Play with MS Graph Explorer to interact with Intune
https://www.systanddeploy.com/2019/11/play-with-ms-graph-explorer-to-interact.html
In this post, we will see what Graph Explorer is and how it can be used to interact with Intune.
In my previous posts I explained how to build your own free lab for Intune and Autopilot.
Now let's go a bit further and manage Intune using Graph Explorer, covering the points below:
- What is Graph Explorer
- How Graph Explorer is organized
- How to find specific Intune data
- Graph Explorer first authentication
- Manage Graph Explorer permissions
- List Deployment profiles from Graph Explorer
- Change Deployment profile value from Graph Explorer
- Create a new deployment profile from Graph Explorer
- Remove a deployment profile from Graph Explorer
- Reboot a device from Graph Explorer
What is MS Graph?
Microsoft Graph allows you to interact with Office 365 and Azure resources.
With Graph you can access a lot of data from Office 365, Enterprise Mobility + Security and Windows 10.
The idea of Graph is that all data is interconnected and you can access all the data on which you have rights.
MS Graph contains APIs that allow you to manage, for instance:
- Azure Active Directory
- Office 365 services: SharePoint, OneDrive, Outlook/Exchange, Microsoft Teams, OneNote, Planner, and Excel
- Enterprise Mobility and Security services: Identity Manager, Intune, Advanced Threat Analytics, and
- Windows 10 services: activities and devices
in order to list, update or remove data. It uses the MS Graph API to interact with Intune.
What is Graph Explorer?
Graph Explorer is a website that allows you to interact with Office 365 and Azure resources such as Intune.
In this post, we will use it to manage Intune data such as deployment profiles, or execute actions such as rebooting a device.
You can access Graph Explorer on this link.
You can access the Graph API doc here.
See here how to use the Graph API.
Graph Explorer organization
Graph Explorer looks as below:
Available methods
The part below allows you to perform an action. It is composed of three parts.
The ComboBox below allows you to choose what you want to do. As you can see, there are 5 actions available.
See below what they do:
- GET: Read data from a resource.
- POST: Create a new resource, or perform an action.
- PATCH: Update a resource with new values.
- PUT: Replace a resource with a new one.
- DELETE: Remove a resource.
Choose the API version
The second ComboBox below allows you to choose the API version to use.
See below what they are:
Resource part
The field below allows you to enter the resource you want to manage.
This link always starts with: https://graph.microsoft.com
Then you have to specify the API version and the resource link.
The complete link will be as below:
Graph link + API version + Resource link
For instance, to manage deployment profiles, the resource link is the following:
/deviceManagement/windowsAutopilotDeploymentProfiles
The full resource link will be:
https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles
Part to update values
The text zone below allows you to type the new values to create or the data to update.
Result view
The text zone below will list the data or an error message.
How to find specific Intune data
We want to manage Autopilot deployment profiles. For that we will proceed as below:
1. Open the MS Doc Graph API here
2. In the search bar, type profile
3. Select what you want
4. Check the query from the GET part as below
Now we will list device actions from Graph Explorer.
1. In the search bar type managed device
2. Select Managed device
3. You will see the actions that you can perform using Graph, such as rebooting a computer
Now, to use Graph Explorer, we will need to log on.
Graph Explorer authentication
1. Click on Sign in with Microsoft
2. Choose your account
Now let's see how to list devices from Graph Explorer.
For that we will use the managed device part.
1. In the first ComboBox select GET
2. In the second, select Beta
3. The query part starts with https://graph.microsoft.com/beta
4. In the query bar add: /deviceManagement/managedDevices
5. Click on Run query
6. The below error will appear
This error appears because each action needs specific authorization. Now let's see how to manage permissions.
Graph Explorer permissions
List required permissions
To see how to manage your permissions, check the MS Doc link of the action you want to do.
1. In the MS Doc Graph search bar, type: managed devices
2. Select managed device
3. Go to the GET part
4. Check the Prerequisites part
5. All required permissions are listed there
Change permissions
Now let's change permissions
1. On the Red part, click on modify your permissions
2. Many permissions will be listed
3. Change the appropriate permissions, then click on Modify permissions
4. Click on Accept
List device again
1. In the first ComboBox select GET
2. In the second, select Beta
3. In the query bar add: /deviceManagement/managedDevices
4. Click on Run query
5. The success warning will be displayed and values will be displayed in the result part
List Deployment profiles: GET
Now let's see how to list available deployment profiles from Graph Explorer.
Previously in this article we have seen which part to use from MS doc to manage deployment profiles.
See the link here.
1. In the query bar type /deviceManagement/windowsAutopilotDeploymentProfiles
2. Click on Run query
3. Deployment profiles will be listed
Change deployment profile value: PATCH
We want to change the description of the profile to My profile description
The ID of this profile is 7444ad3c-28f0-44f9-886f-55ea17071810
See below the profile list from Intune before the change
Let's see how to proceed:
1. In the first ComboBox select PATCH
2. In the query bar, type: deviceManagement/windowsAutopilotDeploymentProfiles and the ID
3. In the first text zone type the below query
4. Click on Run query
5. A success warning will be displayed
6. In Intune we can see our change
7. To check change from Graph Explorer, change the action from PATCH to GET
8. In the query bar, add the ID of the profile we have changed
9. Click on Run query
10. We can see our change
Create a new deployment profile: POST
Now we will create a new deployment profile from Graph Explorer.
It's pretty simple: we will copy an existing profile query and change some values.
1. Select the GET action
2. Check the previous profile value
3. Copy the query from the result part, as below
4. In the action part, select POST
5. In the first text zone copy the below query
6. Remove the ID line
7. Change values as you want
8. In our case the query will be the below one
9. See below the deployment profiles list from Intune before
10. Click on Run query
11. See below the deployment profiles list from Intune after
Remove a deployment profile: DELETE
Now we will remove the profile we have just created using Graph Explorer.
1. The device ID is: 86435600-4961-423b-b6a2-4a091d885090
2. In the action part, select DELETE
3. In the query bar type: deviceManagement/windowsAutopilotDeploymentProfiles/ID
4. Click on Run query
5. See below the deployment profiles list from Intune
Reboot a device from Graph Explorer
So far we have seen how to use different actions to get, change or delete a value.
Now let's execute a specific action, such as rebooting a specific device.
As mentioned previously, on the MS doc website you can navigate through Intune data.
One of the resources, called Manageddevice, allows you to manage your devices, including actions such as the reboot.
You can find this action easily by using the search bar.
1. In the search bar, type reboot
2. Click on rebootNow action
3. You can access this action on this link
4. See below required permissions for this action
5. See below the HTTP request part
6. We will use: POST /deviceManagement/managedDevices/{managedDeviceId}/rebootNow
7. The action to use is POST
8. The query template to use is: /deviceManagement/managedDevices/{managedDeviceId}/rebootNow
9. To restart a specific device, we will need its ID.
10. To get it use the GET action and the deviceManagement/managedDevices query
11. We will restart the device with ID: 259aaf6f-af5f-4d6c-9aff-94b354c2f36c
12. Add /rebootNow to the selected device, as below:
13. Click on Run query
14. An error message is displayed; as mentioned before, we will have to manage permissions
15. Click on modify your permissions
16. A quick reminder about required permissions for the reboot
17. Change the appropriate permission then click on Modify permission
18. Click on Accept
19. A success warning is displayed
20. If you check on the device from Intune, you will see a pending restart
21. The device is now being restarted
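Added example, not part of the original post: the permission errors met in the device listing and reboot sections depend on which delegated scopes the signed-in session holds. The Python code below reads the scp claim of an access token, builds each request as Graph link + API version + resource link, and names the least-privileged scope still to consent. The token is a constructed, unsigned sample, the scope names are those given in Microsoft's Graph documentation (confirm them in each action's Prerequisites part), the PATCH body is an assumed minimal one, and token_scopes, plan and REQUIRED are names chosen for this example.

```python
import base64
import json

GRAPH = "https://graph.microsoft.com"
DEVICES = "/deviceManagement/managedDevices"
PROFILES = "/deviceManagement/windowsAutopilotDeploymentProfiles"

# Delegated scopes per call, least-privileged first (from Microsoft's Graph docs; verify there).
REQUIRED = {
    ("GET", DEVICES): ["DeviceManagementManagedDevices.Read.All",
                       "DeviceManagementManagedDevices.ReadWrite.All"],
    ("GET", PROFILES): ["DeviceManagementServiceConfig.Read.All",
                        "DeviceManagementServiceConfig.ReadWrite.All"],
    ("PATCH", PROFILES + "/{id}"): ["DeviceManagementServiceConfig.ReadWrite.All"],
    ("POST", DEVICES + "/{id}/rebootNow"): [
        "DeviceManagementManagedDevices.PrivilegedOperations.All"],
}

def token_scopes(access_token):
    """Read the 'scp' claim of a JWT access token (inspection only, no signature check)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("scp", "").split())

def plan(method, template, granted, item_id="", version="beta", body=None):
    """Build Graph link + API version + resource link; name the scope still to consent."""
    accepted = REQUIRED[(method, template)]
    return {
        "method": method,
        "url": GRAPH + "/" + version + template.replace("{id}", item_id),
        "body": None if body is None else json.dumps(body),
        "consent_needed": None if granted & set(accepted) else accepted[0],
    }

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed, unsigned sample token: sign-in scope plus read-only device access.
SAMPLE_TOKEN = (_b64({"alg": "none"}) + "."
                + _b64({"scp": "User.Read DeviceManagementManagedDevices.Read.All"}) + ".")

if __name__ == "__main__":
    granted = token_scopes(SAMPLE_TOKEN)
    print(plan("POST", DEVICES + "/{id}/rebootNow", granted,
               "259aaf6f-af5f-4d6c-9aff-94b354c2f36c"))
    # Assumed minimal body for the description change described in the post.
    print(plan("PATCH", PROFILES + "/{id}", granted, "7444ad3c-28f0-44f9-886f-55ea17071810",
               body={"description": "My profile description"}))
```

Consenting only to the scope reported in consent_needed, rather than ticking every device management permission in the list, keeps the session limited to the action being tested.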