Using Graph to Manage Intune Devices

One of the best ways to manage Intune is by using the Microsoft Graph API. Microsoft Graph is a unified endpoint for accessing data and integrating with most Microsoft cloud services, e.g. Intune. Using the Graph API, you can programmatically access and manipulate Intune data, making it easier to automate tasks and integrate Intune with other systems.


In this blog post, I'll try to go over some of the ways that you can use the Graph API to manage Intune. That said, this post is a beginner's guide to using Graph via modules and cmdlets.


Graph has much, much more powerful ways of being used than what is summarized in this blog post. And that's exactly what Microsoft has designed Graph to do. Microsoft's end goal is to make the Graph API the

ONE API TO RULE THEM ALL

On the Azure platform, at least.

But honestly, I would love to see that happen. But honestly, this is the platform where EXO has had, and always will have, its own little safe space away from standardization.

But honestly, let’s move on...


So, what's an API? Simply put, an API is an interface that allows different resource types to "talk to each other". There are several principal types of APIs in widespread use. MS Graph uses a REST API, the most widely used kind of API out there. REST stands for Representational State Transfer and uses HTTP requests to access and use data. This can be data stored in Azure; registered apps; or, in our case, Intune.

REST APIs are built on five principal HTTP methods:
  • GET: Makes a request to pull data from a resource type.
  • POST: Creates a resource or invokes an action on a resource.
  • PUT: Overwrites a resource.
  • DELETE: I'm going to let you figure out what this method does. 🙃
  • PATCH: Updates a resource with new values.
The easiest way to start playing around with MS Graph is by signing into Graph Explorer. Just keep in mind, when digging through the documentation, that MS Graph exposes two API versions: a "stable" v1.0 and a beta version containing APIs that are currently in preview.
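To make the GET/version/paging points concrete, here is an added example (my own code, not from the original post) that reads Intune managed devices over Graph REST with the Microsoft.Graph PowerShell SDK rather than the AzureAD module used below. It assumes the SDK is installed and that the signed-in account holds the read-only DeviceManagementManagedDevices.Read.All permission.

```powershell
# Added example: read-only triage of Intune managed devices via Graph REST.
# Assumes the Microsoft.Graph SDK (Connect-MgGraph / Invoke-MgGraphRequest) is installed.
Import-Module Microsoft.Graph.Authentication

# Request only the scope this script needs; a broader scope is a larger blast radius if the token leaks.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -NoWelcome

# Use the stable v1.0 endpoint; switch to 'beta' only when a property you need is not yet in v1.0.
$apiVersion = "v1.0"
$uri = "https://graph.microsoft.com/$apiVersion/deviceManagement/managedDevices" +
       "?`$select=id,deviceName,operatingSystem,complianceState,lastSyncDateTime"

# Graph pages large collections: follow @odata.nextLink until it disappears.
$devices = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $devices += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

# Filter client-side: non-compliant devices that have also stopped checking in (stale > 7 days)
# are the ones to triage first, because Conditional Access may rely on their compliance state.
$staleCutoff = (Get-Date).AddDays(-7)
$devices |
    Where-Object { $_.complianceState -eq 'noncompliant' } |
    ForEach-Object {
        [pscustomobject]@{
            DeviceName = $_.deviceName
            OS         = $_.operatingSystem
            Compliance = $_.complianceState
            LastSync   = [datetime]$_.lastSyncDateTime
            Stale      = ([datetime]$_.lastSyncDateTime) -lt $staleCutoff
        }
    } |
    Sort-Object LastSync |
    Format-Table -AutoSize
```

Swapping `$apiVersion` to `beta` is the only change needed to compare what the preview endpoint returns for the same resource.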

But sticking to the more UX-oriented aspect of this blog post, let's get back on track.

Enrolling devices

One of the first things you will likely want to do with Intune is enroll devices. The Graph API makes this process easy by providing a simple API for enrolling devices.

To enroll a device using a Graph API powershell script, you can use the following steps:
1. First, open powershell and authenticate your device with the Graph API. You can do this by using the Connect-AzureAD command and providing your Azure AD credentials.
2. Once you have authenticated your device, you can use the New-AzureADDevice command to create a new device object in Azure AD. You will need to provide a name and description for the device, as well as the device's MAC address and serial number.
3. After creating the device object, you can use the New-AzureADDeviceRegistrationAuthorization command to generate a registration code for the device. This code will be used by the device to register itself with Azure AD.
4. To enroll the device, you can use the Invoke-AzureADDeviceManagementEnrollment command and provide the registration code that you generated in the previous step. This will enroll the device in Azure AD and allow it to access resources secured by Azure AD.

Here's an example powershell script that demonstrates these steps:

# Authenticate with the Graph API
Connect-AzureAD

# Create a new device object
New-AzureADDevice -DisplayName "My Device" -Description "My device description" -MacAddress "00-11-22-33-44-55" -SerialNumber "123456"

# Generate a registration code for the device
$registrationCode = New-AzureADDeviceRegistrationAuthorization -Id "My Device"

# Enroll the device using the registration code
Invoke-AzureADDeviceManagementEnrollment -RegistrationCode $registrationCode


Setting policies

Once you have enrolled your devices, you will likely want to set policies to control how those devices can be used. The Graph API makes it easy to set policies for both individual devices and groups of devices.

You can do this with the New-AzureADDeviceConfiguration and Set-AzureADDeviceConfiguration commands. These commands allow you to create and manage device configurations, which are sets of policies that control how devices can be used.

# Authenticate with the Graph API
Connect-AzureAD

# Assign the device configuration to the device
Add-AzureADDeviceConfigurationDevice -DeviceId "My Device" -DeviceConfigurationId "My Device Configuration"


In this example, the Add-AzureADDeviceConfigurationDevice command assigns the device configuration with the specified ID to the device with the specified ID. This will apply the policies in the device configuration to the device.

You can use these commands and scripts as a starting point for creating and managing device configurations using the Graph API and powershell.

To create and set a device configuration for multiple devices using the Graph API and powershell, you can use the New-AzureADDeviceConfiguration and Set-AzureADDeviceConfiguration commands, as well as the Add-AzureADDeviceConfigurationDevice command.

# Authenticate with the Graph API
Connect-AzureAD

# Create a new device configuration
New-AzureADDeviceConfiguration -DisplayName "My Device Configuration" -Description "My device configuration description"

# Set the device configuration policies
Set-AzureADDeviceConfiguration -Id "My Device Configuration" -AccessRecheckOfflineTimeout 4 -AccessRecheckOnlineTimeout 2

# Assign the device configuration to the first device
Add-AzureADDeviceConfigurationDevice -DeviceId "Device1" -DeviceConfigurationId "My Device Configuration"

# Assign the device configuration to the second device
Add-AzureADDeviceConfigurationDevice -DeviceId "Device2" -DeviceConfigurationId "My Device Configuration"

# Assign the device configuration to the third device
Add-AzureADDeviceConfigurationDevice -DeviceId "Device3" -DeviceConfigurationId "My Device Configuration"

In this example, the New-AzureADDeviceConfiguration and Set-AzureADDeviceConfiguration commands create and set a device configuration with the specified name and description. The Add-AzureADDeviceConfigurationDevice command is then used to assign the device configuration to each of the specified devices. This will apply the policies in the device configuration to all of the devices.

You can modify this script to include additional devices, or to use different device configuration policies as needed. You can also use the Get-AzureADDeviceConfiguration command to retrieve information about the device configuration, and the Get-AzureADDeviceConfigurationDevice command to retrieve information about the devices that are assigned to the device configuration.
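As an added example (my own code, not the original post's), here is the same "create a configuration, then assign it" flow done directly against the Graph REST resource `deviceManagement/deviceConfigurations` with the Microsoft.Graph SDK. It assumes the DeviceManagementConfiguration.ReadWrite.All permission and uses a placeholder group id; assigning to a group instead of to individual devices means membership changes flow through automatically.

```powershell
# Added example: create a Windows device configuration profile and assign it to a group over Graph REST.
# Assumes the Microsoft.Graph SDK; the group id below is a placeholder you must replace.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome

$base = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"

# POST creates the profile. The @odata.type selects the platform-specific schema.
$policyBody = [ordered]@{
    "@odata.type"         = "#microsoft.graph.windows10GeneralConfiguration"
    displayName           = "Baseline - Require device password"
    description           = "Created via Graph; enforces a minimum password on Windows devices"
    passwordRequired      = $true
    passwordMinimumLength = 12
    passwordBlockSimple   = $true
} | ConvertTo-Json

$policy = Invoke-MgGraphRequest -Method POST -Uri $base -Body $policyBody -ContentType "application/json"
Write-Host "Created profile $($policy.id)"

# Assign to a pilot group first; widen the target group once the profile has been verified.
$targetGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your pilot group's object id
$assignBody = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $targetGroupId
            }
        }
    )
} | ConvertTo-Json -Depth 5

# 'assign' is an action, so it is a POST to the profile's /assign path, not a PATCH of the profile itself.
Invoke-MgGraphRequest -Method POST -Uri "$base/$($policy.id)/assign" -Body $assignBody -ContentType "application/json"

# Verify what was actually applied (GET) before trusting the rollout.
(Invoke-MgGraphRequest -Method GET -Uri "$base/$($policy.id)/assignments").value |
    ForEach-Object { $_.target.groupId }
```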


Remotely managing devices

To use the Graph API in a powershell script to remotely manage devices, you can use the Invoke-AzureADDeviceManagementCommand command. This command allows you to send commands to one or more devices, and receive responses from those devices.

The following snippet demonstrates how to use the Invoke-AzureADDeviceManagementCommand command to remotely manage devices:

# Authenticate with the Graph API
Connect-AzureAD

# Send a command to the first device
$response = Invoke-AzureADDeviceManagementCommand -DeviceId "Device1" -MethodName "getDeviceInformation"

# Display the response from the first device
$response.Payload

# Send a command to the second device
$response = Invoke-AzureADDeviceManagementCommand -DeviceId "Device2" -MethodName "getDeviceInformation"

# Display the response from the second device
$response.Payload

# Send a command to the third device
$response = Invoke-AzureADDeviceManagementCommand -DeviceId "Device3" -MethodName "getDeviceInformation"

# Display the response from the third device
$response.Payload


In this example, the Invoke-AzureADDeviceManagementCommand command is used to send a command to each of the specified devices. The command in this case is "getDeviceInformation", which retrieves information about the device. The response from each device is then displayed using the Payload property of the response object. 

You can modify this script to send different commands to the devices, or to send the same command to multiple devices at once. You can also use the Invoke-AzureADDeviceManagementMethod command to invoke a specific method on a device, rather than sending a command. This allows you to perform more complex actions on the device, such as installing an app or setting a configuration value.
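For comparison, here is an added example (my own code, not the original post's) of a real remote action exposed by the Intune Graph resource: the `syncDevice` action, which forces a device to check in. It uses the Microsoft.Graph SDK, assumes the DeviceManagementManagedDevices.PrivilegedOperations.All permission, and runs over a constructed list of device ids; actions are POSTs that return 204 with no payload, so the script records success or failure per device instead of reading a response body.

```powershell
# Added example: fan a Graph action (syncDevice) out over several managed devices with dry-run support.
# Assumes the Microsoft.Graph SDK; the device ids below are constructed placeholders.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.PrivilegedOperations.All" -NoWelcome

function Invoke-DeviceSync {
    # SupportsShouldProcess gives the caller -WhatIf/-Confirm for free: a safe rehearsal before
    # touching production devices, and a record of which device each action targets.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DeviceId,
        [string]$DeviceName = $DeviceId
    )
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$DeviceId/syncDevice"
    if ($PSCmdlet.ShouldProcess($DeviceName, "syncDevice")) {
        try {
            # Actions are POSTs; syncDevice returns 204 No Content, so there is no payload to display.
            Invoke-MgGraphRequest -Method POST -Uri $uri | Out-Null
            [pscustomobject]@{ Device = $DeviceName; Result = "sync requested" }
        }
        catch {
            # One failing device (e.g. already retired, or a 403) must not abort the whole batch.
            [pscustomobject]@{ Device = $DeviceName; Result = "failed: $($_.Exception.Message)" }
        }
    }
}

# Constructed input: in practice these come from a GET on /deviceManagement/managedDevices.
$targets = @(
    @{ id = "11111111-1111-1111-1111-111111111111"; name = "Device1" },
    @{ id = "22222222-2222-2222-2222-222222222222"; name = "Device2" },
    @{ id = "33333333-3333-3333-3333-333333333333"; name = "Device3" }
)

# Dry run first; remove -WhatIf to actually send the action.
$targets |
    ForEach-Object { Invoke-DeviceSync -DeviceId $_.id -DeviceName $_.name -WhatIf } |
    Format-Table -AutoSize
```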

Summing it up

So that's it. In this blog post, we've gone over some of the ways that you can use the Microsoft Graph API to manage Intune. By using the Graph API, you can easily enroll devices, set policies, and remotely manage devices to keep your organization's data secure.

Stay tuned for a follow-up!^1


^1 when I get around to it. At some point. Life's hard and keeps you busy, man!