February 27, 2026 • Senior (5+ years) How-To
Microsoft Graph API for Intune
Automate Intune with Microsoft Graph API. PowerShell scripts for device management, policy deployment, and reporting.
The Microsoft Graph API is the modern way to automate Intune. If you’re still using legacy MSOnline or AzureADPreview modules, it’s time to migrate. Here’s how.
Authentication
App Registration Setup
- Go to Azure Portal → App registrations
- Create new registration
- Add API permissions:
  - DeviceManagementManagedDevices.Read.All
  - DeviceManagementConfiguration.ReadWrite.All
  - DeviceManagementServiceConfiguration.ReadWrite.All
- Grant admin consent
- Create client secret
Connect via PowerShell
```powershell
# Install Graph module
Install-Module Microsoft.Graph -Scope CurrentUser

# Connect with app (client credentials flow)
$ClientId     = "your-app-id"
$TenantId     = "your-tenant-id"
# Read the secret from a vault or environment variable in real scripts; never commit it
$ClientSecret = "your-secret"

$Body = @{
    Grant_Type    = "client_credentials"
    Scope         = "https://graph.microsoft.com/.default"
    Client_Id     = $ClientId
    Client_Secret = $ClientSecret
}
$TokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Method POST -Body $Body

# Connect to Graph; Microsoft.Graph 2.x expects -AccessToken as a SecureString
$SecureToken = ConvertTo-SecureString $TokenResponse.access_token -AsPlainText -Force
Connect-MgGraph -AccessToken $SecureToken
```
Common Intune Operations
Get All Devices
```powershell
# Get all managed devices
Get-MgDeviceManagementManagedDevice -All |
    Select-Object DeviceName, DeviceType, OperatingSystem, LastSyncDateTime
```
Get Specific Device
```powershell
# Find by name
Get-MgDeviceManagementManagedDevice -Filter "deviceName eq 'LAPTOP-001'"
```
Sync a Device
```powershell
# Trigger sync; the syncDevice action needs DeviceManagementManagedDevices.PrivilegedOperations.All
$DeviceId = (Get-MgDeviceManagementManagedDevice -Filter "deviceName eq 'LAPTOP-001'").Id
if (-not $DeviceId) { throw "Device LAPTOP-001 not found" }
# Sync-MgDeviceManagementManagedDevice is in the Microsoft.Graph.DeviceManagement.Actions module
Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $DeviceId
```
Get Device Compliance
```powershell
# List the compliance policies (name and ID)
Get-MgDeviceManagementDeviceCompliancePolicy -All |
    Select-Object DisplayName, Id
# Per-device compliance state is a property of the managed device itself
Get-MgDeviceManagementManagedDevice -All |
    Select-Object DeviceName, ComplianceState
```
Assign Policy to Group
```powershell
# Get group ID (Get-MgGroup needs Group.Read.All on the app registration)
$GroupId = (Get-MgGroup -Filter "displayName eq 'IT Devices'").Id
# Get policy ID
$PolicyId = (Get-MgDeviceManagementDeviceConfiguration -Filter "displayName eq 'Security Policy'").Id
# Assign: the assign action expects an assignments array with a groupAssignmentTarget,
# not an @odata.id reference; calling the endpoint directly avoids cmdlet-name drift between SDK versions
$Params = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $GroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Body $Params `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$PolicyId/assign"
```
Creating Objects
Create Configuration Profile
```powershell
$ProfileParams = @{
    "@odata.type" = "#microsoft.graph.windows10CustomConfiguration"
    DisplayName   = "Custom Settings Profile"
    Description   = "Created via Graph API"
    OmaSettings   = @(
        @{
            "@odata.type" = "#microsoft.graph.omaSettingString"
            DisplayName   = "Device Name"
            OmaUri        = "./Vendor/MSFT/Device/Virtualization/WSName"
            Value         = "CORP-{SERIAL}"
        }
    )
}
New-MgDeviceManagementDeviceConfiguration -BodyParameter $ProfileParams
```
Create Device Group
```powershell
$GroupParams = @{
    DisplayName     = "Windows 11 Devices"
    Description     = "Devices running Windows 11"
    MailEnabled     = $false
    MailNickname    = "Win11Devices"
    SecurityEnabled = $true
}
New-MgGroup -BodyParameter $GroupParams
```
Error Handling
```powershell
try {
    # -ErrorAction Stop turns the Graph error into a terminating exception so catch runs
    $Device = Get-MgDeviceManagementManagedDevice -DeviceId $DeviceId -ErrorAction Stop
}
catch {
    if ($_.Exception.Message -match "404") {
        Write-Host "Device not found"
    }
    else {
        # Anything other than "not found" is unexpected: rethrow it
        throw $_
    }
}
```
Pagination
```powershell
# Graph pages results (100 per page by default); -All follows @odata.nextLink
# until every page is retrieved, and -PageSize raises the per-page size
Get-MgDeviceManagementManagedDevice -All -PageSize 999
```
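The error handling and pagination above combined into a small reporting script, as an added example that is not part of the original post: it pages through managedDevices by hand (the loop that -All runs for you), backs off on 429/503 using the Retry-After header, and exports devices that are non-compliant or have not checked in for N days. It assumes Connect-MgGraph has already run with DeviceManagementManagedDevices.Read.All; the function names are mine.

```powershell
# Assumes Connect-MgGraph already ran with DeviceManagementManagedDevices.Read.All
function Get-GraphPage {
    param([string]$Uri, [int]$MaxAttempts = 5)
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        # -SkipHttpErrorCheck returns the raw response instead of throwing, so the
        # status code and Retry-After header can be inspected directly
        $resp = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType HttpResponseMessage -SkipHttpErrorCheck
        $status = [int]$resp.StatusCode
        if ($status -eq 429 -or $status -eq 503) {
            $wait = if ($resp.Headers.RetryAfter.Delta) { [int]$resp.Headers.RetryAfter.Delta.TotalSeconds } else { 5 }
            Start-Sleep -Seconds $wait
            continue
        }
        if ($status -ge 400) { throw "Graph returned HTTP $status for $Uri" }
        return ($resp.Content.ReadAsStringAsync().GetAwaiter().GetResult() | ConvertFrom-Json)
    }
    throw "Gave up on $Uri after $MaxAttempts throttled attempts"
}

function Get-IntuneDeviceRiskReport {
    param([int]$MaxDaysSinceSync = 30, [string]$OutCsv = ".\intune-device-risk.csv")
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$MaxDaysSinceSync)
    # $select trims the payload to the fields the report needs
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
           "?`$select=id,deviceName,operatingSystem,complianceState,lastSyncDateTime&`$top=999"
    $findings = [System.Collections.Generic.List[object]]::new()
    while ($uri) {
        $page = Get-GraphPage -Uri $uri
        foreach ($d in $page.value) {
            $reasons = @()
            if ($d.complianceState -ne 'compliant') { $reasons += "complianceState=$($d.complianceState)" }
            # A device that never synced, or last synced before the cutoff, is stale
            if (-not $d.lastSyncDateTime -or [datetime]$d.lastSyncDateTime -lt $cutoff) {
                $reasons += "lastSync=$($d.lastSyncDateTime)"
            }
            if ($reasons.Count -gt 0) {
                $findings.Add([pscustomobject]@{
                    DeviceName = $d.deviceName; OS = $d.operatingSystem; Id = $d.id
                    Reasons    = ($reasons -join '; ')
                })
            }
        }
        # Continue until Graph stops returning a nextLink
        $uri = $page.'@odata.nextLink'
    }
    $findings | Export-Csv -Path $OutCsv -NoTypeInformation
    return $findings
}
```

Run `Get-IntuneDeviceRiskReport -MaxDaysSinceSync 30` after connecting; stale or non-compliant devices are the ones most likely to be missing patches and policy, so the CSV is a useful input for a clean-up or retirement pass.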
Wrap-Up
Graph API is powerful but requires setup. Create an app registration, get permissions, and automate everything.
Questions? Drop them below!