
By Scott Duffey | Senior Program Manager, Microsoft Endpoint Manager

 

I’m excited to announce that today we started rolling out a feature giving you the ability to change a device’s primary user. We have had this item on our product backlog for a long time: it is the highest voted item on UserVoice and has also attracted a lot of comments on the previous support post, How User Device Affinity Works in Intune. Read below for more information on Primary User.

 

Over the next two weeks, you’ll see this feature show up under the “devices” area of the Microsoft Endpoint Manager admin center (at either https://devicemanagement.microsoft.com or https://portal.azure.com) and you’ll also see some updates to our Primary User docs page.

 

Here’s a brief overview of what you can do with this new feature:

  • Change the Primary user from User-A to User-B
  • Change the Primary user from none (shared) to a single user
  • Change the Primary user from a single user to none (shared)

[Image: MemAdmin_Scott1.png]

In all the above cases, both the Intune device (Primary User property) and the Azure AD device object (DeviceRegisteredOwner and DeviceRegisteredUser) will be updated.

 

Here's what you'll see in the Microsoft Endpoint Manager admin center:

[Image: memadmin_scott2.png]

And here's what you'll see in Azure AD:

[Image: memadmin_scott3.png]

Note: It may take up to 10 minutes to reflect in the Azure AD portal.

 

A couple more details:

  • Devices must be running a supported version of Windows 10.
  • Devices can be either Azure AD Joined or Hybrid Azure AD Joined.
  • If a device is co-managed then you can’t change the Primary User (but this is a scenario we are working on).
  • We have added a new administrator privilege: “Managed Device/Set primary user” and it has been added to built-in roles including: Helpdesk Operator, School administrator, and Endpoint Security Manager. To use this feature, you will need to have this privilege assigned.
  • A user must have an Intune license to be assigned as a Primary user.
  • The new Device compliance report list includes columns for both Primary User and Enrolled-by user. This change will also be added to the “All devices” list soon.
  • In addition to the Microsoft Endpoint Manager console, you can change the Primary User through the Graph API. You’ll see an example PowerShell script appear on this GitHub repository shortly.
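
As an added illustration (not the sample script from the repository mentioned above, and not Microsoft's code), the following PowerShell applies the constraints listed in this post to a device record and builds the Graph request for the change. The beta `users/$ref` endpoint and the `operatingSystem`, `joinType` and `managementAgent` property names are assumptions about Microsoft Graph; the device and user IDs are constructed.

```powershell
# Added example: pre-flight checks taken from the post, then the request to send.
# The endpoint and property names are assumptions about Microsoft Graph (beta).
$GraphBase = 'https://graph.microsoft.com/beta'

function Test-PrimaryUserChange {
    param(
        [Parameter(Mandatory)] $Device,        # managedDevice record from Graph
        [bool] $UserHasIntuneLicense = $true   # licensing is checked by the caller
    )
    $reasons = @()
    # The post requires a supported Windows 10 build; only the OS family is checked here.
    if ($Device.operatingSystem -ne 'Windows') {
        $reasons += 'device is not Windows'
    }
    if ($Device.joinType -notin 'azureADJoined', 'hybridAzureADJoined') {
        $reasons += "join type '$($Device.joinType)' is not Azure AD or Hybrid Azure AD joined"
    }
    # Any Configuration Manager agent is treated as co-managed and blocked.
    if ($Device.managementAgent -like 'configurationManagerClient*') {
        $reasons += 'device is co-managed'
    }
    if (-not $UserHasIntuneLicense) {
        $reasons += 'target user has no Intune license'
    }
    [pscustomobject]@{ Allowed = ($reasons.Count -eq 0); Reasons = $reasons }
}

function New-PrimaryUserRequest {
    param(
        [Parameter(Mandatory)] [string] $DeviceId,
        [string] $UserId   # omit to set the device to "none (shared)"
    )
    $uri = "$GraphBase/deviceManagement/managedDevices('$DeviceId')/users/`$ref"
    if ($UserId) {
        $body = @{ '@odata.id' = "$GraphBase/users/$UserId" } | ConvertTo-Json -Compress
        @{ Method = 'Post'; Uri = $uri; Body = $body; ContentType = 'application/json' }
    } else {
        @{ Method = 'Delete'; Uri = $uri }
    }
}

# Constructed sample devices (not real inventory).
$devices = @(
    [pscustomobject]@{ id = '00000000-0000-0000-0000-000000000001'; operatingSystem = 'Windows'
                       joinType = 'azureADJoined'; managementAgent = 'mdm' }
    [pscustomobject]@{ id = '00000000-0000-0000-0000-000000000002'; operatingSystem = 'Windows'
                       joinType = 'hybridAzureADJoined'; managementAgent = 'configurationManagerClientMdm' }
)
$newUserId = '11111111-1111-1111-1111-111111111111'   # constructed user object id

foreach ($d in $devices) {
    $check = Test-PrimaryUserChange -Device $d
    if (-not $check.Allowed) {
        Write-Output "$($d.id): skipped ($($check.Reasons -join '; '))"
        continue
    }
    $req = New-PrimaryUserRequest -DeviceId $d.id -UserId $newUserId
    Write-Output "$($d.id): $($req.Method) $($req.Uri)"
    # To send: Invoke-RestMethod @req -Headers @{ Authorization = "Bearer $token" }
}
```

The account behind the token needs the “Managed Device/Set primary user” privilege described above; logging each request before it is sent gives a record to compare against the Primary User and Enrolled-by columns in the compliance report.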

 

 

 

24 Comments
Senior Member

Hello, is it possible or supported to change the primary user on a device that was enrolled using a “device enrollment manager” account to a normal user account?

New Contributor

Does the new primary user also become a local admin on the device?

New Contributor

Firstly... Congrats!

 

“If a device is co-managed then you can’t change the Primary User”

 

Drat, that’s all of our devices, which makes the feature unusable for us right now. Any more info on when it might be supported?

Senior Member

@jurajt No, local admin can be added at once to all AAD joined devices under AAD > devices, using CSP configuration or during Autopilot.

New Contributor

@giladke I know that, but that adds the local admin to *all* devices.

Senior Member

@jurajt that's why I mentioned 2 other options to have user as local admin for a specific device (i.e CSP, autopilot, you can script it as well) :smile:

Occasional Contributor

Hello, 

 

Is it possible to automatically set or replace user device affinities depending on the number of hours of connection on the Workstation like Configuration Manager?

 

Regards, 

Julien

Senior Member

Is it supported to have an autopilot device where the autopilot “assigned user” is a device enrollment manager account, but then after the machine runs through autopilot and joins AAD you set the primary user to another account but leave the DEM as the “assigned user”?

Microsoft

@ForumUser - Yes. DEM enrolled can have Primary user changed.

Microsoft

@jurajt - No. This change occurs in the Intune service-side. There are no changes to local group memberships.

Microsoft

@Steve Prentice - Thank you! We are excited to light up more scenarios including co-managed ones. No dates to share yet though.

Microsoft

@julien_Gfi - No that is not part of this feature. If this is something you would find helpful in your environment, please go ahead and add a UserVoice item.

Microsoft

@ForumUser. It's not a scenario we've specifically designed for or tested. Can you add some detail about why you'd want to do this instead of the documented AP configuration?

New Contributor

Thanks Scott. :) If I had a particularly annoying machine which was co-managed and was correct in MECM but not in Intune... could the primary user be changed via a service request while we wait for the other scenarios you mention?

Senior Member

Hi Scott Duffey, we love the autopilot feature (both self deploying and user driven) and the integration with configmgr task sequences to easily image a device using our standard build, and then also have the added benefits of auto join to AAD, auto enrollment into Intune, automatic encryption with keys stored in AAD etc. However it’s a burden for our helpdesk to have to wait for the end user to be available to log into the computer to finish the autopilot sequence. We like to make sure everything is all set for the user (like drivers get installed properly, updates done, encryption finished) and OOBE finished before handing the computer over to the user. So setting up the device at first with no primary user with self deploying mode or a DEM account, and then changing the primary user after everything is confirmed would be a much better process for us.

Occasional Contributor

Thank you! That was a much needed change BUT we are co-managed.

 

"If a device is co-managed then you can’t change the Primary User (but this is a scenario we are working on)." 

 

Is there an actual plan on this? Currently we can't take advantage of this...

 

Regular Visitor

Brilliant!

 

It would be great to also get the option to add the new user to be a local administrator on the device as we're changing the primary user.

Regular Visitor

@Intune Support Team @Scott Duffey 

I've created a custom role with the below privileges and still can't change Primary User.

  • ManagedDevices Delete
  • ManagedDevices Read
  • ManagedDevices SetPrimaryUser
  • ManagedDevices Update

No button appearing except for notification error 'User is not authorized to perform this operation'

 

Microsoft

@Pawel Korpisz - Try adding Organizational Access / Read to the set of privileges. LMK how you go.

Microsoft

@cloud_compadre Thanks for the feedback! Feel free to add an item on Uservoice too. https://microsoftintune.uservoice.com/forums/291681-ideas

Senior Member
Visitor

Excellent job on getting this feature done.  

 

Request: Please add the option to add column "Primary user" to the "Microsoft Endpoint Manager admin center" in the "Devices | All devices" window.  Currently that field/column is not present in that blade/window.  I'd like to be able to easily see who the primary user is of a machine at a glance without drilling into each device.

 

Thanks! 

Visitor

Please disregard my request above.  I found that the "Enrolled by user UPN" field in the "Microsoft Endpoint Manager admin center" in the "Devices | All devices" window seems to contain the "Primary user" info.  If I'm mistaken, please advise.

 

Thanks!

Regular Visitor

Is this able to be done for other types of devices, like iOS or macOS?

 

Thanks !