If you have experience managing an Intune environment, then you know that there are some real repetitive tasks:
- Creating new applications
- Assigning applications/policies
- Copying policies
- Documenting your environment
For all these tasks, Intune has the ability for some automation. During this blog post, I will walk you through how to get started and provide you with some tips and tricks.
All of the automation capabilities for Intune are based on the Microsoft Graph API. The Microsoft Graph API is the general endpoint for almost all Microsoft endpoints. It uses a uniform method of authentication/querying across all the different endpoints, which makes it really convenient to switch between platforms.
For an introduction into the Graph API check on this blog.
v1.0 vs beta
The Microsoft Graph API has two main endpoints: v1.0 and beta. The 1.0 is the stable version which is meant for production use. The beta endpoint is the development branch which might change unannounced.
Although the beta endpoint is meant for production use, almost the entire Intune console is based upon it. This is because all the new features first appear in the beta endpoint. So whenever you are looking into automating something, chances are your functions are still in the beta endpoint. You shouldn’t be afraid of using the beta endpoint. Just be sure to keep an eye on the changelog to keep your scripts up to date.
Finding the right functions
In order to find out which Graph function you should use, you have two options:
- Using the Graph Documentation
- Using Debugging Tools
The Graph docs are divided in different workspace. The most important ones are:
- App Management
- Device Configuration
- Device Management
The workspaces makes up a big part of the URL, for example
A global overview of the Graph Documentation can be found here. The docs can be of great value in order to find examples of the different functions, this way you can find out what all the required parameters are. Unfortunately, navigating to the function you need can be pretty difficult, that’s why I often use debugging tools.
An easy way to find out the right functions is to inspect the network traffic. This can be done with a tool like Fiddler, I often use the debugging tools built into Edge Chromium/Chrome.
In the short video below, you can see the steps in order to find out the right functions this way:
- Press F12 to open the debugging tools
- Go to the networking tab
- Execute the tasks that you want to automate
- Filter on graph.microsoft.com to get the relevant alerts
- Find the right function in the requests
- Check the right query parameters and example response
As you can see the Endpoint Management portal is really chatty and you can see a lot of requests, most of them are not useful to you. So it can be a hassle to find the functions you need.
Know that this is not a supported way to ‘reverse engineer’ the Graph, but this method is often easier than using the documentation.
This trick can also be used in the Azure portal for Azure related tasks.
Intune Graph Examples
The Intune team also provides some Powershell examples on how to interact with the Intune parts of the Graph API. This is a great place to get started and see how the queries and output can be handled. The Powershell examples are available on GitHub and are regularly maintained.
I personally don’t use these examples very often as they are often specific. I prefer to create my own functions which are tailored made to my own needs.
Next to the Powershell examples, there is also a Powershell module available. The Powershell module is a wrapper for the Intune Graph API. It provides some convenient commands to easily connect to the Graph API and retrieve some basic information.
Retrieving all mobile applications:
The prebuilt commands can be really convenient when you are first starting off and are executing basic commands. If you are trying to do some more advanced actions, you will run into some limitations pretty soon.
The module also provides a wrapper for regular Graph calls that takes care of the URL formatting and authentication for you.
Invoke-MSGraphRequest -HttpMethod GET -Url 'deviceAppManagement/mobileApps'
I found the Invoke-MsGraphRequest really useful when you are just getting started and don’t want to be ‘bothered’ with the in and outs of the Graph API.
Note that Intune is curently not in scope for the Microsoft Graph Powershell Module, which is a Powershell module for the entire Graph API.
Logic Apps/Power Automate
As a systems administrator, I have a huge fan of Logic Apps (and Power Automate). These products enable you to easily create scripts without the need to write code. They can be scaled up and easily monitored.
There are some good examples out there on how to automate certain tasks with Logic Apps/ Power Automate: