Many routine activities involving device objects in Microsoft 365 require you to filter out a subset of the available inventory so that you can perform an action or create a report. The following is intended to serve as a simple reference for listing, filtering, performing basic updates or bulk edits, and tracking those attributes across the Microsoft 365 Intune inventory using the Graph SDK for PowerShell.
Overview
This quick reference will show you how to manage Intune device extension attributes with Microsoft Graph PowerShell. It also covers the roles and permissions required to access and modify those attributes; how to authenticate and establish a session; and how to report against, filter, and update attribute values for your device inventory. We’ll also look at common SDK oddities, bulk operations, and how to query extension attributes reliably with Graph PowerShell when the API’s behaviour is questionable or inconsistent. Whether you manage your devices with Microsoft 365 Intune or other tools, cloud-based device management solutions can provide scalable, centralized management over your organization’s entire technology ecosystem. You can manage inventory, configurations, and updates in real time, which lets you manage your devices more effectively with less time spent on manual methods.
Before you begin, you should ensure you have the proper permissions to read and update the Intune resources. The Graph PowerShell SDK requires either delegated or application permissions based on how you authenticate. You must have the following minimum permissions to read and update devices in Intune:
- Device.Read.All
- DeviceManagementManagedDevices.Read.All
- DeviceManagementManagedDevices.ReadWrite.All
If you are using application-based authentication, these permissions must be consented to in Azure Active Directory by an administrator. For interactive use, you should log into an account that has the necessary roles, such as Intune Administrator or Global Administrator.
Authentication with Microsoft Graph PowerShell
Connect to the Microsoft Graph PowerShell SDK. You can authenticate interactively or use an application registration with certificate-based authentication for automation-based scenarios.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All"
After you authenticate, it is helpful to verify that you have connected:
Get-MgContext
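For unattended runs the article mentions certificate-based app authentication; the following is an added example (not code from the article) that connects that way and then checks, via Get-MgContext, that the session actually carries the scopes listed earlier before any device object is touched. The tenant ID, app (client) ID and certificate thumbprint are placeholders, and the function names are this example's own.

```powershell
# Added example: app-only (certificate) sign-in followed by a scope check.
# Placeholders: <tenant-id>, <app-id>, <thumbprint>. The application must already
# have admin consent for every permission in $RequiredScopes.

$RequiredScopes = @(
    'Device.Read.All',
    'DeviceManagementManagedDevices.Read.All',
    'DeviceManagementManagedDevices.ReadWrite.All'
)

function Connect-IntuneGraphSession {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $CertificateThumbprint
    )
    # Certificate-based authentication for automation; no interactive prompt.
    Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
        -CertificateThumbprint $CertificateThumbprint -NoWelcome -ErrorAction Stop
}

function Test-IntuneGraphScopes {
    param([string[]] $Required = $RequiredScopes)
    $context = Get-MgContext
    if (-not $context) { throw 'No Microsoft Graph session. Run Connect-MgGraph first.' }
    # Get-MgContext exposes what the token carries in .Scopes (assumed here to list
    # the application permissions for an app-only session as well).
    $missing = $Required | Where-Object { $context.Scopes -notcontains $_ }
    if ($missing) {
        throw "Graph session for '$($context.Account)' is missing required scopes: $($missing -join ', ')"
    }
    [pscustomobject]@{
        TenantId = $context.TenantId
        AuthType = $context.AuthType      # 'Delegated' or 'AppOnly'
        Account  = $context.Account
        Scopes   = $context.Scopes
    }
}

# Usage (placeholders):
# Connect-IntuneGraphSession -TenantId '<tenant-id>' -ClientId '<app-id>' -CertificateThumbprint '<thumbprint>'
# Test-IntuneGraphScopes
```

Failing fast on missing scopes is cheaper than discovering halfway through a bulk run that the update calls are being rejected, and it makes an over-scoped session equally visible when you review what the token carries.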
Retrieving Devices with Extension Attributes
Extension attributes on devices can be used to store your own metadata, such as department codes, support tiers, asset ownership, or lifecycle state. You can retrieve devices and their extensions in the following way:
$devices = Get-MgDeviceManagementManagedDevice -ExpandProperty "extensions"
To retrieve a specific device and have its extensions:
# "" is a placeholder for the managed device ID
$device = Get-MgDeviceManagementManagedDevice -ManagedDeviceId "" -ExpandProperty "extensions"
Please note that the $device.Extensions property will only be populated if the extension schema was in place and is associated with that device object.
Creating and Updating Extension Attributes
To create or update device extension attributes, use the Add-MgDeviceManagementManagedDeviceExtension or Update-MgDeviceManagementManagedDeviceExtension cmdlets.
# Create an extension attribute ("" is a placeholder for the managed device ID)
Add-MgDeviceManagementManagedDeviceExtension -ManagedDeviceId "" `
    -ExtensionName "com.company.deviceInfo" `
    -AdditionalProperties @{"location"="Seattle"; "owner"="IT Support"}
# Update an extension attribute ("" placeholders for the managed device ID and the extension ID)
Update-MgDeviceManagementManagedDeviceExtension -ManagedDeviceId "" `
    -ExtensionId "" `
    -AdditionalProperties @{"location"="San Francisco"}
Keep in mind that extension attribute schemas need to adhere to the openTypeExtension schema to be compatible with Graph API standards.
Filtering Devices by Extension Attribute
It is unfortunate that filtering by extension attribute values directly in Graph PowerShell is inconsistent. A workaround is to fetch all relevant devices and filter client-side:
$devicesWithExtensions = Get-MgDeviceManagementManagedDevice -ExpandProperty "extensions"
$filtered = $devicesWithExtensions | Where-Object {
    $_.Extensions -match "Seattle"
}
While this is not ideal from a performance perspective, it is as reliable as it gets until Microsoft improves the ability to filter directly on extension attributes in Graph queries.
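The client-side filter above string-matches the whole Extensions collection, so any extension value containing "Seattle" (including a device located in "Seattle-Lab" or owned by a "Seattle Helpdesk" group) is selected, and a device with no extensions is silently skipped. The following added example (not the article's code) filters on a named property inside a named extension, compares exactly, and tolerates devices that have no extensions at all. It assumes each extension object exposes an Id equal to the extension name (for example 'com.company.deviceInfo') and its custom values in an AdditionalProperties dictionary; the sample devices at the bottom are constructed so the filter can be exercised without a tenant.

```powershell
# Added example: null-safe, exact-match client-side filtering on one extension property.
# Assumption: extension objects expose .Id (the extension name) and .AdditionalProperties.

function Get-ExtensionValue {
    param($Device, [string] $ExtensionName, [string] $PropertyName)
    if (-not $Device.Extensions) { return $null }     # device never had any extension
    $ext = $Device.Extensions | Where-Object { $_.Id -eq $ExtensionName } | Select-Object -First 1
    if (-not $ext -or -not $ext.AdditionalProperties) { return $null }
    if ($ext.AdditionalProperties.ContainsKey($PropertyName)) {
        return $ext.AdditionalProperties[$PropertyName]
    }
    return $null                                       # extension present, property absent
}

function Select-DeviceByExtension {
    param(
        [Parameter(Mandatory)] $Devices,
        [Parameter(Mandatory)] [string] $ExtensionName,
        [Parameter(Mandatory)] [string] $PropertyName,
        [Parameter(Mandatory)] [string] $Value
    )
    foreach ($d in $Devices) {
        $actual = Get-ExtensionValue -Device $d -ExtensionName $ExtensionName -PropertyName $PropertyName
        # Exact, case-insensitive comparison: 'Seattle' must not also select 'Seattle-Lab'.
        if ($null -ne $actual -and $actual -ieq $Value) { $d }
    }
}

# Constructed sample data (not real devices) so the filter runs offline:
$sample = @(
    [pscustomobject]@{ DeviceName = 'LAP-001'; Id = '1'
        Extensions = @([pscustomobject]@{ Id = 'com.company.deviceInfo'; AdditionalProperties = @{ location = 'Seattle' } }) },
    [pscustomobject]@{ DeviceName = 'LAP-002'; Id = '2'
        Extensions = @([pscustomobject]@{ Id = 'com.company.deviceInfo'; AdditionalProperties = @{ location = 'Seattle-Lab' } }) },
    [pscustomobject]@{ DeviceName = 'LAP-003'; Id = '3'; Extensions = $null }
)
Select-DeviceByExtension -Devices $sample -ExtensionName 'com.company.deviceInfo' -PropertyName 'location' -Value 'Seattle' |
    Select-Object DeviceName

# Against a tenant, replace $sample with the expanded inventory:
# $all = Get-MgDeviceManagementManagedDevice -All -ExpandProperty 'extensions'
# Select-DeviceByExtension -Devices $all -ExtensionName 'com.company.deviceInfo' -PropertyName 'location' -Value 'Seattle'
```

Only LAP-001 is returned from the constructed sample: LAP-002 differs in value and LAP-003 has no extensions, which is exactly the distinction a report used for scoping or compliance needs to preserve.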
Bulk Editing Extension Attributes
Bulk editing is important for organizations managing hundreds or thousands of devices. Here is a simple approach using a CSV import:
$csv = Import-Csv "device_extensions.csv"
foreach ($row in $csv) {
    $device = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$($row.DeviceName)'" -ExpandProperty "extensions"
    if ($device) {
        # "" is a placeholder for the extension ID
        Update-MgDeviceManagementManagedDeviceExtension -ManagedDeviceId $device.Id `
            -ExtensionId "" `
            -AdditionalProperties @{"owner"=$row.Owner; "location"=$row.Location}
    }
}
This allows you to quickly update multiple devices simultaneously and can be easily integrated as part of a CI/CD or automation pipeline.
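A bulk edit driven from a CSV is also a bulk mistake waiting to happen: a device name that matches two records, a row with an empty name, or one failed call aborting the loop halfway. The following added example (not the article's code) validates the CSV columns, refuses ambiguous matches, escapes quotes in the OData filter, isolates each row's failure with try/catch, supports -WhatIf for a dry run, and writes a result log. It assumes the same DeviceName, Owner and Location columns as the article's CSV and that the extension ID equals the extension name 'com.company.deviceInfo'; the function name and log path are this example's own.

```powershell
# Added example: hardened CSV-driven bulk update with dry run and per-row result log.
# Assumptions: CSV columns DeviceName, Owner, Location; extension ID = extension name.

function Update-DeviceExtensionFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExtensionId = 'com.company.deviceInfo',
        [string] $LogPath = 'device_extension_results.csv'
    )
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "No rows found in $Path" }
    $required = 'DeviceName', 'Owner', 'Location'
    $present  = ($rows[0] | Get-Member -MemberType NoteProperty).Name
    $missingCols = $required | Where-Object { $_ -notin $present }
    if ($missingCols) { throw "CSV is missing column(s): $($missingCols -join ', ')" }

    $results = foreach ($row in $rows) {
        $status = 'Skipped'; $detail = ''
        try {
            if ([string]::IsNullOrWhiteSpace($row.DeviceName)) { throw 'Empty DeviceName' }
            # A single quote inside an OData string literal is escaped by doubling it;
            # without this a name such as O'Brien-PC produces a malformed filter.
            $name  = $row.DeviceName.Replace("'", "''")
            $found = @(Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$name'" -ErrorAction Stop)
            if ($found.Count -eq 0) { throw 'Device not found' }
            if ($found.Count -gt 1) { throw "Ambiguous: $($found.Count) devices share this name" }
            $device = $found[0]
            if ($PSCmdlet.ShouldProcess($device.DeviceName, "Set owner='$($row.Owner)', location='$($row.Location)'")) {
                Update-MgDeviceManagementManagedDeviceExtension -ManagedDeviceId $device.Id `
                    -ExtensionId $ExtensionId `
                    -AdditionalProperties @{ owner = $row.Owner; location = $row.Location } `
                    -ErrorAction Stop
                $status = 'Updated'
            }
        } catch {
            # One bad row must not abort the rest of the run; record it and continue.
            $status = 'Failed'; $detail = $_.Exception.Message
        }
        [pscustomobject]@{
            DeviceName = $row.DeviceName
            Status     = $status
            Detail     = $detail
            Time       = (Get-Date).ToString('o')
        }
    }
    $results | Export-Csv -Path $LogPath -NoTypeInformation
    $results
}

# Dry run first (-WhatIf performs the lookups but skips every update), then the real run:
# Update-DeviceExtensionFromCsv -Path 'device_extensions.csv' -WhatIf
# Update-DeviceExtensionFromCsv -Path 'device_extensions.csv' | Group-Object Status
```

The -WhatIf pass surfaces missing and ambiguous devices before anything is written, and the result log gives the pipeline a per-device record it can gate on rather than a single exit code.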
Troubleshooting and Reliability Suggestions
The Microsoft Graph API can be unpredictable when developing complex requests or working with large datasets. Here are some practical suggestions:
- Consider pagination when querying large inventories: the -Top and -SkipToken parameters can help manage large result sets.
- Always check for non-existent or null properties when working with extension attributes.
- If you need to read inventory repetitively for reporting, you can cache the results locally.
- Use try/catch blocks in PowerShell scripts to handle intermittent and unpredictable API failures.
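The four suggestions above fit together in one pattern; the following added example (not the article's code) pulls the full inventory with paging, caches it to disk with a timestamp so repeated reports do not re-query Graph, and wraps each call in a retry that backs off on throttling and transient server errors while letting permission or bad-request errors surface immediately. The cache path, age limit and retry counts are arbitrary choices for illustration, and the function names are this example's own.

```powershell
# Added example: paged inventory read with a timestamped local cache and a retry wrapper.
# Cache path, max age and attempt counts are illustrative values.

function Invoke-GraphWithRetry {
    param([scriptblock] $Call, [int] $MaxAttempts = 5)
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try { return & $Call }
        catch {
            $msg = $_.Exception.Message
            # Retry only throttling (429) and server-side (5xx) failures; a 401/403/400
            # will not succeed on retry and should be seen by the operator right away.
            $transient = $msg -match '429|TooManyRequests|50[0-4]|timed out'
            if (-not $transient -or $attempt -eq $MaxAttempts) { throw }
            $delay = [math]::Min(60, [math]::Pow(2, $attempt))   # exponential back-off, capped
            Write-Warning "Attempt $attempt failed ($msg); retrying in $delay s"
            Start-Sleep -Seconds $delay
        }
    }
}

function Get-CachedManagedDevices {
    param(
        [string] $CachePath = (Join-Path $env:TEMP 'intune-devices.json'),
        [int] $MaxAgeMinutes = 60
    )
    if (Test-Path $CachePath) {
        $age = (Get-Date) - (Get-Item $CachePath).LastWriteTime
        if ($age.TotalMinutes -lt $MaxAgeMinutes) {
            Write-Verbose "Using cache ($([int]$age.TotalMinutes) min old)"
            return Get-Content $CachePath -Raw | ConvertFrom-Json
        }
    }
    # -All follows @odata.nextLink until the inventory is exhausted; -PageSize sets
    # how many objects each request returns.
    $devices = Invoke-GraphWithRetry {
        Get-MgDeviceManagementManagedDevice -All -PageSize 500 -ExpandProperty 'extensions' -ErrorAction Stop
    }
    # Cache only the fields reports need. Device inventory is sensitive, so keep the
    # file out of shared locations and remove it when the job finishes.
    $devices | Select-Object Id, DeviceName, UserPrincipalName, OperatingSystem, Extensions |
        ConvertTo-Json -Depth 6 | Set-Content -Path $CachePath -Encoding UTF8
    $devices
}

# Usage:
# $inventory = Get-CachedManagedDevices -Verbose
# $inventory.Count
# Remove-Item (Join-Path $env:TEMP 'intune-devices.json')   # when the reporting job is done
```

Objects read back from the JSON cache are plain PSCustomObjects rather than SDK model types, so any code that expects SDK-specific members must be checked against the cached shape; the null checks the article recommends apply to both.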
Use Cases and Scenarios
Some example scenarios where device extension attributes offer benefits include:
- Scoped Configuration Profiles: Use your extension attributes to tag devices with environment-level metadata (e.g., “Test”, “Prod”) and scope your profiles appropriately.
- Audit and Compliance Reports: Create reports that will provide detailed information about which department or user owns a specific asset.
- Automation Hooks: Pre-fill metadata that can be used in conditional logic in downstream workflows (such as with Power Automate or Azure Automation).
Overall, your extension attributes offer structure and agility when managing the devices in your Intune device inventory. Learn more about other Microsoft solutions, such as Microsoft Graph PowerShell, to scale up your management with greater control and less effort.