Learn how to leverage Intune support for Microsoft Graph and PowerShell to enable powerful automation and IT security – my notes

Introduction

Microsoft Ignite 2018 (in Florida) has just come and gone but there’s still 644GB of sessions to get through, and all of them are online and available for you to review (or download).

Ignite is an awesome experience, but not everyone can attend, and even if you could attend there's no way you could see all the sessions you wanted to see. Now you can.

In this blog post I’m going to add my notes about a session called “Learn how to leverage Intune support for Microsoft Graph and PowerShell to enable powerful automation and IT security” by these two clever guys.

I do this because it's great blogging and learning material, and because it means I can dissect these sessions in fine detail to see exactly what they were talking about and expand upon it with code samples and links, which you don't get by simply clicking on a video.

You can review it yourself here (20 minutes to watch): https://myignite.techcommunity.microsoft.com/sessions/64603

The session starts with a quick intro from David and Rohit before acknowledging that Rohit wrote the PowerShell modules for Intune. Good job Rohit! (P.S. he's also good at music and is on SoundCloud.)

Next, David points out that Intune totally rebuilt itself in 2017 when the team decided to make the Microsoft Graph API the API of choice: the UI uses it, and automation and services interact with Intune through it.

Microsoft released GitHub PowerShell samples in 2017 (which I blogged about here).

Getting started with Microsoft Graph and using PowerShell to automate things in Intune

These PowerShell samples are constantly evolving and continuously being developed and allow you to manage Intune using PowerShell. These samples are also being created due to UserVoice items, for example this one.

https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/8363319-add-powershell-support-to-manage-the-service

As a direct result of that feedback, Microsoft is announcing the PowerShell Intune SDK module.

It's in preview mode right now; that said, you can download this PowerShell preview module from GitHub at https://aka.ms/intunepowershell

This PowerShell preview module supports the following:

The granular level of control you get with Microsoft Graph also comes with complexity, so Microsoft has also provided a user interface by way of the Azure Portal. The user interface (UI) abstracts away some of that complexity and makes it easier to get things done.

The Intune PowerShell SDK has a 1:1 mapping between Graph and the SDK, so whatever you can do in Graph you can also do in the SDK. This comes with the same complexities as the Graph API, so to assist with that they will release higher-level modules (Scenario Modules).

Rohit demos some of this in the session (and they want feedback on this, so if you have any suggestion or feedback, please provide it either to them directly or send it to me and I'll pass it on).

To begin with, browse to https://aka.ms/intunepowershell and scroll down to learn how to login, use the commands and so on.


The scenarios mentioned by Rohit are found here – https://github.com/Microsoft/Intune-PowerShell-Management

To get the modules, scroll up to the top and click on the Releases tab (in GitHub). In the releases, click on the link to the ZIP file, download it and extract it. There are two folders: one for cross-platform (netstandard2.0) and the other for Windows only (needed for things like the login popup forms).

In the net471 folder you have a bunch of files; the psd1 file is the most important one, as it's the module manifest that ties the assemblies together, and that's the one you need to import to do things.

Importing a PowerShell module

To import this module you need to first open a PowerShell (or cmd) prompt with administrative permissions.

Next, browse to the folder where you extracted the Microsoft.Graph.Intune.psd1 file and then issue the following command from within that folder in the administrative PowerShell prompt.

Import-Module .\Microsoft.Graph.Intune.psd1

If you didn't open the cmd/PowerShell prompt as an Administrator you'll see the following error:

Import-Module : The specified module 'Microsoft.Graph.Intune.psd1' was not loaded because no valid module file was found in any
module directory.
At line:1 char:1
+ Import-Module Microsoft.Graph.Intune.psd1

If you then try to import the module and get the following error:

Import-Module : Could not load file or assembly
'file:///C:\Users\niall\Desktop\Intune-PowerShell-SDK-Release-6.1811.00642-preview\Release\net471\Microsoft.Intune.PowerShellGraphSDK.dll' or one of its
dependencies. Operation is not supported. (Exception from HRESULT: 0x80131515)
At line:1 char:1
+ Import-Module .\Microsoft.Graph.Intune.psd1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Import-Module], FileLoadException
+ FullyQualifiedErrorId : System.IO.FileLoadException,Microsoft.PowerShell.Commands.ImportModuleCommand

then the downloaded files are still blocked (Windows marks files downloaded from the internet and .NET refuses to load such assemblies). To resolve this you need to unblock the files. Run the following PowerShell command while you are in the folder containing the files you just downloaded:

gci . | Unblock-File

After which you can import the module without errors.

After importing the module you want to log in to Graph. To do that, use the following PowerShell command:

Connect-MSGraph

This will pop up a login prompt; enter your Microsoft Intune credentials.

Once done you are connected to your tenant.
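The three steps above (unblock, import, sign in) as one script, written by me as an added example rather than taken from the session or the SDK. Before removing the mark-of-the-web it reports which files are still blocked and what their Authenticode signature status is, so you decide with that information in hand; it then unblocks the whole tree (the one-liner above only touches the top-level folder) and imports the manifest by full path. The $sdkRoot path is an assumption; point it at your own extracted release folder.

```powershell
# Added example: inspect the extracted SDK before trusting it, then import and sign in.
# Assumed location of the extracted ZIP (adjust to your own path).
$sdkRoot  = 'C:\Intune-PowerShell-SDK\Release\net471'
$manifest = Join-Path -Path $sdkRoot -ChildPath 'Microsoft.Graph.Intune.psd1'

# 1. Which files still carry the Zone.Identifier stream (the mark-of-the-web that Unblock-File removes)?
$blocked = Get-ChildItem -Path $sdkRoot -Recurse -File |
    Where-Object { Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue }
"{0} blocked file(s) under {1}" -f @($blocked).Count, $sdkRoot

# 2. Authenticode status of the binaries and script files, summarised and with non-valid ones listed
$signatures = Get-ChildItem -Path $sdkRoot -Recurse -File -Include *.dll, *.psd1, *.psm1, *.ps1 |
    Get-AuthenticodeSignature
$signatures | Group-Object -Property Status | Select-Object -Property Name, Count

$notValid = $signatures | Where-Object { $_.Status -ne 'Valid' }
if ($notValid) {
    Write-Warning ("{0} file(s) are not validly signed; review them before unblocking:" -f @($notValid).Count)
    $notValid | ForEach-Object { Write-Warning ("  {0}: {1}" -f $_.Status, $_.Path) }
}

# 3. Unblock the whole tree, not just the top-level folder
Get-ChildItem -Path $sdkRoot -Recurse -File | Unblock-File

# 4. Import by full path so it works regardless of the current directory
Import-Module -Name $manifest -ErrorAction Stop

# 5. Sign in to the tenant (this is the SDK's own cmdlet; it pops up the login form)
Connect-MSGraph
```

The preview release is a GitHub download, so don't expect every file to come back as Valid; the point of step 2 is to see the status before you unblock rather than after.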

To see how many cmdlets are available in the SDK, try the following PowerShell command:

Get-Command -Module Microsoft.Graph.Intune | Measure-Object

which outputs something like this:

PS C:\Users\niall\Desktop\Intune-PowerShell-SDK-Release-6.1811.00642-preview\Release\net471> get-command -module Microsoft.Graph.Intune | measure

Count : 1287

So each of these 1287 cmdlets equates to an operation in Microsoft Graph. Amazing. These cmdlets were generated from the Graph metadata, which is the same source the Microsoft Graph documentation is based upon. Here is an example of that.

Get mobileApp

The cmdlet name is derived from the HTTP request shown in the documentation (the verb plus the resource path), for example:

Get-DeviceAppManagement_MobileApps

and that will return a long list of apps in your tenant.

You can then fine-tune the results, for example to select only Publisher and DisplayName:

Get-DeviceAppManagement_MobileApps -Select publisher, displayName

To filter further, you could ask for only those apps whose publisher contains the word Microsoft:

Get-DeviceAppManagement_MobileApps -Select publisher, displayName -Filter "contains(publisher, 'Microsoft')"
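The -Filter string above is an OData expression that is passed through to Graph, so if you build it from a value someone typed in (a publisher name from a form or a CSV), a stray single quote will either break the query or change what it matches. This added example (mine, not the session's or the SDK's) wraps the value as a proper OData string literal first; Get-IntuneAppsByPublisher and ConvertTo-ODataStringLiteral are hypothetical helper names.

```powershell
# Added example: build an OData $filter safely from an untrusted publisher name.
function ConvertTo-ODataStringLiteral {
    param([Parameter(Mandatory)][string]$Value)
    # OData string literals are single-quoted; a literal single quote inside is written as two quotes.
    "'" + $Value.Replace("'", "''") + "'"
}

function Get-IntuneAppsByPublisher {
    param([Parameter(Mandatory)][string]$Publisher)
    # Quote the value before it is spliced into the expression, never after
    $filter = 'contains(publisher, {0})' -f (ConvertTo-ODataStringLiteral -Value $Publisher)
    Write-Verbose -Message "Using filter: $filter"
    Get-DeviceAppManagement_MobileApps -Select publisher, displayName -Filter $filter
}

# A name containing an apostrophe would otherwise terminate the literal early;
# the helper doubles it so Graph reads the whole string as one value.
ConvertTo-ODataStringLiteral -Value "Niall's Apps"

# Same query as the one-liner above, but with the value escaped on the way in
Get-IntuneAppsByPublisher -Publisher 'Microsoft' -Verbose | Select-Object -Property displayName, publisher
```

Running the first call shows the apostrophe doubled inside the single quotes; the second returns the same Microsoft apps as the hand-written filter.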

OK, that's cool, but to do really cool things (here, creating several web apps in one go) try this code:

$createdApps = 'https://www.windows-noob.com', 'https://www.niallbrady.com', 'https://www.linux-noob.com' `
| ForEach-Object {
New-DeviceAppManagement_MobileApps `
-webApp `
-displayName $_ `
-publisher 'Niall' `
-appUrl $_ `
-useManagedBrowser $false
}

and here's the result of that, held in the variable:

$createdApps

and you can verify it in the Intune console.

After this point, Rohit demo'd retrieving audit events, which have to be read page by page because Graph returns at most 1000 events per request. This is shown below.

$auditEvents = Invoke-MSGraphRequest -HttpMethod GET -Url 'deviceManagement/auditEvents'

Note that this doesn't work in production currently, only in special beta tenants, so I've nothing to show here; check the video for more details.
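Since one request only gives you the first page, the practical pattern is to follow the @odata.nextLink property that Graph puts on every page except the last. This is an added example of mine, not code from the session; it assumes a live Connect-MSGraph session, that the tenant can serve deviceManagement/auditEvents (beta-only at the time of the post), and that Invoke-MSGraphRequest accepts the absolute nextLink URL Graph hands back. Get-AllGraphPages is a hypothetical helper name.

```powershell
# Added example: collect every page of a Graph collection, then summarise the audit events.
function Get-AllGraphPages {
    param([Parameter(Mandatory)][string]$Url)
    $items = New-Object -TypeName 'System.Collections.Generic.List[object]'
    $next  = $Url
    $page  = 0
    while ($next) {
        $page++
        $response = Invoke-MSGraphRequest -HttpMethod GET -Url $next
        if ($response.value) { $items.AddRange([object[]]$response.value) }
        Write-Verbose -Message ("Page {0}: {1} item(s)" -f $page, @($response.value).Count)
        # No @odata.nextLink on the response means this was the last page
        $next = $response.'@odata.nextLink'
    }
    $items
}

# Last 7 days of audit events. $top asks for the largest page Graph allows; paging is still needed.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$url   = "deviceManagement/auditEvents?`$filter=activityDateTime ge $since&`$top=1000"
$auditEvents = Get-AllGraphPages -Url $url -Verbose

# Who did what, most frequent first: actor UPN plus activity type
$auditEvents |
    Group-Object -Property { $_.actor.userPrincipalName }, activityType |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name |
    Format-Table -AutoSize
```

The same loop works for any collection URL (mobileApps, managedDevices, and so on); only the summary at the end is specific to audit events. The SDK also documents its own Get-MSGraphAllPages cmdlet for this, so use that once you are happy with what the manual loop does.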

Next, try adding an iOS LOB app using two commands (well… a wee bit more than that) with the following code:

$appToUpload = New-MobileAppObject `
-iosLobApp `
-displayName "Niall's cool App" `
-description 'A cool iOS LOB app' `
-publisher 'Niall' `
-bundleId '' `
-applicableDeviceType (New-IosDeviceTypeObject -iPad $true -iPhoneAndIPod $true) `
-minimumSupportedOperatingSystem (New-IosMinimumOperatingSystemObject -v9_0 $true) `
-fileName 'niallbrady.ipa' `
-buildNumber 'v1' -versionNumber 'v1' -expirationDateTime ((Get-Date).AddDays(90))

Now, go back to the Intune PowerShell SDK GitHub page and scroll down to the scenarios link. It takes you to this page – https://github.com/Microsoft/Intune-PowerShell-Management – which contains links to more samples and modules.

Don't forget to unblock the scenario module before importing it, otherwise it will fail. Make sure the path points to the Apps folder which contains the scripts:

gci "C:\Users\niall\Desktop\Intune-PowerShell-SDK-Release-6.1811.00642-preview\Scenario Modules\Apps" | Unblock-File

and then import the module:

Import-Module 'C:\Users\niall\Desktop\Intune-PowerShell-SDK-Release-6.1811.00642-preview\Scenario Modules\Apps\Microsoft.Graph.Intune.Apps.psd1'

then use the following command to upload your iOS LOB app called niallbrady.ipa (it can be a text file for the purposes of this demo):

$uploadedAppFile = New-LobApp -filePath 'niallbrady.ipa' -mobileApp $appToUpload

And the app will appear in the Intune portal.

Next, let's try and get all apps and then group those apps by app type.

$apps = Get-DeviceAppManagement_MobileApps
$appsGroupedByType = $apps | Group-Object -Property '@odata.type'

When you output the $appsGroupedByType variable, you see a load of values including Count, Name and Group.

Then add the following code to create the X and Y values (stripping the '#microsoft.graph.' prefix from each type name so the labels stay short):

[string[]]$xvals = $appsGroupedByType | ForEach-Object { $_.Name.Replace('#microsoft.graph.', '') }
[int[]]$yvals = $appsGroupedByType | ForEach-Object { $_.Count }

Then you can visualize the data using another of the scenario module scripts (which is in the Samples sub-folder; see my screenshot below the code), which uses WinForms.

.\VisualizeData.ps1 `
-Title 'Intune apps by type' `
-ChartType 'Pie' `
-XLabel 'App Type' -YLabel 'Number of apps…' `
-XValues $xvals -YValues $yvals

If you change Pie to Bar in the code snippet, you can run it again and see a bar chart instead.

Pretty awesome stuff, well done Rohit and David!

Recommended reading


This entry was posted in 2018, Azure, Graph, Intune, iOS.