Unmanaged or personal devices accessing Microsoft 365 can lead to data leaks and unauthorized access. Identifying such devices is essential to revoke stale access and ensure only compliant devices connect to your organization. This guide shows you how to list all Entra ID devices in Microsoft 365 for better visibility and control.
Windows PowerShell Connect-MgGraph -Scopes "Device.Read.All" Windows PowerShell Get-MgDevice | Select-Object DisplayName, Id, OperatingSystem, TrustType 
The execution of the cmdlet displays all the Microsoft Entra devices with names, device id, operating system and its trust type.
AdminDroid’s Entra ID reporting tool allows you to effortlessly view all devices, track their activity and identify non-compliant endpoints. With granular device reports, you can enforce device policies, clean up inactive records, etc. This reduces security risks to ensure only trusted devices access your Microsoft 365 environment.
View device users report to easily map users to devices and use AI-powered filters to review properties, spot anomalies, and strengthen access control.
Keep track of unmanaged device sign-ins report to identify suspicious Entra ID device sign-in risks or other sign-ins from unusual locations.
Audit newly added devices with detailed insights, such as the added user, timestamp, and more to quickly identify and remove unauthorized personal device enrollments.
Remove devices that are inactive by analyzing M365 stale devices report to minimize risk, improve compliance, and maintain an accurate device record.
The mailbox device access state detector reminder notifies about the mobile devices that are blocked or quarantined in Exchange Online to quickly address potential security issues.
Evaluate device conditions in Entra Conditional Access policies to ensure there are no misconfigurations leading to the blocks of trusted devices in your organization.
Overall, AdminDroid’s Microsoft 365 management tool provides full visibility into devices, which helps to identify inactive, unmanaged, and risky endpoints. Customizable reports enable informed actions, simplify audits, and support strong governance and compliance.
This error occurs when using a personal Microsoft account or lacking proper directory permissions like Devices.Read.All, which are intended for Entra ID work accounts only.
Connect-MgGraph -Scopes "Device.Read.All"This error is faced while executing -ContentType parameter in Microsoft Graph PowerShell because it is provided without a value.
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations" -Body ($windowsConfig | ConvertTo-Json -Depth 3) -ContentType "application/json"This error occurs because PowerShell misinterprets the expression as a string or command due to the context within the Where-Object filter block.
Get-MgAuditLogSignIn -All | Where-Object {$_.DeviceDetail.DeviceId}This issue occurs when executing Get-MgBetaDevice cmdlet and module cannot be loaded due to corruption, missing dependencies, or version conflicts.
Install-Module Microsoft.Graph.Beta.DeviceManagement -Scope CurrentUserThis error occurs because your account lacks the required Azure AD role to access sign-in logs using the Microsoft Graph API.
Get-MgAuditLogSignIn -AllCorrelating device last sign-in activity with compliance status involves comparing the most recent access to Microsoft 365 services with the device’s current compliance state (e.g., compliant, noncompliant, or unknown).
This helps admins identify users accessing Microsoft 365 from non-compliant devices and access device activity and security posture. They can take action to reduce risk, clean up inactive licenses, and enforce Zero Trust policies.
Connect to the Microsoft Graph PowerShell module with required permissions and run the script below.
$devices = Get-MgDeviceManagementManagedDevice -All
$signIns = Get-MgAuditLogSignIn -All | Where-Object { $_.DeviceDetail.DeviceId }
$latest = $signIns | Sort-Object CreatedDateTime -Descending | Group-Object { $_.DeviceDetail.DeviceId } | ForEach-Object { $_.Group[0] }
$report = foreach ($s in $latest) { $d = $devices | Where-Object { $_.AzureADDeviceId -eq $s.DeviceDetail.DeviceId }
[PSCustomObject]@{ DeviceName = $s.DeviceDetail.DisplayName
LastSignIn = $s.CreatedDateTime
User = $s.UserPrincipalName
Compliance = if ($d) { $d.ComplianceState } else { "Unknown" } }}
$report | Format-Table -AutoSizeThis script obtains device name, user name and device’s last sign-in activity with compliance details. It helps you spot risky devices, compliant devices, etc. Also identify who used which device, when, and whether it met your organization’s security standards.
