This is my very first blog post since being awarded Microsoft MVP, and the past few days were all about processing this new avenue that just opened up in my life and getting mentally ready for it. I will be writing a separate article about that later. But for now, I wanted to write about Endpoint Manager/Intune PowerShell tasks. As you may already know, there is no PowerShell module for Endpoint Manager out of the box, and it needs to be managed via Microsoft Graph. You can use either PowerShell with the Graph API module or the Graph Explorer. I will show the PowerShell way, as I'm sure this is the one a standard IT admin would go for.
If you are a PowerShell nerd like me, you would want something similar to what the other services (Azure AD, Teams, Exchange Online etc.) offer.
- Prerequisites
- Installing Microsoft Graph Module
- What Are The Endpoint Manager/ Intune Related Modules?
- Prepare PowerShell
- Time to Call the Module
- Limiting Access to Intune PowerShell App in AzureAD
- Try Executing Commands
- Final Words
Prerequisites
- Upgrade to PowerShell 5.1 or later
- Install .NET Framework 4.7.2 or later
- Update PowerShellGet to the latest version using Install-Module PowerShellGet -Force
- Set PowerShell execution policy to RemoteSigned using Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
Installing Microsoft Graph Module
If you install the Microsoft.Graph module, it will install 38 sub-modules as well. You may not need all 38 of them; however, the Microsoft.Graph.Authentication module will get installed along with whichever modules you select. Below are the modules that come with Microsoft.Graph.

What Are The Endpoint Manager/ Intune Related Modules?
Microsoft.Graph.Intune is the best module for this, I must say, as it contains all the related commands.
You will also see the Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Identity.DeviceManagement modules, which have similar commands. However, I will be writing a separate post on those.
Prepare PowerShell
You can run the command below to get Microsoft.Graph.Intune installed:
Install-Module Microsoft.Graph.Intune -Scope AllUsers -Force

If you run Get-Command -Module Microsoft.Graph.Intune, you will see the related commands as below.

Time to Call the Module
You must have Global Administrator permissions to call the module and to grant consent on behalf of the organization, but that will open up access to everyone. There is a section below on limiting that access.
To work with the Intune module, you first have to connect to Microsoft Graph.
Run Connect-MSGraph and it will prompt you to enter credentials.

That will lead to granting the permissions to the module so it can access the required information.
This will give full (read/write) access to the PowerShell user.
Select Consent on behalf of your organization and press Accept.

When you complete the above task, an Azure AD Application will get created.
If you need to revoke permissions at a later time, you can do so by going to
Azure AD > Enterprise Applications > Microsoft Intune PowerShell > Permissions
You will see the permissions on the right-hand side pane.

Limiting Access to Intune PowerShell App in AzureAD
Running the specific commands in the module requires Global Administrator, Intune Administrator or an Intune RBAC setup. However, because the app has been granted admin consent, anyone in the organization can log in to it, and that can lead to unwanted issues and security risks. Access to the app has to be restricted.
To set up the restrictions, check below.
- Go to the Microsoft Intune PowerShell app > Properties
- Set Assignment required? to Yes

- Now that the settings are done, go to Users and groups
- Add users or groups so they will have access to the app

- Make sure the users in this section have the correct Intune/Endpoint Manager access so they will be able to run the commands accordingly
- If someone not in this section tries to call the MSGraph module, they will receive the below error

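To verify that the restriction above is actually in place, here is an added audit script (not from the original post) that reads the "Microsoft Intune PowerShell" enterprise app with the Microsoft.Graph PowerShell SDK, checks that user assignment is required, and lists the assigned users/groups and the consented delegated permissions. It assumes the Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns modules are installed and the signed-in user can consent to Application.Read.All and Directory.Read.All.

```powershell
# Added example (not from the original post): audit the "Microsoft Intune PowerShell"
# enterprise app created by admin consent. Assumes Microsoft.Graph SDK modules and
# a user allowed to read applications and directory objects.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# The display name is the one shown under Azure AD > Enterprise Applications
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune PowerShell'"
if (-not $sp) { throw 'Enterprise app not found; nobody has consented to it yet.' }

# "Assignment required? = Yes" in the portal maps to appRoleAssignmentRequired = $true
if ($sp.AppRoleAssignmentRequired) {
    Write-Host "OK: user assignment is required for '$($sp.DisplayName)'"
} else {
    Write-Warning "Anyone in the tenant can sign in to '$($sp.DisplayName)'; set 'Assignment required?' to Yes"
}

# Users and groups currently assigned to the app (the Users and groups blade)
Write-Host "`nAssigned principals:"
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType, CreatedDateTime |
    Format-Table -AutoSize

# Delegated permissions granted on behalf of the organization (the Permissions blade)
Write-Host 'Consented delegated permissions:'
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
    Select-Object ConsentType, Scope |
    Format-List
```

Run it after changing the assignment setting to confirm the change took effect, and periodically to catch assignments that were added outside of your change process.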
Try Executing Commands
As a test, I'm running the below command to get details of Intune managed devices:
Get-IntuneManagedDevice | fl devicename, Operatingsystem, OSversion, Model, Deviceenrollmenttype

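Going one step further than the single command above, here is an added script (not from the original post) that uses the same Microsoft.Graph.Intune session to pull every managed device, page by page, and flag devices that are not compliant or have not checked in recently. It assumes Connect-MSGraph has already succeeded; the 30-day staleness threshold is an assumption chosen for illustration.

```powershell
# Added example (not from the original post): report Intune managed devices that are
# noncompliant or stale. Assumes an existing Connect-MSGraph session from the
# Microsoft.Graph.Intune module; the 30-day cutoff is an arbitrary assumption.
$staleDays = 30
$cutoff = (Get-Date).AddDays(-$staleDays)

# Get-IntuneManagedDevice returns one page at a time; Get-MSGraphAllPages follows
# the @odata.nextLink so large tenants are fully enumerated.
$devices = Get-IntuneManagedDevice | Get-MSGraphAllPages

$report = foreach ($d in $devices) {
    $issues = @()
    # complianceState values include compliant, noncompliant, inGracePeriod, unknown
    if ($d.complianceState -ne 'compliant') {
        $issues += "compliance=$($d.complianceState)"
    }
    # lastSyncDateTime is the last time the device checked in with Intune
    if ([datetime]$d.lastSyncDateTime -lt $cutoff) {
        $issues += "no sync since $(([datetime]$d.lastSyncDateTime).ToString('yyyy-MM-dd'))"
    }
    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            DeviceName = $d.deviceName
            User       = $d.userPrincipalName
            OS         = "$($d.operatingSystem) $($d.osVersion)"
            Model      = $d.model
            Enrollment = $d.deviceEnrollmentType
            Issues     = $issues -join '; '
        }
    }
}

'{0} of {1} managed devices need attention' -f @($report).Count, @($devices).Count
$report | Sort-Object DeviceName | Format-Table -AutoSize
```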
Final Words
In this way you can use your PowerShell knowledge to execute commands and create scripts for various tasks. What you have to be mindful of is the access you are being granted. With the app restrictions you have peace of mind that only the required users will have access to the Azure AD app.
How do we execute Intune PowerShell commands using a service principal name? User accounts keep asking for MFA when you try to connect to MS Graph.
You can read more about service principals here and how to create one. https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals?WT.mc_id=EM-MVP-5004964
Once the app is created, create a self-signed cert. Check https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate?view=windowsserver2022-ps&viewFallbackFrom=windowsserver2022-ps%3FWT.mc_id%3DEM-MVP-5004964
Upload the cert to the above created AAD app.
Once you have the app ready to go, use the below connection string.
Connect-msgraph -TenantId -ApplicationID -CertificateThumbprint
Hope this helps.
Is any specific permission needed for that created app to Connect-MSGraph?
It depends on what you need to achieve: Read.All or ReadWrite.All permissions that you provide via the API permissions in the app.
Thank you. It's a very useful article and it really helped me.