page_type | products | languages | extensions | noDependencies | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
sample |
|
|
|
true |
Last year we announced a new Microsoft Intune GitHub repository here based on the Microsoft Graph SDK-based PowerShell module. This legacy Microsoft Intune PowerShell sample scripts GitHub repository is now read-only. Additionally, starting on April 1, 2024, due to updated authentication methods in the Graph SDK-based PowerShell module, the global Microsoft Intune PowerShell application (client) ID based authentication method is being removed.
If you are using the Intune PowerShell application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547), you will need to update your scripts with a Microsoft Entra ID registered application ID to prevent your scripts from breaking.
Before May 6, 2024, update your PowerShell scripts by:
- Creating a new app registration in the Microsoft Entra admin center. For detailed instructions, read: Quickstart: Register an application with the Microsoft identity platform.
- Update scripts containing the Intune application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547) with the new application ID created in step 1.
Review the "Updating App Registration" file for detailed instructions. (https://github.com/microsoftgraph/powershell-intune-samples/blob/master/Updating%20App%20Registration)
This repository of PowerShell sample scripts show how to access Intune service resources. They demonstrate this by making HTTPS RESTful API requests to the Microsoft Graph API from PowerShell.
Documentation for Intune and Microsoft Graph can be found here Intune Graph Documentation.
These samples demonstrate typical Intune administrator or Microsoft partner actions for managing Intune resources.
The following samples are included in this repository:
- AdminConsent
- AndroidEnterprise
- AppleEnrollment
- Applications
- ApplicationSync
- AppProtectionPolicy
- Auditing
- Authentication
- CertificationAuthority
- CheckStatus
- CompanyPortalBranding
- CompliancePolicy
- CorporateDeviceEnrollment
- DeviceConfiguration
- EnrollmentRestrictions
- IntuneDataExport
- LOB_Application
- ManagedDevices
- Paging
- RBAC
- RemoteActionAudit
- SoftwareUpdates
- TermsAndConditions
- UserPolicyReport
The scripts are licensed "as-is." under the MIT License.
Some script samples retrieve information from your Intune tenant, and others create, delete or update data in your Intune tenant.Β Understand the impact of each sample script prior to running it; samples should be run using a non-production or "test" tenant account.
The Intune Graph API enables access to Intune information programmatically for your tenant, and the API performs the same Intune operations as those available through the Azure Portal.
Intune provides data into the Microsoft Graph in the same way as other cloud services do, with rich entity information and relationship navigation.Β Use Microsoft Graph to combine information from other services and Intune to build rich cross-service applications for IT professionals or end users.
Use of these Microsoft Graph API Intune PowerShell samples requires the following:
- Install the Microsoft.Graph.Authentication PowerShell module by running
Install-Module Microsoft.Graph.Authentication
from an elevated PowerShell prompt - Legacy Support: AzureAD PowerShell module support is deprecated (Install-Module AzureAD or AzureADPreview)
- An Intune tenant which supports the Azure Portal with a production or trial license (https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/what-is-intune)
- Using the Microsoft Graph APIs to configure Intune controls and policies requires an Intune license.
- An account with permissions to administer the Intune Service
- PowerShell v5.0 or 7.x on Windows 11 x64 supported
- First time usage of these scripts requires a Global Administrator of the Tenant to accept the permissions of the application
After the prerequisites are installed or met, perform the following steps to use these scripts:
- Download the contents of the repository to your local Windows machine
- Extract the files to a local folder (e.g. C:\IntuneGraphSamples)
- Run PowerShell x64 from the start menu
- Browse to the directory (e.g. cd C:\IntuneGraphSamples)
- Install Microsoft Graph Authentication module:
Install-Module Microsoft.Graph.Authentication
- For each Folder in the local repository you can browse to that directory and then run the script of your choice
- Example Application script usage:
- To use the Manage Applications scripts, from C:\IntuneGraphSamples, run "cd .\Applications"
- Once in the folder run .\Application_MDM_Get.ps1 to get all MDM added applications
- New: Scripts automatically connect using
Connect-GraphAPI
with appropriate scopes - Multi-Cloud: Use
-Environment
parameter for different Microsoft clouds This sequence of steps can be used for each folder....
