Sync Devices
This script connects to Microsoft Graph and triggers synchronization operations on targeted devices. You can target devices by specific names, device IDs, or by Entra ID group membership. The script provides real-time feedback on sync operations and handles errors gracefully.
OperationalDevices
Author: Ugur Koc
Version: 1.1
Quality checks
All checks pass- ParsePass
- LintPass
- MetadataPass
- Runbook-readyPass
- Module depsPass
Tests run automatically on every change. What does each check mean?
Required Permissions
DeviceManagementManagedDevices.ReadWrite.AllAllows the app to read and write the properties of devices managed by Microsoft Intune, without a signed-in user. Does not allow high impact operations such as remote wipe and password reset on the device's owner
DeviceManagementManagedDevices.Read.AllAllows the app to read the properties of devices managed by Microsoft Intune, without a signed-in user.
Group.Read.AllAllows the app to read group properties and memberships, and read conversations for all groups, without a signed-in user.
GroupMember.Read.AllAllows the app to read memberships and basic group properties for all groups without a signed-in user.
sync-devices.ps1
<#
.TITLE
Sync Devices
.SYNOPSIS
Trigger synchronization on specific managed devices in Intune or devices in an Entra ID group.
.DESCRIPTION
This script connects to Microsoft Graph and triggers synchronization operations on targeted devices.
You can target devices by specific names, device IDs, or by Entra ID group membership.
The script provides real-time feedback on sync operations and handles errors gracefully.
.TAGS
Operational,Devices
.MINROLE
Intune Administrator
.PERMISSIONS
DeviceManagementManagedDevices.ReadWrite.All,DeviceManagementManagedDevices.Read.All,Group.Read.All,GroupMember.Read.All
.AUTHOR
Ugur Koc
.VERSION
1.1
.CHANGELOG
1.0 - Initial release
1.1 - Improved authentication scopes and fixed group device members search
- added `DeviceManagementManagedDevices.PrivilegedOperations.All` scope for interactive Graph auth
- fixed `Get-DevicesByEntraGroup` to correctly match devices by `azureADDeviceId`
- replaced `+=` with `[System.Collections.Generic.List[Object]]` for faster result handling
- standardized string quoting to single quotes
- optimized `Get-MgGraphAllPage` with strongly typed list
- replaced `Out-Null` with `$null =` assignment for cleaner output suppression
- improved consistency in logging and error handling
.LASTUPDATE
2025-09-24
.EXAMPLE
.\sync-devices.ps1 -DeviceNames "LAPTOP001","DESKTOP002"
Synchronizes specific devices by name
.EXAMPLE
.\sync-devices.ps1 -DeviceIds "12345678-1234-1234-1234-123456789012","87654321-4321-4321-4321-210987654321"
Synchronizes specific devices by their Intune device IDs
.EXAMPLE
.\sync-devices.ps1 -EntraGroupName "IT Department Devices"
Synchronizes all devices belonging to users in the specified Entra ID group
.EXAMPLE
.\sync-devices.ps1 -EntraGroupName "Sales Team" -ForceSync
Forces synchronization of all devices for users in the Sales Team group
.NOTES
- Supports both local execution and Azure Automation Runbook environments
- Automatically detects execution environment and uses appropriate authentication method
- Local execution: Uses interactive authentication with specified scopes
- Azure Automation: Uses Managed Identity authentication
- Requires Microsoft.Graph.Authentication module (auto-installs if missing in local environment)
- Use -ForceModuleInstall to skip installation prompts in local environment
- Requires appropriate permissions in Azure AD
- Sync operations are triggered immediately but may take time to complete on the device
- Use -ForceSync to override the 1-hour sync threshold
- The script will show real-time progress and results
#>
[CmdletBinding(DefaultParameterSetName = 'DeviceNames')]
param(
[Parameter(Mandatory = $true, ParameterSetName = 'DeviceNames')]
[string[]]$DeviceNames,
[Parameter(Mandatory = $true, ParameterSetName = 'DeviceIds')]
[string[]]$DeviceIds,
[Parameter(Mandatory = $true, ParameterSetName = 'EntraGroup')]
[string]$EntraGroupName,
[Parameter(Mandatory = $false)]
[switch]$ForceSync,
[Parameter(Mandatory = $false)]
[int]$SyncDelaySeconds = 2,
[Parameter(Mandatory = $false, HelpMessage = 'Force module installation without prompting')]
[switch]$ForceModuleInstall
)
# ============================================================================
# ENVIRONMENT DETECTION AND SETUP
# ============================================================================
function Initialize-RequiredModule {
<#
.SYNOPSIS
Ensures required modules are available and loaded
#>
param(
[string[]]$ModuleNames,
[bool]$IsAutomationEnvironment,
[bool]$ForceInstall = $false
)
foreach ($ModuleName in $ModuleNames) {
Write-Verbose "Checking module: $ModuleName"
# Check if module is available
$module = Get-Module -ListAvailable -Name $ModuleName | Select-Object -First 1
if (-not $module) {
if ($IsAutomationEnvironment) {
$errorMessage = @"
Module '$ModuleName' is not available in this Azure Automation Account.
