This repository of PowerShell sample scripts shows how to access Intune service resources. The scripts do this by making HTTPS RESTful API requests to the Microsoft Graph API from PowerShell.
Documentation for Intune and Microsoft Graph can be found in the Intune Graph Documentation.
Some script samples retrieve information from your Intune tenant, and others create, delete or update data in your Intune tenant. Understand the impact of each sample script prior to running it; samples should be run using a non-production or "test" tenant account.
This section lists the scripts it contains, with an explanation of how each is used.
This script demonstrates how to use Application Authentication against the Graph API. To enable the use of Application Authentication, please review the following documentation from the Microsoft Graph team:
- https://docs.microsoft.com/en-us/graph/auth-v2-service?context=graph/api/1.0
- https://docs.microsoft.com/en-us/graph/auth-register-app-v2
The Get-AuthToken function requires the following parameters:
- $Tenant - The name of the tenant you're authenticating against, e.g. tenantname.onmicrosoft.com
- $ClientId - The Client / Application ID created by following the https://docs.microsoft.com/en-us/graph/auth-v2-service?context=graph/api/1.0 documentation
- $ClientSecret - The client secret, which can be created after you've created your app registration in Azure AD - https://docs.microsoft.com/en-us/graph/auth-register-app-v2
```powershell
Get-AuthToken -Tenant "tenantname.onmicrosoft.com" -ClientId "ClientId/ApplicationId" -ClientSecret "ClientSecret"
```
The Microsoft Graph permissions you assign to the app registration must be "Application" permissions (not "Delegated" permissions); otherwise, Graph calls made after authenticating against the service can fail. Please review the documentation above.
This script demonstrates how to store a password as a secure string in a file. The file's contents are used during authentication to supply the password, rather than requiring an interactive user login.
The Authentication region defines two variables: $User and $Password. The $User variable indicates the user principal name for the credentials, and the $Password variable indicates the location of the file which has the password string (the password file).
You must change these values prior to running the script.
To create a password file, run the following command from within a PowerShell prompt:
```powershell
# The output path must match the $Password variable in the script's Authentication region.
Read-Host -Prompt "Enter your tenant password" -AsSecureString | ConvertFrom-SecureString | Out-File "c:\credentials\credentials.txt"
```
In this example, the c:\credentials\credentials.txt file contains a secure string generated from the entered password. That file is used by Auth_From_File.ps1 as the password.
The password file that is generated is only valid for use in the authentication PowerShell script on the computer that was used to generate the file. It cannot be transferred or used on any other computer.
As with any security-related script, ensure that you review the code and the code behavior with your company's security department or security representative to ensure it complies with your security policy.
This function is used to authenticate with the Microsoft Graph API REST interface. It has been updated to add the following:
```powershell
# Inside Get-AuthToken: $authContext, $resourceAppIdURI, $clientId, $redirectUri,
# $platformParameters, $userId and $userUPN are defined earlier in the function.
if ($null -eq $Password) {
    # No password file supplied: fall back to an interactive sign-in.
    $authResult = $authContext.AcquireTokenAsync($resourceAppIdURI, $clientId, $redirectUri, $platformParameters, $userId).Result
}
else {
    if (Test-Path "$Password") {
        # Read the DPAPI-protected secure string back from the password file.
        $UserPassword = Get-Content "$Password" | ConvertTo-SecureString
        $userCredentials = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.UserPasswordCredential -ArgumentList $userUPN, $UserPassword
        $authResult = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions]::AcquireTokenAsync($authContext, $resourceAppIdURI, $clientId, $userCredentials).Result
    }
    else {
        Write-Host "Path to Password file" $Password "doesn't exist, please specify a valid path..." -ForegroundColor Red
        Write-Host "Script can't continue..." -ForegroundColor Red
        Write-Host
        break
    }
}
```
Within the Authentication region there are two variables that are passed to the Get-AuthToken function. These need to be changed to represent your environment.
```powershell
$User = "serviceaccount@tenant.onmicrosoft.com"
$Password = "c:\credentials\credentials.txt"
```
Once these have been configured for your environment, the Get-AuthToken function supports passing the -User and -Password parameters.
```powershell
$global:authToken = Get-AuthToken -User $User -Password "$Password"
```
Note: There are two occurrences of the $global:authToken in the Authentication region.
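The following is an added example, not one of the repository's scripts. It combines the two approaches described above: the client secret for Application Authentication is stored with the same Read-Host | ConvertFrom-SecureString pattern used for the password file, and the app-only token is requested from the Azure AD v2.0 client-credentials endpoint with Invoke-RestMethod rather than ADAL. The function names, the secret file path and the sample Graph call are assumptions.

```powershell
# Added example, not part of the sample repository. App-only (client credentials)
# authentication with the client secret kept as a DPAPI-protected secure string.

function New-SecretFile {
    # Prompts for the secret and writes it protected with DPAPI. Without -Key,
    # ConvertFrom-SecureString uses the current user's DPAPI key, so the file can
    # only be decrypted by the same user account on the same computer.
    param([Parameter(Mandatory)][string]$Path)
    Read-Host -Prompt "Enter the client secret" -AsSecureString |
        ConvertFrom-SecureString | Out-File -FilePath $Path
}

function Get-AppOnlyAuthToken {
    # $Tenant and $ClientId are the values described above; $SecretFile is the
    # path written by New-SecretFile (function name and path are assumptions).
    param(
        [Parameter(Mandatory)][string]$Tenant,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$SecretFile
    )
    if (-not (Test-Path -Path $SecretFile)) {
        throw "Secret file '$SecretFile' does not exist."
    }
    # Decrypt in memory only; the plain text is needed just for the request body.
    $secure = Get-Content -Path $SecretFile | ConvertTo-SecureString
    $cred   = New-Object System.Management.Automation.PSCredential ('app', $secure)
    $body = @{
        client_id     = $ClientId
        client_secret = $cred.GetNetworkCredential().Password
        scope         = 'https://graph.microsoft.com/.default'   # all granted Application permissions
        grant_type    = 'client_credentials'
    }
    $tokenUri = "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/token"
    $response = Invoke-RestMethod -Method Post -Uri $tokenUri -Body $body `
        -ContentType 'application/x-www-form-urlencoded'
    # Header hashtable in the same shape the samples use for Graph calls.
    @{
        'Content-Type'  = 'application/json'
        'Authorization' = "Bearer $($response.access_token)"
    }
}

# Usage (assumed values). The Graph call below succeeds only if the app registration
# holds the matching Application permission (DeviceManagementManagedDevices.Read.All).
# New-SecretFile -Path 'c:\credentials\clientsecret.txt'
# $global:authToken = Get-AppOnlyAuthToken -Tenant 'tenantname.onmicrosoft.com' -ClientId '<ClientId>' -SecretFile 'c:\credentials\clientsecret.txt'
# Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' -Headers $global:authToken
```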