Intune, PowerShell and Graph API: best practices
In this article, we will cover some best practices to know in order to start automating your actions with Intune, PowerShell and Graph API.
Developer mode in browser
What is it?
Your browser, Chrome or Edge, allows you to understand what is happening during a web call on a site.
This can be done through the developer mode.
This mode can be opened by pressing F12 in your browser, which will open a configuration panel.
Starting from an action performed in the portal, it lets you see which Graph API calls are made in the background.
You will then be able to see:
- URL of the resource used
- Method used
- Type of body to pass (if needed)
This is one of my favorite features that I always use when MS introduces a new feature.
To access the developer mode, proceed as below:
1. Go to the Intune portal
2. Open the developer mode with F12
3. Go to the Network tab
4. Perform an action from the Intune portal
5. Stop recording the logs from the dev mode
6. Open the Graph URL of the recorded request to understand what is being done
Developer mode in action
We will see 3 types of actions that we will do from the Intune portal while opening the developer mode at the same time to see the equivalence with the Graph API:
- List all devices
- Rename a device
- Restart a device
Listing devices
1. Go to Devices
2. Open the developer mode with F12
3. Go to the Network tab. The red button indicates that the developer mode is in recording mode
The idea here is to perform the desired action to see what happens behind the scenes.
4. Go to All devices. By clicking on All devices, everything done in the background will be displayed in the developer mode
5. Click on the red icon to Stop recording network log. We want to stop recording here to avoid being overwhelmed by additional actions
6. In the developer mode, all actions performed will be displayed (when we clicked on All devices)
7. We can see an action called managedDevices
8. Click on it
9. The URL of the resource to use is displayed
10. The method to use here is GET
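11. A right-click allows you to copy the request as PowerShell. The copied command includes the request headers, among them the Authorization bearer token of your portal session, so strip that header before saving or sharing the script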
Renaming a device
1. Go to Devices
2. Go to All devices
3. Select a device
4. Open the developer mode with F12
5. Go to the Network tab
6. Click on the ...
7. Click on Rename device
8. Enter a new name like POSTE-TEST
9. Click on Rename
10. Click on Stop recording network log
11. In the developer menu, the resource will be displayed
12. Here it is setDeviceName, which is an action with a POST method
13. Click on it
14. The URL of the resource is displayed
15. The method to use is POST
16. Go to the Request Payload section
17. The JSON to use is displayed
18. It should be inserted in JSON format in the request to rename the device
Restarting a device
1. Go to Devices
2. Go to All devices
3. Select a device
4. Open the developer mode with F12
5. Go to the Network tab
6. Click on ...
7. Click on Restart
8. Click on Stop recording network log
9. In the dev menu, the resource is displayed
10. Here, it is rebootNow
11. Click on it
12. The path of the resource is displayed
13. The method to use is POST
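The three requests captured above can be replayed from PowerShell with Invoke-MgGraphRequest, which authenticates through your own Connect-MgGraph session. This is an added example, not code from the original article: the function names, the name pattern and the device name POSTE-OLD are assumptions, and the JSON body for setDeviceName follows the Graph documentation for that action.

```powershell
# Added example, not from the original article. Assumes an existing session, e.g.
#   Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'
# Rename and restart need further scopes (see "Find the right permission").
$GraphBase = 'https://graph.microsoft.com/beta/deviceManagement/managedDevices'

function Get-AllManagedDevices {
    # GET managedDevices; results are paged, so follow @odata.nextLink to the end.
    $uri = $GraphBase + '?$select=id,deviceName,operatingSystem'
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $page.value                       # emit this page's devices
        $uri = $page.'@odata.nextLink'    # $null on the last page ends the loop
    }
}

function Rename-ManagedDevice {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][guid]$DeviceId,
        # Name pattern is an assumption of this example; adapt it to your naming policy.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9-]{1,15}$')][string]$NewName
    )
    # POST .../setDeviceName with a JSON body carrying the deviceName property.
    $body = @{ deviceName = $NewName } | ConvertTo-Json
    if ($PSCmdlet.ShouldProcess("$DeviceId", "Rename to $NewName")) {
        Invoke-MgGraphRequest -Method POST -Uri "$GraphBase/$DeviceId/setDeviceName" `
            -Body $body -ContentType 'application/json'
    }
}

function Restart-ManagedDevice {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][guid]$DeviceId)
    # POST .../rebootNow; this action takes no request body.
    if ($PSCmdlet.ShouldProcess("$DeviceId", 'Restart device')) {
        Invoke-MgGraphRequest -Method POST -Uri "$GraphBase/$DeviceId/rebootNow"
    }
}

# Usage: 'POSTE-OLD' is a hypothetical current name. -WhatIf previews the call
# without sending it; drop it to execute (you are then prompted to confirm).
$device = Get-AllManagedDevices | Where-Object { $_.deviceName -eq 'POSTE-OLD' } |
    Select-Object -First 1
if ($device) { Rename-ManagedDevice -DeviceId $device.id -NewName 'POSTE-TEST' -WhatIf }
```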
Graph X-Ray
What is it?
Graph X-Ray is an awesome tool (browser extension) that helps you understand how to perform an action with Graph API and PowerShell.
This tool is developed by Merill Fernando, see here.
How to install it?
It is available as an extension:
- For Chrome: here
- For Edge: here
Or use the app from the MS Store.
In my case, I use the extension for Chrome.
Proceed as below:
1. Click on the link
2. Click on Add to Chrome
3. Click on Add extension
How to use it?
We will now perform a device listing action and see the equivalent using Graph X-ray:
1. Go to the Intune portal
2. Go to Devices
3. Activate developer mode with F12
4. Click on the >>>
5. Select Graph X Ray
6. In the Intune portal, go to All devices
7. Graph X-Ray provides:
- The resource used
- How to use it with PowerShell
8. You can then save the PowerShell as a script
Find the right permission
Each action performed requires one or more specific permissions.
Restarting devices cannot, of course, be done with the same permission as listing devices.
From the MS documentation
Let's use again the previous example of renaming a device.
We saw that the name of the action was setDeviceName.
Now type the name of the resource + Graph API in Google: setDeviceName Graph API.
This takes us to this page.
The permissions section then indicates required permissions to perform this action:
With Find-MgGraphCommand
This is a PowerShell cmdlet that displays the required permission for a Graph resource.
The command to use is: Find-MgGraphCommand (included in the Microsoft.Graph.Authentication module).
Let's use again the previous example of renaming a device. The URL of the resource is as follows:
To find the required permission, type the following command:
The permissions display will be as below:
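The lookup described in this section can be scripted for any request URL captured in the Network tab. The following is an added example, not code from the original article: the function names are hypothetical, the all-zero device id is a placeholder, and the result compares the permissions reported by Find-MgGraphCommand with the scopes of the current session returned by Get-MgContext.

```powershell
# Added example, not from the original article. Requires Microsoft.Graph.Authentication.
function Get-GraphRequestPermission {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][ValidateSet('GET','POST','PATCH','PUT','DELETE')][string]$Method
    )
    # Split a URL copied from the Network tab into API version and relative path.
    if ($Uri -notmatch '^https://graph\.microsoft\.com/(?<ver>v1\.0|beta)(?<path>/[^?]+)') {
        throw "Not a Microsoft Graph URL: $Uri"
    }
    $version = $Matches.ver
    # Replace concrete object ids (GUIDs) with a placeholder before the lookup.
    $path = $Matches.path -replace '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}', '{id}'
    Find-MgGraphCommand -Uri $path -Method $Method -ApiVersion $version |
        Select-Object -ExpandProperty Permissions |
        Sort-Object -Property Name -Unique
}

function Test-GraphSessionScope {
    param([Parameter(Mandatory)][string]$Uri, [Parameter(Mandatory)][string]$Method)
    $context = Get-MgContext
    if (-not $context) { throw 'No Graph session. Run Connect-MgGraph first.' }
    $accepted = @(Get-GraphRequestPermission -Uri $Uri -Method $Method)
    $held     = @($accepted | Where-Object { $context.Scopes -contains $_.Name })
    [pscustomobject]@{
        Request    = "$Method $Uri"
        Accepted   = $accepted.Name
        Held       = $held.Name
        # Assumption: one accepted permission is enough. $null means the SDK
        # metadata lists no permission, so check the documentation page instead.
        Authorized = if ($accepted.Count) { $held.Count -gt 0 } else { $null }
        # Session scopes this request does not use: review them for least privilege.
        Unrelated  = @($context.Scopes | Where-Object { $_ -notin $accepted.Name })
    }
}

# Usage with the rename action; the all-zero device id is a placeholder.
$renameUrl = 'https://graph.microsoft.com/beta/deviceManagement/managedDevices/' +
    '00000000-0000-0000-0000-000000000000/setDeviceName'
Test-GraphSessionScope -Method POST -Uri $renameUrl
```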
Graph Explorer
What is it?
Graph Explorer is a web tool that lets you make Graph API requests against your tenant, for your Intune environment or for other services.
You can then do the same thing as from the Intune portal.
You can access Graph Explorer via this link
You can access the Graph API documentation via this link
You can see how to use Graph API via this link
What does it look like?
The main part of Graph Explorer is divided into five sections as below:
1. Method choice
2. Graph API version choice
3. URL of the Graph resource
4. Body to insert in the request
5. Response of the request
Available methods
There are different methods allowing you to manage a resource.
Below are the different methods and what they do:
- GET: Get data from a resource
- POST: Create a new resource or perform an action
- PATCH: Update a resource with new values
- PUT: Replace one resource with another
- DELETE: Delete a resource
API versions
The second drop-down menu allows you to choose the API version to use.
Two versions are available: beta or 1.0
Below is an explanation of these different API versions:
Resource input
This field allows you to insert the path of the resource to act upon.
This link always starts with https://graph.microsoft.com
You then need to add the API version (beta or 1.0, written v1.0 in the URL) and the resource link.
The complete link is composed as follows: Graph Link + API Version + resource link
Body and response section
The first part allows you to insert the body for creating or modifying a resource, such as the name of a device. This body must be in JSON format.
The second part displays the response of your request. The request to list managed devices will list the devices in JSON format.
Graph Explorer in action
In the following example, we will list devices in Intune.
As seen above, the resource to use is as follows: https://graph.microsoft.com/beta/deviceManagement/managedDevices
The method is GET.
Below is the response from this request from Graph Explorer:
Permissions
As mentioned previously, when you want to manage a resource using Graph API, permissions are required.
When a permission is missing, you can see it in the Modify permissions section of Graph Explorer.