With the upcoming release of Microsoft Intune in the Azure portal, we’re finally getting support for automation. Microsoft states that everything you can do through the Azure portal can be accomplished with PowerShell as well. This is possible because Microsoft has built the new portal on top of the Microsoft Graph API. Whether you add a new Device Profile, add an App or create a Compliance Policy, every action you take within the portal is actually processed by the Microsoft Graph API, which in turn communicates with the Microsoft Intune backend. With this in mind, it’s now possible to start exploring everything the Microsoft Graph API makes available and how it can be used from PowerShell.
UPDATE: This post has been amended and now references the PSIntuneAuth module instead, which simplifies the whole authentication process.
Authentication module
https://www.powershellgallery.com/packages/PSIntuneAuth
Sample script utilizing the authentication module
https://github.com/MSEndpointMgr/Intune/blob/master/Templates/Script-TemplateWithAuth.ps1
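As an added example (not code from the post or from the PSIntuneAuth project), the following script shows the end-to-end flow the post describes: acquire a token with the module's Get-MSIntuneAuthToken cmdlet, pass the returned header hashtable to Invoke-RestMethod, and page through the managed devices collection. The tenant name and application ID are placeholders, and it is assumed that the app registration used has been granted the DeviceManagementManagedDevices.Read.All permission.

```powershell
# Added example, not from the original post or the PSIntuneAuth module itself.
# Assumptions: PSIntuneAuth is installed from the PowerShell Gallery, the tenant
# name and ClientID below are placeholders, and the app registration behind
# ClientID has been granted DeviceManagementManagedDevices.Read.All.
Install-Module -Name PSIntuneAuth -Scope CurrentUser   # one-time setup

$TenantName = "contoso.onmicrosoft.com"                 # placeholder tenant
$ClientID   = "00000000-0000-0000-0000-000000000000"    # placeholder app (client) ID

# Get-MSIntuneAuthToken returns a hashtable shaped like a set of request headers
# (Authorization, Content-Type, ExpiresOn), so it can be passed straight to -Headers.
$AuthToken = Get-MSIntuneAuthToken -TenantName $TenantName -ClientID $ClientID

$GraphVersion = "beta"   # the Intune device management endpoints were only in beta at the time
$Resource     = "deviceManagement/managedDevices"
$Uri          = "https://graph.microsoft.com/$GraphVersion/$Resource"

try {
    $Response = Invoke-RestMethod -Uri $Uri -Headers $AuthToken -Method Get -ErrorAction Stop

    # Graph returns collections under 'value' and signals further pages with @odata.nextLink.
    $Devices = @($Response.value)
    while ($Response.'@odata.nextLink') {
        $Response = Invoke-RestMethod -Uri $Response.'@odata.nextLink' -Headers $AuthToken -Method Get -ErrorAction Stop
        $Devices += $Response.value
    }

    $Devices | Select-Object deviceName, operatingSystem, complianceState, lastSyncDateTime | Format-Table -AutoSize
}
catch {
    # A 403 here usually means the token was not issued with a DeviceManagement* scope;
    # the response body lists the scopes Graph expected, so surface it instead of swallowing it.
    Write-Warning "Graph request failed: $($_.Exception.Message)"
    if ($_.ErrorDetails.Message) { Write-Warning $_.ErrorDetails.Message }
}
```

The important design point is that the token is requested once and reused for every page of the collection; re-prompting inside the paging loop is what tends to break unattended runs.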
Hi Nickolaj,
I’m trying to do silent authentication to the Graph interface to connect to Azure like in this blog. But I always get an error when trying to get devices, stating that I need a different scope.
Response content:
{
    "error": {
        "code": "Forbidden",
        "message": "Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All – Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 – Activity ID: 7694b3df-1a0d-46ba-aae0-6d67c495185a – Url: https://fef.amsub0102.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/managedDeviceOverview?api-version=2017-05-18 – CustomApiErrorPhrase: ",
        "innerError": {
            "request-id": "7694b3df-1a0d-46ba-aae0-6d67c495185a",
            "date": "2017-07-21T12:00:07"
        }
    }
}
When I change the scope in the script, you still get the impersonate_user scope back with the app ID. So I changed it to mine and added the secret key to it. After that I always get an EduAdministration scope and not the requested scope.
Name            Value
----            -----
Scope           EduAdministration.ReadWrite User.Read
Authorization   Bearer eyJ0eXAiO...
Content-Type    application/json
ExpiresOn       1500642113
When I do the same interactively I get the right scope back. Any idea how to get that silent authentication working?
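The comment above shows a token that was issued, but for the wrong scopes. A useful check before making any Graph call is to decode the token's payload and confirm that at least one of the scopes Graph demanded is actually present. The following is an added example, written by the editor and not part of the post or the comment; the token it inspects is a constructed, unsigned sample whose claims mirror the scopes in the comment, and the helper names (ConvertFrom-Base64Url, Get-JwtPayload, Test-GraphScope) are the editor's own. With a real token, pass the Authorization value from the Get-MSIntuneAuthToken hashtable instead.

```powershell
# Added example, not from the original post or the comment author.
# Decodes the 'scp' claim of an access token so the granted delegated scopes can be
# compared against what Graph requires before the request is sent.

function ConvertFrom-Base64Url {
    # JWT segments are base64url encoded (-/_ instead of +// and no padding).
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtPayload {
    # Accepts either the raw token or the full "Bearer <token>" header value.
    param([Parameter(Mandatory)][string]$Token)
    $parts = ($Token -replace '^Bearer\s+', '') -split '\.'
    if ($parts.Count -lt 2) { throw "Value is not a JWT (expected header.payload.signature)" }
    return ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-GraphScope {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string[]]$AnyOf    # request is allowed if at least one of these is granted
    )
    $claims = Get-JwtPayload $Token
    # Delegated (user) tokens carry scopes in 'scp'; application-only tokens carry them in 'roles'.
    $granted = @()
    if ($claims.scp)   { $granted += ($claims.scp -split ' ') }
    if ($claims.roles) { $granted += $claims.roles }
    $match = $granted | Where-Object { $AnyOf -contains $_ }
    [pscustomobject]@{
        Granted  = $granted
        Required = $AnyOf
        Allowed  = [bool]$match
    }
}

# Constructed sample token: {"alg":"none"} header, payload with the scopes from the comment, empty signature.
# This is not a token that was ever issued; it only reproduces the claim shape.
$headerSeg  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('{"alg":"none","typ":"JWT"}')).TrimEnd('=')
$payloadSeg = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes(
    '{"aud":"https://graph.microsoft.com","scp":"EduAdministration.ReadWrite User.Read","exp":1500642113}')).TrimEnd('=')
$SampleToken = "Bearer $headerSeg.$payloadSeg."

# The two scopes the Forbidden response in the comment says are acceptable.
$Required = 'DeviceManagementManagedDevices.Read.All', 'DeviceManagementManagedDevices.ReadWrite.All'

$result = Test-GraphScope -Token $SampleToken -AnyOf $Required
$result
if (-not $result.Allowed) {
    Write-Warning "Token lacks any of: $($Required -join ', '). Granted: $($result.Granted -join ', ')"
}
```

For the constructed sample, Allowed comes back $false with Granted listing EduAdministration.ReadWrite and User.Read, which is exactly the mismatch the 403 body reports. Running this check on a token obtained non-interactively versus one obtained interactively makes it immediately visible whether the difference lies in the token that was issued or in the request that was made.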