To resolve this issue:
1. Go to Azure Portal
2. Navigate to your Automation Account
3. Go to 'Modules' > 'Browse Gallery'
4. Search for '$ModuleName'
5. Click 'Import' and wait for installation to complete
Alternative: Use PowerShell to import the module:
Import-Module Az.Automation
Import-AzAutomationModule -AutomationAccountName "YourAccount" -ResourceGroupName "YourRG" -Name "$ModuleName"
"@
throw $errorMessage
}
else {
# Local environment - attempt to install
Write-Information "Module '$ModuleName' not found. Attempting to install..." -InformationAction Continue
if (-not $ForceInstall) {
$response = Read-Host "Install module '$ModuleName'? (Y/N)"
if ($response -notmatch '^[Yy]') {
throw "Module '$ModuleName' is required but installation was declined."
}
}
try {
# Check if running as administrator for AllUsers scope
$isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')
$scope = if ($isAdmin) { 'AllUsers' } else { 'CurrentUser' }
Write-Information "Installing '$ModuleName' in scope '$scope'..." -InformationAction Continue
Install-Module -Name $ModuleName -Scope $scope -Force -AllowClobber -Repository PSGallery
Write-Information "✓ Successfully installed '$ModuleName'" -InformationAction Continue
}
catch {
throw "Failed to install module '$ModuleName': $($_.Exception.Message)"
}
}
}
# Import the module
try {
Write-Verbose "Importing module: $ModuleName"
Import-Module -Name $ModuleName -Force -ErrorAction Stop
Write-Verbose "✓ Successfully imported '$ModuleName'"
}
catch {
throw "Failed to import module '$ModuleName': $($_.Exception.Message)"
}
}
}
# Detect execution environment
if ($PSPrivateMetadata.JobId.Guid) {
Write-Output 'Running inside Azure Automation Runbook'
$IsAzureAutomation = $true
}
else {
Write-Information 'Running locally in IDE or terminal' -InformationAction Continue
$IsAzureAutomation = $false
}
# Initialize required modules
$RequiredModules = @(
'Microsoft.Graph.Authentication'
)
try {
Initialize-RequiredModule -ModuleNames $RequiredModules -IsAutomationEnvironment $IsAzureAutomation -ForceInstall $ForceModuleInstall
Write-Verbose '✓ All required modules are available'
}
catch {
Write-Error "Module initialization failed: $_"
exit 1
}
# ============================================================================
# AUTHENTICATION
# ============================================================================
try {
if ($IsAzureAutomation) {
# Azure Automation - Use Managed Identity
Write-Output 'Connecting to Microsoft Graph using Managed Identity...'
