Using Azure AD authentication with Intune Graph API and PowerShell

In a recent blog post I demonstrated how we can create an Azure AD App registration to configure a native application to control the access to corporate resources in Intune by associating permissions scopes. With that application configured, it’s time to take a look at how we can create a PowerShell function that for acquiring an access token using an Azure AD credential to access Intune Graph API.


Before we dig into the PowerShell code, I assume that you have read my blog post about how to create the Azure AD App registration. See the link below:

Without the application setup properly, you’ll experience issues when attempting to run the authentication function provided in this post.

Authentication PowerShell function

For any PowerShell script that we want to write and access corporate resources through Intune Graph API, we need to authenticate with a valid identity. Acquiring the access token can be accomplished with various methods and below is a PowerShell function that I’ve built to make this process easier:

Simply just copy the code from the above link into any script that you’re writing for automating Intune tasks. At the beginning of your scripts, make sure that you invoke the function to get the access token that can be passed along as the header for Invoke-RestMethod cmdlet. An example of how the function can be used is shown below:

$AuthenticationHeader = Get-MSGraphAuthenticationToken -TenantName "" -ClientID "YOURGUIDHERE"

The function has two mandatory parameters that require input. TenantName should contain the your tenant name, e.g. ClientID should contain the application ID of your Azure AD App registration.

Code sample using the function

A more detailed example of how to use the function is shown below:

# Acquire access token
$AuthenticationHeader = Get-MSGraphAuthenticationToken -TenantName "" -ClientID "YOURGUIDHERE"

# Get a list of applications
$RESTResponse = Invoke-RestMethod -Method Get -Headers $AuthenticationHeader -Uri
if (-not[string]::IsNullOrEmpty($RESTResponse.Value)) {
    foreach ($Application in $RESTResponse.Value) {

Nickolaj Andersen

Chief Technical Architect and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences such as Microsoft Ignite, NIC Conference and IT/Dev Connections including nordic user groups.

Add comment


Categories use cookies to ensure that we give you the best experience on our website.