Powershell Graph query not returning group members

Question

Powershell Graph query not returning group members

Riki Gay 0

Hello! I'm encountering problems making device status queries via the Powershell Graph module. We’re trying to retrieve a list of devices and their compliance status from an Intune/Azure group. This is a security group, and these devices are direct group members.

Note that my app registration has Device.Read.All, DeviceManagementManagedDevices.Read.All, Directory.Read.All, Group.Read.All & User.Read

If I run the following query, it returns all devices in Intune with their compliance status:

connect-mggraph -ClientId ``xxx`` -tenantid ``xxx

$devices = Get-MgDeviceManagementManagedDevice # Output devices and their compliance states

$devices | Select-Object deviceName, complianceState

If I attempt to filter the request to return only the devices in the desired group, I get no results:

connect-mggraph -ClientId ``xxx`` -tenantid ``xxx

$groupId = "your-group-id-here"

# Get the devices in the group

$groupMembers = Get-MgGroupMember -GroupId $groupId

# Filter to show only devices

$deviceMembers = $groupMembers | Where-Object { $_.OdataType -eq "#microsoft.graph.device" }

# Get the compliance state of each device

$deviceCompliance = $deviceMembers | ForEach-Object {

$device = Get-MgDeviceManagementManagedDevice -DeviceId $_.Id

[PSCustomObject]@{

DeviceName = $device.deviceName

ComplianceState = $device.complianceState

}

# Display the results

$deviceCompliance | Format-Table -Property DeviceName, ComplianceState

What should I modify on this request?

1 answer

Your answer

Answer 1

Vasil Michev 115.3K MVP

The Id value you are retrieving via the Get-MgGroupMember cmdlet is not the same thing as the value the Get-MgDeviceManagementManagedDevice cmdlet expects. You cannot pass this value, as you are doing in your example. Moreover, the Get-MgDeviceManagementManagedDevice cmdlet will only accept the device Id from Intune, not the one returned via Entra ID (i.e. the Get-MgGroupMember cmdlet).

Instead, what you need to do is filter by the device's Entra ID identifier, which you can do as follows:

Get-MgDeviceManagementManagedDevice -Filter "azureADDeviceId eq '05ab7c00-ea9d-4c1b-8dc2-ef539bf2a27b'"

Adapted to your example, it will looks something like this:

$deviceCompliance = $deviceMembers | ForEach-Object {
    $device = Get-MgDeviceManagementManagedDevice -Filter "azureADDeviceId eq `'$($_.DeviceId)`'"
    [PSCustomObject]@{
        DeviceName      = $device.deviceName
        ComplianceState = $device.complianceState
    }
}

Riki Gay 0 Reputation points

2025-03-12T15:44:26.9366667+00:00

Hello Vasil,

After substituting your $deviceCompliance cmdlet, the script still returns no results.

Thanks - Riki

Vasil Michev 115.3K MVP

Right, I also used a server-side filter for getting device members only, which changes the output. So this:

$deviceMembers = Get-MgGroupMemberAsDevice -GroupId $groupId
$deviceCompliance = $deviceMembers | ForEach-Object {
    $device = Get-MgDeviceManagementManagedDevice -Filter "azureADDeviceId eq `'$($_.DeviceId)`'"
    [PSCustomObject]@{
        DeviceName      = $device.deviceName
        ComplianceState = $device.complianceState
    }
}

Riki Gay 0 Reputation points

2025-03-12T22:55:45.2733333+00:00

Hey Vasil - Thank you, that is awesome; the script is now generating a table. What I'm seeing is less than 100 devices returned, whereas in the console, there are 156 group members listed (all devices). Not sure where the discrepancy might be.
Vasil Michev 115.3K Reputation points MVP

2025-03-13T07:09:43.0833333+00:00

That's because now every device in Entra ID is represented in Intune.

Share via

Powershell Graph query not returning group members

1 answer

Your answer