In order to automate tasks with Graph it is essential that scripts can be run non-interactively. Currently the Graph API requires a user login for delegated access to be able to access the /ManagedDevices/ endpoint of the API.

Received confirmation from Peter Richards that this is currently not supported.

Steps to reproduce
Create an Application in Azure
Populate and run this script
$OauthTokenEndpoint = 'https://login.microsoftonline.com/tenantid/oauth2/token';

$OauthRequest = @{
grant_type="client_credentials"
client_id = "clientidguid"
client_secret = "clientidsecret"
resource = "https://graph.microsoft.com"
scope="DeviceManagementManagedDevices.Read.All"
}

$AuthResponse = Invoke-RestMethod -Uri $OauthTokenEndpoint -Method Post -ContentType application/x-www-form-urlencoded -Body $OauthRequest
$Token = $authresponse.access_token

#this query completes successfully
$Success = Invoke-restmethod -uri https://graph.microsoft.com/v1.0/users/username@domain.com/ownedDevices -Headers @{Authorization = "Bearer $Token"} -method Get

#this query fails with 401 unauthorised
$401Error = Invoke-RestMethod -Headers @{Authorization = "Bearer $Token"} -uri "https://graph.microsoft.com/beta/managedDevices/deviceguid?`$select=hardwareInformation" -Method GET

There is the application flow:

1. Admin uploads a mobile application(mobileAppId) as a blob to the Intune web Portal and configures it.
2. User X(Non-Admin) using his mobile device has to install a mobileAppId to his or selected User's(targetUserId) mobile device which was enrolled as well. He(User X) should have the ability to click the button "Install". After clicking the request should be created and sent to the Microsoft Graph API(Intune) or any other(if exists) API. API should send the notification back to the targetUserId's device. After the confirmation message about starting the application installation process should be shown on a mobile device.

I found the Intune beta API documentation. It contains the assign method which assigns the application(mobileAppId) to the Azure AD user group(targetGroupId). This method works fine for Non-Admin users and can be called from enrolled(in Company Portal) mobile devices. However it does not contain any targetUserId parameter.

My suggestion.
To modify existing assign method or add new Assign\Install method which will extend Graph API and give developers the ability to assign the application mobileAppId to the current or selected User (targetUserId) directly without any targetGroupId.

PS: I am not comfortable with creating of personal group for each user in Azure AD :)

We would like to authenticate to services, like Azure Storage or Azure SQL from an Intune MDM PowerShell script.

However, with PowerShell scripts in Intune MDM the source, including passwords are visible in plain text, for instance when you review the log files in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.

We would like a secure way to safely authenticate with different services from PowerShell scripts in Intune MDM. For instance by being able to preconfigure one or more Credential- or Variable Assets passed (as parameter?) with the PowerShell script configured.

A credential source provider could be Azure Key Vault or Azure Automation Credential- and Variable Assets.

We are still in eval phase, and are supposed to use Intune with more than 100000 laptops/desktops in our company.

This means if the laptops have a 3years lifecycle, then there are more than 100 devices that must be deleted every day from Intune DB across the globe.

Please add ability to delete devices using a REST API, based on criterias like "Last Contact Date", as it is also impossible to know if a device has been stolen/lost/sold to broker. So we must be able to extract the attributes shown in Intune for each device, like we do currently with AD and LDAP attributes.