Intune Graph Samples
This repository of PowerShell sample scripts show how to access Intune service resources. They demonstrate this by making HTTPS RESTful API requests to the Microsoft Graph API from PowerShell.
Documentation for Intune and Microsoft Graph can be found here Intune Graph Documentation.
These samples demonstrate typical Intune administrator or Microsoft partner actions for managing Intune resources.
The following samples are included in this repository:
- Manage Applications - iOS, Android, Web
- App Protection Policy - Creation, Get and Delete
- Company Portal Branding - Get and Set
- Compliance Policy - Add, Get and Delete
- Corporate Device Enrollment - Get and Export
- Device Configuration - Add, Get and Delete
- Enrollment Restrictions - Get and Set
- Intune Data Export
- LOB Application - Add
- Managed Devices - Get, Overview and Device Action
- Paging - Get
- Intune Roles (RBAC) - Add, Get and Delete
- Remote Action Audits - Get
- Software Updates - Add, Export, Get and Import
- Terms and Conditions - Add, Get and Delete
- User Policy Report
The scripts are licensed "as-is." under the MIT License.
Some script samples retrieve information from your Intune tenant, and others create, delete or update data in your Intune tenant. Understand the impact of each sample script prior to running it; samples should be run using a non-production or "test" tenant account.
Using the Intune Graph API
The Intune Graph API enables access to Intune information programmatically for your tenant, and the API performs the same Intune operations as those available through the Azure Portal.
Intune provides data into the Microsoft Graph in the same way as other cloud services do, with rich entity information and relationship navigation. Use Microsoft Graph to combine information from other services and Intune to build rich cross-service applications for IT professionals or end users.
Use of these Microsoft Graph API Intune PowerShell samples requires the following:
- Install the AzureAD PowerShell module by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt
- An Intune tenant which supports the Azure Portal with a production or trial license (https://docs.microsoft.com/en-us/intune-azure/introduction/what-is-microsoft-intune)
- Using the Microsoft Graph APIs to configure Intune controls and policies requires an Intune license.
- An account with permissions to administer the Intune Service
- PowerShell v5.0 on Windows 10 x64 (PowerShell v4.0 is a minimum requirement for the scripts to function correctly)
- Note: For PowerShell 4.0 you will require the PowershellGet Module for PS 4.0 to enable the usage of the Install-Module functionality
- First time usage of these scripts requires a Global Administrator of the Tenant to accept the permissions of the application
After the prerequisites are installed or met, perform the following steps to use these scripts:
1. Script usage
- Download the contents of the repository to your local Windows machine
- Extract the files to a local folder (e.g. C:\IntuneGraphSamples)
- Run PowerShell x64 from the start menu
- Browse to the directory (e.g. cd C:\IntuneGraphSamples)
- For each Folder in the local repository you can browse to that directory and then run the script of your choice
- Example Application script usage:
- To use the Manage Applications scripts, from C:\IntuneGraphSamples, run "cd .\Applications"
- Once in the folder run .\Application_MDM_Get.ps1 to get all MDM added applications This sequence of steps can be used for each folder....
2. Authentication with Microsoft Graph
The first time you run these scripts you will be asked to provide an account to authenticate with the service:
Please specify your user principal name for Azure Authentication:
Once you have provided a user principal name a popup will open prompting for your password. After a successful authentication with Azure Active Directory the user token will last for an hour, once the hour expires within the PowerShell session you will be asked to re-authenticate.
If you are running the script for the first time against your tenant a popup will be presented stating:
Microsoft Intune PowerShell needs permission to: * Sign you in and read your profile * Read all groups * Read directory data * Read and write Microsoft Intune Device Configuration and Policies (preview) * Read and write Microsoft Intune RBAC settings (preview) * Perform user-impacting remote actions on Microsoft Intune devices (preview) * Sign in as you * Read and write Microsoft Intune devices (preview) * Read and write all groups * Read and write Microsoft Intune configuration (preview) * Read and write Microsoft Intune apps (preview)
Note: If your user account is targeted for device based conditional access your device must be enrolled or compliant to pass authentication.
If you'd like to contribute to this sample, see CONTRIBUTING.MD.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact firstname.lastname@example.org with any additional questions or comments.
Questions and comments
We'd love to get your feedback about the Intune PowerShell sample. You can send your questions and suggestions to us in the Issues section of this repository.
Your feedback is important to us. Connect with us on Stack Overflow. Tag your questions with [MicrosoftGraph] and [intune].
- Microsoft Graph API documentation
- Microsoft Graph Portal
- Microsoft code samples
- Intune Graph Documentation
Copyright (c) 2017 Microsoft. All rights reserved.