Getting started with Microsoft Intune and PowerShell

With the upcoming release of Microsoft Intune in the Azure portal, we’re finally getting support for automation. Microsoft states that everything that you can do through the Azure portal, is possible to accomplish with PowerShell as well. This becomes possible because Microsoft has built the new portal on top of what’s called Microsoft Graph API. If you were to add a new Device Profile, add an App or create a Compliance Policy, all the actions you take within the portal, is actually being processed by the Microsoft Graph API that communicates with the Microsoft Intune backend. With this knowledge in mind, it’s now possible to start exploring all the possibilities available through the Microsoft Graph API and how it can be used with PowerShell.

UPDATE: This post has been amended and now references the PSIntuneAuth module instead that simplifies the whole authentication process.

Authentication module

Sample script utilizing the authentication module

Nickolaj Andersen

Chief Technical Architect and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences such as Microsoft Ignite, NIC Conference and IT/Dev Connections including nordic user groups.

1 comment

  • Hi Nickolaj,
    I’m trying to do silent authentication to the graph interface to connect to azure like in this blog. But I always get an error trying to get devices stating that I need a different scope.

    Response content:
    “error”: {
    “code”: “Forbidden”,
    “message”: “Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWr
    ite.All – Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 – Activity ID: 7694b3df-1a0d-46ba-aae0-6d67c495185a – Url:
    ssDeviceFEService/managedDeviceOverview?api-version=2017-05-18 – CustomApiErrorPhrase: “,
    “innerError”: {
    “request-id”: “7694b3df-1a0d-46ba-aae0-6d67c495185a”,
    “date”: “2017-07-21T12:00:07”

    When I change the scope in the script, you still get the impersonate_user scope back with the app id. So I changed it to mine and added the secret key to it. After that I always get a eduAdministration scope and not the requested scope.
    Name Value
    —- —–
    Scope EduAdministration.ReadWrite User.Read
    Authorization Bearer eyJ0eXAiO…
    Content-Type application/json
    ExpiresOn 1500642113

    When I do the same interactive I get the right scope back. Any idea how to get that silent authentication working?


Categories use cookies to ensure that we give you the best experience on our website.