
Intune, PowerShell and Graph API: best practices



In this article, we will cover some best practices to know in order to start automating your actions with Intune, PowerShell and Graph API.


Developer mode in browser

What is it?

Your browser, Chrome or Edge, allows you to understand what is happening during a web call on a site. 

This can be done through the developer mode. 

This mode can be opened by pressing F12 in your browser, which will open a configuration panel.

Starting from an action performed in the portal, it lets you see what is done in the background through Graph API.


You will then be able to see: 

- URL of the resource used

- Method used

- Type of body to pass (if needed)


This is one of my favorite features that I always use when MS introduces a new feature.

To access the developer mode, proceed as below:

1. Go to the Intune portal

2. Open the developer mode with F12

3. Go to the Network tab

4. Perform an action from the Intune portal

5. Stop recording the logs from the dev mode

6. Open the Graph URL to understand what is being done


Developer mode in action

We will perform 3 types of actions from the Intune portal with the developer mode open, to see their equivalents in Graph API:

- List all devices

- Rename a device

- Restart a device


Listing devices

1. Go to Devices


2. Open the developer mode with F12


3. Go to the Network tab. The red button indicates that the developer mode is in recording mode

The idea here is to perform the desired action to see what happens behind the scenes.


4. Go to All devices. By clicking on All devices, everything done in the background will be displayed in the developer mode

5. Click on the red icon to Stop recording network log. We want to stop recording here to avoid being overwhelmed by additional actions


6. In the developer mode, all actions performed will be displayed (when we clicked on All devices)


7. We can see an action called managedDevices

8. Click on it

9. The URL of the resource to use is displayed


10. The method to use here is GET

11. A right-click allows you to copy this as PowerShell



Renaming a device

1. Go to Devices

2. Go to All devices

3. Select a device

4. Open the developer mode with F12

5. Go to the Network tab

6. Click on the ...

7. Click on Rename device


8. Enter a new name like POSTE-TEST

9. Click on Rename


10. Click on Stop recording network log

11. In the developer menu, the resource will be displayed

12. Here it is setDeviceName, which is an action with a POST method

13. Click on it


14. The URL of the resource is displayed

15. The method to use is POST

16. Go to the Request Payload section

17. The JSON to use is displayed


18. It should be inserted in JSON format in the request to rename the device


Restarting a device

1. Go to Devices

2. Go to All devices

3. Select a device

4. Open the developer mode with F12

5. Go to the Network tab

6. Click on ...

7. Click on Restart

8. Click on Stop recording network log

9. In the dev menu, the resource is displayed


10. Here, it is rebootNow


11. Click on it

12. The path of the resource is displayed


13. The method to use is POST
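The rename and restart calls captured above can be replayed from PowerShell without reusing the command copied from the browser, which embeds the portal session's bearer token in its headers. This is an added example, not code from the original article: the function name `Invoke-IntuneDeviceAction` and the all-zero device ID are hypothetical, the `deviceName` body property follows the Microsoft Graph documentation for setDeviceName, and the session is expected to come from `Connect-MgGraph`.

```powershell
# Added example: replay the setDeviceName and rebootNow calls seen in the Network tab.
# The token stays inside the Graph SDK session; nothing secret is stored in the script.
Import-Module Microsoft.Graph.Authentication

$GraphRoot = 'https://graph.microsoft.com/beta/deviceManagement/managedDevices'

function Invoke-IntuneDeviceAction {
    # Hypothetical helper name. ConfirmImpact High makes PowerShell ask before acting.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Typed as GUID so the value cannot change the shape of the request path.
        [Parameter(Mandatory)] [guid] $ManagedDeviceId,
        [Parameter(Mandatory)] [ValidateSet('setDeviceName', 'rebootNow')] [string] $Action,
        [string] $NewName
    )
    $params = @{ Method = 'POST'; Uri = "$GraphRoot/$ManagedDeviceId/$Action" }
    if ($Action -eq 'setDeviceName') {
        if ([string]::IsNullOrWhiteSpace($NewName)) { throw 'setDeviceName needs -NewName.' }
        # setDeviceName takes a JSON object carrying the new name; rebootNow has no body.
        $params.Body = @{ deviceName = $NewName } | ConvertTo-Json
        $params.ContentType = 'application/json'
    }
    if ($PSCmdlet.ShouldProcess("$ManagedDeviceId", $Action)) {
        if (-not (Get-MgContext)) { throw 'No Graph session: run Connect-MgGraph first.' }
        Invoke-MgGraphRequest @params
    }
}

# Dry run first: -WhatIf prints what would be sent and calls nothing.
# The GUID below is a constructed placeholder, not a real device.
$id = '00000000-0000-0000-0000-000000000000'
Invoke-IntuneDeviceAction -ManagedDeviceId $id -Action setDeviceName -NewName 'POSTE-TEST' -WhatIf
Invoke-IntuneDeviceAction -ManagedDeviceId $id -Action rebootNow -WhatIf
```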


Graph X-Ray

What is it?

Graph X-Ray is an awesome tool (browser extension) that helps you understand how to perform an action with Graph API and PowerShell. 

This tool is developed by Merill Fernando, see here.


How to install it?

It is available as an extension:

- For Chrome: here

- For Edge: here


Or use the app from the MS Store.

In my case, I use the extension for Chrome.


Proceed as below:

1. Click on the link

2. Click on Add to Chrome

3. Click on Add extension



How to use it?

We will now perform a device listing action and see the equivalent using Graph X-Ray:

1. Go to the Intune portal

2. Go to Devices

3. Activate developer mode with F12

4. Click on the >>>


5. Select Graph X Ray


6. In the Intune portal, go to All devices

7. Graph X-Ray provides:

- The resource used

- How to use it with PowerShell


8. You can then save the PowerShell as a script



Find the right permission

Each action performed requires one or more specific permissions. 

Restarting devices cannot, of course, be done with the same permission as listing devices.


From the MS documentation

Let's reuse the previous example of renaming a device.

We saw that the name of the action was setDeviceName.

Now type the name of the resource + Graph API in Google: setDeviceName Graph API.

We then reach this page.

The permissions section then indicates required permissions to perform this action:


With Find-MgGraphCommand

This is a PowerShell cmdlet that displays the required permission for a Graph resource.

The command to use is: Find-MgGraphCommand (included in the Microsoft.Graph.Authentication module).

Let's reuse the previous example of renaming a device. The URL of the resource is as follows:

To find the required permission, type the following command:

The permissions display will be as below:
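As an added example (not from the original article), the lookup can be scripted for the three actions captured earlier, so that a script requests only the scopes it needs. The URI templates with the `{id}` placeholder and the function name `Get-GraphActionPermission` are assumptions; the lookup uses the command metadata shipped with the module and needs no sign-in.

```powershell
# Added example: list the permissions documented for each captured Graph call.
Import-Module Microsoft.Graph.Authentication

# Actions observed in the Network tab. URI templates are assumptions; {id} is a placeholder.
$actions = @(
    @{ Name = 'List devices';   Method = 'GET';  Uri = '/deviceManagement/managedDevices' }
    @{ Name = 'Rename device';  Method = 'POST'; Uri = '/deviceManagement/managedDevices/{id}/setDeviceName' }
    @{ Name = 'Restart device'; Method = 'POST'; Uri = '/deviceManagement/managedDevices/{id}/rebootNow' }
)

function Get-GraphActionPermission {
    # Hypothetical helper: wraps Find-MgGraphCommand and returns one row per permission.
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $Method,
        [ValidateSet('v1.0', 'beta')] [string] $ApiVersion = 'beta'
    )
    $found = Find-MgGraphCommand -Uri $Uri -Method $Method -ApiVersion $ApiVersion -ErrorAction SilentlyContinue
    if (-not $found) {
        Write-Warning "No command metadata for $Method $Uri ($ApiVersion)"
        return
    }
    # Several command variants can match one URI; flatten and de-duplicate their permissions.
    $found.Permissions | Sort-Object -Property Name -Unique | Select-Object Name, IsAdmin
}

$report = foreach ($a in $actions) {
    Get-GraphActionPermission -Uri $a.Uri -Method $a.Method |
        Select-Object @{ n = 'Action'; e = { $a.Name } }, Name, IsAdmin
}

# Read actions and write actions show up with different scopes; grant them separately.
$report | Format-Table -AutoSize
```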


Graph Explorer

What is it?

Graph Explorer is a web tool that lets you make Graph API requests against your tenant, for your Intune environment or other services.

You can then do the same thing as from the Intune portal.

You can access Graph Explorer via this link

You can access the Graph API documentation via this link

You can see how to use Graph API via this link


What does it look like?

The main part of Graph Explorer is divided into five sections as below:

1. Method choice

2. Graph API version choice

3. URL of the Graph resource

4. Body to insert in the request

5. Response of the request


Available methods

There are different methods allowing you to manage a resource.


Below are the different methods and what they do:

- GET: Get data from a resource

- POST: Create a new resource or perform an action

- PATCH: Update a resource with new values

- PUT: Replace one resource with another

- DELETE: Delete a resource


API versions

The second drop-down menu allows you to choose the API version to use.

Two versions are available: beta or 1.0


Below is an explanation of these different API versions:



Resource input

This field allows you to insert the path of the resource to act upon.

This link always starts with https://graph.microsoft.com

You then need to add the API version (beta or 1.0) and the resource link.

The complete link is composed as follows: Graph Link + API Version + resource link


Body and response section

The first part allows you to insert the body for creating or modifying a resource, such as the name of a device. This body must be in JSON format.

The second part displays the response of your request. The request to list managed devices will list the devices in JSON format.


Graph Explorer in action

In the following example, we will list devices in Intune.

As seen above, the resource to use is as follows: https://graph.microsoft.com/beta/deviceManagement/managedDevices

The method is GET.

Below is the response from this request from Graph Explorer:
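The same request can be sent from PowerShell; the following is an added example, not part of the original article, that builds the URL from the three parts described above, signs in with only the read scope, and follows result paging. The function name `Get-IntuneManagedDevice` and the selected properties are choices made for the example.

```powershell
# Added example: the Graph Explorer GET request from PowerShell, read-only.
Import-Module Microsoft.Graph.Authentication

# Delegated sign-in asking only for the read scope needed to list managed devices.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

function Get-IntuneManagedDevice {
    # Hypothetical helper name; returns every managed device across all result pages.
    param(
        [ValidateSet('v1.0', 'beta')] [string] $ApiVersion = 'beta',
        [string[]] $Select = @('id', 'deviceName', 'operatingSystem', 'complianceState', 'lastSyncDateTime')
    )
    # Graph link + API version + resource link, plus $select to return only the needed fields.
    $uri = 'https://graph.microsoft.com/{0}/deviceManagement/managedDevices?$select={1}' -f
        $ApiVersion, ($Select -join ',')

    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $page.value
        # Results come back in pages; follow @odata.nextLink until it is absent.
        $uri = $page.'@odata.nextLink'
    }
}

$devices = @(Get-IntuneManagedDevice)
"{0} managed devices returned" -f $devices.Count

# The JSON shown in Graph Explorer becomes objects that can be filtered and sorted.
$devices |
    Where-Object complianceState -ne 'compliant' |
    Sort-Object lastSyncDateTime |
    Format-Table deviceName, operatingSystem, complianceState, lastSyncDateTime

# End the session so the cached token is not left behind on the workstation.
Disconnect-MgGraph | Out-Null
```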


Permissions

As mentioned previously, when you want to manage a resource using Graph API, permissions are required.

When a permission is missing, it is visible in Graph Explorer in the Modify permissions section.


