time the device synced with Intune |
| OS | The operating system reported by Intune |
| OwnerType | Device ownership type, such as company |
| Status | Shows whether the device was found, not found, or had an error |
This gives much better visibility than a basic hostname-only export.
Identifying Active or Stale Devices
The most useful field for identifying whether a device is active or stale is:
LastSyncTime
If a device has synced recently, it is likely active.
If a device has not synced for a long time, it may need investigation.
For example:
| Last Sync Time | Possible Meaning |
|---|---|
| Within the last few days | Device is likely active |
| Older than 30 days | Device may need review |
| Older than 60 or 90 days | Device may be stale |
| Blank or not found | Device may not exist in Intune or the hostname may be incorrect |
The script gives you the data needed to make that decision quickly.
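The table above can be applied to the exported report directly. This is an added example, not part of the author's script: the rows are constructed sample data, `Get-SyncAge` is a hypothetical helper, and it assumes `LastSyncTime` is written as `dd/MM/yyyy HH:mm` (as in the sample row) and that anything synced within 30 days counts as active.

```powershell
# Constructed sample rows in the report layout shown above (not real devices).
$report = @'
Hostname,PrimaryUser,UserPrincipalName,LastSyncTime,OS,OwnerType,Status
DEVICE-001,Example User,user@contoso.com,15/05/2026 14:31,Windows,company,Found
DEVICE-002,Example User,user@contoso.com,02/04/2026 09:10,Windows,company,Found
DEVICE-003,Example User,user@contoso.com,20/01/2026 08:00,Windows,company,Found
DEVICE-004,,,,,,NotFoundInIntune
'@ | ConvertFrom-Csv

function Get-SyncAge {
    param(
        [string]$LastSyncTime,
        [datetime]$AsOf = (Get-Date),
        [int]$ReviewDays = 30,   # thresholds taken from the table above
        [int]$StaleDays = 60
    )
    # Blank means the device was not found or never reported a sync.
    if ([string]::IsNullOrWhiteSpace($LastSyncTime)) {
        return [pscustomobject]@{ Days = $null; Bucket = 'NoSyncData' }
    }
    $parsed = [datetime]::MinValue
    # Explicit format: a culture-dependent parse would read 02/04 as 4 February on en-US.
    $ok = [datetime]::TryParseExact($LastSyncTime, 'dd/MM/yyyy HH:mm',
        [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
    if (-not $ok) { return [pscustomobject]@{ Days = $null; Bucket = 'UnparsedDate' } }

    $days = [int][math]::Floor(($AsOf - $parsed).TotalDays)
    $bucket = if ($days -gt $StaleDays) { 'Stale' } elseif ($days -gt $ReviewDays) { 'Review' } else { 'Active' }
    [pscustomobject]@{ Days = $days; Bucket = $bucket }
}

$asOf = [datetime]'2026-05-18'   # fixed date so the sample result is reproducible
$report | ForEach-Object {
    $age = Get-SyncAge -LastSyncTime $_.LastSyncTime -AsOf $asOf
    [pscustomobject]@{
        Hostname = $_.Hostname; Status = $_.Status
        DaysSinceSync = $age.Days; SyncAge = $age.Bucket
    }
} | Sort-Object DaysSinceSync -Descending | Format-Table -AutoSize
```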
Handling Devices Not Found in Intune
If a hostname exists in the CSV but cannot be found in Intune, the script records it in the output file with this status:
NotFoundInIntune
This is helpful because a missing device can be just as important as a found device.
A device may not be found because:
- The hostname is incorrect.
- The device was renamed.
- The device is no longer enrolled in Intune.
- The Intune device record was deleted.
- The device exists in Entra ID but not as an Intune managed device.
- The export contains old or stale data.
Instead of ignoring the device, the script clearly reports it for review.
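The lookup and status handling described in the two sections above can be sketched as follows. This is an added example rather than the author's script: `New-ReportRow` and `Get-IntuneReportRow` are hypothetical helpers, the `Error:` status text and the one-row-per-match behaviour are assumptions, and it assumes `Connect-MgGraph` has already succeeded and that `$csvInput` and `$csvOutput` are set.

```powershell
function New-ReportRow {
    param($Hostname, $User, $Upn, $LastSync, $OS, $Owner, $Status)
    [pscustomobject]@{
        Hostname = $Hostname; PrimaryUser = $User; UserPrincipalName = $Upn
        LastSyncTime = $LastSync; OS = $OS; OwnerType = $Owner; Status = $Status
    }
}

function Get-IntuneReportRow {
    param([Parameter(Mandatory)][string]$Hostname)

    $name = $Hostname.Trim()
    # Double any single quote so a CSV value cannot end the OData string literal early.
    $filter = "deviceName eq '$($name.Replace("'", "''"))'"
    $props  = 'deviceName', 'userDisplayName', 'userPrincipalName',
              'lastSyncDateTime', 'operatingSystem', 'managedDeviceOwnerType'
    try {
        $found = @(Get-MgDeviceManagementManagedDevice -Filter $filter -Property $props -All -ErrorAction Stop)
    }
    catch {
        # A failed lookup is not the same as "not found": keep the hostname and say why.
        return New-ReportRow -Hostname $name -Status "Error: $($_.Exception.Message)"
    }
    if ($found.Count -eq 0) {
        return New-ReportRow -Hostname $name -Status 'NotFoundInIntune'
    }
    # One hostname can match several records (for example after re-enrolment): one row each.
    foreach ($d in $found) {
        $sync = if ($d.LastSyncDateTime) {
            $d.LastSyncDateTime.ToString('dd/MM/yyyy HH:mm', [cultureinfo]::InvariantCulture)
        } else { '' }
        New-ReportRow -Hostname $d.DeviceName -User $d.UserDisplayName -Upn $d.UserPrincipalName `
            -LastSync $sync -OS $d.OperatingSystem -Owner $d.ManagedDeviceOwnerType -Status 'Found'
    }
}

# Same input handling as the snippet on the page; both paths are assumed to be set by the caller.
Import-Csv -Path $csvInput |
    Select-Object -ExpandProperty displayName |
    Where-Object { $_ } |
    ForEach-Object { Write-Host "Querying: $_"; Get-IntuneReportRow -Hostname $_ } |
    Export-Csv -Path $csvOutput -NoTypeInformation
```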
Security Notes Before Sharing on GitHub
Before sharing the script publicly, remove any real environment values.
Do not publish real values for:
$tenantId
$clientId
$thumbprint
Use placeholders instead:
$tenantId = '<YOUR_TENANT_ID>'
$clientId = '<YOUR_APP_CLIENT_ID>'
$thumbprint = '<YOUR_CERTIFICATE_THUMBPRINT>'
Also make sure you do not upload certificate private key files, such as:
.pfx
A clean GitHub structure could look like this:
Get-DevicePrimaryUserAndSyncTime/
│
├── Get-DevicePrimaryUserAndSyncTime.ps1
├── sample-input.csv
├── README.md
└── .gitignore
Suggested .gitignore entries:
*.pfx
config.ps1
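A `.gitignore` only helps for files that were never committed, so a check before pushing is a useful second line. The following is an added example, not part of the author's repository: `Find-TenantValue` is a hypothetical helper, the demo folder and its values are constructed, and `*.p12` is included as an assumption alongside `*.pfx`.

```powershell
function Find-TenantValue {
    # Returns one finding per hit; the matched value itself is never echoed.
    param([Parameter(Mandatory)][string]$Path)

    $guid = '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'
    $patterns = [ordered]@{
        'Real tenant or client ID'    = '\$(tenantId|clientId)\s*=\s*["'']' + $guid + '["'']'
        'Real certificate thumbprint' = '\$thumbprint\s*=\s*["''][0-9a-f]{40}["'']'
    }
    # Private key containers must not sit in the repository folder at all.
    Get-ChildItem -Path $Path -Recurse -File -Include *.pfx, *.p12 | ForEach-Object {
        [pscustomobject]@{ Kind = 'Private key file'; File = $_.FullName; Line = $null }
    }
    # Placeholders such as '<YOUR_TENANT_ID>' do not match; real-looking values do.
    $scripts = Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.psm1, *.psd1
    foreach ($kind in $patterns.Keys) {
        $scripts | Select-String -Pattern $patterns[$kind] | ForEach-Object {
            [pscustomobject]@{ Kind = $kind; File = $_.Path; Line = $_.LineNumber }
        }
    }
}

# Constructed demo folder: one real-looking tenant ID, one placeholder, one thumbprint, one .pfx.
$repo = Join-Path ([IO.Path]::GetTempPath()) 'prepublish-demo'
New-Item -ItemType Directory -Path $repo -Force | Out-Null
@'
$tenantId   = '00000000-1111-2222-3333-444444444444'
$clientId   = '<YOUR_APP_CLIENT_ID>'
$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'
'@ | Set-Content -Path (Join-Path $repo 'Get-DevicePrimaryUserAndSyncTime.ps1')
Set-Content -Path (Join-Path $repo 'auth.pfx') -Value 'constructed placeholder, not a key'

$findings = @(Find-TenantValue -Path $repo)
$findings | Format-Table Kind, Line, File -AutoSize
if ($findings.Count -gt 0) { Write-Warning "$($findings.Count) finding(s): fix before publishing." }
```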
Final Thoughts
This script came from a real Intune and Entra ID reporting frustration.
Sometimes an export gives you the hostnames, but not the full context you need to understand the device. You still need to know who the device is associated with, when it last synced, and whether it looks active or stale.
By using PowerShell and Microsoft Graph, this script turns a simple hostname export into a useful Intune report.
The final report shows:
- Hostname
- Primary user
- User principal name
- Last Intune sync time
- Operating system
- Owner type
- Status
For anyone working with Intune or Entra ID device exports, this can save time and make device reviews much easier.