BYOD and corporate endpoints require different management policies, so distinguishing devices at scale is essential. Microsoft Intune captures enrollment metadata, but device tagging should be automated for precise scoping. With Microsoft Graph and PowerShell, MSPs can apply consistent and trackable device labels for better control and visibility.
This guide walks you through the methods needed to tag Intune devices automatically based on the enrollment method.
Methods to tag Intune devices automatically based on the enrollment method
📌 General prerequisites:
- Microsoft Intune + Microsoft Entra ID (formerly Azure AD) (P1 or higher)
- PowerShell 7+ with Microsoft.Graph module installed
- Microsoft Graph API application registered with the following permissions:
  - Device.Read.All
  - DeviceManagementManagedDevices.ReadWrite.All
  - Directory.ReadWrite.All
Optional: You may also use an RMM tool (e.g., NinjaOne) for device metadata validation and registry checks.
Method 1: Retrieve enrollment type from Intune using Microsoft Graph
Before auto-tagging, identify how each device was enrolled in Intune (BYOD, corporate, Autopilot, etc.) and who owns it (personal vs company). This method pulls the data directly from Intune via Microsoft Graph.
📌 Use Cases: Building a baseline inventory of BYOD vs. corporate vs. Autopilot devices.
Step-by-step:
- Press Win + S, type PowerShell, right-click it, and select Run as administrator.
💡 Tip: Windows PowerShell works; PowerShell 7+ is recommended.
- Install Microsoft Graph module (if not yet installed):
Install-Module Microsoft.Graph -Scope CurrentUser
- Connect to Microsoft Graph: (Read #1 ⚠️ Things to look out for.)
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"
If prompted, consent to the permission.
- Define the properties you want to retrieve:
$props = "deviceName,id,azureADDeviceId,managedDeviceOwnerType,deviceEnrollmentType,enrollmentProfileName"
- Get all managed devices with enrollment and ownership details:
$devices = Get-MgDeviceManagementManagedDevice -All -Property $props | Select-Object $props.Split(',')
- View results in table format:
$devices | Select-Object deviceName, azureADDeviceId, managedDeviceOwnerType, deviceEnrollmentType, enrollmentProfileName | Format-Table -AutoSize
Enrollment types include:
- windowsAutoEnrollment – Automatic enrollment
- windowsAzureADJoin – Azure AD Join
- windowsBulkUserless – Corporate bulk enrollment
- windowsCoManagement – Hybrid ConfigMgr + Intune
- deviceEnrollmentManager – DEM account enrollment
- userEnrollment – BYOD
Method 2: Tag devices by enrollment method using Graph extension attributes
Now that you know each device’s enrollment method and ownership, write a label to a directory extension attribute on the Microsoft Entra device. This creates a persistent tag that can be used for dynamic group membership and Intune targeting.
📌 Use Cases: Persistent, directory-level tagging for automation and dynamic grouping.
📌 Prerequisites:
- Tenant must have Microsoft Entra ID (formerly Azure AD) and Intune licenses
- Required Graph permission:
  - Directory.AccessAsUser.All (delegated)
  - Device.ReadWrite.All or Directory.ReadWrite.All (application)
- You have the Azure AD device GUID from Intune (from Method 1)
Step-by-step:
- Press Win + S, type PowerShell, and press Enter to open it.
💡 Tip: Windows PowerShell works; PowerShell 7+ is recommended.
- Connect to Graph (delegated):
Connect-MgGraph -Scopes "Directory.AccessAsUser.All"
- Find the Entra device by deviceID (GUID from Method 1):
$azureAdDeviceId = "<GUID from Method 1>"
$dirDevice = Get-MgDevice -Filter "deviceId eq '$azureAdDeviceId'" -ConsistencyLevel eventual
- Write the tag into an extension attribute: (Read #2 ⚠️ Things to look out for.)
Update-MgDevice -DeviceId $dirDevice.Id -BodyParameter @{extensionAttributes = @{ extensionAttribute1 = "BYOD" }}
- Verify the update:
Get-MgDevice -DeviceId $dirDevice.Id -Property "extensionAttributes" | Select-Object -ExpandProperty extensionAttributes
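Methods 1 and 2 combined into one scheduled-safe pass, as an added example that is not part of the original guide. It assumes the Microsoft.Graph module, a delegated sign-in with the two scopes shown, that extensionAttribute1 is unused in your tenant, and a classification rule (personal ownership is BYOD, an enrollment profile whose name contains "Autopilot" is Autopilot, everything else is Corporate) that you should adapt to your own convention.

```powershell
# Added example: inventory managed devices (Method 1) and stamp the matching Entra
# device object with a tag in extensionAttribute1 (Method 2). Assumptions: the
# classification rule below and the use of extensionAttribute1 are yours to adapt.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All", "Directory.AccessAsUser.All"

function Get-EnrollmentTag {
    # Classification rule (an assumption, not from the guide):
    # personal ownership -> BYOD; Autopilot deployment profile -> Autopilot; else Corporate.
    param([Parameter(Mandatory)] $ManagedDevice)
    if ($ManagedDevice.ManagedDeviceOwnerType -eq 'personal') { return 'BYOD' }
    if ($ManagedDevice.EnrollmentProfileName -like '*Autopilot*') { return 'Autopilot' }
    return 'Corporate'
}

$props = @('deviceName', 'azureADDeviceId', 'managedDeviceOwnerType',
           'deviceEnrollmentType', 'enrollmentProfileName')
$devices = Get-MgDeviceManagementManagedDevice -All -Property $props

foreach ($d in $devices) {
    $tag = Get-EnrollmentTag -ManagedDevice $d

    # The Intune azureADDeviceId matches the Entra device's deviceId, not its object id.
    # Expect exactly one hit; zero (no Entra object) or more than one is a data problem.
    $dir = @(Get-MgDevice -Filter "deviceId eq '$($d.AzureADDeviceId)'" `
                          -Property 'id,deviceId,extensionAttributes')
    if ($dir.Count -ne 1) {
        Write-Warning "$($d.DeviceName): found $($dir.Count) Entra devices for '$($d.AzureADDeviceId)'; skipping"
        continue
    }

    # Idempotent: only write when the stored tag differs, so the script can run on a schedule.
    $current = $dir[0].ExtensionAttributes.ExtensionAttribute1
    if ($current -eq $tag) { continue }

    $shown = if ($current) { $current } else { '<none>' }
    Write-Host ("{0}: {1} -> {2}" -f $d.DeviceName, $shown, $tag)
    Update-MgDevice -DeviceId $dir[0].Id -BodyParameter @{
        extensionAttributes = @{ extensionAttribute1 = $tag }
    }
}
```

Run it once with `-WhatIf` appended to the Update-MgDevice call to review the planned changes before writing anything.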
Method 3: Automatically assign dynamic groups based on enrollment
In this method, you’ll let the Azure AD dynamic membership rules handle the tagging. When a device enrolls with a specific profile or ownership type, it’s automatically placed into the corresponding group. These groups can then target apps, policies, and profiles in Intune.
📌 Use Cases: Auto-target Autopilot vs. BYOD vs. corporate-owned based on ownership/profile.
📌 Prerequisites:
- Microsoft Entra ID (formerly Azure AD) Premium P1
- Intune is connected to your Entra tenant
Step-by-step:
- Navigate to the Entra admin center > Groups > New group.
- Group type: Security > Membership type: Dynamic Device.
- Click Add dynamic query, and use the rule syntax text box.
Recommended rules:
- Autopilot:
(device.enrollmentProfileName -contains "Autopilot")
- BYOD (personal ownership):
(device.deviceOwnership -eq "Personal")
- Corporate-owned:
(device.deviceOwnership -eq "Company")
- Save and create the group.
Use these dynamic groups to target compliance policies, app deployments, and configuration profiles in Intune once the membership populates.
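The same groups created through Graph instead of the portal, as an added example that is not part of the original guide, plus a fourth group keyed on the extensionAttribute1 tag written in Method 2. The "Intune-" display names and MailNickname derivation are assumptions; adjust them to your naming standard.

```powershell
# Added example: create the Method 3 dynamic device groups idempotently via Graph.
# Assumptions: Group.ReadWrite.All is consented, and the group names below are free.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

$rules = @{
    'Intune-Autopilot' = '(device.enrollmentProfileName -contains "Autopilot")'
    'Intune-BYOD'      = '(device.deviceOwnership -eq "Personal")'
    'Intune-Corporate' = '(device.deviceOwnership -eq "Company")'
    # Extension attributes written in Method 2 are addressable as device.extensionAttribute1..15.
    'Intune-Tag-BYOD'  = '(device.extensionAttribute1 -eq "BYOD")'
}

foreach ($name in $rules.Keys) {
    # Re-running must not create duplicates, so look the group up by display name first.
    $existing = Get-MgGroup -Filter "displayName eq '$name'"
    if ($existing) {
        Write-Host "$name already exists; current rule: $($existing.MembershipRule)"
        continue
    }

    $group = New-MgGroup -DisplayName $name `
        -MailEnabled:$false -MailNickname ($name -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled -GroupTypes 'DynamicMembership' `
        -MembershipRule $rules[$name] -MembershipRuleProcessingState 'On'
    Write-Host "Created $name ($($group.Id)); membership is evaluated asynchronously"
}
```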
Method 4: Script device label assignment and registry tagging
This method uses a script to classify devices locally. Based on enrollment type and ownership, each device writes its own tag into the registry, which helps with reporting or custom automation.
📌 Use Cases: This is useful when you want the device itself to self-identify (e.g., during logon, enrollment, or via registry keys) and stamp a label locally.
Step-by-step:
For local auditing or RMM integration, write the device’s enrollment classification into the registry:
- Press Win + S, type PowerShell, right-click Windows PowerShell (or PowerShell 7), then Run as administrator.
- Run the following commands, where $device is one of the managed-device objects returned in Method 1: (Read #3 ⚠️ Things to look out for.)
$category = if ($device.managedDeviceOwnerType -eq "company" -and $device.deviceEnrollmentType -eq "windowsAutopilotDevice") {"Autopilot"} elseif ($device.managedDeviceOwnerType -eq "personal") {"BYOD"} else {"Corporate"}
New-Item -Path "HKLM:\SOFTWARE\Org\IntuneTags" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Org\IntuneTags" -Name "EnrollmentType" -Value $category
Set-ItemProperty -Path "HKLM:\SOFTWARE\Org\IntuneTags" -Name "LastUpdated" -Value (Get-Date).ToString("u")
- Optional: CMD check:
reg query HKLM\SOFTWARE\Org\IntuneTags
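A hardened version of the local registry write, as an added example that is not part of the original guide: it fails early on the two conditions from "Things to look out for" #3 (32-bit host, not elevated) and reads the value back so a redirected or failed write is caught. The key path and the tag set are taken from this guide; the caller supplying the tag (your RMM or onboarding script) is an assumption.

```powershell
# Added example: write the enrollment tag locally with the elevation and bitness
# checks from risk #3 built in. Assumption: the caller passes the tag computed elsewhere.
function Set-IntuneEnrollmentTag {
    param(
        [Parameter(Mandatory)][ValidateSet('Autopilot', 'BYOD', 'Corporate')][string]$Tag,
        [string]$KeyPath = 'HKLM:\SOFTWARE\Org\IntuneTags'
    )

    # A 32-bit host on 64-bit Windows is redirected to HKLM\SOFTWARE\WOW6432Node,
    # which is exactly how tags end up "missing". Refuse rather than write to the wrong hive.
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        throw 'Run this from 64-bit PowerShell, not the x86 host.'
    }

    # HKLM needs elevation; SYSTEM and local administrators pass this check.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run elevated (Administrator or SYSTEM).'
    }

    # -Force creates the key when missing and leaves an existing key untouched.
    New-Item -Path $KeyPath -Force | Out-Null
    Set-ItemProperty -Path $KeyPath -Name 'EnrollmentType' -Value $Tag
    Set-ItemProperty -Path $KeyPath -Name 'LastUpdated' -Value (Get-Date).ToString('u')

    # Read back and compare so a silent failure is surfaced to the caller (or RMM).
    $readBack = (Get-ItemProperty -Path $KeyPath).EnrollmentType
    if ($readBack -ne $Tag) { throw "Verification failed: expected '$Tag', read '$readBack'." }
    return $readBack
}

Set-IntuneEnrollmentTag -Tag 'Corporate'
```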
Method 5: Use GPO or PowerShell during autopilot or onboarding
This proactive method embeds tagging into the deployment process. You build tagging into the Autopilot profile, onboarding script, or Group Policy Object (GPO) so devices are labeled right away after setup.
📌 Use Cases: Mark devices as Autopilot/Corporate/BYOD during build time; ensure the tag exists before first sign-in or immediately after enrollment.
Step-by-step:
- For Autopilot or scripted onboarding, add a registry tagging script to your provisioning package.
- For domain-joined devices, use a GPO startup script:
New-Item -Path "HKLM:\SOFTWARE\Org\IntuneTags" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Org\IntuneTags" -Name "EnrollmentType" -Value "Autopilot"
Use this in tandem with dynamic group tagging to ensure devices are correctly classified from day one.
⚠️ Things to look out for
| Risks | Potential Consequences | Reversals |
| 1. Connecting to the wrong tenant or scope in Connect-MgGraph | Incomplete inventory; missing azureADDeviceId for later steps | Reconnect with the correct -TenantId and delegated scope DeviceManagementManagedDevices.Read.All; rerun inventory with the full -Property list. |
| 2. Updating the wrong object or lacking directory write permissions | No extensionAttributes written; tags don’t appear; dynamic groups don’t populate | Look up the Entra device by deviceId; reconnect with Directory.AccessAsUser.All (delegated) or app Directory.ReadWrite.All/Device.ReadWrite.All; rerun Update-MgDevice. |
| 3. Script not elevated or running in a 32-bit host | Registry writes fail or land under WOW6432Node; tags appear “missing” | Run as SYSTEM/Administrator in 64-bit PowerShell; remove incorrect keys; rerun the script. |
Additional considerations
Here are some additional considerations to keep in mind during configuration:
Autopilot devices
Autopilot devices may also appear as AzureADJoined, so treat the join state as context only. For accuracy, always inspect deviceEnrollmentType to see how the device enrolled and managedDeviceOwnerType to understand its ownership.
BYOD detection
BYOD inference can drift if users enroll outside corporate-identifier paths. It’s reliable only when personal ownership is explicitly selected during enrollment.
Profile drift
Over time, devices may be reimaged, renamed, or reassigned, which can leave metadata stale. Revalidate extension attributes and registry labels on a schedule via scripts or Graph polling.
Multi-tenant MSPs
Treat each customer tenant as a strict boundary. Use per-tenant app registrations and API tokens, store secrets, and execute logic in tenant-specific containers or vaults to maintain isolation.
Troubleshooting
Here are the common issues you might encounter and how to resolve them:
Tags not appearing
If tags aren’t showing up, confirm that you’re writing to the Entra device object’s extensionAttributes with the directory write permission from Method 2 (Directory.AccessAsUser.All delegated, or Device.ReadWrite.All/Directory.ReadWrite.All for an application); DeviceManagementManagedDevices.ReadWrite.All covers the Intune managed-device object, not the Entra device. If tags feed dynamic groups, allow time for membership processing.
Registry not updating
Registry writes require elevated privileges. Run the script as SYSTEM or under an account with administrator rights.
Device not classified correctly
Mismatches or misclassifications usually come from mixing sources. Cross-check deviceEnrollmentType and managedDeviceOwnerType against dynamic-rule deviceOwnership (Company/Personal) and any user-assigned category labels.
Group not populating
If a group isn’t populating, the issue typically lies in syntax errors or Azure AD sync delays. Review the membership rule syntax and confirm you’re using supported device attributes. Keep in mind that the group membership can take minutes to hours to settle. Use the built-in Validate rules view and processing status to confirm.
NinjaOne services
While the methods above provide powerful ways to tag devices in Intune, they can be complex, time-consuming, and error-prone. For MSPs managing multiple clients, this quickly becomes unsustainable.
NinjaOne eliminates these challenges by automating device tagging in a unified, multi-tenant platform:
| Capability | What NinjaOne enables |
| Scripted tagging | Deploys classification scripts at onboarding or when policies are applied, with no need to manually connect to Graph or run PowerShell. |
| Endpoint mapping | Reads device metadata and registry entries in real time, ensuring tags stay accurate even after re-images or ownership changes. |
| Tag-based alerts | Instantly notifies admins when a device enrollment method is missing, misclassified, or drifting from expected policy. |
| Policy automation | Auto-remediates tagging issues without manual intervention, ensuring devices are always scoped to the right compliance or security policies. |
| Multi-tenant reporting | Provides aggregated reporting across all customer tenants, giving MSPs a single view of device ownership and enrollment trends. |
With NinjaOne, MSPs gain faster visibility, less administrative overhead, and consistent accuracy across all managed tenants. IT teams can rely on NinjaOne to classify devices correctly and apply policies as intended at scale.
Automate Intune device tagging by enrollment method for operational efficiency
Automatically tagging Intune devices based on their enrollment method improves policy targeting, compliance management, and onboarding workflows.
This guide explained the core methods to implement auto-tagging in Intune: retrieving and classifying devices with Microsoft Graph, assigning device categories and writing extension attributes, and building dynamic device groups in Microsoft Entra ID based on enrollment method. It also covered logging tags locally with registry keys for audit or RMM use.
Finally, it showed how NinjaOne supports this automation at scale to drive operational efficiency.