This is my very first blog post after being awarded Microsoft MVP. During the past few days it was all about processing this new avenue that just opened up in my life and mentally getting ready for it. I will be writing a separate article about that later. For now, I wanted to write about Endpoint Manager/Intune PowerShell tasks. As you may already know, there are no PowerShell modules for Endpoint Manager out of the box, and it needs to be managed via Microsoft Graph. You can use either PowerShell with the Graph API module or the Graph Explorer. I will show the PowerShell way, as I’m sure this is the one a standard IT admin would go for.
If you are a PowerShell nerd like me, you would want something similar to what you have for other services (Azure AD, Teams, Exchange Online etc.).
- Installing Microsoft Graph Module
- What Are The Endpoint Manager/ Intune Related Modules?
- Prepare PowerShell
- Time to Call the Module
- Limiting Access to Intune PowerShell App in AzureAD
- Try Executing Commands
- Final Words
- Upgrade to PowerShell 5.1 or later
- Install .NET Framework 4.7.2 or later
- Update PowerShellGet to the latest version using Install-Module PowerShellGet -Force
- Set PowerShell execution policy to RemoteSigned using Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
Installing Microsoft Graph Module
If you install the Microsoft.Graph module, it will install 38 sub-modules as well. Maybe you don’t need all 38 of them. However, the Microsoft.Graph.Authentication module will get installed along with whichever modules you select. Below are the modules that come with Microsoft.Graph.
What Are The Endpoint Manager/ Intune Related Modules?
Microsoft.Graph.Intune is, I must say, the best module for this, as it contains all the related commands.
You will also see the Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Identity.DeviceManagement modules, which have similar commands. However, I will be writing a separate post on those.
You can run the command below to get Microsoft.Graph.Intune installed:
Install-Module Microsoft.Graph.Intune -Scope AllUsers -Force
If you run Get-Command -Module Microsoft.Graph.Intune, you will see the related commands, as below.
Time to Call the Module
You must have Global Administrator permissions to call the module and to grant consent on behalf of the organization, but that opens up access to everyone. There is a section on limiting access below.
To work with the Intune module, first you have to call the main module, which is MSGraph.
Run Connect-MSGraph and it will prompt you to enter credentials.
That leads to granting the permissions to the module so it can access the required information.
This gives the PowerShell user full (read/write) access.
Select Consent on behalf of your organization and press Accept
When you complete the above task, an Azure AD Application will get created.
If you need to revoke permissions at a later time, you can do so by going to,
Azure AD > Enterprise Applications > Microsoft Intune PowerShell > Permissions
You will see the permissions on the right-hand side pane.
Limiting Access to Intune PowerShell App in AzureAD
Running the commands in the module requires Global Administrator, Intune Administrator or an Intune RBAC role. However, because the app has been granted admin consent, anyone in the organization can sign in to it, which can lead to unwanted issues and security risks. Access to the app has to be restricted.
To set up the restrictions, follow the steps below:
- Go to the Microsoft Intune PowerShell app > Properties
- Set Assignment required? to Yes
- Now that the setting is done, go to Users and groups
- Add users or groups so they will have access to the app
- Make sure the users in this section have the correct Intune/Endpoint Manager access so they will be able to run the commands accordingly
- Anyone not in this section who tries to call the MSGraph module will receive the error below
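One way to verify that the restriction is actually in place, as an added example that is not part of the original post: the script below reads the "Assignment required?" toggle (the appRoleAssignmentRequired property) of the Microsoft Intune PowerShell enterprise app through the Microsoft.Graph.Applications module and lists who is assigned. It assumes that module is installed, that the signed-in account can read service principals, and that the app keeps its default display name.

```powershell
# Added example (not from the original post): check whether the "Microsoft Intune PowerShell"
# enterprise app created by the admin consent is limited to assigned users and groups.
# Assumes Microsoft.Graph.Authentication and Microsoft.Graph.Applications are installed and
# the signed-in account holds Application.Read.All (assumption, not from the post).

function Test-IntunePowerShellAppRestriction {
    param(
        # Display name shown under Azure AD > Enterprise Applications (assumed default)
        [string]$AppDisplayName = 'Microsoft Intune PowerShell'
    )

    Connect-MgGraph -Scopes 'Application.Read.All'

    $sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
    if (-not $sp) {
        Write-Warning "No enterprise app named '$AppDisplayName' found; consent may not have been granted yet."
        return $null
    }

    # AppRoleAssignmentRequired is the 'Assignment required?' switch in the portal
    if ($sp.AppRoleAssignmentRequired) {
        Write-Host "OK: '$AppDisplayName' requires assignment. Assigned principals:"
        Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
            Select-Object PrincipalDisplayName, PrincipalType
        return $true
    }

    Write-Warning "'$AppDisplayName' does NOT require assignment: any user in the tenant can sign in to it."
    Write-Warning "Set Properties > 'Assignment required?' to Yes in the portal, or run:"
    Write-Warning "  Update-MgServicePrincipal -ServicePrincipalId $($sp.Id) -AppRoleAssignmentRequired"
    return $false
}

Test-IntunePowerShellAppRestriction
```

Run it after completing the steps above; a result of $false means the admin consent is still usable by every account in the tenant.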
Try Executing Commands
As a test, I’m running the command below to get details of Intune-managed devices:
Get-IntuneManagedDevice | fl devicename, Operatingsystem, OSversion, Model, Deviceenrollmenttype
In this way you can use your PowerShell knowledge to execute commands and create scripts for various tasks. What you have to be mindful of is the access you are being granted. With the app restrictions in place, you have peace of mind that only the required users have access to the Azure AD app.