Hi, I am Jyoti Prakash, part of SI IGD, based out of Bangalore, India. This blog gives you a glimpse of what Intune Graph API is all about and how to use it.
What is Graph API?
The Microsoft Graph API for Intune enables programmatic access to Intune information for your tenant; the API provides you access to Microsoft 365 services like Intune, AzureAD, Office365 etc. via REST-API. You can go through details on Microsoft Graph API here.
Recently, in my engagement, there was a requirement to fetch the information from Intune Managed Win 10 devices specially to collect ethernet MAC address along with Wi-fi MAC address from the devices to be able to whitelist BYOD user devices based on MAC. While Wi-fi MAC can be exported from MEM admin center or Intune section in Azure portal, ethernet MAC wasnt available and needed to export using Graph API beta version. Hence, we used this approach.
Script to get Hardware Info of Intune managed devices
You can find the PowerShell script to get the hardware details of any Intune enrolled device here.
Note: This is to get hardware level details of Intune managed devices and not the Hardware Hash required for Autopilot. 🙂
How to get access to Graph API for Intune(Managed devices)
- Install the AzureAD PowerShell module by running ‘Install-Module AzureAD’ or ‘Install-Module AzureADPreview’ from an elevated PowerShell prompt
- An Intune tenant which supports the Azure Portal with a production or trial license (https://docs.microsoft.com/en-us/intune-azure/introduction/what-is-microsoft-intune)
- Using the Microsoft Graph APIs to configure Intune controls and policies requires an Intune license.
- An account with permissions to administer the Intune Service
- PowerShell v5.0 on Windows 10 x64 (PowerShell v4.0 is a minimum requirement for the scripts to function correctly)
- Note: For PowerShell 4.0 you will require the PowershellGet Module for PS 4.0 to enable the usage of the Install-Module functionality
- First time usage of these scripts requires a Global Administrator of the Tenant to accept the permissions of the application
Register AzureAD Application
- Login to AzureAD Admin portal as an Global Admin > App Registration
- Click on New Registration – Fill the details as below
- Enter the details as below and click on Register.
4. Once the App is registered, go to API Permissions and click on Add a permission
5. Select Graph API and select Application Permissions(Delegated Permissions works too, we are choosing Application permissions in this case).
6. Search for DeviceManagementManagedDevice Section and select the below two and click on add permission.
7. Click on Grant Consent for <Directory Name>. WVDDirectory here is my AzureAD Tenant Directory Name.
8. Go to AAD>Enterprise Applications and look for Intune Graph API and add the required users/members who would use this API to fetch reports.
9. Once done, need the global admin to run the PowerShell script(lnk in earlier section) once via his/her credentials to grant consent. This is one time activity and doesn’t need any actions further.
Note: The graph API permissions in this blog are limited to the need of the customer, however you can add more based on your requirements to retrieve more information.
Hope this helps you in someway. Do reach out in case of any questions.