📱 Recipe · Intune & Device Management

List Intune managed devices for a specific user

Retrieve all Intune-enrolled devices assigned to a user, including OS, model, serial number, and compliance state

Complexity

Beginner

Impact

read-only + device-management + user-lookup + audit

Context

Why This Matters

When supporting an end user (whether troubleshooting a device issue, preparing for offboarding, or auditing hardware), IT admins frequently need to quickly answer the question: What devices does this person have enrolled in Intune?

Intune (Microsoft Endpoint Manager) tracks every enrolled device and associates it with a primary user (the user who enrolled it or was assigned via Autopilot). Listing those devices gives you a consolidated view of the user's mobile phones, laptops, and tablets, along with each device's compliance posture and identifying hardware details.

Common triggers for running this recipe:

  • User reports a problem and you need to identify which device to investigate
  • Offboarding: you need to wipe or retire every device the user owns
  • Compliance audit: confirming a user's devices meet policy
  • Hardware inventory / asset reconciliation
  • Investigating suspicious sign-ins from an unknown device

Expected Outcomes

After completing this recipe you will have:

  • A list of every Intune managed device where the target user is the primary user
  • For each device: device name, operating system and version, model, serial number, enrollment date, last check-in, and compliance state
  • The device ID (used as input to downstream actions like wipe, retire, sync, or remove primary user)
  • A reusable script you can rerun for any UPN on demand

Risks & Considerations

Things to watch for

  • Primary user vs. registered user: managedDevices filtered by userPrincipalName returns devices where the user is the primary user. A device shared across multiple users may not appear for every sign-in user. Use the users/{id}/managedDevices or registeredOwners/registeredUsers relationships if you need a different view.
  • Stale records: A device may appear even if it hasn't checked in for weeks. Always inspect lastSyncDateTime before taking destructive actions.
  • Permissions scope: DeviceManagementManagedDevices.Read.All is tenant-wide. Only grant it to accounts or apps that genuinely need Intune visibility.
  • PII: Device serial numbers and names can identify individuals. Treat exports as sensitive and store them accordingly.
  • Do not trigger a wipe or retire from this recipe; it is read-only. Use a dedicated, reviewed workflow for destructive device actions.

Required Permissions

| Permission | Why It's Needed |
| --- | --- |
| DeviceManagementManagedDevices.Read.All | Required to read Intune managed device records tenant-wide, including the devices associated with a specific user. |
| User.Read.All | Required to resolve the target user's UPN to a directory object and confirm display name before listing their devices. |
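
One way to script this lookup with the Microsoft Graph PowerShell SDK, requesting only the two read scopes listed above and flagging stale records by lastSyncDateTime. This is an added example, not code from the original recipe or from Dex; the parameter names and the 30-day stale threshold are assumptions.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.DeviceManagement
param(
    [Parameter(Mandatory)]
    [string]$UserPrincipalName,

    # Assumption: a device with no check-in for this many days is treated as stale.
    [int]$StaleAfterDays = 30
)

# Delegated sign-in that requests only the two read-only scopes this recipe needs.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'User.Read.All'

# Resolve the UPN first so a typo fails here instead of silently returning no devices.
$user = Get-MgUser -UserId $UserPrincipalName `
    -Property Id, DisplayName, UserPrincipalName -ErrorAction Stop
Write-Host "Primary-user devices for $($user.DisplayName) <$($user.UserPrincipalName)>"

# OData string literals escape a single quote by doubling it (e.g. o'brien@contoso.com),
# so the UPN cannot break out of the filter expression.
$upn = $user.UserPrincipalName.Replace("'", "''")

# This filter returns devices where the user is the PRIMARY user only.
$devices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$upn'" -All

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleAfterDays)

$devices | Sort-Object LastSyncDateTime -Descending | ForEach-Object {
    [pscustomobject]@{
        DeviceId         = $_.Id                # input for downstream actions
        DeviceName       = $_.DeviceName
        OperatingSystem  = $_.OperatingSystem
        OsVersion        = $_.OsVersion
        Model            = $_.Model
        SerialNumber     = $_.SerialNumber
        EnrolledDateTime = $_.EnrolledDateTime
        LastSyncDateTime = $_.LastSyncDateTime
        ComplianceState  = $_.ComplianceState
        # A device that has never synced (null) also compares as older than the cutoff.
        Stale            = $_.LastSyncDateTime -lt $cutoff
    }
}
```

The script emits objects rather than formatted text, so the result can be piped to Format-Table for review; any file export carries serial numbers and device names and should be stored as sensitive data.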

The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

List all Intune managed devices for {user}. Include device name, OS and version, model, serial number, compliance state, and last check-in date.