Intune Graph API should be accessible non-interactively
In order to automate tasks with Graph it is essential that scripts can be run non-interactively. Currently the Graph API requires a user login for delegated access to be able to access the /ManagedDevices/ endpoint of the API.
Received confirmation from Peter Richards that this is currently not supported.
Steps to reproduce
Create an Application in Azure
Populate and run this script
$OauthTokenEndpoint = 'https://login.microsoftonline.com/tenantid/oauth2/token'
# Client-credentials grant against the v1 endpoint. Note that this endpoint takes a
# resource, not a scope; application permissions come from the app registration.
$OauthRequest = @{
grant_type="client_credentials"
client_id = "clientidguid"
client_secret = "clientidsecret"
resource = "https://graph.microsoft.com"
scope="DeviceManagementManagedDevices.Read.All"
}
$AuthResponse = Invoke-RestMethod -Uri $OauthTokenEndpoint -Method Post -ContentType application/x-www-form-urlencoded -Body $OauthRequest
$Token = $AuthResponse.access_token
this query completes successfully
$Success = Invoke-restmethod -uri https://graph.microsoft.com/v1.0/users/username@domain.com/ownedDevices -Headers @{Authorization = "Bearer $Token"} -method Get
this query fails with 401 unauthorised
$401Error = Invoke-RestMethod -Headers @{Authorization = "Bearer $Token"} -uri "https://graph.microsoft.com/beta/managedDevices/deviceguid?`$select=hardwareInformation" -Method GET
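The same call done the way the Intune read permissions were eventually shipped, as an added example that is not part of the original post or Microsoft's response: an app-only token from the v2.0 endpoint, a check that the token actually carries the application permission (the usual cause of the 401 above), and a paged read of managed devices. Tenant ID, client ID and the GRAPH_CLIENT_SECRET environment variable are placeholders; the permission name and the /v1.0/deviceManagement/managedDevices endpoint are the real Graph ones.

```powershell
# Added example (not the original poster's code). Assumes an app registration that has been
# granted the DeviceManagementManagedDevices.Read.All *application* permission with admin consent.
param(
    [string]$TenantId     = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$ClientId     = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$ClientSecret = $env:GRAPH_CLIENT_SECRET                 # keep the secret out of the script
)

# v2.0 endpoint: scope is the resource's /.default, which requests every application
# permission an admin has consented to for this app.
$tokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
$body = @{
    grant_type    = 'client_credentials'
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = 'https://graph.microsoft.com/.default'
}
$auth  = Invoke-RestMethod -Uri $tokenUri -Method Post -ContentType 'application/x-www-form-urlencoded' -Body $body
$token = $auth.access_token

# Decode the JWT payload (no signature check: we only inspect the token we just received).
# App-only tokens carry application permissions in the 'roles' claim; delegated tokens carry
# them in 'scp'. If 'roles' lacks the permission, Intune answers 401/403 regardless of the user.
function Get-JwtPayload {
    param([string]$Jwt)
    $segment = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($segment.Length % 4) { 2 { $segment += '==' } 3 { $segment += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}
$claims   = Get-JwtPayload $token
$required = 'DeviceManagementManagedDevices.Read.All'
if (-not ($claims.roles -contains $required)) {
    throw "Token lacks application permission '$required' (roles = $($claims.roles -join ', ')). Grant it on the app registration and admin-consent it."
}

# Read managed devices, following @odata.nextLink until the last page.
$headers = @{ Authorization = "Bearer $token" }
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=id,deviceName,operatingSystem,complianceState,lastSyncDateTime'
$devices = @()
do {
    $page     = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    $devices += $page.value
    $uri      = $page.'@odata.nextLink'
} while ($uri)

$devices | Format-Table deviceName, operatingSystem, complianceState, lastSyncDateTime
```

The roles check is worth keeping in any automation: a token that lists the permission only under scp was obtained with a user (delegated) flow, and a missing roles entry means consent was never granted, both of which produce the same unhelpful 401 as in the report above.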

Take a look at https://docs.microsoft.com/en-us/intune/whats-new for Week of June 24. We added app-only auth permissions for Graph for read operations. We're continuing to work on expanding app-only auth permissions. Right now, we have read permissions for apps, device config profiles, managed devices, rbac roles and the Intune service configuration. It took a while to roll out fully, but it's out now, so calling it complete.
Thanks for your feedback, and thanks for using Intune!
18 comments
-
Jakob Strøm commented
Do we really need to create a new user-voice to get write access? An externally developed tool with read-only access is not really valuable. Your whole Enterprise Application framework is not used to its full extent here.
For other people, please vote this idea:
https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/39904015-intune-graph-api-should-be-writable-non-interactiv
-
Ben Norris commented
Allowing just read only seems unnecessarily restrictive when the main use for non-interactive logins would be automation. From outside it seems bizarre that they can't just have any of the permissions that a user can.
-
Alexander Ostmoen commented
This is great news David! Thanks a lot!
Looking forward to giving this a try :)
-
davidra@microsoft.com commented
Take a look at https://docs.microsoft.com/en-us/intune/whats-new for Week of June 24. We added app-only auth permissions for Graph for read operations. We're continuing to work on expanding app-only auth permissions. Right now, we have read permissions for apps, device config profiles, managed devices, rbac roles and the Intune service configuration.
-
Tim commented
You can completely automate it by running it in Azure PowerShell Runbook, pulling stored credentials from the credential manager in Azure Automation area.
-
Alexander Ostmoen commented
This would really help! Much wanted feature!
-
Rock commented
Microsoft, please add this. Automation is key, especially since there is currently no CMDB offering in Intune aside from leveraging the Graph API programmatically.
-
Jeff Hilfiker commented
Is this still true? This is something we definitely need as well. Our server needs to make queries without user interaction.
-
ON commented
@jseerden: nice try, but we are talking here about Application-level permissions, using the OAuth client credential grant type to get the Bearer token.
Not something using delegated permissions. As you can see here: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/intune_devices_manageddevice_get , it clearly says in the Prerequisites: "Application: Not supported."
-
jseerden commented
You can do this with the Intune PowerShell SDK that's in preview:
I wrote an introduction to this on my blog at https://www.srdn.io/2018/10/intune-powershell-sdk-native-powershell-support-for-the-intune-api-through-microsoft-graph/
-
Jakob Strøm commented
Can't believe this isn't available from the start.
We need this to allow 3rd party developed tools.
-
Joel commented
https://docs.microsoft.com/en-us/intune/intune-graph-apis
Have you all tried the steps here? Seems to work fine for me.
-
Ryan steeno commented
This is a much needed item for the Intune Graph to be consistent with other areas of the Microsoft Graph. Would be nice to see an update on whether or not this item will be put on the roadmap.
-
Pranay Wankhede commented
All I want to confirm is that the admin consent mechanism doesn't work too?
-
Pranay Wankhede commented
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
I am trying to do authentication as per steps mentioned on the above link.
I wasn't able to get managed devices even after admin consent. Can anyone please help as soon as possible? Thanks!
-
Pranay Wankhede commented
I need this feature pretty soon! Thanks!
-
Jannik commented
Much needed feature! I'm wondering why they don't enable that for all endpoints?
-
Bernie commented
When are application permissions being added?