What is Microsoft Graph?
Microsoft Graph connects resources across Office 365 services. Using https://graph.microsoft.com you can connect to these services and access a wealth of resources, relationships and intelligence.
You can read more on Microsoft Graph at https://docs.microsoft.com/en-us/graph/overview
How do I use Microsoft Graph?
If you have a requirement to return a wealth of information about your Intune Devices (more than Get-MSOLDevice can offer) we must use Microsoft Graph. We can just pop over to https://graph.microsoft.com to return some data. Let's take a look at this before we jump into some PowerShell.
- Authenticate with your Global Admin Account
- Choose a simple query GET – V1.0 – “https://graph.microsoft.com/v1.0/me”
- Click “Run Query”


You can try a load of other simple, cool examples documented at https://docs.microsoft.com/en-us/graph/overview
Introducing the Intune PowerShell SDK
https://github.com/Microsoft/Intune-PowerShell-SDK
This is your friend. What an awesome project! This PowerShell module will provide support for the Intune API using Microsoft Graph. Let's have a look at downloading the module, connecting to Microsoft Graph and querying our Intune data.
1. Navigate to https://github.com/Microsoft/Intune-PowerShell-SDK/releases
2. Download the release zip

3. You may need to “Unblock the file” before you extract it (Windows 10 unblock scripts downloaded from the Internet: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-6)

4. You will see the “Microsoft.Graph.Intune” PowerShell module we will need to import

5. Import the Module
Import-Module .\Microsoft.Graph.Intune.psd1
6. Connect to the Microsoft Graph (You must have .NET 4.7.1 or higher installed)
Connect-MSGraph -AdminConsent
7. Accept the Permission request for Intune PowerShell

You should have a successful connection

PowerShell Time
Let's see what this Module can do. How many cmdlets do we have?
Get-Command -Module Microsoft.Graph.Intune | measure

That’s a lot of cmdlets!
The post title suggested we are querying our Intune Devices. So here is a useful cmdlet for your arsenal:-
Get-IntuneManagedDevice

Running this cmdlet will return all your Intune Managed Devices with all Device Details – cool! Let's see what this would look like in the PowerShell Grid View.
Get-IntuneManagedDevice | Out-GridView

47 columns are returned for each Intune Managed Device, that is a lot of cool info right there at your fingertips. The Columns are:-
- id
- userId
- deviceName
- managedDeviceOwnerType
- enrolledDateTime
- lastSyncDateTime
- operatingSystem
- complianceState
- jailBroken
- managementAgent
- osVersion
- easActivated
- easDeviceId
- easActivationDateTime
- azureADRegistered
- deviceEnrollmentType
- activationLockBypassCode
- emailAddress
- azureADDeviceId
- deviceRegistrationState
- deviceCategoryDisplayName
- isSupervised
- exchangeLastSuccessfulSyncDateTime
- exchangeAccessState
- exchangeAccessStateReason
- remoteAssistanceSessionUrl
- remoteAssistanceSessionErrorDetails
- isEncrypted
- userPrincipalName
- model
- manufacturer
- imei
- complianceGracePeriodExpirationDateTime
- serialNumber
- phoneNumber
- androidSecurityPatchLevel
- userDisplayName
- configurationManagerClientEnabledFeatures
- wiFiMacAddress
- deviceHealthAttestationState
- subscriberCarrier
- meid
- totalStorageSpaceInBytes
- freeStorageSpaceInBytes
- managedDeviceName
- partnerReportedThreatState
- deviceActionResults
Let’s try another command. I want to find my iPhone:-
Get-IntuneManagedDevice | Where-Object {$_.userDisplayName -eq "Ben Whitmore" -and $_.model -like "iphone*"}

Another example. What if we wanted to find all the old iPhones in the company so we can prepare for product End of Support?
Get-IntuneManagedDevice | Where-Object {$_.model -like "iphone 5*"} | Select userDisplayName, model, osVersion

Here is another real world example we encountered recently. We upload corporate identifiers to Intune so our Company devices enroll as “Corporate” instead of “Personal”. There was/is a bug which means the IMEI is not exposed and captured by Intune, so our devices were registering as “Personal”. We could use Microsoft Graph to find all iOS devices that have a $Null IMEI field.
Get-IntuneManagedDevice | Where-Object {$_.operatingsystem -eq 'ios' -and $_.imei -eq $Null} | Select userDisplayName, model, osVersion
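The same filtering idea applied to the security-relevant columns listed above (complianceState, isEncrypted, jailBroken, lastSyncDateTime), as an added example that is not part of the original post: it flags devices that are non-compliant, unencrypted, jailbroken or have not synced recently. The function name Get-DeviceRiskFlag, the 30-day threshold and the sample devices are assumptions made for illustration.

```powershell
# Added example, not from the original post. Get-DeviceRiskFlag, the 30-day
# threshold and the sample devices are hypothetical / constructed.
function Get-DeviceRiskFlag {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Device,
        [int] $StaleDays = 30,
        [datetime] $Now = (Get-Date)
    )
    process {
        $flags = @()
        if ($Device.complianceState -ne 'compliant') { $flags += "compliance:$($Device.complianceState)" }
        if ($Device.isEncrypted -ne $true)           { $flags += 'not-encrypted' }
        if ("$($Device.jailBroken)" -eq 'True')      { $flags += 'jailbroken' }
        # -as returns $null for a missing or unparsable date, so a device that
        # never checked in is reported rather than silently skipped
        $lastSync = $Device.lastSyncDateTime -as [datetime]
        if ($null -eq $lastSync) { $flags += 'never-synced' }
        elseif (($Now - $lastSync).TotalDays -gt $StaleDays) {
            $flags += 'stale:{0}d' -f [int][math]::Floor(($Now - $lastSync).TotalDays)
        }
        if ($flags.Count -gt 0) {
            # Emit only flagged devices, with the columns needed to follow up
            [pscustomobject]@{
                deviceName        = $Device.deviceName
                userPrincipalName = $Device.userPrincipalName
                operatingSystem   = $Device.operatingSystem
                osVersion         = $Device.osVersion
                lastSyncDateTime  = $Device.lastSyncDateTime
                flags             = $flags -join ';'
            }
        }
    }
}

# Constructed sample input so the function can be tried without a tenant
$asOf = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ deviceName='LAPTOP-01'; userPrincipalName='a@example.com'; operatingSystem='Windows'; osVersion='10.0.19045'; complianceState='compliant'; isEncrypted=$true; jailBroken='Unknown'; lastSyncDateTime='2024-05-30T08:00:00' }
    [pscustomobject]@{ deviceName='IPHONE-02'; userPrincipalName='b@example.com'; operatingSystem='iOS'; osVersion='12.5.7'; complianceState='noncompliant'; isEncrypted=$true; jailBroken='True'; lastSyncDateTime='2024-05-31T09:00:00' }
    [pscustomobject]@{ deviceName='TABLET-03'; userPrincipalName='c@example.com'; operatingSystem='Android'; osVersion='11'; complianceState='compliant'; isEncrypted=$false; jailBroken='False'; lastSyncDateTime='2024-03-01T12:00:00' }
    [pscustomobject]@{ deviceName='LAPTOP-04'; userPrincipalName='d@example.com'; operatingSystem='Windows'; osVersion='10.0.22631'; complianceState='unknown'; isEncrypted=$true; jailBroken='Unknown'; lastSyncDateTime=$null }
)
$sample | Get-DeviceRiskFlag -Now $asOf | Format-Table -AutoSize

# Against a tenant (after Connect-MSGraph), page through every device:
# Get-IntuneManagedDevice | Get-MSGraphAllPages | Get-DeviceRiskFlag |
#     Export-Csv .\device-risk.csv -NoTypeInformation
```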
So now we are leveraging PowerShell with Intune, the possibilities are endless…ish. But certainly a lot more powerful than relying on our old buddy Get-MSOLDevice.
I hope this post has given you an overview of using PowerShell with Microsoft Graph to query Intune Devices. More posts will follow with real world examples.
Have a great day!
you can also unblock the assemblies using the command:-
Dir -Recurse $sdkDir | Unblock-File
Source: https://github.com/Microsoft/Intune-PowerShell-SDK
This command only allows a MAX result of 1000. What is the best method to expand this beyond 1000 results? MaxPageSize doesn’t seem to work.
Does this help?
https://github.com/Microsoft/Intune-PowerShell-SDK/blob/master/Samples/README.md#paging
Yes it does. Get-MSGraphAllPages was my solution. Thanks for the prompt response!
awesome 🙂
just reading this for this information! for future googlers you can pipe the command:
Get-IntuneManagedDevice | Get-MSGraphAllPages
Hi Ben,
Thanks for the posts and blog. Very informative. I had an idea whereby I could use the complianceState cmdlet in conjunction with a Toast Notification. The toast notification will pop up periodically, e.g. every 1 hour, and produce a custom toast message with the current device's compliance state. Ideally the API call should need to run with the correct permissions to read etc. Let me know what you think.
Hi Ben,
Thanks for the post and your article is really helpful.
I’m just trying to pull the device hardware properties, specifically the ethernet MAC address, which is not working when I run the commandlet Get-IntuneManagedDevice.
Is there any way to get this information?
Hi sirs,
is there a way to get registered devices infos (i.e. ram and disk?)
Hello Paolo,
Here is an example to get total and free disk space for Intune managed devices using the module
Get-IntuneManagedDevice | Select-Object devicename, totalstoragespaceinbytes, freestoragespaceinbytes | Out-GridView
The docs have some good examples too
https://docs.microsoft.com/en-us/graph/api/intune-devices-manageddevice-get?view=graph-rest-1.0
What’s the best option to run this script remotely, without having to authenticate manually each time?
How can we pull the device ethernet MAC address? Thanks
wiFiMacAddress is a valid variable returned – is that what you are looking for with this module?
Hi Ben,
I’m looking to pull the State (i.e. managed, retire pending) via PowerShell for all devices, but I can’t seem to find that property anywhere. Frustratingly enough, everywhere in the portal(s) it shows up, there’s no export. Any ideas?
This is excellent: is there a way to get a list of users without a device registered to them?
Is there a command to delete/remove a device as an alternative to using the bulk device with this? I have the export with the device name and device ID.
When I’m using Get-IntuneManagedDevice | Out-GridView I’m only getting the 4 columns (@odata.context, @odata.count, @odata.nextlink, Value) which then doesn’t really provide the data in a viewable format. I was using the latest release 1907 but even downloaded the older version in this example and ran into the same issue.
Can anyone help me figure out what I’m doing wrong?
Gavin,
Follow this. https://github.com/microsoft/Intune-PowerShell-SDK/issues/78 . I guess when you breach 1000 devices your command has to look like this Get-IntuneManagedDevice | Get-MSGraphAllPages
Gavin,
I ran into the same issue.
See if this helps.
https://github.com/microsoft/Intune-PowerShell-SDK/issues/78
Is there a way I can sync all devices in a specific Intune group? I have a maintenance window set up to update iOS versions and I want to sync all devices in a group instead of having to sync all iOS devices.
Hi Ben
I’m getting the following when I connect to MS graph in Powershell ISE:
Need admin approval
Microsoft Intune PowerShell
I’m an Intune administrator, but not a Global Administrator. Will I need to get a Global Admin to give approval?
Hello Tom, is there a way to get all corporate windows devices whose check-in time is null and/or use a list from a txt or csv of devices that you would specifically like to check?
Hello Ben, what about piping the results to a csv?
Hello Ben, one more question. I need to run a check based on a list of devices in a txt file for the last check-in time and then output the devices with last check-in time or null value to a csv.
Hello Ben,
I’m looking for a way to use a list of computers from a txt file and check their last check-in time then export to a csv.
Is there a way I can find out what Intune policies and profiles are assigned to a specific device in Intune? Microsoft is asking for this information in an open tech support case.