Introduction to Microsoft Entra Device ID
Microsoft Entra Device ID is the globally unique identifier (a GUID) that Microsoft Entra ID assigns to a device object when the device is registered with or joined to a tenant. Because the ID stays the same across Microsoft services and sign-in logs, it gives a precise way to identify and track a device. By keying on this ID, organizations can reconcile their device inventory and keep each device's security and compliance status current.
Integration of SaaS Alerts with Microsoft Entra Device ID
To enhance the accuracy and reliability of our matching algorithm within Unify, SaaS Alerts is now utilizing the Microsoft Entra Device ID. This integration involves comparing the Device ID in alerts (when provided by Microsoft) with the value stored for each device in your Remote Monitoring and Management (RMM) system.
This comparison significantly improves our algorithm’s accuracy and boosts the confidence rating in the matching process. By ensuring a precise match between the IDs recorded in the SaaS Activity logs and those provided by the RMM, we can offer a more robust and reliable monitoring solution.
Overview of Required Configuration Steps
- Create a custom field in your RMM called msftEntraDeviceId.
- Create a script in your RMM to obtain the Entra Device ID from a device (see below for a PowerShell example).
- Schedule the script to run once per day on every device and store the output to the msftEntraDeviceId field.
- For Datto RMM, utilize the field mapper in the RMM integration wizard to map the msftEntraDeviceId field to SaaS Alerts.
- The rest happens automatically within SaaS Alerts once the field is populated.
PowerShell Script Example
SaaS Alerts does not provide development assistance or support to Partners for the purposes of creating scripts. SaaS Alerts is providing this script only as an example. We have tested it in our environment; however, you should test it manually in your own environment before implementing any script in production at scale.
$DsregCmdStatus = dsregcmd /status
# Match the exact "DeviceId" key at the start of the line. A plain "DeviceId" substring match
# would also hit "WorkplaceDeviceId" on Entra registered devices and return the wrong line.
$DeviceIdLine = $DsregCmdStatus | Where-Object { $_ -match '^\s*DeviceId\s*:' } | Select-Object -First 1
if ($DeviceIdLine)
{
    $DeviceId = $DeviceIdLine.Split(':')[1].Trim()
}
$DeviceId
$DeviceId should look similar to this: 60da01ce-6420-4233-b39d-72c65a23409b
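The following is an added example written for this page, not SaaS Alerts' own script. It parses the dsregcmd /status output with anchored patterns, validates that the value is a GUID before it is handed to the RMM, and reports why no ID was found so that the RMM job fails visibly instead of writing an empty string into msftEntraDeviceId. It assumes a Windows 10/11 endpoint with dsregcmd.exe present and that you append your RMM's own write-back line (Ninja-Property-Set, Set-Asset-Field, Set-ItemProperty on the CentraStage key, and so on) where indicated. The WorkplaceDeviceId fallback for Entra registered devices, and the function names, are assumptions not taken from the page.

```powershell
# Added example (not SaaS Alerts' script): robust Entra Device ID collection for an RMM job.
# Assumptions: Windows 10/11, dsregcmd.exe in System32, script runs as SYSTEM for joined devices.

function ConvertFrom-DsregStatus {
    # Parses "Key : Value" lines from dsregcmd /status into a hashtable (first key wins).
    param([Parameter(Mandatory)][string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            if (-not $status.ContainsKey($Matches[1])) { $status[$Matches[1]] = $Matches[2] }
        }
    }
    return $status
}

function Get-EntraDeviceId {
    # Returns an object with DeviceId (validated GUID or $null), Source and Reason.
    param([string[]]$StatusLines)
    if (-not $StatusLines) {
        $StatusLines = & "$env:SystemRoot\System32\dsregcmd.exe" /status 2>&1
    }
    $s = ConvertFrom-DsregStatus -Lines $StatusLines
    $guid = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

    # Entra joined or hybrid joined: the device-scoped ID under "Device Details".
    if ($s['DeviceId'] -match $guid) {
        return [pscustomobject]@{ DeviceId = $s['DeviceId']; Source = 'DeviceId'; Reason = $null }
    }
    # Entra registered (workplace join) is per-user, so dsregcmd only reports it in the
    # registering user's context, never under SYSTEM. Assumption: WorkplaceDeviceId is the
    # device object ID Entra shows for a registered device.
    if ($s['WorkplaceDeviceId'] -match $guid) {
        return [pscustomobject]@{ DeviceId = $s['WorkplaceDeviceId']; Source = 'WorkplaceDeviceId'; Reason = $null }
    }
    $reason = if ($s['AzureAdJoined'] -eq 'NO' -and $s['WorkplaceJoined'] -eq 'NO') {
        'Device is not Entra joined; if it is Entra registered, run this in the user context rather than as SYSTEM'
    } else {
        'No DeviceId line found in dsregcmd /status output'
    }
    return [pscustomobject]@{ DeviceId = $null; Source = $null; Reason = $reason }
}

# Constructed sample output (not captured from a real device) used as a parser self-test.
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : NO',
    '+----------------------------------------------------------------------+',
    '| Device Details                                                       |',
    '+----------------------------------------------------------------------+',
    '                  DeviceId : 60da01ce-6420-4233-b39d-72c65a23409b',
    '                Thumbprint : 0000000000000000000000000000000000000000'
)
$selfTest = Get-EntraDeviceId -StatusLines $sample
if ($selfTest.DeviceId -ne '60da01ce-6420-4233-b39d-72c65a23409b') {
    throw 'Parser self-test failed; do not deploy this script'
}

# Live run: emit the ID for the RMM, or fail the job with a reason the technician can act on.
$result = Get-EntraDeviceId
if ($result.DeviceId) {
    $DeviceId = $result.DeviceId
    Write-Output $DeviceId
    # Append your RMM's write-back line here, e.g. Ninja-Property-Set msftEntraDeviceId $DeviceId
} else {
    Write-Error $result.Reason
    exit 1
}
```

Failing the job with exit 1 matters more than it looks: if the script silently writes an empty or wrong value, SaaS Alerts' matching will fall back to lower-confidence heuristics for that device and nobody will be told. The GUID check also keeps a stray error message from dsregcmd out of a field that other systems treat as an identifier.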
Product-specific Instructions
Because each product is configured differently, and we are not experts in each RMM product, the following instructions are meant to provide you with a general roadmap and terminology for your specific RMM with links to vendor documentation where it is publicly available. Reaching out to the vendor directly is your best bet to ensure that the configuration is set up properly if the instructions below do not work for you. If you find something that is not accurate or details that are missing, please let us know and we will update this documentation to better our partner community.
Ninja RMM
Creating a Custom Field (Official documentation)
- Add a New Custom Field:
- Ninja RMM provides two categories of custom fields: global custom fields (apply to all devices) and role-based custom fields (apply only to specific device types). For msftEntraDeviceId, you would likely use a global custom field.
- Custom field types in Ninja RMM include text, integers, drop-downs, and device mapping fields. Choose the type that best suits your data format. For msftEntraDeviceId, a text field would be appropriate.
- Configure the Custom Field:
- Set the technician access to ‘Read Only’ and the script access to ‘Read / Write’ to ensure that the field can be written to by a script but not modified manually by technicians.
Creating and Scheduling a PowerShell Script
- Develop the PowerShell Script:
- Write a script that pulls data from the endpoint and stores it in the msftEntraDeviceId custom field. This script should be tested thoroughly in a development environment before deployment.
- Add the Script:
- Navigate to Administration -> Library -> Automation in Ninja RMM.
- Click ‘Add a Scheduled Automation’ and copy the example script into the IDE provided by Ninja RMM.
- Add “Ninja-Property-Set msftEntraDeviceId $DeviceId” as the last line after the example script.
- Set the script’s parameters, ensuring that the operating system is set to Windows and the language to PowerShell.
- Scheduling the PowerShell Script
- Navigate to the policy where you want to apply the script.
- Click on ‘Scheduled Automations’ and then ‘Add a scheduled script’.
- Choose an appropriate name and description for your automation.
- Set the schedule to run once per day and your preferred notification preferences.
- Select ‘Add Automation’, find your script and click it to add it into the schedule.
- Leave the "Preset Parameter" field blank, set "Run As" to "System", and then click 'Apply'.
Kaseya VSA
- Create a custom field: Audit -> Machine Summary -> +New Custom Field.
- Name it msftEntraDeviceId and set the type to String.
Upload the PowerShell script to Kaseya VSA.
- Create an Agent Procedure that delivers the PS1 file to the device, and then executes it.
- Use the updateSystemInfo command to store the output into the msftEntraDeviceId custom field.
- Schedule the Agent Procedure to run once per day.
Here are some links that may help:
Forum post on some best practices for VSA scripting.
Forum post on a quick way to do scripting.
Kaseya Support TechJams: Scripting within Agent Procedures.
ConnectWise Automate
Creating an Additional Field
- Using the local Windows client, navigate to System -> Configuration -> Dashboard -> Config -> Configurations - Additional Fields, and ensure Computers is selected as the target.
- Fill in the following fields:
- Field Name: msftEntraDeviceId
- Field Type: Text
- Tab: Return Data
- Data Screen: Computers
- Click Add.
YouTube video on how to create an Additional Field.
Creating a PowerShell Script (Official Documentation)
- Hop back over to the web interface and navigate to Automation, and click + Add.
- Fill in the following fields:
- Name: SaaS Alerts - Get and Write msftEntraDeviceId to Field
- Folder: _System Automation\Stats Gathering
- Target: Computer
- Description: Gets the MSFT Entra DeviceId from each device and writes it to a custom field.
- Automation Time: 0 minute(s)
- Click Next.
- In the Editor tab, do the following:
- Add an Execute Script function, and use the following options:
- Script Type: PowerShell
- Script Editor: <Paste in the example PowerShell script provided>
- Variable: @DeviceId@
- Click Save.
- Add an Extra Data Field Set Value function, and use the following options:
- Scope: Computer
- Extra Data Field: msftEntraDeviceId
- ID: %ComputerID%
- Value: @DeviceId@
- Click Save.
- Click Save, and then close the Script Editor Tab.
Group Setup (Official Documentation)
The PowerShell script will be scheduled against a group of computers. A simple configuration is to create a group for all Windows computers and schedule the script against that group. Instructions for setting this up are below.
(Note: Group settings are specific to your MSP and will be custom for each Automate installation. Speak to your CW Automate subject matter expert for specific instructions for your environment.)
- Navigate to the Groups section, right-click on Agent Types and choose Create Group.
- Name the Group Windows Computers.
- Under Auto-Join Membership, select Computers.
- In the Computers drop-down select Computer Types\Windows Computers
- Click Save.
Scheduling a PowerShell Script
- From the Windows Computers Group that was just created (or your custom group), click on the Scheduled Scripts tab.
- Click + Add.
- Select the “SaaS Alerts - Get and Write msftEntraDeviceId to Field” script in the drop down field.
- Click Scheduled Recurrence.
- Change the Frequency to Daily, and choose an appropriate Start Time.
- Choose to disable the option to Wake Offline Agents.
Syncro RMM
Creating a Custom Field
- Go to Admin -> Customers -> Asset Custom Fields
- Click on Manage Fields next to Syncro Device.
- Click +New Field, Name it msftEntraDeviceId and set the type to Text Field.
Creating a PowerShell Script (Official Documentation)
- Click on >_ Scripts and click +New Script
- Name it something like “SaaS Alerts - Get and Write msftEntraDeviceId to Asset”
- Leave all the settings as default.
- Paste in the example script provided above.
- Add the following lines to the end of the example script.
- Import-Module $env:SyncroModule -WarningAction SilentlyContinue
- Set-Asset-Field -Name msftEntraDeviceId -Value $DeviceId
Scheduling a PowerShell Script (Official Documentation)
- Go to Policies.
- Edit the Policy that applies to the Assets you would like to run the script against.
- Go to Scripting within that policy.
- If the Script Schedules section is missing add it from the Add a Scripting Option dropdown.
- Choose +Add Entry.
- Select the “SaaS Alerts - Get and Write msftEntraDeviceId to Asset” script.
- Set the frequency to Daily and select an appropriate time.
- Check the box to skip Offline Assets, and then click Save Policy.
Datto RMM
Setup User Defined Field (Official Documentation)
- Head over to Setup -> Global Settings, and then scroll down to User Defined Fields.
- Find a field that is currently unused and change the Global label to msftEntraDeviceId.
- Click Save, and then Confirm.
Creating a Component (Official Documentation)
- Navigate to Automation -> Components, and click Create Component.
- Use the following options:
- Name: SaaS Alerts - Get and Write msftEntraDeviceId to Field
- Category: Scripts
- Script Type: PowerShell
- Script: <Paste in the example PowerShell script provided>
- Last line of the script (replace XX with the number of the UDF you chose earlier): Set-ItemProperty -Path "HKLM:\SOFTWARE\CentraStage" -Name "CustomXX" -Value $DeviceId -Force
- Scroll down and select All Sites.
- Click Create Component at the bottom.
Creating and Scheduling a Job (Official Documentation)
- Go to Automation -> Jobs, and click Create Job.
- Use the following options:
- Name: SaaS Alerts - Get and Write msftEntraDeviceId to Field
- Components: SaaS Alerts - Get and Write msftEntraDeviceId to Field
- Targets: Windows Servers and Windows Desktops.
- Recurrence: Daily
- Start date and execution time: Select an appropriate date/time based on your specific needs.
- Click Create Job.
Mapping the User Defined Field to SaaS Alerts
- Head over to https://manage.saasalerts.com/customers and edit the Organization where Datto RMM is configured.
- (Note: if you haven't configured Datto RMM yet at all, the instructions to do that are here.)
- Continue through the wizard until you’re on the 3rd step, Parameters.
- Use the dropdown to select the UDF that you chose above.
- Click Finish.
Comments
The 3 lines of code in the IF statement of the PowerShell can be consolidated into 1 line.
Looking for help running the script under ConnectWise. It appears the context for the PowerShell launched by Automate is not the same as running the script from PowerShell on the desktop. As a consequence, the information returned by dsregcmd is not the same: the whole 'Work Account' section is missing, which has the DeviceID info. The USER STATE section shows "WorkplaceJoined : NO", which is the opposite of the desktop execution. Any gurus out there?