Microsoft Graph & Intune Deep Dive Series — Part 1

Series Overview

Microsoft Graph API provides a unified programmability model to access Microsoft Intune data and operations. This comprehensive guide introduces system administrators to the fundamentals of using Microsoft Graph with Intune for device and application management. Whether you’re looking to automate routine tasks or gain deeper insights into your Intune environment, this series will equip you with the necessary knowledge and practical scripts.

This three-part guide will take you from basic concepts to advanced automation scenarios. Each part builds on the previous one, with real-world examples and step-by-step code breakdowns.

Part 1 (This Article): Fundamentals, Authentication, Device Management, Compliance, Configuration, and Application Management
Part 2: Advanced Automation and Reporting
Part 3: Real-life reporting script scenarios

Introduction to Microsoft Graph and Intune

Microsoft Graph is the unified API gateway to access data and intelligence across Microsoft 365, including Intune device management capabilities. For Intune administrators, Graph PowerShell provides powerful automation capabilities for:

  • Device lifecycle management – Enrollment, sync, retire, wipe
  • Compliance monitoring – Policy enforcement and reporting
  • Application deployment – App distribution and status tracking
  • Security management – Threat detection and remediation
  • Reporting and analytics – Custom reports and insights

This series assumes you’re a beginner to intermediate sysadmin familiar with PowerShell basics but new to Microsoft Graph and Intune automation.

Prerequisites and Environment Setup

What You’ll Need

Before starting, ensure you have:

  1. Intune subscription (included in Business Premium, Microsoft 365 E3/E5 or standalone)
  2. Global Administrator or Intune Administrator role
  3. PowerShell 5.1 or PowerShell 7+
  4. Admin access to Azure AD for app registration

Step 1: Install Required Modules

Let’s start by installing the necessary PowerShell modules. We’ll install them one by one to understand each component.

# Microsoft Graph PowerShell SDK (meta module; it already contains Microsoft.Graph.DeviceManagement and the other sub-modules)
Install-Module Microsoft.Graph -Scope CurrentUser -Force
# Older Intune PowerShell SDK module (optional; the Mg* cmdlets used in this article do not depend on it)
Install-Module Microsoft.Graph.Intune -Scope CurrentUser -Force
# Intune device-management cmdlets (already part of Microsoft.Graph; installing it separately is harmless)
Install-Module Microsoft.Graph.DeviceManagement -Scope CurrentUser -Force
# Importing the whole meta module is slow; Import-Module Microsoft.Graph.DeviceManagement is enough for most commands below
Import-Module Microsoft.Graph

Step 2: Create Azure AD App Registration

For production automation, you need an app registration. Let’s do this step-by-step in the Azure Portal:

  1. Navigate to Azure Portal → Azure Active Directory → App registrations
  2. Click New registration
  3. Enter name: Intune-PowerShell-Automation
  4. Select: Accounts in this organizational directory only
  5. Click Register

Copy the following values (you’ll need them):

  • Application (client) ID
  • Directory (tenant) ID

Step 3: Configure API Permissions

Now let’s add the necessary permissions:

  1. In your app registration, go to API permissions
  2. Click Add a permission → Microsoft Graph → Application permissions
  3. Add these permissions:
    • DeviceManagementApps.Read.All
    • DeviceManagementConfiguration.Read.All
    • DeviceManagementManagedDevices.PrivilegedOperations.All
    • DeviceManagementManagedDevices.Read.All
    • DeviceManagementManagedDevices.ReadWrite.All
    • DeviceManagementServiceConfig.Read.All
    • User.Read.All
  4. Click Grant admin consent for [Your Tenant]

Why Application Permissions? These allow scripts to run unattended without user interaction, which is essential for automation. They are not limited by any signed-in user’s rights, so whoever holds the app’s credentials gets the same tenant-wide reach (including wipe, via PrivilegedOperations.All); protect the client secret accordingly.

Step 4: Create Client Secret

  1. Go to Certificates & secrets → New client secret
  2. Select “Client Secret”
  3. Click “New Client Secret”
  4. Add a description and an expiry period.
  5. Click Add
  6. IMPORTANT: Copy the secret value immediately (you won’t see it again!)

Authentication with App registration

You only need to change the first three variables, then execute:

# -------------------------------------------------- Change these variables ----------------------------------------
# Connect using app credentials (the values below are placeholders)
$TenantId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
$ClientId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
$ClientSecret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"   # do not commit a real secret; read it from a vault or environment variable instead

# -------------------------------------------------- Nothing to change here ----------------------------------------
$Scope = "https://graph.microsoft.com/.default"
$AuthUrl = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
# OAuth 2.0 client credentials grant: the app authenticates as itself, no user sign-in
$Body = @{
    client_id = $ClientId
    scope = $Scope
    client_secret = $ClientSecret
    grant_type = "client_credentials"
}
$Connection = Invoke-RestMethod -Method POST -Uri $AuthUrl -Body $Body -ContentType "application/x-www-form-urlencoded"
$AccessToken = $Connection.access_token   # valid for $Connection.expires_in seconds (typically one hour); reconnect when it expires

# Convert token to SecureString (Connect-MgGraph in SDK 2.x only accepts a SecureString token)
$SecureToken = ConvertTo-SecureString -String $AccessToken -AsPlainText -Force

# Use the token for authentication
Connect-MgGraph -AccessToken $SecureToken
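The same app-only sign-in can be done without hand-building the token request: Connect-MgGraph (SDK 2.x) accepts the app credentials directly, and a certificate uploaded to the app registration avoids storing a secret at all. The helper below is an added example, not code from the article; the function name, the certificate thumbprint and the environment variable name are assumptions.

```powershell
# Added example (not from the original article): app-only connection helper.
# Prefers a certificate from the current user's store; falls back to a client secret
# read from an environment variable so the secret never sits in the script file.
function Connect-IntuneGraph {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [string] $CertificateThumbprint,                  # assumption: cert registered on the app
        [string] $SecretEnvVar = 'INTUNE_CLIENT_SECRET'   # assumption: env var holding the secret
    )

    if ($CertificateThumbprint) {
        # Certificate credential: the private key stays in the cert store, nothing to copy from the portal.
        Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
                        -CertificateThumbprint $CertificateThumbprint -NoWelcome
    }
    else {
        $secret = [Environment]::GetEnvironmentVariable($SecretEnvVar)
        if ([string]::IsNullOrEmpty($secret)) {
            throw "Environment variable $SecretEnvVar is not set; refusing to continue."
        }
        # ClientSecretCredential is a PSCredential: user name = client id, password = secret
        $cred = [pscredential]::new($ClientId, (ConvertTo-SecureString $secret -AsPlainText -Force))
        Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $cred -NoWelcome
    }

    # Verify the session really is app-only and carries the roles consented in Step 3.
    $ctx = Get-MgContext
    if ($ctx.AuthType -ne 'AppOnly') { throw "Expected an app-only session, got $($ctx.AuthType)" }

    $required = @('DeviceManagementManagedDevices.Read.All', 'DeviceManagementApps.Read.All')
    $missing  = $required | Where-Object { $_ -notin $ctx.Scopes }
    if ($missing) { Write-Warning "Admin consent missing for: $($missing -join ', ')" }
    return $ctx
}

# Usage (all values are placeholders):
# Connect-IntuneGraph -TenantId '<tenant-id>' -ClientId '<client-id>' -CertificateThumbprint '<thumbprint>'
# Connect-IntuneGraph -TenantId '<tenant-id>' -ClientId '<client-id>'   # secret path, reads $env:INTUNE_CLIENT_SECRET
```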

Device Management

Get All Managed Devices

Permissions: DeviceManagementManagedDevices.Read.All

This command retrieves all devices enrolled in Intune, giving you a complete inventory of your managed endpoints across Windows, iOS, Android, and macOS platforms.

# Get all Intune managed devices
Get-MgDeviceManagementManagedDevice -All | Select-Object DeviceName, OperatingSystem, UserPrincipalName, ComplianceState, LastSyncDateTime

Filter Devices by Operating System

Permissions: DeviceManagementManagedDevices.Read.All

When managing a multi-platform environment, you often need to focus on specific device types. This query helps you isolate devices by their OS for targeted management.

# Get only Windows devices (-All follows paging; without it only the first page is returned)
Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'" -All | Select-Object DeviceName, OSVersion, UserPrincipalName | Format-Table

# Get only iOS devices
Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'iOS'" -All | Select-Object DeviceName, OSVersion, UserPrincipalName | Format-Table

# Get only Android devices
Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Android'" -All | Select-Object DeviceName, OSVersion, UserPrincipalName | Format-Table

[Screenshot: Let’s get Windows devices]

Search Device by Name

Quickly locate a device in your Intune environment by its name, useful when responding to user support requests or security incidents.

Permissions: DeviceManagementManagedDevices.Read.All

# Device Name
$DeviceName = "LAPTOP-ABC123"
# Find device by name
Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'" | Select-Object DeviceName, UserPrincipalName, LastSyncDateTime, ComplianceState

Get Device Details

Permissions: DeviceManagementManagedDevices.Read.All

To troubleshoot or audit a specific device, you need detailed information including hardware specs, enrollment date, and compliance status.

# Device Name
$DeviceName = "PC0111"
# Get device Id (OData property names are camelCase: deviceName, as in the other examples)
$DeviceId = (Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'" -All).Id
# Get specific device information (fetching by Id returns the full property set, including hardware details)
Get-MgDeviceManagementManagedDevice -ManagedDeviceId $DeviceId | Select-Object DeviceName, SerialNumber, Manufacturer, Model, TotalStorageSpaceInBytes, FreeStorageSpaceInBytes

Get Devices by User

Permissions: DeviceManagementManagedDevices.Read.All

When investigating user-specific issues or preparing for offboarding, you need to see all devices associated with a particular user account.

# User Name
$UserName = "a.eljaziri@globalitnow.com"
# Get all devices for specific user
Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$UserName'" | Select-Object DeviceName, OperatingSystem, EnrolledDateTime

Get Non-Compliant Devices

Permissions: DeviceManagementManagedDevices.Read.All

Identifying non-compliant devices is critical for security. This query shows you which devices aren’t meeting your organization’s compliance policies.

# Find non-compliant devices
Get-MgDeviceManagementManagedDevice -Filter "complianceState eq 'noncompliant'" | Select-Object DeviceName, UserPrincipalName, ComplianceState, LastSyncDateTime

Get Devices Not Synced Recently

Permissions: DeviceManagementManagedDevices.Read.All

Devices that haven’t checked in recently may be lost, stolen, or experiencing connectivity issues. This helps you identify potentially problematic devices.

# Find devices not synced in the last 7 days
$SevenDaysAgo = (Get-Date).AddDays(-7)
# -All is required here: without it only the first page of devices is checked
Get-MgDeviceManagementManagedDevice -All | Where-Object {$_.LastSyncDateTime -lt $SevenDaysAgo} | Select-Object DeviceName, UserPrincipalName, LastSyncDateTime

Sync Device with Intune

Permissions: DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementManagedDevices.PrivilegedOperations.All

Force a device to check in with Intune immediately, useful when you’ve just deployed a new policy or app and need immediate results.

# Device Name
$DeviceName = "PC0123456"
# Get device Id
$DeviceId = (Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'" -All).Id
# Force device sync
Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $DeviceId

Restart Device Remotely

Permissions: DeviceManagementManagedDevices.ReadWrite.All

Remote restart capability is essential for applying updates or troubleshooting frozen devices without requiring physical access or user intervention.

# Device Name
$DeviceName = "PC123456"
# Get device Id
$DeviceId = (Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'" -All).Id
# Reboot device remotely
Restart-MgDeviceManagementManagedDeviceNow -ManagedDeviceId $DeviceId

Wipe Device (Factory Reset)

Permissions: DeviceManagementManagedDevices.ReadWrite.All

When a device is lost, stolen, or being decommissioned, a full wipe ensures corporate data doesn’t fall into the wrong hands.

# Device Name
$DeviceName = "PC123456"
# Get device Id
$DeviceId = (Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'" -All).Id

# Factory reset device (removes all data)
Clear-MgDeviceManagementManagedDevice -ManagedDeviceId $DeviceId

Delete Device from Intune

Permissions: DeviceManagementManagedDevices.ReadWrite.All

Remove the device record from Intune entirely. This is typically done after a device has been wiped or is permanently out of service.

# Device Name
$DeviceName = "PC123456"
# Get device Id
$DeviceId = (Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'" -All).Id

# Remove device from Intune management
Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $DeviceId
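Each of the sync, restart, wipe and delete blocks above looks the device up by deviceName, but device names are not unique in Intune (re-enrolled or duplicate records can share one), and `(…).Id` silently becomes an array when that happens. The helpers below are an added example rather than the article’s code: they refuse to act unless the filter matches exactly one record, and route the actions through -WhatIf/-Confirm. Function names are assumptions.

```powershell
# Added example, not from the original article.
# Resolve a device by name (or, preferably, serial number) and insist on exactly one
# match before a sync, restart, wipe or delete is issued against it.
function Resolve-IntuneDevice {
    param([string] $DeviceName, [string] $SerialNumber)
    if ($SerialNumber)   { $filter = "serialNumber eq '$SerialNumber'" }
    elseif ($DeviceName) { $filter = "deviceName eq '$DeviceName'" }
    else { throw 'Specify -DeviceName or -SerialNumber.' }

    $found = @(Get-MgDeviceManagementManagedDevice -Filter $filter -All)
    switch ($found.Count) {
        0 { throw "No managed device matches: $filter" }
        1 { return $found[0] }
        default {
            $list = ($found | ForEach-Object { "$($_.Id) ($($_.UserPrincipalName), last sync $($_.LastSyncDateTime))" }) -join '; '
            throw "Ambiguous: $($found.Count) devices match $filter -> $list"
        }
    }
}

# Destructive actions go through ShouldProcess, so -WhatIf previews and -Confirm prompts
# (ConfirmImpact High means the prompt appears by default).
function Invoke-IntuneDeviceAction {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] $Device,      # object returned by Resolve-IntuneDevice
        [Parameter(Mandatory)] [ValidateSet('Sync', 'Restart', 'Wipe', 'Delete')] [string] $Action
    )
    $label = "$($Device.DeviceName) [$($Device.SerialNumber)] owned by $($Device.UserPrincipalName)"
    if (-not $PSCmdlet.ShouldProcess($label, $Action)) { return }

    switch ($Action) {
        'Sync'    { Sync-MgDeviceManagementManagedDevice       -ManagedDeviceId $Device.Id }
        'Restart' { Restart-MgDeviceManagementManagedDeviceNow -ManagedDeviceId $Device.Id }
        'Wipe'    { Clear-MgDeviceManagementManagedDevice      -ManagedDeviceId $Device.Id }
        'Delete'  { Remove-MgDeviceManagementManagedDevice     -ManagedDeviceId $Device.Id }
    }
}

# Usage: preview first, then run with the confirmation prompt (device name is a placeholder)
# $d = Resolve-IntuneDevice -DeviceName 'PC123456'
# Invoke-IntuneDeviceAction -Device $d -Action Wipe -WhatIf
# Invoke-IntuneDeviceAction -Device $d -Action Wipe
```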

Device Compliance

List All Compliance Policies

Permissions: DeviceManagementConfiguration.Read.All

Compliance policies define the security baseline for your devices. This command shows all active policies and their settings.

# Get all compliance policies (-All follows paging)
Get-MgDeviceManagementDeviceCompliancePolicy -All | Select-Object DisplayName, Description, CreatedDateTime, LastModifiedDateTime

Get Compliance Policy Details

Permissions: DeviceManagementConfiguration.Read.All

Review the specific settings and requirements of a compliance policy to understand what standards devices must meet.

# Compliance Policy name
$PolicyName = "GlobalITnow Compliance Policy for Windows 10/11"

# Get Policy Id (display names are not filterable server-side for this resource, so filter client-side)
$PolicyId = (Get-MgDeviceManagementDeviceCompliancePolicy -All | Where-Object DisplayName -EQ $PolicyName).Id

# Get specific compliance policy details
Get-MgDeviceManagementDeviceCompliancePolicy -DeviceCompliancePolicyId $PolicyId

Check Device Compliance Status

Permissions: DeviceManagementManagedDevices.Read.All

Verify if a specific device meets all compliance requirements, useful for troubleshooting access issues or conditional access blocks.

# Device Name
$DeviceName = "PC0123456"
# Get device Id
$DeviceId = (Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'" -All).Id

# Get compliance status for a device
Get-MgDeviceManagementManagedDevice -ManagedDeviceId $DeviceId | Select-Object DeviceName, ComplianceState, ComplianceGracePeriodExpirationDateTime

Get Compliance Policy Assignments

Permissions: DeviceManagementConfiguration.Read.All

Understanding which policies apply to which groups helps you troubleshoot why certain devices have specific requirements or restrictions.

# Compliance Policy name
$PolicyName = "GlobalITnow Compliance Policy for Windows 10/11"

# Get Policy Id
$PolicyId = (Get-MgDeviceManagementDeviceCompliancePolicy -All | Where-Object DisplayName -EQ $PolicyName).Id

# Get policy assignments (Target is a complex object; its @odata.type and groupId live in Target.AdditionalProperties)
Get-MgDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $PolicyId | Select-Object Id, Target

Application Management

List All Managed Apps

Permissions: DeviceManagementApps.Read.All

View all applications deployed through Intune, including Win32 apps, store apps, and web links across all platforms.

# Get all managed applications
Get-MgDeviceAppManagementMobileApp -All | Select-Object DisplayName, Publisher, CreatedDateTime, LastModifiedDateTime

Get App Details

Permissions: DeviceManagementApps.Read.All

Review comprehensive information about an application including version, size, and deployment settings.

# App name
$AppName = "Trend Micro Antivirus"
# Get App id (OData property names are camelCase)
$AppId = (Get-MgDeviceAppManagementMobileApp -Filter "displayName eq '$AppName'").Id
# Get specific app information
Get-MgDeviceAppManagementMobileApp -MobileAppId $AppId | Select-Object DisplayName, Publisher, Description, CreatedDateTime, PublishingState | Format-Table

Get App Assignments

Permissions: DeviceManagementApps.Read.All

See which groups are assigned to receive an application, helping you understand deployment scope and target users.

# App name
$AppName = "Trend Micro Antivirus"
# Get App id
$AppId = (Get-MgDeviceAppManagementMobileApp -Filter "displayName eq '$AppName'").Id
# Get app assignment groups (Intent shows required/available/uninstall; the group is in Target.AdditionalProperties)
Get-MgDeviceAppManagementMobileAppAssignment -MobileAppId $AppId
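Both the compliance-policy assignments and the app assignments above return a Target object that prints as a type name rather than a group. The function below, an added example and not the article’s code, expands a target into a readable include/exclude/all-devices/all-users description for either kind of assignment. Resolving group display names needs Group.Read.All in addition to the permissions granted in Step 3; the function name and the policy/app names in the usage lines are assumptions.

```powershell
# Added example, not from the original article.
# Turns the raw Target of a compliance-policy or app assignment into a readable description.
# Group name lookup needs Group.Read.All (not in the Step 3 list); failures are reported, not fatal.
function Expand-IntuneAssignmentTarget {
    param([Parameter(Mandatory, ValueFromPipeline)] $Assignment)
    process {
        $t     = $Assignment.Target
        $type  = $t.AdditionalProperties['@odata.type']   # concrete target type
        $group = $t.AdditionalProperties['groupId']       # only present for group targets
        $name  = $null
        if ($group) {
            try   { $name = (Get-MgGroup -GroupId $group -Property DisplayName).DisplayName }
            catch { $name = "<unresolved $group>" }       # deleted group or missing Group.Read.All
        }
        $mode = switch ($type) {
            '#microsoft.graph.allDevicesAssignmentTarget'       { 'All devices' }
            '#microsoft.graph.allLicensedUsersAssignmentTarget' { 'All users' }
            '#microsoft.graph.groupAssignmentTarget'            { "Include group: $name" }
            '#microsoft.graph.exclusionGroupAssignmentTarget'   { "Exclude group: $name" }
            default                                             { "Unknown target type: $type" }
        }
        [pscustomobject]@{
            AssignmentId = $Assignment.Id
            Intent       = $Assignment.Intent   # populated for app assignments only (required/available/uninstall)
            Target       = $mode
            GroupId      = $group
        }
    }
}

# Usage (policy and app names are placeholders)
$PolicyId = (Get-MgDeviceManagementDeviceCompliancePolicy -All | Where-Object DisplayName -EQ 'My Compliance Policy').Id
Get-MgDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $PolicyId | Expand-IntuneAssignmentTarget | Format-Table

$AppId = (Get-MgDeviceAppManagementMobileApp -Filter "displayName eq 'My App'").Id
Get-MgDeviceAppManagementMobileAppAssignment -MobileAppId $AppId | Expand-IntuneAssignmentTarget | Format-Table
```

An exclusion group that never resolves is worth a second look: assignments can keep pointing at deleted groups, which silently widens the deployment scope.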

Security Management

Get Encryption Status

Permissions: DeviceManagementManagedDevices.Read.All

Verify that devices have encryption enabled (BitLocker for Windows, FileVault for macOS) to protect data at rest.

# Check device encryption status (-All: inventory the whole tenant, not just the first page)
Get-MgDeviceManagementManagedDevice -All | Select-Object DeviceName, OperatingSystem, IsEncrypted, EncryptionState

Get Devices with Encryption disabled

Permissions: DeviceManagementManagedDevices.Read.All

List only the devices that report encryption as disabled, so you can follow up on them before they hold sensitive data unprotected.

# Get devices with encryption disabled
Get-MgDeviceManagementManagedDevice -All | Where-Object IsEncrypted -EQ $False | Select-Object DeviceName, OperatingSystem, IsEncrypted, EncryptionState

Get Jailbroken/Rooted Devices

Permissions: DeviceManagementManagedDevices.Read.All

Identify compromised devices that have had security restrictions removed, representing significant security risks.

# Find jailbroken or rooted devices
# JailBroken is a string ("True"/"False"/"Unknown"); PowerShell coerces $true to "True" here, so the comparison works
Get-MgDeviceManagementManagedDevice -All | Where-Object {$_.JailBroken -eq $true} | Select-Object DeviceName, UserPrincipalName, OperatingSystem

No jailbroken or rooted devices in my tenant :
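The four checks in this section (non-compliant, not encrypted, jailbroken/rooted, not synced recently) each pull the whole inventory again. The function below, an added example and not the article’s code, runs them in a single pass over one device list and returns the flagged devices with a per-OS summary; the function name and the CSV path are assumptions.

```powershell
# Added example, not from the original article: one pass over the inventory that applies
# the security checks from this section and returns flagged devices plus a per-OS summary.
function Get-IntuneDeviceRiskReport {
    param([int] $StaleDays = 7)
    $cutoff  = (Get-Date).AddDays(-$StaleDays)
    $devices = Get-MgDeviceManagementManagedDevice -All   # -All: otherwise only the first page is returned

    $flagged = foreach ($d in $devices) {
        $reasons = @()
        if ($d.ComplianceState -eq 'noncompliant') { $reasons += 'NonCompliant' }
        if ($d.IsEncrypted -eq $false)              { $reasons += 'NotEncrypted' }
        # JailBroken is a string ("True"/"False"/"Unknown"), not a boolean
        if ($d.JailBroken -eq 'True')               { $reasons += 'JailbrokenOrRooted' }
        if ($d.LastSyncDateTime -lt $cutoff)        { $reasons += "NoSyncIn${StaleDays}d" }
        if ($reasons.Count) {
            [pscustomobject]@{
                DeviceName = $d.DeviceName
                OS         = $d.OperatingSystem
                User       = $d.UserPrincipalName
                LastSync   = $d.LastSyncDateTime
                Reasons    = $reasons -join ','
            }
        }
    }
    # How many devices per OS are flagged versus the total enrolled for that OS
    $summary = $flagged | Group-Object OS | ForEach-Object {
        [pscustomobject]@{
            OS      = $_.Name
            Flagged = $_.Count
            Total   = @($devices | Where-Object OperatingSystem -EQ $_.Name).Count
        }
    }
    [pscustomobject]@{ Flagged = @($flagged); Summary = @($summary); GeneratedAt = Get-Date }
}

# Usage: print the summary and keep the detail as a dated CSV for follow-up (path is a placeholder)
$report = Get-IntuneDeviceRiskReport -StaleDays 7
$report.Summary | Format-Table
$report.Flagged | Sort-Object Reasons | Export-Csv -Path ".\intune-risk-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```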

Thanks

Aymen EL JAZIRI (Microsoft MVP)

Hi, I’m Aymen El Jaziri, a passionate System Administrator and Microsoft MVP, with years of hands-on experience in managing and securing modern IT infrastructures.
This blog is where I share technical guides, automation scripts, product reviews, and real-world solutions that help IT professionals simplify their day-to-day work and stay ahead in a fast-evolving cloud ecosystem.
Whether you’re here to troubleshoot an issue, improve your automation game, or learn new best practices, welcome to my blog!
Let’s build a stronger, smarter IT community together.
Feel free to connect with me on LinkedIn for more content, discussions, or collaboration opportunities.
