Permalink
<# | |
.COPYRIGHT | |
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license. | |
See LICENSE in the project root for license information. | |
#> | |
#################################################### | |
function Get-AuthToken { | |
<# | |
.SYNOPSIS | |
This function is used to authenticate with the Graph API REST interface | |
.DESCRIPTION | |
The function authenticate with the Graph API Interface with the tenant name | |
.EXAMPLE | |
Get-AuthToken | |
Authenticates you with the Graph API interface | |
.NOTES | |
NAME: Get-AuthToken | |
#> | |
[cmdletbinding()] | |
param | |
( | |
[Parameter(Mandatory=$true)] | |
$User | |
) | |
$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User | |
$tenant = $userUpn.Host | |
Write-Host "Checking for AzureAD module..." | |
$AadModule = Get-Module -Name "AzureAD" -ListAvailable | |
if ($AadModule -eq $null) { | |
Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview" | |
$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable | |
} | |
if ($AadModule -eq $null) { | |
write-host | |
write-host "AzureAD Powershell module not installed..." -f Red | |
write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow | |
write-host "Script can't continue..." -f Red | |
write-host | |
exit | |
} | |
# Getting path to ActiveDirectory Assemblies | |
# If the module count is greater than 1 find the latest version | |
if($AadModule.count -gt 1){ | |
$Latest_Version = ($AadModule | select version | Sort-Object)[-1] | |
$aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version } | |
# Checking if there are multiple versions of the same module found | |
if($AadModule.count -gt 1){ | |
$aadModule = $AadModule | select -Unique | |
} | |
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll" | |
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll" | |
} | |
else { | |
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll" | |
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll" | |
} | |
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null | |
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null | |
$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547" | |
$redirectUri = "urn:ietf:wg:oauth:2.0:oob" | |
$resourceAppIdURI = "https://graph.microsoft.com" | |
$authority = "https://login.microsoftonline.com/$Tenant" | |
try { | |
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority | |
# https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx | |
# Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession | |
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto" | |
$userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId") | |
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result | |
# If the accesstoken is valid then create the authentication header | |
if($authResult.AccessToken){ | |
# Creating header for Authorization token | |
$authHeader = @{ | |
'Content-Type'='application/json' | |
'Authorization'="Bearer " + $authResult.AccessToken | |
'ExpiresOn'=$authResult.ExpiresOn | |
} | |
return $authHeader | |
} | |
else { | |
Write-Host | |
Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red | |
Write-Host | |
break | |
} | |
} | |
catch { | |
write-host $_.Exception.Message -f Red | |
write-host $_.Exception.ItemName -f Red | |
write-host | |
break | |
} | |
} | |
#################################################### | |
Function Get-ManagedDevices(){ | |
<# | |
.SYNOPSIS | |
This function is used to get Intune Managed Devices from the Graph API REST interface | |
.DESCRIPTION | |
The function connects to the Graph API Interface and gets any Intune Managed Device | |
.EXAMPLE | |
Get-ManagedDevices | |
Returns all managed devices but excludes EAS devices registered within the Intune Service | |
.EXAMPLE | |
Get-ManagedDevices -IncludeEAS | |
Returns all managed devices including EAS devices registered within the Intune Service | |
.NOTES | |
NAME: Get-ManagedDevices | |
#> | |
[cmdletbinding()] | |
param | |
( | |
[switch]$IncludeEAS, | |
[switch]$ExcludeMDM | |
) | |
# Defining Variables | |
$graphApiVersion = "beta" | |
$Resource = "deviceManagement/managedDevices" | |
try { | |
$Count_Params = 0 | |
if($IncludeEAS.IsPresent){ $Count_Params++ } | |
if($ExcludeMDM.IsPresent){ $Count_Params++ } | |
if($Count_Params -gt 1){ | |
write-warning "Multiple parameters set, specify a single parameter -IncludeEAS, -ExcludeMDM or no parameter against the function" | |
Write-Host | |
break | |
} | |
elseif($IncludeEAS){ | |
$uri = "https://graph.microsoft.com/$graphApiVersion/$Resource" | |
} | |
elseif($ExcludeMDM){ | |
$uri = "https://graph.microsoft.com/$graphApiVersion/$Resource`?`$filter=managementAgent eq 'eas'" | |
} | |
else { | |
$uri = "https://graph.microsoft.com/$graphApiVersion/$Resource`?`$filter=managementAgent eq 'mdm' and managementAgent eq 'easmdm'" | |
Write-Warning "EAS Devices are excluded by default, please use -IncludeEAS if you want to include those devices" | |
Write-Host | |
} | |
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value | |
} | |
catch { | |
$ex = $_.Exception | |
$errorResponse = $ex.Response.GetResponseStream() | |
$reader = New-Object System.IO.StreamReader($errorResponse) | |
$reader.BaseStream.Position = 0 | |
