Using PowerShell with Microsoft Graph to query Intune Devices

What is Microsoft Graph?

Microsoft Graph connects resources across Office 365 services. Using https://graph.microsoft.com you can connect to these services and access a wealth of resources, relationships and intelligence.

You can read more on Microsoft Graph at https://docs.microsoft.com/en-us/graph/overview

How do I use Microsoft Graph?

If you need to return a wealth of information about your Intune devices (more than Get-MSOLDevice can offer), we must use Microsoft Graph. We can just pop over to https://graph.microsoft.com to return some data. Let's take a look at this before we jump into some PowerShell.

  1. Authenticate with your Global Admin Account
  2. Choose a simple query GET – V1.0 – “https://graph.microsoft.com/v1.0/me”
  3. Click “Run Query”

You can try a load of other simple, cool examples documented at https://docs.microsoft.com/en-us/graph/overview

Introducing the Intune PowerShell SDK

https://github.com/Microsoft/Intune-PowerShell-SDK

This is your friend. What an awesome project! This PowerShell module provides support for the Intune API using Microsoft Graph. Let's have a look at downloading the module, connecting to Microsoft Graph and querying our Intune data.

1. Navigate to https://github.com/Microsoft/Intune-PowerShell-SDK/releases

2. Download the release zip

3. You may need to unblock the zip file before you extract it, to allow scripts that have been downloaded from the Internet to run on Windows 10. See Unblock-File: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-6

4. You will see the “Microsoft.Graph.Intune” PowerShell module we will need to import

5. Import the Module

6. Connect to the Microsoft Graph (You must have .NET 4.7.1 or higher installed)

7. Accept the Permission request for Intune PowerShell

You should have a successful connection
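
Steps 3 to 7 as one script, written as an added example rather than code from the original post. The archive and destination paths are placeholders, and the script searches the extracted folder for the module manifest instead of assuming where it sits; Connect-MSGraph is the module's sign-in cmdlet.

```powershell
# Added example: $zip and $dest are placeholder paths, not values from the post.
$zip  = Join-Path $env:USERPROFILE 'Downloads\Intune-PowerShell-SDK.zip'   # placeholder file name
$dest = Join-Path $env:USERPROFILE 'IntuneSDK'                             # placeholder folder

# Step 6 prerequisite: .NET Framework 4.7.1 or higher (registry Release value 461308 or above).
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
if ($ndp.Release -lt 461308) {
    throw ".NET Framework 4.7.1 or higher is required (Release value found: $($ndp.Release))"
}

# Record what is about to be trusted: the SHA-256 hash of the downloaded archive.
Get-FileHash -Path $zip -Algorithm SHA256 | Format-List Algorithm, Hash, Path

# Step 3: a file downloaded by a browser carries a Zone.Identifier stream.
# Show it, then remove it with Unblock-File so the extracted module files are not blocked.
if (Get-Item -Path $zip -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
    Get-Content -Path $zip -Stream Zone.Identifier
    Unblock-File -Path $zip
}

# Step 4: extract and locate the module manifest instead of assuming its folder.
Expand-Archive -Path $zip -DestinationPath $dest -Force
$manifests = @(Get-ChildItem -Path $dest -Recurse -Filter 'Microsoft.Graph.Intune.psd1')
if ($manifests.Count -eq 0) { throw "Microsoft.Graph.Intune.psd1 not found under $dest" }
$manifests.FullName            # if more than one copy is listed, pick the one for your PowerShell
$manifest = $manifests[0]

# Step 5: import the module from the extracted folder.
Import-Module $manifest.FullName

# Steps 6 and 7: interactive sign-in; the first run shows the permission request.
Connect-MSGraph

# How many cmdlets did the module add?
(Get-Command -Module Microsoft.Graph.Intune | Measure-Object).Count
```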

PowerShell Time

Let's see what this module can do. How many cmdlets do we have?

914 cmdlets!

That’s a lot of cmdlets!

The post title suggested we are querying our Intune Devices. So here is a useful cmdlet for your arsenal:-

Get-IntuneManagedDevice

Running this cmdlet will return all your Intune Managed Devices with all Device Details – cool! Let's see what this would look like in the PowerShell Grid View.

A wealth of information is returned about our Intune Managed Devices

47 columns are returned for each Intune Managed Device, that is a lot of cool info right there at your fingertips. The Columns are:-

  • id
  • userId
  • deviceName
  • managedDeviceOwnerType
  • enrolledDateTime
  • lastSyncDateTime
  • operatingSystem
  • complianceState
  • jailBroken
  • managementAgent
  • osVersion
  • easActivated
  • easDeviceId
  • easActivationDateTime
  • azureADRegistered
  • deviceEnrollmentType
  • activationLockBypassCode
  • emailAddress
  • azureADDeviceId
  • deviceRegistrationState
  • deviceCategoryDisplayName
  • isSupervised
  • exchangeLastSuccessfulSyncDateTime
  • exchangeAccessState
  • exchangeAccessStateReason
  • remoteAssistanceSessionUrl
  • remoteAssistanceSessionErrorDetails
  • isEncrypted
  • userPrincipalName
  • model
  • manufacturer
  • imei
  • complianceGracePeriodExpirationDateTime
  • serialNumber
  • phoneNumber
  • androidSecurityPatchLevel
  • userDisplayName
  • configurationManagerClientEnabledFeatures
  • wiFiMacAddress
  • deviceHealthAttestationState
  • subscriberCarrier
  • meid
  • totalStorageSpaceInBytes
  • freeStorageSpaceInBytes
  • managedDeviceName
  • partnerReportedThreatState
  • deviceActionResults

Let’s try another command. I want to find my iPhone:-

Results for a query looking for model “iphone*” for user “Ben Whitmore”

Another example. What if we wanted to find all the old iPhones in the company so we can prepare for product End of Support?

Old Company iPhones

Here is another real-world example we encountered recently. We upload corporate identifiers to Intune so our company devices enroll as “Corporate” instead of “Personal”. There was/is a bug which means the IMEI is not exposed and captured by Intune, so our devices were registering as “Personal”. We could use Microsoft Graph to find all iOS devices that have a $null IMEI field.
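
The three queries described above (one user's iPhone, old company iPhones, iOS devices with no IMEI), written as an added example that is not the original post's code. The device records are constructed sample data using the property names listed earlier; the helper function names are hypothetical and the list of "old" models is an assumption.

```powershell
# Added example. Constructed sample records (not real devices) using the property
# names listed in the post. On a live tenant, after Connect-MSGraph, use instead:
#   $devices = Get-IntuneManagedDevice | Get-MSGraphAllPages
$devices = @(
    [pscustomobject]@{ deviceName = 'BW-iPhone'; userDisplayName = 'Ben Whitmore'; operatingSystem = 'iOS'
                       model = 'iPhone 8'; imei = '000000000000001'; managedDeviceOwnerType = 'company' }
    [pscustomobject]@{ deviceName = 'Sales-07'; userDisplayName = 'Sample User A'; operatingSystem = 'iOS'
                       model = 'iPhone 6'; imei = '000000000000002'; managedDeviceOwnerType = 'company' }
    [pscustomobject]@{ deviceName = 'Ops-12'; userDisplayName = 'Sample User B'; operatingSystem = 'iOS'
                       model = 'iPhone 7'; imei = $null; managedDeviceOwnerType = 'personal' }
    [pscustomobject]@{ deviceName = 'LAPTOP-01'; userDisplayName = 'Sample User C'; operatingSystem = 'Windows'
                       model = 'Sample Laptop'; imei = $null; managedDeviceOwnerType = 'company' }
)

# Hypothetical helper names; each filters device objects arriving on the pipeline.
function Get-UserIPhone {
    param([Parameter(ValueFromPipeline)] $Device, [string] $User)
    process {
        if ($Device.model -like 'iphone*' -and $Device.userDisplayName -eq $User) { $Device }
    }
}

function Get-OldCompanyIPhone {
    param([Parameter(ValueFromPipeline)] $Device,
          [string[]] $OldModels = @('iPhone 5s', 'iPhone 6'))   # assumption: your own End of Support list
    process {
        if ($Device.managedDeviceOwnerType -eq 'company' -and $Device.model -in $OldModels) { $Device }
    }
}

function Get-IosDeviceWithoutImei {
    param([Parameter(ValueFromPipeline)] $Device)
    process {
        # An empty string is treated like $null so blank IMEI fields are caught as well.
        if ($Device.operatingSystem -eq 'iOS' -and [string]::IsNullOrWhiteSpace($Device.imei)) { $Device }
    }
}

$devices | Get-UserIPhone -User 'Ben Whitmore' | Format-Table deviceName, model, userDisplayName
$devices | Get-OldCompanyIPhone                | Format-Table deviceName, model, userDisplayName
$devices | Get-IosDeviceWithoutImei            | Format-Table deviceName, model, managedDeviceOwnerType
```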

So now we are leveraging PowerShell with Intune, the possibilities are endless…ish. But certainly a lot more powerful than relying on our old buddy Get-MSOLDevice.

I hope this post has given you an overview of using PowerShell with Microsoft Graph to query Intune Devices. More posts will follow with real-world examples.

Have a great day!

28 thoughts on “Using PowerShell with Microsoft Graph to query Intune Devices”

  1. Pingback: Create an Intune App Protection Policy to force an app "Pin Reset" after x days

  2. Shaune Sichkaruk

    This command only allows a MAX result of 1000. What is the best method to expand this beyond 1000 results? MaxPageSize doesn’t seem to work.

        1. Just reading this for this information! For future Googlers, you can pipe the command:

          Get-IntuneManagedDevice | Get-MSGraphAllPages

  3. Hi Ben,

    Thanks for the posts and blog. Very informative. I had an idea, whereby I could use the complianceState cmdlet in conjunction with a Toast Notification. The toast notification will pop up periodically, e.g. every 1 hour, and produce a custom toast message with the current device's compliance state. Ideally the API call should need to run with the correct permissions to read etc. Let me know what you think.

  4. Hi Ben,
    Thanks for the post and your article is really helpful.
    I’m just trying to pull the device hardware properties, specifically the ethernet MAC address, which is not working when I run the cmdlet Get-IntuneManagedDevice.
    Is there any way to get this information?

  5. Hi Ben,

    I’m looking to pull the State (i.e. managed, retire pending) via PowerShell for all devices, but I can’t seem to find that property anywhere. Frustratingly enough, everywhere in the portal(s) it shows up, there’s no export. Any ideas?

  6. Is there a command to delete/remove a device as an alternative to using the bulk device with this? I have the export with the device name and device ID.

  7. When I’m using Get-IntuneManagedDevice | Out-GridView I’m only getting the 4 columns (@odata.context, @odata.count, @odata.nextlink, Value) which then doesn’t really provide the data in a viewable format. I was using the latest release 1907 but even downloaded the older version in this example and ran into the same issue.

    Can anyone help me figure out what I’m doing wrong?

  8. Is there a way I can sync all devices in a specific Intune group? I have a maintenance window set up to update iOS versions and I want to sync all devices in a group instead of having to sync all iOS devices.

  9. Hi Ben

    I’m getting the following when I connect to MS Graph in PowerShell ISE:

    Need admin approval

    Microsoft Intune PowerShell

    I’m an Intune administrator, but not a Global Administrator. Will I need to get a Global Admin to give approval?

  10. Hello Tom, is there a way to get all corporate windows devices whose check-in time is null and/or use a list from a txt or csv of devices that you would specifically like to check?

  11. Hello Ben, one more question. I need to run a check based on a list of devices in a txt file for the last check-in time and then output the devices with last check-in time or null value to a csv.

  12. Hello Ben,

    I’m looking for a way to use a list of computers from a txt file and check their last check-in time then export to a csv.

  13. Is there a way I can find out what Intune policies and profiles are assigned to a specific device in Intune? Microsoft is asking for this information in an open tech support case.
