One of the best ways to manage Intune is by using the Microsoft Graph API. Microsoft Graph is the unified endpoint for accessing data in, and integrating with, most Microsoft cloud services, Intune included. Using the Graph API, you can programmatically read and change Intune data, which makes it easier to automate tasks and to integrate Intune with other systems.
In this blog post, I'll go over some of the ways that you can use the Graph API to manage Intune. That said, this post is a beginner's guide to using Graph via PowerShell modules and cmdlets.
Graph can be used in much, much more powerful ways than what is summarized in this blog post, and that's exactly what Microsoft has designed it to do. Microsoft's end goal is to make Graph
THE ONE API TO RULE THEM ALL
On the Azure platform at least.
I would honestly love to see that happen. Then again, this is the platform where EXO has had, and always will have, its own little safe space away from standardization.
But let's move on…
So, what's an API? Simply put, an API is an interface that lets different systems "talk to each other". There are several types of API in widespread use. MS Graph exposes a REST API, the most common kind out there. REST stands for Representational State Transfer and uses plain HTTP requests to access and change data. That data can be anything stored in Azure AD; registered apps; or, in our case, Intune.
Graph's REST API is built on five HTTP methods:
- GET: Reads data from a resource.
- POST: Creates a resource, or invokes an action on an existing one (a remote wipe, for example).
- PUT: Overwrites a resource in its entirety.
- DELETE: I'm going to let you figure out what this method does. :)
- PATCH: Updates only the properties you send, leaving the rest of the resource as it was.
The easiest way to start playing around with MS Graph is by signing into Graph Explorer. Just keep in mind, when digging through the documentation, that MS Graph has two endpoints: a "stable" v1.0 and a beta version containing APIs that are still in preview. A fair amount of Intune functionality lives only in beta (the Intune admin center itself calls beta), and beta APIs can change or disappear without notice, so anything you automate against beta needs an owner who watches for breaking changes.
But enough theory; let's get back to the practical side of this blog post.
Enrolling devices
One of the first things you will likely want to do with Intune is enroll devices. Here it pays to be precise about what Graph does and does not do: there is no Graph call that enrolls a device on its behalf. Enrollment is always performed by the device itself against the MDM enrollment service, whether that is kicked off by Windows Autopilot, the Company Portal app, a Group Policy or Configuration Manager co-management, or Apple's and Android's own enrollment programs. Creating a device object in Azure AD (the AzureAD module's New-AzureADDevice, or POST /devices in Graph) registers an identity; it does not enroll anything into Intune.
What Graph gives you is everything around enrollment:
- enrollment restrictions and the enrollment status page, under /deviceManagement/deviceEnrollmentConfigurations;
- Windows Autopilot device identities (serial number plus hardware hash) under /deviceManagement/windowsAutopilotDeviceIdentities, with /deviceManagement/importedWindowsAutopilotDeviceIdentities for uploading new hashes, which is how you pre-register hardware so that it enrolls on first boot;
- the resulting managedDevice objects under /deviceManagement/managedDevices, with enrollment type, management agent, compliance state and last check-in time for every device that has actually enrolled.
To talk to any of these from PowerShell, authenticate with the Microsoft.Graph SDK rather than the old AzureAD module: Connect-MgGraph -Scopes '…' signs you in and requests exactly the permissions you list. The AzureAD module (Connect-AzureAD) targets the legacy Azure AD Graph API and has been deprecated in favor of Microsoft Graph, so new scripts should not start there. Ask for the narrowest scope that does the job; DeviceManagementManagedDevices.Read.All is enough to inventory enrolled devices and cannot change anything.
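As an added example (not code from the original post), here is a read-only inventory of what has actually enrolled, using Connect-MgGraph and Invoke-MgGraphRequest from the Microsoft.Graph.Authentication module (SDK v2) against the v1.0 endpoint. Get-GraphCollection is a helper written for this example, and the 30-day staleness threshold is an assumption you should tune to your own check-in expectations.

```powershell
# Added example, not from the original post: inventory enrolled devices and flag the ones that are not being managed.
# Assumes the Microsoft.Graph.Authentication module (Install-Module Microsoft.Graph.Authentication).
# Delegated, read-only scope: nothing in this script can change a device.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

# Walk an OData collection, following @odata.nextLink until the server stops paging.
function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    $results = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $results += $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
    return $results
}

# $select keeps the payload small; these are all v1.0 managedDevice properties.
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
       '?$select=id,deviceName,operatingSystem,complianceState,managementAgent,deviceEnrollmentType,lastSyncDateTime,userPrincipalName'
$devices = Get-GraphCollection -Uri $uri

# A device that has not checked in for 30 days (assumed threshold) is not receiving policy, whatever the portal says.
$cutoff = (Get-Date).AddDays(-30)
$stale = $devices | Where-Object { [datetime]$_.lastSyncDateTime -lt $cutoff }
$nonCompliant = $devices | Where-Object { $_.complianceState -ne 'compliant' }

"{0} managed devices, {1} stale, {2} not compliant" -f $devices.Count, $stale.Count, $nonCompliant.Count
$stale | Select-Object deviceName, userPrincipalName, operatingSystem, deviceEnrollmentType, lastSyncDateTime |
    Sort-Object lastSyncDateTime | Format-Table -AutoSize
```

The same helper works for any paged Graph collection; switching the URI to the beta endpoint is only a string change, which is exactly why beta dependencies are easy to introduce by accident.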
Setting policies
Once you have enrolled your devices, you will want to set policies to control how those devices can be used. In Graph a policy is a device configuration profile: a resource under /deviceManagement/deviceConfigurations whose @odata.type picks the platform-specific schema (windows10GeneralConfiguration, iosGeneralDeviceConfiguration, and so on) and whose properties are the actual settings. Compliance policies live next door under /deviceManagement/deviceCompliancePolicies and follow the same pattern, and the newer Settings Catalog uses /deviceManagement/configurationPolicies, which at the time of writing is only in the beta endpoint.
The lifecycle maps directly onto the HTTP methods from above:
- POST /deviceManagement/deviceConfigurations creates a profile;
- PATCH /deviceManagement/deviceConfigurations/{id} changes individual settings (the body must repeat the @odata.type so Graph knows which schema to validate against);
- POST /deviceManagement/deviceConfigurations/{id}/assign sets who gets it;
- GET with $expand=assignments reads back the stored profile and its targets, and DELETE removes it.
Two things trip people up. First, profiles are assigned to groups (or to all users / all devices, with optional exclusion groups), never to an individual device; if you want a profile on exactly one device, put that device in a group and assign the group. Second, the permission for all of the above is DeviceManagementConfiguration.ReadWrite.All, which is tenant-wide: a script that can create one profile can rewrite every profile, so guard the credential or app registration that holds it like any other admin account, and use the Read.All variant for anything that only reports.
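As an added example (not code from the original post), the full create, adjust, assign and read-back cycle for a Windows profile, using Invoke-MgGraphRequest against v1.0. The group object ID is a placeholder you must replace, and the profile name and password settings are assumptions chosen for the example.

```powershell
# Added example, not from the original post: create, adjust and assign a Windows device configuration profile.
# Assumes the Microsoft.Graph.Authentication module and an existing Azure AD security group (ID set below).
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0/deviceManagement'
$targetGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: object ID of the group that should receive the profile

# POST creates the profile. @odata.type selects the concrete schema; the settings are windows10GeneralConfiguration properties.
$profileBody = @{
    '@odata.type'         = '#microsoft.graph.windows10GeneralConfiguration'
    displayName           = 'Baseline - Windows password policy'      # assumed name
    description           = 'Created via Graph; owned by the endpoint team'
    passwordRequired      = $true
    passwordMinimumLength = 12
    passwordBlockSimple   = $true
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceConfigurations" -Body $profileBody -OutputType PSObject
"Created profile $($created.id)"

# PATCH changes only the properties you send. The odata type is repeated so Graph validates against the right schema.
$patch = @{
    '@odata.type'          = '#microsoft.graph.windows10GeneralConfiguration'
    passwordExpirationDays = 90
}
Invoke-MgGraphRequest -Method PATCH -Uri "$graph/deviceConfigurations/$($created.id)" -Body $patch | Out-Null

# Assignment targets groups, never individual devices. To scope a profile to one device, put that device in a group.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $targetGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceConfigurations/$($created.id)/assign" -Body $assignment | Out-Null

# GET reads back what Graph actually stored, which is the record worth keeping for change control.
$check = Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceConfigurations/$($created.id)?`$expand=assignments" -OutputType PSObject
$check | Select-Object id, displayName, passwordMinimumLength, passwordExpirationDays,
    @{ n = 'assignedGroups'; e = { $_.assignments.target.groupId } }
```

Note that $profile is an automatic variable in PowerShell (it holds the path of your profile script), which is why the body is called $profileBody here. Running this twice creates two profiles with the same display name; Graph does not enforce uniqueness, so look up by name before creating if the script is meant to be idempotent.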
Remotely managing devices
Remote actions are where Graph is most useful day to day, and also where it is most dangerous. There is no generic "send a command" API, and there is no channel that returns a payload from the device. Instead each remote action is its own POST on the managedDevice resource, for example:
- POST /deviceManagement/managedDevices/{id}/syncDevice forces a check-in;
- POST …/rebootNow, …/remoteLock and …/shutDown do what their names say;
- POST …/retire removes company data and management; POST …/wipe resets the device.
All of these answer 204 No Content. The device picks up the action at its next check-in (which is why syncDevice is usually the first thing you call), and the state of the action is reported on the managedDevice itself, in its deviceActionResults collection, with an actionName, actionState and timestamps for each pending or completed action.
The {id} here is the Intune managedDevice id, not the Azure AD device id; they are different GUIDs for the same machine. Every action above requires DeviceManagementManagedDevices.PrivilegedOperations.All, and Graph does not distinguish between a sync and a wipe when granting it. An application permission of that kind, held by a service principal with a long-lived client secret, is effectively a remote wipe of the whole estate waiting for someone to steal the secret. Prefer delegated sign-in for interactive use, keep any unattended automation to the narrowest set of actions it genuinely needs, and review the Intune audit log for actions you did not initiate.
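As an added example (not code from the original post), a small wrapper that triggers remote actions on a list of devices and then reads the result back from deviceActionResults. Invoke-IntuneDeviceAction is a function written for this example, the device IDs are constructed placeholders, and the allow-list of actions (no wipe, no retire) is a design choice rather than anything Graph enforces.

```powershell
# Added example, not from the original post: trigger low-impact Intune remote actions with a confirmation gate.
# Assumes the Microsoft.Graph.Authentication module. PrivilegedOperations.All is the scope that wipe, retire,
# remoteLock, rebootNow and syncDevice all require, so treat any identity holding it as able to brick the estate.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All', 'DeviceManagementManagedDevices.Read.All' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'

function Invoke-IntuneDeviceAction {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Intune managedDevice id, not the Azure AD device id.
        [Parameter(Mandatory, ValueFromPipeline)][string]$DeviceId,
        # Deliberate allow-list: wipe and retire are left out so this function can never be pointed at them.
        [Parameter(Mandatory)][ValidateSet('syncDevice', 'rebootNow', 'remoteLock')][string]$Action
    )
    process {
        $device = Invoke-MgGraphRequest -Method GET -Uri "$graph/$($DeviceId)?`$select=id,deviceName,userPrincipalName" -OutputType PSObject
        if ($PSCmdlet.ShouldProcess("$($device.deviceName) ($($device.userPrincipalName))", $Action)) {
            # Each action is its own POST with no body; Graph answers 204 and the device runs it at next check-in.
            Invoke-MgGraphRequest -Method POST -Uri "$graph/$DeviceId/$Action" | Out-Null
            [pscustomobject]@{ deviceName = $device.deviceName; action = $Action; requested = Get-Date }
        }
    }
}

# Constructed input: replace with real managedDevice ids from /deviceManagement/managedDevices.
$deviceIds = @('11111111-1111-1111-1111-111111111111', '22222222-2222-2222-2222-222222222222')

# -WhatIf prints what would be sent without sending it; drop it (and answer the High-impact prompt) to execute.
$deviceIds | Invoke-IntuneDeviceAction -Action syncDevice -WhatIf

# The outcome is not in the POST response; it turns up in deviceActionResults on the device.
foreach ($id in $deviceIds) {
    $d = Invoke-MgGraphRequest -Method GET -Uri "$graph/$($id)?`$select=deviceName,deviceActionResults" -OutputType PSObject
    $d.deviceActionResults | Select-Object @{ n = 'device'; e = { $d.deviceName } }, actionName, actionState, lastUpdatedDateTime
}
```

The ShouldProcess gate costs nothing for interactive use and is the difference between "I synced ten devices" and "I rebooted ten devices" when someone edits the -Action value later. If you need wipe or retire in automation, give that code path its own function, its own identity and its own approval step rather than widening this allow-list.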
Summing it up
So that's it. In this blog post, we've gone over some of the ways that you can use the Microsoft Graph API to manage Intune. With Graph you can inventory what has enrolled, create and assign configuration profiles, and trigger remote actions, all from a script and with permissions scoped to exactly what that script needs, which is what keeps your organization's data secure.