Blog Post

Core Infrastructure and Security Blog
6 MIN READ

Identify Device state in EntraID/Defender with PowerShell

edgarus71's avatar
edgarus71
Icon for Microsoft rankMicrosoft
Oct 22, 2025

In certain occasions you may want to confirm what is the state of your devices or a subset of your devices in EntraID and cross reference this with the device status you see in Defender for Endpoint. Sometimes a device can appear as onboarded in Defender for Endpoint but given that an inactive device remains visible in the Defender portal for 180 days before it gets removed automatically, it can be challenging to understand what devices that show as inactive in the console are actually disabled in EntraID and no longer part of the device fleet you manage. The challenge today is that the EntraID API doesn’t expose the parameter “AccountState” to the Defender API, hence it is not possible to run an API call from the API explorer view from Defender portal to query this parameter, or view this information through Defender portal.

Proposed solution: One way to achieve this result is by integrating few pieces of available technology. It sounds like a lot of moving parts but we do not need App registration in EntraID MS ...
Updated Oct 22, 2025
Version 1.0
defender atp
powershell
john66571's avatar
john66571
Iron Contributor
Oct 23, 2025

Great blog! Love that we get to see the technical part and the actual scripts etc :).

But maybe im missing something here, the api.securitycenter.microsoft.com is never called and the script is not doing anything with Defender XDR API. So basically the script above is just using an appregistration to check status of devices in Entra ID. (from a text file).

So, if you have the rights to read devices in your tenant and Microsoft Graph has the right scopes delegated (approved). You can use this oneliner:

Connect-MgGraph -Scopes "Device.Read.All"; Get-Content "C:\temp\devices.txt" | % { $n=$_; $d=Get-MgDevice -Filter "displayName eq '$($n -replace '''','''''')'" -Property "id,deviceId,displayName,accountEnabled"; if($d){ $d | Select @{n='InputName';e={$n}}, @{n='DisplayName';e={$_.DisplayName}}, @{n='Status';e={if($_.AccountEnabled){'Enabled'} else {'Disabled'}}}, @{n='DeviceId';e={$_.DeviceId}}, @{n='ObjectId';e={$_.Id}} } else { [pscustomobject]@{ InputName=$n; DisplayName=$null; Status='Not Found'; DeviceId=$null; ObjectId=$null } } } | Format-Table -AutoSize

I added deviceID and objectID in the ouput as devices in Entra can have the same name, but different ID.
And if you want to use the scope of your admin account, just remove: (ie: use your Entra ID Role that might already have the scope).

-Scopes "Device.Read.All"

  • edgarus71's avatar
    edgarus71
    Icon for Microsoft rankMicrosoft
    Oct 23, 2025

    Hi John, thank you for your kind words. Actually, I don't use the api.securitycenter.microsoft.com directly, I just add an API permission in the app registration access to the WindowsDefendeATP, so I can read details from the machines.