Intune APIs in Microsoft Graph

>>Hello and welcome. My name is David Randall, and we're going to talk today about Microsoft Graph and the Intune APIs. Let's first get started by talking about Microsoft Graph in general, and then we'll dive into the Intune APIs and show you exactly how they work in Graph.

Microsoft Graph is our unified REST API, and it's a comprehensive developer experience that you can use for integrating data and intelligence exposed by Microsoft services. Let's take a look at specifically what you can do with Graph. Microsoft Graph allows you to access user, group and organizational data. As you're building your applications, you'll take one endpoint, one authentication token for any of the users that are accessing data stored in Microsoft Graph. For example, if an organization has SharePoint, Outlook, OneNote, Planner, Teams or Intune, all of that data can be accessed by using a single graph.microsoft.com endpoint.

In order to use that endpoint, you're going to call an API. The base URL for the Graph API is simply https://graph.microsoft.com. The next thing that you're going to do is add a version to the end of that URL. The versions are either going to be v1.0 or beta. Beta indicates that the API is in preview. After that, you're going to append a resource. A resource is the specific bit of information that you're querying Graph for. For example, it could be users, or sites, or drives, or Intune managed devices. After that resource, optionally, you can specify a specific member from the collection of resources. You can also get a specific property of that member. And because of the way that Graph has data about all of the different services and they're linked together, you can use a navigation property to traverse to related resources. Lastly, in order to make your query much more useful, you can add a variety of different query parameters, such as a select query, or you can order by a specific field, or you can filter on a specific property. For example, in this query I'm using filter equals user principal name equals '[email protected]'. Now if I were to run this query, it would simply return to me the one user whose principal name was [email protected]

All of the Graph APIs are OData compliant. So if you spend a little bit of time and research OData, you'll find all of the different ways that you can leverage Graph APIs and query information in Intune and other Graph-hosted services.

When you're calling Graph, you're going to use one of five different standard HTTP methods: GET, POST, PUT, PATCH and DELETE. GET will allow you to retrieve the information; POST, PUT and PATCH will add or change the data; and of course DELETE will delete an individual resource that you specify. JSON is the format of all of the data exchanged using Graph, so you'll retrieve information in JSON format, or you'll format that data and send it over to the Graph API in JSON format as well.

A few things that you need to know when you're building your applications with Graph. An Azure Active Directory global administrator for the company must consent your app in their tenant. You have to define specific permission scopes for your application, and those go along with the consent that a global administrator performs. The Graph API will return a lot of information, and so the Graph API supports, and oftentimes requires, paging. In the case of Intune, we'll typically return a thousand objects per page. Graph also supports a new feature called batching. This allows you to specify several commands all in one single entry. It's usually faster if you do use batching. Lastly, I want you to watch the changelog. This indicates all of the new and updated APIs in Graph.

Now, I know you want to get to build applications for Intune, and there are a couple of things that you need to know. First off, all of our Intune APIs require delegated permissions. So you're going to be logging in with an app-plus-user token. All of our APIs support Intune role-based access control. That means you have specific permissions that need to be granted for the functions that you're performing in your app. All our Intune APIs will also support auditing. So, if your application changes things in Intune, those change events will be audited. And as of January this year, many of our APIs are now generally available, or in v1.0. Some of them are also still in beta. So you'll need to make sure that you check both the v1.0 and beta code trees.

Let's spend a little bit of time in Graph Explorer and see exactly how this works. First off, I'm in the Azure portal and I'm looking at the overview for Intune. I'll select "Graph Explorer", and you'll notice I'm authenticated and logged in as the same user as I was in the Azure portal. Now, to help me along, I've got a couple of scripts that I've saved off in Notepad. So let's go take a look at the very first one. We're going to copy this and I'm going to paste it into Graph Explorer, which I think is just a fantastic tool for being able to easily understand all of the things you can do with Graph. When I click "Run Query" and the query executes, it's going to tell me some basic information about the different devices that I have enrolled. In this case, you can see I've got five Android devices, two iOS devices, some Windows Mobile and Windows.

Now the reason why we started out in the Azure portal is because, in fact, if we look at the list of devices, I have 11 compliant devices. This matches what we saw in Graph Explorer. The total number of devices is 11 devices. Let's go ahead and run the device overview, and you notice in the list of data that was returned by Graph, we have Android, iOS, Mac and Windows devices: five Android, two iOS and so forth. Now if we go over to the Azure portal and we look at the overview of the devices, you'll see that this doughnut chart matches exactly the same numbers. And the reason why is because the Azure portal is using that exact same Graph API call to return the information to display in the chart. So that is to say, everything that you can do in the Azure portal for Intune is called via Graph, and you can call it separately yourself.

So let's take a look at a couple of other things that you can do with Graph. If I want to look at individual managed devices, those are the devices that have been enrolled in Intune. Let's take a look at that query. When I run it, you'll notice from my scrollbar that I've got a lot of data. This is all of the detailed information for every one of the devices that have been enrolled in Intune. Let's take a look; here's one specifically, David Windows phone, that was enrolled on 4/17 of 2018. It's marked as compliant. We don't know whether it's been jailbroken. We can see a bunch of other properties, both hardware information as well as device information for this particular device. And in fact, if we went over to the Azure portal and we looked at a list of all devices, we'd find exactly that same one in the Azure portal. So if we come over and look at the list of all devices in Intune, we'll see exactly the same list of devices that we had over in Graph Explorer. And here's the David Windows Phone, 4/17/2018. So here's the specific record of information that we saw over in Graph Explorer.

So to continue on with some of the other things we can do with Graph Explorer, the next thing that I want to take a look at is a specific device, and just the device name and the user who logged in or enrolled that device. So here, I've given a select query, and we'll see the device name as well as the user who enrolled that particular device. So, a good example of how you can limit the list of data that you get back from Graph, rather than seeing lots and lots of properties of information.

The next thing we'll take a look at is device categories. Oftentimes, you need to build some lists in your code that tie various pieces of Intune together. So, if we go take a look at our device categories, we'll see we have one called Eastern Region, one called Western Region, Southern. If we go back to the Azure portal, and we go to our "Device Enrollment" and look at "Device Categories", you'll see exactly the same list: Western Region, Eastern, Southern, Boston and so forth. It's easy to tie together the data from a variety of different locations in the Azure portal by using Graph Explorer or Graph queries.

Now, many of you are managing applications with Intune. So, let's take a look at the mobile apps. Actually, I'm just going to grab this one, which is a filter to only show the specific application name, or the display name. So, here's a list of the applications that I've got: PowerPoint, Excel, CanvasPaint, Zillow, Home Remote and so forth. Again, really easy to get all of the data for all the applications that are in Intune.

I mentioned the fact that any of the change events that you did in Intune are audited. So, let's take a look at what audit events look like. A lot of times, our customers are interested in pushing audit events over to a security event and incident monitoring system. Here's a list of all of the different activities that were performed in Intune, who did them, and what the specific result was for those change events. So auditing is a great way for you to extend the capabilities of Intune changes into a reporting solution.

So, we've done a lot of GETs. The next thing that I'd love to show you is how we can actually make some changes in Intune. So, the first thing that I'm going to do is, we'll stay here in Device Management, but I'm going to go take a look at Role Definitions. Now, role definitions are where our role-based access control is defined, and we have a role here called the Policy and Profile Manager, and there are several more that are down here. Let's take a look at what they look like in the console. If I go to "Intune roles" and look at a list of all my roles, here's that Policy and Profile Manager. You notice we have several built-in roles and a couple of custom roles. So, we'll leave this right where it is. Now, I'm going to go over, and on the same role definition endpoint, I'm going to put that text into my request body. So, by changing from GET to POST, we'll have Graph Explorer go create for me a new Role Definition using the data that's in the request body. We'll go run that, and because I've got a Status Code 200, I've succeeded. Here's the result that was generated by the back-end, and it matches the permissions that I had listed in my request body. Let's go back to the portal, click "Refresh", and we now see that we have a Graph Explorer Role that we just created. So, it was very easy for us to create a new object in Intune by just using a POST against the same endpoint that we used for the GET. In fact now, if we do a GET on our Role Definitions and scroll to the bottom of the list, we should see our... here is our role created in Graph Explorer, and here are the permissions that were generated for it.

Now, the last thing that I can do, because I have the ID of this particular role, and oftentimes you're going to need to reference your Intune objects by ID: if I add a slash and the ID and run a query, you'll see now that I only get back the one role. So, the last action that we're going to perform is a delete, and clean up the work that we just did. When I run the query, again a Status Code 200 indicates success. We'll go back and refresh our list, and you'll see that our Graph Explorer Role is now gone. So, that's a quick tour of many of the different things that you can do in Graph Explorer with Intune APIs.

Now that we've covered Graph Explorer, here are some of the other resource APIs that you're going to want to take a look at. In the first column on the left are application-related APIs for mobile applications, or managed applications. Those are going to be the core ones that you're querying. Now, I know a lot of customers use app protection policies, so the managed app policy is where you'll find those policies. A lot of Intune information also has status, like the Managed App Status, which indicates how those application deployments are succeeding, whether or not they're pending, or whether or not they failed. In addition, things like Windows Information Protection Policy, VPP tokens and managed eBooks are all part of the device app management area. On the right-hand side are device-related APIs such as managed devices, which we took a look at; terms and conditions or enrollment profiles, which are used as new employees enroll with Intune; or device enrollment configurations. Device configuration device state summaries indicate whether or not your devices are enrolled and compliant, or you can create new configuration policies using the device configurations endpoint. Lastly, we took a look at the Role Definitions to see how Intune's RBAC roles can be viewed and created.

I hope you've seen how easy it is to use Intune and Microsoft Graph. There are a couple of things that I'd like you to do now. First, I want you to go to the Intune Resources Page at the highlighted link below and spend a little bit of time; make sure that you understand all of how to program Graph with Intune. Second, if you're using PowerShell, we have a great set of PowerShell cmdlets that are available on a GitHub repository. Take some time, look through all of those. They've got great examples of how to leverage Intune APIs and Microsoft Graph. Lastly, go code. Have some fun and make Intune the center of your showpiece. Thanks.
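The URL structure (base, version, resource, member, property, OData query options), the @odata.nextLink paging and the $batch packaging the talk describes, as an added Python example that is not part of the original talk or of Microsoft's own SDKs. The transport and the managedDevices records are constructed stand-ins so it runs offline, and the $skiptoken form of the next link is an assumption.

```python
from collections import Counter
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com"
SAFE = "',()"  # characters OData values may keep unescaped in the query string

def graph_url(resource, version="v1.0", member=None, prop=None, **params):
    """base + version + resource [+ member id] [+ property or navigation],
    then OData query options: select="a,b" becomes $select=a,b, filter=... $filter."""
    url = "/".join(p for p in (GRAPH, version, resource, member, prop) if p)
    if params:
        url += "?" + "&".join(f"${k}={quote(v, safe=SAFE)}" for k, v in params.items())
    return url

def fetch_all(get, url, max_pages=100):
    """Follow @odata.nextLink until the collection is exhausted (Intune hands back
    about a thousand objects per page). `get` is any callable url -> decoded JSON."""
    items = []
    for _ in range(max_pages):
        page = get(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
        if not url:
            return items
    raise RuntimeError("paging did not terminate within max_pages")

def batch_body(relative_urls):
    """JSON body for POST /{version}/$batch: several GETs in one round trip.
    URLs are relative to the version segment, e.g. /deviceManagement/deviceCategories."""
    return {"requests": [{"id": str(i), "method": "GET", "url": u}
                         for i, u in enumerate(relative_urls, start=1)]}

def count_by_os(devices):
    """Rebuild the device-overview numbers from a managedDevices listing."""
    return dict(Counter(d["operatingSystem"] for d in devices))

# Constructed stand-in for the tenant (two pages); the $skiptoken next link is an assumed shape.
DEVICES_URL = graph_url("deviceManagement/managedDevices", select="deviceName,operatingSystem,complianceState")
PAGE2 = DEVICES_URL + "&$skiptoken=page2"
_FAKE = {
    DEVICES_URL: {"value": [{"deviceName": "a1", "operatingSystem": "Android", "complianceState": "compliant"},
                            {"deviceName": "i1", "operatingSystem": "iOS", "complianceState": "compliant"}],
                  "@odata.nextLink": PAGE2},
    PAGE2: {"value": [{"deviceName": "w1", "operatingSystem": "Windows", "complianceState": "noncompliant"}]},
}

def fake_get(url):
    """Offline transport; a real one would issue GET with an Authorization: Bearer header."""
    return _FAKE[url]
```

Swapping `fake_get` for a function that performs the HTTP GET with the delegated (app-plus-user) token is all that changes when pointing this at a tenant.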
