Get Started with Microsoft Graph Intune PowerShell Module for Endpoint Manager Tasks

This is my very first blog post after being awarded as a Microsoft MVP and during the past few days it was all about processing this new avenue that just opened up in my life and was mentally getting ready for it. I will be writing a separate article about that later. But for now, I wanted to write about the Endpoint Manager/ Intune PowerShell tasks. As you may already know there are no PowerShell modules for Endpoint Manager out of the box, and it needs to be managed via Microsoft Graph. You can use either PowerShell with the Graph API module or use the Graph Explorer. I will show the PowerShell way as I’m sure this is the one that a standard IT admin would go for.

If you are a PowerShell nerd like me, you would want something similar to other services (Azure AD, Teams, Exchange Online etc.)

  1. Prerequisites
  2. Installing Microsoft Graph Module
  3. What Are The Endpoint Manager/ Intune Related Modules?
  4. Prepare PowerShell
  5. Time to Call the Module
  6. Limiting Access to Intune PowerShell App in AzureAD
  7. Try Executing Commands
  8. Final Words

Prerequisites

  • Upgrade to PowerShell 5.1 or later
  • Install .NET Framework 4.7.2 or later
  • Update PowerShellGet to the latest version using Install-Module PowerShellGet -Force
  • Set PowerShell execution policy to RemoteSigned using Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

Installing Microsoft Graph Module

If you install the Microsoft.Graph module, it will install 38 sub modules as well. Maybe you don’t need all 38 of them. However, Microsoft.Graph.Authentication module will get installed along with the selected modules. Below are the modules that comes with Microsoft.Graph

Ideally Microsoft.Graph.Intune is the best module I must say as it contains all the related commands.

You will also see Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.DeviceManagement modules that has similar commands. However, I will be writing a separate post on that.

Prepare PowerShell

you can run the command below to get the Microsoft.Graph.Intune installed

Install-Module Microsoft.Graph.Intune -Scope AllUsers -Force

If you run the Get-Command -Module Microsoft.Graph.Intune you will see the related commands as below

Time to Call the Module

You must have Global Administrator permissions to call the module and to grant consent on behalf of the organization, but that will open up access to everyone. I have section to discuss about limiting access below.

To work with the Intune module, first you have to call the main module which is MSGraph.

Run Connect-MSGraph and it will prompt you to enter credentials.

And that will lead to granting the Permissions to the module so it can access the required information.

This will give the full access (read/ write) to the PowerShell user.

Select Consent on behalf of your organization and press Accept

When you complete the above task, an Azure AD Application will get created.

If you need to revoke permissions at a later time, you can do so by going to,

Azure AD > Enterprise Applications > Microsoft Intune PowerShell > Permissions

You will see the permissions on the right-hand side pane.

Limiting Access to Intune PowerShell App in AzureAD

To run the specific commands that’s in the modules requires Global Administrator, Intune Administrator or Intune RBAC setup. However, because the app has granted with the Admin consent, anyone in the organization can log in and that can lead to unwanted issues and security risks. This has to be done with restricted access.

To setup the restrictions, check below

  • Go to the Microsoft Intune PowerShell app > Properties
  • Set Assignment required? to Yes
  • And now that the settings are done, go to Users and groups
  • Add users or Groups so they will have access to the app
  • Make sure the users in this section has the correct Intune/ Endpoint Manager access so they will be able run the commands accordingly
  • If someone not in this section is trying to call the MSGraph module will receive the below error

Try Executing Commands

As a test, I’m running the below command to get details of Intune managed devices

Get-IntuneManagedDevice | fl devicename, Operatingsystem, OSversion, Model, Deviceenrollmenttype

Final Words

Now in this way you can use your PowerShell knowledge to execute commands and create scripts for various tasks. What you have to be mindful is the access you are getting granted. With the app restrictions you have a peace of mind that only the required users will have the access to the AzureAD app.

6 thoughts on “Get Started with Microsoft Graph Intune PowerShell Module for Endpoint Manager Tasks

    1. You can read more about service principles here and how to create one. https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals?WT.mc_id=EM-MVP-5004964

      Once the app is created, create a self-signed cert. Check https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate?view=windowsserver2022-ps&viewFallbackFrom=windowsserver2022-ps%3FWT.mc_id%3DEM-MVP-5004964

      Upload the cert to the above created AAD app.

      Once you have the app ready to go use the below connection string.

      Connect-msgraph -TenantId -ApplicationID -CertificateThumbprint

      Hope this helps.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.