Intune Graph API should be accessible non-interactively
In order to automate tasks with Graph it is essential that scripts can be run non-interactively. Currently the Graph API requires a user login for delegated access to be able to access the /ManagedDevices/ endpoint of the API.
Received confirmation from Peter Richards that this is currently not supported.
Steps to reproduce
Create an Application in Azure
Populate and run this script
$OauthTokenEndpoint = 'https://login.microsoftonline.com/tenantid/oauth2/token'
$OauthRequest = @{
granttype="clientcredentials"
clientid = "clientidguid"
clientsecret = "clientidsecret"
resource = "https://graph.microsoft.com"
scope="DeviceManagementManagedDevices.Read.All"
}
$AuthResponse = Invoke-RestMethod -Uri $OauthTokenEndpoint -Method Post -ContentType application/x-www-form-urlencoded -Body $OauthRequest
$Token = $authresponse.access_token
this query completes successfully
$Success = Invoke-restmethod -uri https://graph.microsoft.com/v1.0/users/username@domain.com/ownedDevices -Headers @{Authorization = "Bearer $Token"} -method Get
this query fails with 401 unauthorised
$401Error = Invoke-RestMethod -Headers @{Authorization = "Bearer $Token"} -uri "https://graph.microsoft.com/beta/managedDevices/deviceguid?`$select=hardwareInformation" -Method GET
Shane Wright
shared this idea
Take a look at docs.microsoft.com/en-us/intune/whats-new for Week of June 24. We added app-only auth permissions for Graph for read operations. We’re continuing to work on expanding app-only auth permissions. Right now, we have read permissions for apps, device config profiles, managed devices, rbac roles and the Intune service configuration" It took a while to roll out fully, but it’s out now, so calling it complete.
Thanks for your feedback, and thanks for using Intune!
18 comments
-
Jakob Strøm
commented
Do we really need to create a new user-voice to get write access? An external developed tool with read-only access is not really valuable.. You whole Enterprise Application framework is not used to it's full extend here..
For other people, please vote this idea:
https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/39904015-intune-graph-api-should-be-writable-non-interactiv -
Ben Norris
commented
Allowing just read only seems unnecessarily restrictive when the main use for non-interactive logins would be automation. From outside it seems bizarre that they can't just have any of the permissions that a user can.
-
Alexander Ostmoen
commented
This is great news David! Thanks a lot!
Looking forward to giving this a try :) -
davidra@microsoft.com
commented
Take a look at https://docs.microsoft.com/en-us/intune/whats-new for Week of June 24. We added app-only auth permissions for Graph for read operations. We're continuing to work on expanding app-only auth permissions. Right now, we have read permissions for apps, device config profiles, managed devices, rbac roles and the Intune service configuration.
-
Tim
commented
You can completely automate it by running it in Azure PowerShell Runbook, pulling stored credentials from the credential manager in Azure Automation area.
-
Alexander Ostmoen
commented
This would really help! Much wanted feature!
-
Rock
commented
Microsoft, please add this. Automation is key especially since there is currently no CMDB offering in Intune asides from leveraging Graph API programatically.
-
Jeff Hilfiker
commented
Is this still true? This is something we definitely need as well. Our server needs to make queries without user interaction.
-
ON
commented
@jseerden : nice try, but we are talking here about Application-level permissions, using OAuth client credential grant type to get the Bearer token.
Not something using delegated-permissions.As you can see here : https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/intune_devices_manageddevice_get , it clearly say in the Prerequisites : "Application : Not supported."
-
jseerden
commented
You can do this with the Intune PowerShell SDK that's in preview:
I wrote an introduction to this on my blog at https://www.srdn.io/2018/10/intune-powershell-sdk-native-powershell-support-for-the-intune-api-through-microsoft-graph/
-
Jakob Strøm
commented
Can't believe this isn't available from the start.
We need this to allow 3rd party developed tools.. -
Joel
commented
https://docs.microsoft.com/en-us/intune/intune-graph-apis
Have you all tried the steps here? seems to work fine for me. -
Ryan steeno
commented
This is a much needed item for the Intune Graph to be consistent with other areas of the Microsoft Graph. Would be nice to see an update on whether or not this item will be put on the roadmap.
-
Pranay Wankhede
commented
All I want to confirm is that admin consent mechanism dosen't work too?
-
Pranay Wankhede
commented
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
I am trying to do authentication as per steps mentioned on the above link.
I wasn't able to get managed devices even after admin consent. Can anyone please help as soon as possible? Thanks! -
Pranay Wankhede
commented
I need this feature pretty soon! Thanks!
-
Jannik
commented
Much needed feature! I'm wondering why they don't enable that for all endpoints?
-
Bernie
commented
When are application permissions being added?