$reader.DiscardBufferedData() | |
$responseBody = $reader.ReadToEnd(); | |
Write-Host "Response content:`n$responseBody" -f Red | |
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" | |
write-host | |
break | |
} | |
} | |
#################################################### | |
Function Get-ManagedDeviceUser(){ | |
<# | |
.SYNOPSIS | |
This function is used to get a Managed Device username from the Graph API REST interface | |
.DESCRIPTION | |
The function connects to the Graph API Interface and gets a managed device users registered with Intune MDM | |
.EXAMPLE | |
Get-ManagedDeviceUser -DeviceID $DeviceID | |
Returns a managed device user registered in Intune | |
.NOTES | |
NAME: Get-ManagedDeviceUser | |
#> | |
[cmdletbinding()] | |
param | |
( | |
[Parameter(Mandatory=$true,HelpMessage="DeviceID (guid) for the device on must be specified:")] | |
$DeviceID | |
) | |
# Defining Variables | |
$graphApiVersion = "beta" | |
$Resource = "deviceManagement/manageddevices('$DeviceID')?`$select=userId" | |
try { | |
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)" | |
Write-Verbose $uri | |
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).userId | |
} | |
catch { | |
$ex = $_.Exception | |
$errorResponse = $ex.Response.GetResponseStream() | |
$reader = New-Object System.IO.StreamReader($errorResponse) | |
$reader.BaseStream.Position = 0 | |
$reader.DiscardBufferedData() | |
$responseBody = $reader.ReadToEnd(); | |
Write-Host "Response content:`n$responseBody" -f Red | |
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" | |
write-host | |
break | |
} | |
} | |
#################################################### | |
Function Get-AADUser(){ | |
<# | |
.SYNOPSIS | |
This function is used to get AAD Users from the Graph API REST interface | |
.DESCRIPTION | |
The function connects to the Graph API Interface and gets any users registered with AAD | |
.EXAMPLE | |
Get-AADUser | |
Returns all users registered with Azure AD | |
.EXAMPLE | |
Get-AADUser -userPrincipleName user@domain.com | |
Returns specific user by UserPrincipalName registered with Azure AD | |
.NOTES | |
NAME: Get-AADUser | |
#> | |
[cmdletbinding()] | |
param | |
( | |
$userPrincipalName, | |
$Property | |
) | |
# Defining Variables | |
$graphApiVersion = "v1.0" | |
$User_resource = "users" | |
try { | |
if($userPrincipalName -eq "" -or $userPrincipalName -eq $null){ | |
$uri = "https://graph.microsoft.com/$graphApiVersion/$($User_resource)" | |
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value | |
} | |
else { | |
if($Property -eq "" -or $Property -eq $null){ | |
$uri = "https://graph.microsoft.com/$graphApiVersion/$($User_resource)/$userPrincipalName" | |
Write-Verbose $uri | |
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get | |
} | |
else { | |
$uri = "https://graph.microsoft.com/$graphApiVersion/$($User_resource)/$userPrincipalName/$Property" | |
Write-Verbose $uri | |
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value | |
} | |
} | |
} | |
catch { | |
$ex = $_.Exception | |
$errorResponse = $ex.Response.GetResponseStream() | |
$reader = New-Object System.IO.StreamReader($errorResponse) | |
$reader.BaseStream.Position = 0 | |
$reader.DiscardBufferedData() | |
$responseBody = $reader.ReadToEnd(); | |
Write-Host "Response content:`n$responseBody" -f Red | |
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" | |
write-host | |
break | |
} | |
} | |
#################################################### | |
#region Authentication | |
write-host | |
# Checking if authToken exists before running authentication | |
if($global:authToken){ | |
# Setting DateTime to Universal time to work in all timezones | |
$DateTime = (Get-Date).ToUniversalTime() | |
# If the authToken exists checking when it expires | |
$TokenExpires = ($authToken.ExpiresOn.datetime - $DateTime).Minutes | |
if($TokenExpires -le 0){ | |
write-host "Authentication Token expired" $TokenExpires "minutes ago" -ForegroundColor Yellow | |
write-host | |
# Defining User Principal Name if not present | |
if($User -eq $null -or $User -eq ""){ | |
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication" | |
Write-Host | |
} | |
$global:authToken = Get-AuthToken -User $User | |
} | |
} | |
# Authentication doesn't exist, calling Get-AuthToken function | |
else { | |
if($User -eq $null -or $User -eq ""){ | |
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication" | |
Write-Host | |
} | |
# Getting the authorization token | |
$global:authToken = Get-AuthToken -User $User | |
} | |
#endregion | |
#################################################### | |
$ManagedDevices = Get-ManagedDevices | |
if($ManagedDevices){ | |
foreach($Device in $ManagedDevices){ | |
$DeviceID = $Device.id | |
write-host "Managed Device" $Device.deviceName "found..." -ForegroundColor Yellow | |
Write-Host | |
$Device | |
if($Device.deviceRegistrationState -eq "registered"){ | |
$UserId = Get-ManagedDeviceUser -DeviceID $DeviceID | |
$User = Get-AADUser $userId | |
Write-Host "Device Registered User:" $User.displayName -ForegroundColor Cyan | |
Write-Host "User Principle Name:" $User.userPrincipalName | |
} | |
Write-Host | |
} | |
} | |
else { | |
Write-Host | |
Write-Host "No Managed Devices found..." -ForegroundColor Red | |
Write-Host | |
} |