Thursday 6 October 2016

Use REST APIs to access Microsoft Intune data

Microsoft recently published information on using REST API calls to communicate with Intune to retrieve management data. This is really cool. It uses Microsoft Graph, which exposes multiple APIs from Microsoft cloud services. The data retrieved can be very useful in troubleshooting.

So how do we get started?

Navigate to Graph Explorer https://graph.microsoft.io/en-us/graph-explorer



See the Graph Explorer interface. Click Sign in to access the Intune service. A new page opens and you are prompted to log in.



You are then warned that the API Explorer needs permission to the following (it's a lot but remember this is also for Office 365, not just Intune):

  • Sign you in and read your profile  
  • Read and write access to your mail   
  • Read directory data  
  • Access the directory as you  
  • Read your files  
  • View your basic profile  
  • Read and write selected files  
  • Have full access to your calendars   
  • Read and write all users' full profiles  
  • Read items in all site collections  
  • Create, read, update and delete your tasks and projects (preview)  
  • View your OneNote notebooks (preview)  
  • Sign in as you  
  • Read your calendars   
  • Read and write all groups  
  • Read selected files  
  • Read your mail   
  • Have full access to your files  
  • Read all groups  
  • View and modify your OneNote notebooks (preview)  
  • View your email address  
  • View and modify OneNote notebooks that you can access (preview)  
  • Access your data anytime  
  • Have full access to the application's folder  
  • Read and write to your mailbox settings (preview)  
  • Have full access to all files you have access to  
  • Read identity risk event information  
  • Create pages in your OneNote notebooks (preview)  
  • Read all users' full profiles  
  • Read all users' basic profiles  
  • Read and update your profile  
  • Read your relevant people list (preview)  
  • Read and write directory data  
  • Have full access of your contacts   
  • Read all files that you have access to  
  • View OneNote notebooks that you can access (preview)  
  • Sign you in and read your profile  
  • Send mail as you   
  • Limited access to your OneNote notebooks for this app (preview)  
  • Read your tasks  
  • Read your contacts
You have to accept this to continue.....


....and now you're ready to query for information.

So how does it work?

The interface uses GET and POST REST APIs to communicate with the service backend to retrieve data for various items. The commands are URLs, but they won’t work in a browser; you must use them in the Graph Explorer URL bar.

So what kind of information can we get?

Here are some examples:

1. Get data relating to all devices for a specific user (replace the user UPN in the URL)



In my case the URL is:


See the output for a specific device. Useful troubleshooting information is returned.

"approximateLastSignInDateTime": "2016-04-25T12:25:58Z",
"deviceId": "85a9e8e4-21cb-45cc-87f5-8c2056a3c18e",
"deviceMetadata": null,
"deviceVersion": 2,
"displayName": "gerry_Android_4/25/2016_12:26 PM",
"isCompliant": false,
"isManaged": true,
"onPremisesLastSyncDateTime": null,
"onPremisesSyncEnabled": null,
"operatingSystem": "Android",
"operatingSystemVersion": "4.4.2",
"physicalIds": [],
"trustType": "Workplace"


2. Get data for a specific user

In my case the URL is:

See the output for a specific user.

"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
"id": "c5ab8188-7124-4a97-bdfe-66bda5f634a0",
"businessPhones": [],
"displayName": "Gerry",
"givenName": "Gerry",
"jobTitle": null,
"mail": "gerry@gerryhampson.onmicrosoft.com",
"mobilePhone": null,
"officeLocation": null,
"preferredLanguage": null,
"surname": null,
"userPrincipalName": "gerry@emslab.ie"
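
Device records like the one in example 1 can be triaged offline once the response is saved from Graph Explorer. The script below is an added example, not code from the Microsoft article: it flags devices that are unmanaged, non-compliant, or have not signed in recently. The function names, the 90-day threshold and the second sample record are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: the first record reuses field values shown in example 1,
# the second is invented for contrast. Collections are wrapped in "value".
SAMPLE_RESPONSE = """
{"value": [
  {"approximateLastSignInDateTime": "2016-04-25T12:25:58Z",
   "deviceId": "85a9e8e4-21cb-45cc-87f5-8c2056a3c18e",
   "displayName": "gerry_Android_4/25/2016_12:26 PM",
   "isCompliant": false, "isManaged": true, "trustType": "Workplace",
   "operatingSystem": "Android", "operatingSystemVersion": "4.4.2"},
  {"approximateLastSignInDateTime": "2016-10-05T08:00:00Z",
   "deviceId": "00000000-0000-0000-0000-000000000001",
   "displayName": "constructed_Windows_device",
   "isCompliant": true, "isManaged": true, "trustType": "Workplace",
   "operatingSystem": "Windows", "operatingSystemVersion": "10.0.14393"}
]}
"""

def parse_ts(value):
    """Parse a timestamp in the form shown above (2016-04-25T12:25:58Z)."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage(response_text, now, stale_after_days=90):
    """Return (deviceId, displayName, reasons) for every device needing review."""
    findings = []
    for dev in json.loads(response_text).get("value", []):
        reasons = []
        # Treat a missing or null flag as a finding rather than a pass.
        if dev.get("isManaged") is not True:
            reasons.append("not managed")
        if dev.get("isCompliant") is not True:
            reasons.append("not compliant")
        last_seen = parse_ts(dev.get("approximateLastSignInDateTime"))
        if last_seen is None:
            reasons.append("never signed in")
        elif now - last_seen > timedelta(days=stale_after_days):
            reasons.append("stale: last sign-in %s" % last_seen.date())
        if reasons:
            findings.append((dev.get("deviceId"), dev.get("displayName"), reasons))
    return findings

if __name__ == "__main__":
    as_of = datetime(2016, 10, 6, tzinfo=timezone.utc)
    for device_id, name, reasons in triage(SAMPLE_RESPONSE, as_of):
        print(device_id, name, "; ".join(reasons))
```
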

See the full Microsoft article here

I hope this is useful. Until next time.....

