Service Graph Intune Connector : Assigned to

parth2 · ‎08-04-2022

Can I get help to understand what is 'assigned to' on computer in ServiceNow mapped to from Intune?

There are two fields in Intune - 'Primary User' and 'Enrolled User'

I can see the data stream is using the API /deviceManagement/managedDevices/

The API doesnt really mentions if its returning primary user or enrolled user.

Can someone help me understand the difference between the primary user or enrolled user. Also based on the imported data, it appears that the api returns enrolled user. If so, how can we configure it to populate primary user?

Palani Chockali · ‎08-08-2022

Hi Parth,

Jim has provided an excellent answer to your mapping question with visualization. The API call returns only the enrolled user, even though the attribute name says primary user. When a user is assigned to a device initially, the enrolled and primary user remain the same. But if the same device is reassigned to another user, either the user left the tenant or for other business reasons, then the primary user name gets reassigned to the new user but the enrolled user will have the original enrolled user name. That is the difference between the two attributes in Intune.

We have fixed this to reflect the current device owner in an upcoming release of Intune(do not have dates yet!). Per Microsoft, we have to make another API call to get the current primary user name as the device API only returns enrolled user name (misleading with an attribute name like "userPrincipalName").

Here is the Graph API call to know the primary user name:

https://graph.microsoft.com/beta/deviceManagement/managedDevices/<deviceid>/users

The output of the above API call will give us the actual/current device owner or the primary user name. No surprise here from Microsoft and the attribute name again is "userPrincipalName".
I was also told that Microsoft is working on converging these API calls so it correctly reports on the primary user name on the current device call but it is not in place yet and not sure of the timeline also.

This involves making an additional API call for each device to know the primary username. We typically do performance testing as part of any major changes, especially when it comes to additional API calls to make sure it did not degrade current performance. This is work in progress as we speak. We would highly recommend you to wait and take the upgrade when it is available, assuming all the testing/performance are acceptable.

Hopefully this helps clarify your questions.

View solution in original post

Kieran Anson · ‎08-04-2022

Hi,

The API value that is used by SN to perform a lookup is the userPrincipalName value. The value is dependent on the device type (assigned vs shared) and doesn't correlation 1-2-1 with the Intune UI. For the most part, it can be seen as correlating to the Enrolled User field.

Report Inappropriate Content · ‎08-04-2022

The two field returned from the Intune API are userprincipalname and userdisplayname. These fields are used to lookup the user in ServiceNow's sys_user table and then take that reference to populate the assigned_to field for the handheld computing device.

Here is a visualization of the assigned to mapping in the Service Graph connector for intune devices:

The User Lookup - u_userprincipalname operation will do a lookup on the sys_user table. The logic in this lookup isn't trivial but can be read from the CmdbIntegrationUserLookup script include. It will essentially do a 3 pass user lookup. First, by whatever field is defined in the value of the glide.discovery.assigned_user_match_field system property. Second, by the user_name field. Third, by the email field.

Palani Chockali · ‎08-08-2022

Hi Parth,

Jim has provided an excellent answer to your mapping question with visualization. The API call returns only the enrolled user, even though the attribute name says primary user. When a user is assigned to a device initially, the enrolled and primary user remain the same. But if the same device is reassigned to another user, either the user left the tenant or for other business reasons, then the primary user name gets reassigned to the new user but the enrolled user will have the original enrolled user name. That is the difference between the two attributes in Intune.

We have fixed this to reflect the current device owner in an upcoming release of Intune(do not have dates yet!). Per Microsoft, we have to make another API call to get the current primary user name as the device API only returns enrolled user name (misleading with an attribute name like "userPrincipalName").

Here is the Graph API call to know the primary user name:

https://graph.microsoft.com/beta/deviceManagement/managedDevices/<deviceid>/users

The output of the above API call will give us the actual/current device owner or the primary user name. No surprise here from Microsoft and the attribute name again is "userPrincipalName".
I was also told that Microsoft is working on converging these API calls so it correctly reports on the primary user name on the current device call but it is not in place yet and not sure of the timeline also.

This involves making an additional API call for each device to know the primary username. We typically do performance testing as part of any major changes, especially when it comes to additional API calls to make sure it did not degrade current performance. This is work in progress as we speak. We would highly recommend you to wait and take the upgrade when it is available, assuming all the testing/performance are acceptable.

Hopefully this helps clarify your questions.

parth2 · ‎08-10-2022

Hi Palani,

Thank you so much for your reply. I did some research and found the same thing about the API. Unfortunately the API currently used only returns enrolled user and to get primary user we need to make another API calls.

Thanks for confirming that this would be resolved in next release.

Cheers!