Discussion on "Get Intune Compliance data using PowerShell leveraging Graph API"

Ondrej Sebela · 2021-07-20T09:25:51.397Z

Getting compliance data from Intune web interface can be a pain in the ass. Post from Ola Strom about getting compliance data from Intune using Graph API inspired me to create PowerShell functions for such task. TL;DR We will create App registrati...

Hi Ondrej Sebela I was trying to do similar thing but for device configurations so I know what devices have which configurations set properly and which failed. I was able to list some statuses "an block" but so far I did not manage to query status of configuration for particular device - well at least not through PS (I did end up digging into Intune using developer tools and checking how it displays the device state via standard GET/POST). Have you ever tried to dig this information using MgGraph modules?

I don't have such function, but to get all intune policies for a given account check doitpshway.com/get-all-intune-policies-assigned-t… (uses doitpshway.com/get-all-intune-policies-using-powe… in the background)
if you know the correct API URI, you can easily translate it back to the corresponding cmdlet by Find-MgGraphCommand -Uri "graph.microsoft.com/v1.0/deviceManagement" (just replace the URI part)
if you want to check policy status directly on the client itself, check doitpshway.com/get-a-better-intune-policy-report-…
this is how I am getting other types of reports, so it might help doitpshway.com/get-intune-reports-using-powershel…

Thanks Ondrej Sebela will check that. Coming from the other MDMs I share your frustration of terrible reporting capabilities of Intune :)

Very good: clever innovative idea, well laid-out and associated code quality appears very good.

Hi Ondrej,

Thanks for you published work, I've found it very useful so far.

I've chosen to use MSAL.PS to acquire a header, alongside a self-signed certificate, rather than the hard-coded secret.

Regardless of that: many people have environments large enough that their token will expire. Can you suggest a simple method of handling token refresh when calling your functions to avoid such scenarios?

Many thanks,

Stevie

For those interested in using MSAL.PS and certs instead of New-IntuneAuthHeader:

generate a self-signed certificate key-pair on your computer
add its public key to the App Reg you created as documented by Ondrej
install the MSAL.PS module
use Get-MsalToken to acquire a token

# store your thumbprint
$thumbprint = <your certificate's thumbprint> # this is visible in your registered app's Credentials and Secrets section once it has been added

# store the path to your private key based on the thumbprint
$path = "Cert:\CurrentUser\My\" + $thumbprint

# set a hashtable for the connection parameters
$connectionDetails = @{
            'TenantId'          = <your tenant Id>
            'ClientId'          = <your app's client ID>
            'ClientCertificate' = Get-Item -Path $path
        }

$token = Get-MsalToken @connectionDetails

# create an auth header from that token
 $header = @{
            'Authorization' = $token.CreateAuthorizationHeader()
        }

you can now use the above $header when calling either of Ondrej's awesome functions.

Thank you 🙂

According the expired header. I saw solution on the internet where custom new attribute is put into $header variable with time of the token generation. Not sure what the token lifetime is but before you use it, you can then check whether it is valid and if not generate the new one...

Discussion

Get Intune Compliance data using PowerShell leveraging Graph API

Responses(2)

Recent in Forum

Search Hashnode

Get Intune Compliance data using PowerShell leveraging Graph API

Responses(2)

Recent in Forum