Configuring Entra ID ESR
Now, we will look at Enterprise State Roaming (ESR), which automatically backs up some device user preferences into Azure for a more seamless experience when moving between Windows devices.
How to do it…
The other device setting within Entra ID is ESR. This is similar to the older User Experience Virtualization (UE-V), which can be found in the Microsoft Desktop Optimization Pack (MDOP).
It backs up certain user settings within Intune and Edge and backs them up to Azure Storage (outside the subscription and without cost).
The following Windows settings are currently backed up:
- Keyboard: Turn on toggle keys (off by default)
- Date, time, and region: Country/region
- Date, time, and region: Region format (locale)
- Language: Language profile
- Keyboard: List of keyboards
- Mouse: Primary mouse button
- Passwords: Web credentials
- Pen: Pen handedness
- Touchpad: Scrolling direction
- Wi-Fi: Wi-Fi profiles (only WPA)
The following settings are backed up on Edge:
- Favorites
- Passwords
- Addresses and more (form-fill)
- Collections
- Settings
- Extensions
- Open tabs (available in Microsoft Edge version 88 or later)
- History (available in Microsoft Edge version 88 or later)
To enable ESR, follow these steps:
- Navigate to Entra ID | Devices | Overview | Device settings and click on Enterprise State Roaming.
- Change the Users may sync settings and app data across devices setting to All or Selected. As there is no cost regarding this, it is recommended to set it to All.
- Then, click Save.
You have now enabled ESR across your tenant.
Automating it
This one is slightly more complicated as it does not work with the Graph API; instead, you have to access the more hidden Azure Identity and Access Management (IAM) API:
- Set the necessary variables:
##Set to 2 to disable or 0 to enable $esrstatus = 0 $tenantid = "Your-Tenant-ID"
- Create the JSON. If we had set it to a select user group, it would be populated within the
syncSelectedUsersarray. As we are doing an all-or-nothing, we will simply leave the array blank:$json = @" { "isAdminConfigurable": true, "isRoamingSettingChanged": true, "syncSelectedUsers": [], "syncSetting": $esrstatus } "@ - Set the URL (note the non-Graph setup of it):
$url = "https://main.iam.ad.ext.azure.com/api/RoamingSettings?ESRV2=true"
- Now, create the access token and headers.
- When you run this section, you will be presented with a hyperlink and some code that you must enter to authenticate. Click the link, enter the code, and then accept the numerous prompts.
- Here, we are using
Invoke-Restmethodto send aPOSTrequest to theoauth2Microsoft login URL for the tenant and requesting a token for the Entra ID IAM client ID.As this one requires user interaction, we will add a
whileloop to wait until the request has been requested and approved within the web browser. If no activity is detected, the script will stop with an error code:##Create Access Token $clientid = "1950a258-227b-4e31-a9cf-717495945fc2" $response = Invoke-RestMethod -Method POST -UseBasicParsing -Uri "https://login.microsoftonline.com/$tenantId/oauth2/devicecode" -ContentType "application/x-www-form-urlencoded" -Body "resource=https%3A%2F%2Fmain.iam.ad.ext.azure.com&client_id=$clientId" Write-Output $response.message $waited = 0 while($true){ try{ $authResponse = Invoke-RestMethod -uri "https://login.microsoftonline.com/$tenantId/oauth2/token" -ContentType "application/x-www-form-urlencoded" -Method POST -Body "grant_type=device_code&resource=https%3A%2F%2Fmain.iam.ad.ext.azure.com&code=$($response.device_code)&client_id=$clientId" -ErrorAction Stop $refreshToken = $authResponse.refresh_token break }catch{ if($waited -gt 300){ Write-Verbose "No valid login detected within 5 minutes" Throw } #try again Start-Sleep -s 5 $waited += 5 } } $response = (Invoke-RestMethod "https://login.windows.net/$tenantId/oauth2/token" -Method POST -Body "resource=74658136-14ec-4630-ad9b-26e160ff0fc6&grant_type=refresh_token&refresh_token=$refreshToken&client_id=$clientId&scope=openid" -ErrorAction Stop) $resourceToken = $response.access_token - The previous command has given us our access token, which we can then add to the header to call our
webrequest. The authorization section always needs to start with"Bearer"and then the access token (in this case,$resourceToken):$Headers = @{ "Authorization" = "Bearer " + $resourceToken "Content-type" = "application/json" "X-Requested-With" = "XMLHttpRequest" "x-ms-client-request-id" = [guid]::NewGuid() "x-ms-correlation-id" = [guid]::NewGuid() } - Finally, send the request to enable or disable ESR:
Invoke-RestMethod -Uri $url -Headers $Headers -Method PUT -Body $json -ErrorAction Stop
This script has automated enabling ESR using the IAM API.