Connect-MgGraph -Identity -NoWelcome -ErrorAction Stop
Write-Output '✓ Successfully connected to Microsoft Graph using Managed Identity'
}
else {
# Local execution - Use interactive authentication
Write-Information 'Connecting to Microsoft Graph with interactive authentication...' -InformationAction Continue
$scopes = @('DeviceManagementManagedDevices.ReadWrite.All', 'DeviceManagementManagedDevices.Read.All', 'DeviceManagementManagedDevices.PrivilegedOperations.All')
if ($PSCmdlet.ParameterSetName -eq 'EntraGroup') {
$scopes += @('Group.Read.All', 'GroupMember.Read.All')
}
Connect-MgGraph -Scopes $scopes -NoWelcome -ErrorAction Stop
Write-Information '✓ Successfully connected to Microsoft Graph' -InformationAction Continue
}
}
catch {
Write-Error "Failed to connect to Microsoft Graph: $($_.Exception.Message)"
exit 1
}
# Function to get all pages of results
function Get-MgGraphAllPage {
param(
[string]$Uri,
[int]$DelayMs = 100
)
[System.Collections.Generic.List[PSCustomObject]]$allResults = @()
$nextLink = $Uri
$requestCount = 0
do {
try {
# Add delay to respect rate limits
if ($requestCount -gt 0) {
Start-Sleep -Milliseconds $DelayMs
}
$response = Invoke-MgGraphRequest -Uri $nextLink -Method GET
$requestCount++
if ($response.value) {
$response.value | ForEach-Object {
$allResults.Add($_)
}
}
else {
$allResults.Add($response)
}
$nextLink = $response.'@odata.nextLink'
}
catch {
if ($_.Exception.Message -like '*429*' -or $_.Exception.Message -like '*throttled*') {
Write-Information "`nRate limit hit, waiting 60 seconds..." -InformationAction Continue
Start-Sleep -Seconds 60
continue
}
Write-Warning "Error fetching data from $nextLink : $($_.Exception.Message)"
break
}
} while ($nextLink)
return $allResults
}
# Function to trigger device sync
function Invoke-DeviceSync {
param(
[string]$DeviceId,
[string]$DeviceName
)
try {
$syncUri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices('$DeviceId')/syncDevice"
Invoke-MgGraphRequest -Uri $syncUri -Method POST
Write-Information "✓ Sync triggered successfully for device: $DeviceName" -InformationAction Continue
return $true
}
catch {
Write-Information "✗ Failed to sync device $DeviceName : $($_.Exception.Message)" -InformationAction Continue
return $false
}
}
# Function to get devices by Entra ID group
function Get-DevicesByEntraGroup {
param([string]$GroupName)
try {
Write-Information "Finding Entra ID group: $GroupName..." -InformationAction Continue
# Find the group
$groupUri = "https://graph.microsoft.com/v1.0/groups?`$filter=displayName eq '$GroupName'"
$groups = @(Get-MgGraphAllPage -Uri $groupUri)
if ($groups.Count -eq 0) {
throw "Group '$GroupName' not found"
}
elseif ($groups.Count -gt 1) {
throw "Multiple groups found with name '$GroupName'. Please use a more specific name."
}
$group = $groups[0]
Write-Information "✓ Found group: $($group.displayName) (ID: $($group.id))" -InformationAction Continue
# Get group members
Write-Information 'Retrieving group members...' -InformationAction Continue
$membersUri = "https://graph.microsoft.com/v1.0/groups/$($group.id)/members"
$members = @(Get-MgGraphAllPage -Uri $membersUri)
Write-Information "✓ Found $($members.Count) members in group" -InformationAction Continue
# Get all managed devices
Write-Information 'Retrieving managed devices...' -InformationAction Continue
$devicesUri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'
$allDevices = @(Get-MgGraphAllPage -Uri $devicesUri)
# Filter devices by group members
[System.Collections.Generic.List[PSCustomObject]]$targetDevices = @()
foreach ($device in $allDevices) {
if ($device.id) {
# Test if device.id is in members
$deviceInGroup = $members.deviceID.contains($device.azureADDeviceId)
if ($deviceInGroup) {
$targetDevices.Add($device)
}
}
}
Write-Information "✓ Found $($targetDevices.Count) devices belonging to group members" -InformationAction Continue
return $targetDevices
}
catch {
Write-Error "Failed to get devices by Entra ID group: $($_.Exception.Message)"
return @()
}
}
# ============================================================================
# MAIN SCRIPT LOGIC
# ============================================================================
try {
# Get target devices based on parameter set
$targetDevices = @()
switch ($PSCmdlet.ParameterSetName) {
'DeviceNames' {
Write-Information 'Retrieving devices by names...' -InformationAction Continue
$devicesUri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'
$allDevices = Get-MgGraphAllPage -Uri $devicesUri
foreach ($deviceName in $DeviceNames) {
$matchingDevices = $allDevices | Where-Object { $_.deviceName -eq $deviceName }
if ($matchingDevices) {
$targetDevices += $matchingDevices
Write-Information "✓ Found device: $deviceName" -InformationAction Continue
}
else {
Write-Warning "Device not found: $deviceName"
}
}
}
'DeviceIds' {
Write-Information 'Retrieving devices by IDs...' -InformationAction Continue
foreach ($deviceId in $DeviceIds) {
try {
$deviceUri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$deviceId"
$device = Invoke-MgGraphRequest -Uri $deviceUri -Method GET
$targetDevices += $device
Write-Information "✓ Found device: $($device.deviceName)" -InformationAction Continue
}
catch {
Write-Warning "Device not found with ID: $deviceId"
}
}
}
'EntraGroup' {
$targetDevices = Get-DevicesByEntraGroup -GroupName $EntraGroupName
}
}
if ($targetDevices.Count -eq 0) {
Write-Warning 'No target devices found. Exiting.'
