This week a short blog post about using PowerShell to access data in Microsoft Intune, which can be achieved by using Microsoft Graph. A couple of weeks ago there was a blog post on the Microsoft Intune Support Team Blog about Using the Microsoft Graph API to access data in Microsoft Intune. That post triggered me to look at the PowerShell possibilities, as the Microsoft Graph has an API and an API can be used with PowerShell.
In this blog post I’ll provide the high-level prerequisites for connecting to the Microsoft Graph API and I’ll provide a few examples for querying Microsoft Intune data.
Prerequisites
This blog post is really focused on the queries to the Microsoft Intune data. However, to successfully connect with the Microsoft Graph API there are a few prerequisites that should be in place.
- Create an Azure AD web app with permissions to the Microsoft Graph API. This process is very well documented here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-integrating-applications/
- Connect to the Azure AD web app by getting the right tokens. Darren Robinson has a nice example here and Stephen Owen has a great explanation about the tokens here.
Examples
Now let’s have a look at the PowerShell versions of the published Microsoft Graph Explorer commands and their results. I’ll go through all of them, provide the required input and show an example result.
User
The first example is to get data related to a single user. This requires a user principal name (UPN), in my case pvanderwoude@petervanderwoude.nl, and the token as input.
Invoke-RestMethod https://graph.microsoft.com/v1.0/users/$UPN `
    -Method Get `
    -Headers @{"Authorization" = "Bearer $accessToken"}
Owned devices
The second example is to get data related to the devices of a single user. The information is about the compliance state of the devices of the user. This requires a user principal name (UPN), in my case pvanderwoude@petervanderwoude.nl, and the token as input. The returned information is stored in a hash table.
Invoke-RestMethod https://graph.microsoft.com/v1.0/users/$UPN/ownedDevices `
    -Method Get `
    -Headers @{"Authorization" = "Bearer $accessToken"}
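The owned devices query above, extended into a small compliance report. This is an added example, not code from the original post; the function names Get-GraphCollection and Get-UserDeviceCompliance are hypothetical, and it assumes $accessToken and $UPN are already set as in the other examples. It goes beyond the single call by following result paging and by only ever sending the token to graph.microsoft.com.

```powershell
# Added example (not from the original post). Assumes $accessToken holds a valid
# Graph bearer token and $UPN a user principal name, as in the examples above.
function Get-GraphCollection {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $AccessToken
    )
    $headers = @{ "Authorization" = "Bearer $AccessToken" }
    $next = $Uri
    while ($next) {
        # Only send the bearer token to Microsoft Graph over HTTPS, also when
        # following a paging link taken from a response body.
        $target = [uri]$next
        if ($target.Scheme -ne 'https' -or $target.Host -ne 'graph.microsoft.com') {
            throw "Refusing to send token to unexpected URI: $next"
        }
        $page = Invoke-RestMethod -Uri $next -Method Get -Headers $headers -ErrorAction Stop
        $page.value                      # emit the items of this page
        $next = $page.'@odata.nextLink'  # absent ($null) on the last page
    }
}

function Get-UserDeviceCompliance {
    param(
        [Parameter(Mandatory)] [string] $UPN,
        [Parameter(Mandatory)] [string] $AccessToken
    )
    # Escape the UPN so characters such as '#' (guest accounts) stay inside
    # the path segment instead of being read as a URL fragment.
    $escaped = [uri]::EscapeDataString($UPN)
    $uri = "https://graph.microsoft.com/v1.0/users/$escaped/ownedDevices"
    Get-GraphCollection -Uri $uri -AccessToken $AccessToken |
        Select-Object displayName, operatingSystem, isManaged, isCompliant
}

# Devices of the user that are not reported as compliant
# (isCompliant is $false or not set).
Get-UserDeviceCompliance -UPN $UPN -AccessToken $accessToken |
    Where-Object { $_.isCompliant -ne $true }
```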
Registered owners
The third example is to get the owners of a device. This requires a device GUID and the token as input. The returned information is stored in a hash table.
Invoke-RestMethod https://graph.microsoft.com/v1.0/devices/$GUID/registeredOwners `
    -Method Get `
    -Headers @{"Authorization" = "Bearer $accessToken"}
Registered users
The fourth example is to get the users of a device. This requires a device GUID and the token as input. The returned information is stored in a hash table.
Invoke-RestMethod https://graph.microsoft.com/v1.0/devices/$GUID/registeredUsers `
    -Method Get `
    -Headers @{"Authorization" = "Bearer $accessToken"}
Applications
The fifth example is to get a list of uploaded applications in Microsoft Intune. This requires the token as input and the returned information is stored in a hash table. However, based on the returned information, it currently seems to return the applications registered in Azure AD.
Invoke-RestMethod https://graph.microsoft.com/beta/applications `
    -Method Get `
    -Headers @{"Authorization" = "Bearer $accessToken"}
More information
For more information about the Microsoft Graph API, in combination with Microsoft Intune and the different tokens, please refer to:
- Using the Microsoft Graph API to access data in Microsoft Intune: https://blogs.technet.microsoft.com/intunesupport/2016/10/04/using-the-microsoft-graph-api-to-access-data-in-microsoft-intune/
- Authentication Scenarios for Azure AD: https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/
Hi Peter,
Interesting article, although I am still unclear as to what to create & how it ties in with PowerShell. With automation in mind, do you see PowerShell or PowerBI as the way forward with Graph API?
Ideally, I would love for an automated PowerShell script to run a query against all of our managed tenants & pipe out the reports to a chosen location or even email. There is a lot of discussion with Microsoft on Power BI but wondering what the best strategy is for automation.
Hi Ronan,
I would say, PowerShell for automation and PowerBI for visualizing information.
Regards,
Peter