List Intune roles permissions status with Graph and PowerShell


In this post, I will show you how to list all available permissions and their status for each Intune role using Graph and PowerShell.

Context
Intune roles allow you to use built-in roles or create custom ones to apply permissions to specific accounts.
This way you can choose what a given user can do in Intune, for instance whether this user can manage a device or only read its properties.
Those roles are available from the Intune portal as below:

There are different kinds of roles, as you can see in the picture above.
There are also different permission categories, as below:

You can enable or disable individual actions in each category.
The set of actions is the same for every role; only their status differs.
See below some of the actions you can allow for a role to manage devices:
Or for device configuration:

Get the script

What do we want?
- List permissions for each role, meaning which actions are enabled
- List all available permissions and, for each one, display whether it is enabled or not for each role.

The issue
Using Graph, you can list all roles and their permissions.
However, only enabled actions are listed.
To get the status of each action we will proceed in two steps:
- List all available actions for Intune roles
- Compare all those actions with the actions enabled for each role

Intune roles in Graph
Find the resource
In this part we will check, from Graph, how to access the roles the same way you can from the portal.
To do this with PowerShell we will use Microsoft Graph.
First let's check in the Graph reference doc how to manage roles, link here.
1. In the search bar, type role
2. Go to role definitions

3. Go to the Get part to see the resource used to access this part
4. The resource to use is: /deviceManagement/roleDefinitions
5. See the full link: https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions
6. This will return values as below

7. You may have noticed that two properties are available:
- allowedResourceActions: actions that are enabled from the Intune portal
- notAllowedResourceActions: actions that are not (I guess).

Check on Graph Explorer
Now we will use the resource and check its content from Graph Explorer.
To understand how to use Graph Explorer, see my previous post here.
1. Open Graph Explorer
2. Choose the Get method
3. In the query part type: https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions
4. Click on Run query
5. This will return permissions as below:

The issue is that notAllowedResourceActions is always empty, so the query only lists enabled actions.

Get a list of all actions
To list all available actions, we will use the resource: resourceOperations
See here for more information.

1. Go to the Get part in the link above
2. The resource to use is: /deviceManagement/resourceOperations

3. The full link is: https://graph.microsoft.com/v1.0/deviceManagement/resourceOperations
4. See below what it returns:

5. As you may have noticed, each action has its own ID.
For instance, if you enable the Read action for the category Android for work, this will add the following ID: Microsoft.Intune_AndroidSync_Read

If we go back to the list of enabled permissions (see below), we can see that when a permission has been enabled for an action, the ID of this action is added to allowedResourceActions (the same ID as above).
The value used to compare the full list of actions with the permissions of a specific role will therefore be this ID.


Do this with PowerShell
Now let's do this with our favourite language: PowerShell :-)
You can easily manage Intune with Graph using the module Microsoft.Graph.Intune.
I won't explain how to use it in this post; you can see this in my post here.
Let's search for the cmdlets we will use.

Get roles permissions
For this we will check the available cmdlets to manage roles, using the command below:
See below the result:

To list the enabled actions for each role we will use the cmdlet: Get-DeviceManagement_RoleDefinitions
See below the result:

We now have the first part. Next we have to get all available actions.

Get all actions
As mentioned above, to list all available actions the resource to use is: resourceOperations
Now we will just look for the cmdlet matching resourceOperations.
The cmdlet to use is: Get-DeviceManagement_ResourceOperations
See below the result of this cmdlet:

Alright we have our two parts.

Script in action
For each role, the script lists:
- All available actions
- For each action, the status of this action (enabled or not)

See below the result of the script.

Of course you can also filter per role.
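As an added example (not the post's own script, which you can download from the link above), here is the two-step comparison written with the Microsoft.Graph.Intune module: it assumes you are already signed in with Connect-MSGraph, that Get-MSGraphAllPages is available in the module to follow paging, and the role name used for the filter is just an assumption.

```powershell
# Added example, not the post's own script. Assumes the Microsoft.Graph.Intune module
# is installed and the session is already authenticated with Connect-MSGraph.
Import-Module Microsoft.Graph.Intune

# Step 1: every action Intune exposes, identified by its ID (e.g. Microsoft.Intune_AndroidSync_Read).
# Get-MSGraphAllPages follows @odata.nextLink so the full list is returned, not only the first page.
$script:AllActions = Get-DeviceManagement_ResourceOperations | Get-MSGraphAllPages |
    Select-Object id, resourceName, actionName

# Step 2: every role definition with the actions enabled in the portal (allowedResourceActions).
$script:Roles = Get-DeviceManagement_RoleDefinitions | Get-MSGraphAllPages

function Get-IntuneRolePermissionStatus {
    <#
      Returns one object per (role, action) pair with an Enabled flag.
      -RoleName (optional) restricts the output to a single role displayName.
    #>
    param([string]$RoleName)

    foreach ($role in $script:Roles) {
        if ($RoleName -and $role.displayName -ne $RoleName) { continue }

        # Flatten rolePermissions -> resourceActions -> allowedResourceActions into a lookup set.
        # Any action ID missing from this set is disabled for the role, since
        # notAllowedResourceActions comes back empty from Graph.
        $ids = @($role.rolePermissions.resourceActions.allowedResourceActions | Where-Object { $_ })
        $enabled = [System.Collections.Generic.HashSet[string]]::new([string[]]$ids)

        foreach ($action in $script:AllActions) {
            [pscustomobject]@{
                Role     = $role.displayName
                Category = $action.resourceName   # e.g. AndroidSync
                Action   = $action.actionName     # e.g. Read
                Id       = $action.id
                Enabled  = $enabled.Contains($action.id)
            }
        }
    }
}

# All roles, all actions, with their status
Get-IntuneRolePermissionStatus | Format-Table Role, Category, Action, Enabled -AutoSize

# Filter on a single role (the role name is an assumption; use a displayName from your tenant)
Get-IntuneRolePermissionStatus -RoleName 'Help Desk Operator' | Where-Object { -not $_.Enabled }
```

The second call is a quick way to review which actions a role does not have, which is useful when checking that a custom role stays within least privilege.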