$null = Disconnect-MgGraph
exit 0
}
# Display target information
Write-Information "`n📱 TARGET DEVICES SUMMARY" -InformationAction Continue
Write-Information '=========================' -InformationAction Continue
Write-Information "Total devices to process: $($targetDevices.Count)" -InformationAction Continue
# Process sync operations
$successfulSyncs = 0
$failedSyncs = 0
$skippedSyncs = 0
$processedDevices = 0
Write-Information "`nProcessing device synchronization..." -InformationAction Continue
foreach ($device in $targetDevices) {
$processedDevices++
Write-Progress -Activity 'Synchronizing Devices' -Status "Processing device $processedDevices of $($targetDevices.Count): $($device.deviceName)" -PercentComplete (($processedDevices / $targetDevices.Count) * 100)
# Calculate time since last sync
$hoursSinceSync = if ($device.lastSyncDateTime) {
[math]::Round(((Get-Date) - [DateTime]$device.lastSyncDateTime).TotalHours, 1)
}
else {
999
}
# Determine if sync should be triggered
$shouldSync = $ForceSync -or $hoursSinceSync -gt 1 -or $null -eq $device.lastSyncDateTime
if ($shouldSync) {
$syncSuccessful = Invoke-DeviceSync -DeviceId $device.id -DeviceName $device.deviceName
if ($syncSuccessful) {
$successfulSyncs++
}
else {
$failedSyncs++
}
# Add delay between sync operations to avoid overwhelming the service
if ($processedDevices -lt $targetDevices.Count) {
Start-Sleep -Seconds $SyncDelaySeconds
}
}
else {
Write-Information "⏭️ Skipping $($device.deviceName) - synced $hoursSinceSync hours ago" -InformationAction Continue
$skippedSyncs++
}
}
Write-Progress -Activity 'Synchronizing Devices' -Completed
# Display final summary
Write-Information "`n🔄 SYNC OPERATION SUMMARY" -InformationAction Continue
Write-Information '=========================' -InformationAction Continue
Write-Information "Total Devices Processed: $($targetDevices.Count)" -InformationAction Continue
Write-Information "Successful Syncs: $successfulSyncs" -InformationAction Continue
Write-Information "Failed Syncs: $failedSyncs" -InformationAction Continue
Write-Information "Skipped Devices: $skippedSyncs" -InformationAction Continue
# Show failed devices if any
if ($failedSyncs -gt 0) {
Write-Information "`n❌ Failed sync operations require manual review." -InformationAction Continue
}
Write-Information "`n🎉 Device synchronization completed successfully!" -InformationAction Continue
}
catch {
Write-Error "Script execution failed: $($_.Exception.Message)"
exit 1
}
finally {
# Disconnect from Microsoft Graph
try {
$null = Disconnect-MgGraph
Write-Information '✓ Disconnected from Microsoft Graph' -InformationAction Continue
}
catch {
# Ignore disconnection errors - this is expected behavior when already disconnected
Write-Verbose 'Graph disconnection completed (may have already been disconnected)'
}
}
Related Scripts
Discover similar scripts that might be useful for your automation needs
Highly Related
Add Devices to Entra ID Groups from CSV
This script reads a CSV file containing device identifiers and group names, then adds the specified devices to their corresponding Entra ID groups. It supports multiple device identifiers (Device Name, Serial Number, Azure AD Device ID) for flexible device matching and can add devices to multiple groups. The script validates that devices exist in Intune before processing, checks for existing group memberships to avoid duplicates, and can create new groups with user confirmation. A dry-run mode allows previewing changes before execution.
OperationalDevices
Highly Related
Cleanup Orphaned Autopilot Devices
This script connects to Microsoft Graph and identifies Windows Autopilot devices that are registered in the Autopilot service but are no longer present as managed devices in Intune. These orphaned devices can accumulate over time when devices are retired, reimaged, or replaced without proper cleanup of the Autopilot registration. The script provides options to preview orphaned devices before removal and supports batch operations with confirmation prompts for safety. It helps maintain a clean Autopilot device inventory and prevents potential enrollment issues.
OperationalDevices
Highly Related
Get Stale Intune Devices
This script connects to Microsoft Graph and retrieves all managed devices from Intune, then identifies devices that are considered "stale" based on their last check-in date. The script supports all device platforms (Windows, iOS, Android, macOS) and provides comprehensive reporting with options to export results to CSV format. Stale devices may indicate hardware that is no longer in use, devices that have been reimaged without proper cleanup, or devices experiencing connectivity issues.
OperationalDevices