Associate user sign-ins with compliance status using AdminDroid to avoid security risks!
AdminDroid reports unify device compliance, user details, and sign-in activities into a single view that eliminates the need to manually correlate data from multiple sources. This saves time, reduces errors, and provides actionable insights without complex scripting.
Imagine a scenario where an employee steps away from their workstation to attend a quick discussion and unintentionally leaves their laptop unlocked in a shared space. During this time, the unattended device could be unintentionally accessed, potentially exposing confidential client data or internal systems. Automatically locking the device after a few minutes of inactivity ensures the session is secured. This helps to protect sensitive information even when users forget to manually lock their screen.
Using the Intune portal, an admin would need to manually create and assign this policy for each group or tenant. With PowerShell, the same policy can be scripted, reused, and applied across hundreds of devices or multiple tenants in seconds. So, here is how to configure auto-lock device property using PowerShell.
Connect to the Microsoft Graph PowerShell module with required permissions and run the below script to configure auto-lock device settings.
$windowsConfig = @{ "@odata.type" = "#microsoft.graph.windows10GeneralConfiguration"
displayName = "<displayname>"
inactivityTimeoutInSeconds = 300
requirePasswordWhenResumeFromIdle = $true }
$windowsPolicy = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations" -Body ($windowsConfig | ConvertTo-Json -Depth 3) -ContentType "application/json"
$assignment = @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
groupId = "<groupId>" }}
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($windowsPolicy.id)/assignments" -Body ($assignment | ConvertTo-Json -Depth 3) -ContentType "application/json"
Note: During execution, you must assign a group ID to configure the rule. Get group ID by using Get- MgGroup. Replace <displayName> and <groupID> with a suitable policy name and specific group ID. Set “inactivityTimeoutInSeconds” with any desired duration for inactivity locking (i.e., 300=5 minutes).
Jailbroken or rooted devices are mobile devices that have been modified to bypass the built-in security controls of their operating systems like iOS or Android. Blocking these devices is important because they can compromise the security of your organization by exposing sensitive apps and data to high risk.
You can block such devices using Intune compliance policies or Conditional Access rules to ensure that only trusted devices can access your Microsoft 365 organization.
Tip: Blocking jailbroken or rooted devices protects your organization from major security breaches and unauthorized access. It’s one of the Microsoft recommended practices which increases the secure score for devices.
Using Microsoft Graph PowerShell, you can block rooted devices in Microsoft 365 by creating a compliance policy with the appropriate settings.
Use the PowerShell cmdlet below to define the policy and set the rule to block jailbroken or rooted devices.
Connect-MgGraph -Scopes DeviceManagementConfiguration.ReadWrite.All
$androidPolicy = @{ "@odata.type" = "#microsoft.graph.androidCompliancePolicy"
displayName = "<Android Block Rooted Devices>"
securityThreatProtectionRequired = $true
deviceThreatProtectionEnabled = $true
deviceThreatProtectionRequiredSecurityLevel = "secured"
rootedDeviceBlocked = $true
scheduledActionsForRule = @( @{ ruleName = "BlockRooted"
scheduledActionConfigurations = @( @{ actionType = "block"
gracePeriodHours = 0 } ) } ) }
New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $androidPolicy
Unmanaged devices are devices that are not enrolled in your organization’s management system, such as Microsoft Intune or another MDM (Mobile Device Management) solution. These devices may have access to organizational resources, but they operate outside admin control. On the other hand, non-compliant devices are the ones that fail to meet security requirements like encryption or antivirus required by the organization.
To make sure that only safe and reliable devices can access the data of your company, it's crucial to block unmanaged and non-compliant devices from using Microsoft 365. By blocking these, you can reduce the risk of data leaks, malware, and unauthorized access.
Get AdminDroid Office 365 Reporter Now!