In part 1 I gave a brief introduction to the Microsoft Graph API. In this part I’ll explain how to get started and give you some useful examples.
As I mentioned in Part 1, almost everything that can be done in the Intune portal can also be automated via REST API calls to the Microsoft Graph API. So imagine that you can automate some of the following basic tasks:
- Create a list with all enrolled devices.
- Create a list with all non-compliant devices.
- Create a list of devices that have not connected for more than 30 days.
- Create new policies or other resources via a script instead of via the portal.
You can also automate more complex tasks, like creating a document with all settings currently configured in Microsoft Intune, or even completely setting up a new test environment in Microsoft Intune. The sky is the limit! 🙂
How to start with Microsoft Graph API and Microsoft Intune?
The easiest way to start and explore the Microsoft Graph API is via the Graph Explorer, which you can find on https://graph.microsoft.io. On the website click Graph Explorer; you will then see the screen below. The numbered items that follow correspond to the fields on that screen:
1. Sign in with Microsoft. Sign in to the Graph Explorer with an administrative account of your tenant (this post uses a Global Admin account). You need to accept the consent prompt for the Graph Explorer application in Azure AD. Keep in mind that the permissions granted here are delegated: the Graph Explorer acts with the rights of the signed-in user, so an account holding only the Intune role you actually need is preferable to a Global Admin, and the consent for the Graph Explorer application can be revoked again in Azure AD when you are done.
After signing in, click Modify Permissions and select the following permissions, which are still listed as Preview:
- Device.Read
- Device.Command
- DeviceManagementServiceConfig.Read.All
- DeviceManagementServiceConfig.ReadWrite.All
- DeviceManagementConfiguration.Read.All
- DeviceManagementConfiguration.ReadWrite.All
- DeviceManagementApps.Read.All
- DeviceManagementApps.ReadWrite.All
- DeviceManagementRBAC.Read.All
- DeviceManagementRBAC.ReadWrite.All
- DeviceManagementManagedDevices.Read.All
- DeviceManagementManagedDevices.ReadWrite.All
- DeviceManagementManagedDevices.PrivilegedOperations.All
Click Modify Permissions and sign in to the Graph Explorer again so that the new consent takes effect.
2. In the drop-down field you can select the HTTP method for the request. The methods that can be used are:
- GET – read data from a resource or its property
- POST – create new resources or execute actions
- PATCH – update a resource with new values
- PUT – replace a resource with a new resource
- DELETE – remove a resource
3. Here you can choose v1.0 or beta as the version. The Intune endpoints are still only available in beta.
4. Here you provide the URL of the resource, for example https://graph.microsoft.com/beta/deviceManagement/managedDevices to list all devices managed by Microsoft Intune.
The URL of a resource is built up like this:
https://graph.microsoft.com/{version}/{resource}/{id}/{property}?{query-parameters}
- {version} (/v1.0 or /beta) The Graph API for Microsoft Intune is still in beta, so /beta has to be used.
- {resource} For Intune the following resources are used: deviceAppManagement and deviceManagement.
- {id} The ID is optional; to get information about one object under the resource, supply the ID of that object.
- {property} A property can be, for instance, memberOf to list all group memberships of a user, or the device configuration states of a managed device.
- ?{query-parameters} Results can be filtered and shaped with query parameters such as $filter and $select.
5. In the Request Body field you can add JSON content; it is used with the POST, PATCH and PUT methods.
6. The Response Preview field shows the results.
After configuring the consent and the extra permissions for your administrative Azure AD account, you are ready to test.
Fill in https://graph.microsoft.com/beta/deviceManagement/managedDevices as the URL and click Run Query to see the results. A few other URLs to try:
- https://graph.microsoft.com/v1.0/me/ (see information about yourself)
- https://graph.microsoft.com/v1.0/devices (list all devices in Azure AD)
- https://graph.microsoft.com/v1.0/users (list all Azure AD users)
- https://graph.microsoft.com/v1.0/groups (list all Azure AD groups)
Next, pick a user or device from the results, look up the id of that object and append it to the URL like this:
- https://graph.microsoft.com/v1.0/users/f2d62b90-8289-498b-adb0-6f1d90bd82e3/
Then add memberOf to list that user's group memberships:
- https://graph.microsoft.com/v1.0/users/f2d62b90-8289-498b-adb0-6f1d90bd82e3/memberOf
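As an added example (this is not code from the original post), the following PowerShell script calls the same beta endpoint from a script instead of the Graph Explorer and produces the three device lists mentioned at the start of this post: all enrolled devices, the non-compliant ones, and those that have not connected for more than 30 days. It assumes you already have a bearer token for Microsoft Graph in hand (for instance copied from the Graph Explorer's Access token tab after consenting to the permissions above; how to obtain one from PowerShell is the subject of the next post), that the account behind the token holds DeviceManagementManagedDevices.Read.All, and that Invoke-RestMethod is available (Windows PowerShell 3.0 or later). The script name Get-IntuneDeviceLists.ps1 and the $StaleDays parameter are my own choices.

```powershell
<#
Added example, not part of the original post.
Assumptions: $AccessToken is a valid Microsoft Graph bearer token (e.g. copied
from the Graph Explorer's Access token tab) whose account holds
DeviceManagementManagedDevices.Read.All. Usage:
  .\Get-IntuneDeviceLists.ps1 -AccessToken '<token>' -StaleDays 30
#>
param(
    [Parameter(Mandatory = $true)][string]$AccessToken,
    [int]$StaleDays = 30
)

$graph   = 'https://graph.microsoft.com/beta'   # Intune endpoints are beta only
$headers = @{ Authorization = "Bearer $AccessToken" }

# Graph collections are paged: keep following @odata.nextLink until it is absent.
function Get-GraphCollection {
    param([Parameter(Mandatory = $true)][string]$Uri)
    $items = @()
    while ($Uri) {
        $page   = Invoke-RestMethod -Method Get -Uri $Uri -Headers $headers -ErrorAction Stop
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# Ask only for the properties we need; $select keeps the responses small.
$select  = 'id,deviceName,operatingSystem,complianceState,lastSyncDateTime'
$devices = @(Get-GraphCollection "$graph/deviceManagement/managedDevices?`$select=$select")

# 1. All enrolled devices.
Write-Host "Enrolled devices: $($devices.Count)"
$devices | Select-Object deviceName, operatingSystem, complianceState, lastSyncDateTime |
    Format-Table -AutoSize

# 2. Non-compliant devices, filtered by the service with $filter.
$nonCompliantUri = "$graph/deviceManagement/managedDevices?`$filter=complianceState eq 'noncompliant'&`$select=$select"
$nonCompliant    = @(Get-GraphCollection $nonCompliantUri)
Write-Host "Non-compliant devices: $($nonCompliant.Count)"
$nonCompliant | Select-Object deviceName, operatingSystem, lastSyncDateTime | Format-Table -AutoSize

# 3. Devices that have not checked in for more than $StaleDays days.
#    lastSyncDateTime is compared client-side; the cast handles both the string
#    form (PowerShell 7) and the DateTime form (Windows PowerShell 5.1) of the value.
$cutoff = [datetime]::UtcNow.AddDays(-$StaleDays)
$stale  = @($devices | Where-Object {
    ([datetime]$_.lastSyncDateTime).ToUniversalTime() -lt $cutoff
})
Write-Host "Devices not connected for more than $StaleDays days: $($stale.Count)"
$stale | Select-Object deviceName, operatingSystem, complianceState, lastSyncDateTime |
    Format-Table -AutoSize
```

The non-compliance filter is done server-side because complianceState is a filterable property of managedDevice, while the 30-day check is done locally so that the timestamp comparison is unambiguous regardless of how the JSON date is deserialized. Remember that a token copied from the Graph Explorer is short-lived and carries the full delegated rights of the account you signed in with, so treat it like a password and do not store it in the script.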
In my next blog posts I will dive further into how to set everything up so that you can use the Microsoft Graph API yourself to access Microsoft Intune from PowerShell.
More information can be found here:
- Using the Microsoft Graph API
- Get started with Microsoft Graph and REST
- Microsoft Intune PowerShell examples on GitHub
How about geolocation services? Can we get information?
https://github.com/microsoftgraph/microsoft-graph-docs/blob/master/api-reference/beta/resources/intune_devices_devicegeolocation.md
Hey,
Thanks for the tutorial, I am not sure how accurate it is as of now (2.5 years later) – hopefully the core idea is the same 🙂
I can update one thing, the Graph Explorer is now under this link: https://developer.microsoft.com/graph/graph-explorer
Thanks Anon!