In order to automate tasks with Graph it is essential that scripts can be run non-interactively. Currently the Graph API requires a user login for delegated access to be able to access the /ManagedDevices/ endpoint of the API.

Received confirmation from Peter Richards that this is currently not supported.

Steps to reproduce
Create an Application in Azure
Populate and run this script
$OauthTokenEndpoint = 'https://login.microsoftonline.com/tenantid/oauth2/token';

$OauthRequest = @{
grant_type="client_credentials"
client_id = "clientidguid"
client_secret = "clientidsecret"
resource = "https://graph.microsoft.com"
scope="DeviceManagementManagedDevices.Read.All"
}

$AuthResponse = Invoke-RestMethod -Uri $OauthTokenEndpoint -Method Post -ContentType application/x-www-form-urlencoded -Body $OauthRequest
$Token = $authresponse.access_token

#this query completes successfully
$Success = Invoke-restmethod -uri https://graph.microsoft.com/v1.0/users/username@domain.com/ownedDevices -Headers @{Authorization = "Bearer $Token"} -method Get

#this query fails with 401 unauthorised
$401Error = Invoke-RestMethod -Headers @{Authorization = "Bearer $Token"} -uri "https://graph.microsoft.com/beta/managedDevices/deviceguid?`$select=hardwareInformation" -Method GET

We would like to authenticate to services, like Azure Storage or Azure SQL from an Intune MDM PowerShell script.

However, with PowerShell scripts in Intune MDM the source, including passwords are visible in plain text, for instance when you review the log files in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.

We would like a secure way to safely authenticate with different services from PowerShell scripts in Intune MDM. For instance by being able to preconfigure one or more Credential- or Variable Assets passed (as parameter?) with the PowerShell script configured.

A credential source provider could be Azure Key Vault or Azure Automation Credential- and Variable Assets.

There is the application flow:

1. Admin uploads a mobile application(mobileAppId) as a blob to the Intune web Portal and configures it.
2. User X(Non-Admin) using his mobile device has to install a mobileAppId to his or selected User's(targetUserId) mobile device which was enrolled as well. He(User X) should have the ability to click the button "Install". After clicking the request should be created and sent to the Microsoft Graph API(Intune) or any other(if exists) API. API should send the notification back to the targetUserId's device. After the confirmation message about starting the application installation process should be shown on a mobile device.

I found the Intune beta API documentation. It contains the assign method which assigns the application(mobileAppId) to the Azure AD user group(targetGroupId). This method works fine for Non-Admin users and can be called from enrolled(in Company Portal) mobile devices. However it does not contain any targetUserId parameter.

My suggestion.
To modify existing assign method or add new Assign\Install method which will extend Graph API and give developers the ability to assign the application mobileAppId to the current or selected User (targetUserId) directly without any targetGroupId.

PS: I am not comfortable with creating of personal group for each user in Azure AD :)

We are still in eval phase, and are supposed to use Intune with more than 100000 laptops/desktops in our company.

This means if the laptops have a 3years lifecycle, then there are more than 100 devices that must be deleted every day from Intune DB across the globe.

Please add ability to delete devices using a REST API, based on criterias like "Last Contact Date", as it is also impossible to know if a device has been stolen/lost/sold to broker. So we must be able to extract the attributes shown in Intune for each device, like we do currently with AD and LDAP attributes.

I am looking for Intune to formally support Custom policy, OMA URI Supported Operation - Get

That is, Get the value of the node/policy.

I have been using Intune since beta.

I love the new changes, and an a major fan of MDM/OMAURI management.

I'm not beleiving that I see a this hole in functionality.. you can deploy a configuration, not only just report on it??

I am not seeing support for GET - which is a Baseline Command to the OMA URI heirarchy, respondent on a mdm enrolled device.

Get is the same as Read, and is consumed by a admin/business for knowledge, and well, if your company faces a Security Audit, and or needs to prove baseline configurations then.. hey what about retreiving those in place configurations with, "GET"??

Reference,
https://docs.microsoft.com/en-us/windows/client-management/mdm/accountmanagement-csp

Sure as an Admin using the service, You can plug in Configurations, but under every URI is certainly "GET".

Get is pretty straight forward, it returns the value set on the Node/URI policy.

https://docs.microsoft.com/en-us/intune/custom-settings-windows-10

invariably you can also find this at https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers

Yet, you feed this command to Intune.. and it wont provide this, there is an error.

All Windows 10, Windows family devices like Holo or Hub use OMA URI commands, and it appears Intune does not appear to support the native URI - GET command.

Minimally, if I want to create the OMAURI with a GET command to implicitly probe the IN-PLACE device configuration, it should directly be supported, but it does not appear to be.

I opened support case titled:

Does Intune support Get commands for OMAURI MDM enrolled Windows devices?

Text:

Hello,

I am managing Windows 10 Enterprise and Windows Surface HUB devices in a testing initiative.

I am setting Custom OMA-URI values on all CSPs, and also wanted to receive a little more in the reporting department on those settings, and other settings within OMAURI structure.

I am reviewing MDM depth management, OMAURI MDM management and of that is 'Get' command which appears to be reporting on values set against a devices' CSP settings.

I am aware Intune can issue Templated, or Custom URIs in order to set local values on the MDM device, however, I would like a bit more in the reporting department, as in specific settings inherent on the device vs 'successful/unsuccessful' delivery/enforcement of the URI.

I also want to randomly poll URI values without issuing URI configurations.

If this is possible using Intune, could support help me with how I may use Intune's management power to send Get commands for OMAURI MDM enrolled Windows devices, so I can receive reporting on specific nodes, and the values that are set.

As I am reading, https://docs.microsoft.com/en-us/windows/client-management/mdm/oma-dm-protocol-support;

'Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format'

So this would appear to function very much like directly or remotely opening/querying regedit and viewing the configuration of the registry, Get commands return values to the MDM provider.

So, I'd like to know how I may do this, if supported, and how to read the reporting.

An example, if I want to query this CSP:

DeviceStatus/TPM
This was added in Windows, version 1607.
'DeviceStatus' is is the Node for the TPM query.
The Supported operation is Get.

The use of GET would return the value, so, Custom URI reporting, using GET command, and focusing on the Scope, and Node of the OMAURI command that an Admin could use.
Thanks for you help!

The quick of it, Intune support stated it was not possible!

I deep dived into MDM competitors.. Airwatch.. Open Mobile Alliances' breakdowns on URI and it does appear that Get is a reporting method.. WHAT?

Real world usage:
I would beleive that before any Admin goes meddling with deploying settings to devices or if they purely want to know whats in place (heck, what about those pesky AUDITS), an admin should be aware of the setting value first, and if you wanted to craft the OMA URI to look at the value, GET would be the way you do that.. but cant do that to a MDM enrolled Compliant device?

So, I'm casting my vote for Intune Supporting GET as a baseline URI command!

Thanks!
Alex

Recently, I have worked on scripts to automate post deployment actions for Windows 10 clients deployed with Intune and AutoPilot.

There are a number of points where the deployment script needs to know whether the Windows 10 Client is compliant. I have yet to find any way of detecting the compliance status of the machine through PowerShell, WMI or COM.

I could connect to Azure and query the compliance status but that would involve caching a powerful admin account in a deployment script.

I would like a PowerShell command that I could run from a Windows 10 client using an ordinary user account. The PowerShell command would provide the compliance status of the Windows 10 client.