Graph Authentication (Recommended):
The scripts now use the modern Microsoft.Graph.Authentication
module. When you run any script, it will automatically:
- Call
Connect-GraphAPI
with the appropriate scopes for that script - Prompt you to sign in through a web browser (more secure)
- Cache the authentication token for the PowerShell session
# Examples of modern authentication
Connect-GraphAPI # Global cloud with default scopes
Connect-GraphAPI -Environment "USGov" # US Government cloud
Connect-GraphAPI -Environment "Germany" # Germany cloud
Legacy Authentication (Deprecated): The first time you run legacy scripts you will be asked to provide an account to authenticate with the service:
Please specify your user principal name for Azure Authentication:
Once you have provided a user principal name a popup will open prompting for your password. After a successful authentication with Azure Active Directory the user token will last for an hour, once the hour expires within the PowerShell session you will be asked to re-authenticate.
Permission Consent: If you are running the script for the first time against your tenant a popup will be presented stating:
Microsoft Intune PowerShell needs permission to:
* Sign you in and read your profile
* Read all groups
* Read directory data
* Read and write Microsoft Intune Device Configuration and Policies (preview)
* Read and write Microsoft Intune RBAC settings (preview)
* Perform user-impacting remote actions on Microsoft Intune devices (preview)
* Sign in as you
* Read and write Microsoft Intune devices (preview)
* Read and write all groups
* Read and write Microsoft Intune configuration (preview)
* Read and write Microsoft Intune apps (preview)
Note: If your user account is targeted for device based conditional access your device must be enrolled or compliant to pass authentication.
This repository has been modernized to use the latest Microsoft Graph PowerShell authentication methods and best practices. The following updates have been implemented:
- Updated Authentication: All scripts now use
Microsoft.Graph.Authentication
module instead of legacy authentication methods - Environment Support: Added support for all Microsoft Cloud environments:
- Global:
https://graph.microsoft.com
(default) - US Government:
https://graph.microsoft.us
- US Government DoD:
https://dod-graph.microsoft.us
- China:
https://microsoftgraph.chinacloudapi.cn
- Germany:
https://graph.microsoft.de
- Global:
- Dynamic Endpoint Management: Scripts automatically use the correct Graph endpoint based on your environment
- Global Variables: Added
$global:GraphEndpoint
variable for environment-aware operations - Flexible Authentication: Use
-Environment
parameter to connect to different clouds:Connect-GraphAPI -Environment "USGov" # US Government Connect-GraphAPI -Environment "Germany" # Germany Cloud
- Removed Legacy Functions: Eliminated old
Get-AuthToken
functions in favor of graph authentication
- New
Invoke-IntuneRestMethod
Function:- Replaced
Invoke-RestMethod
withAuthtoken
- Automatic paging support for large result sets
- Environment-aware URI handling (relative and absolute paths)
- Smart body parameter detection (JSON strings, plain strings, objects)
- Built-in error handling and verbose logging
- Replaced
- Type-Agnostic Body Parameters: Automatically detects and handles:
- Valid JSON strings (used as-is)
- Plain text strings (properly quoted)
- PowerShell objects (converted to JSON)
- Automatic URI Conversion: Seamlessly handles both relative and absolute URIs
- Trailing Whitespace Cleanup: Removed trailing whitespace from 4,593 lines across 133 files
- Character Encoding Fixes: Fixed 96 en-dash characters (β) replaced with proper hyphens (-)
- Consistent Formatting: Standardized code formatting across all scripts
- Automatic Scope Detection: Scripts automatically determine required permissions based on operation type:
- Read Operations: Read-only scopes (
DeviceManagementConfiguration.Read.All
) - Write Operations: ReadWrite scopes (
DeviceManagementConfiguration.ReadWrite.All
) - Context-Aware: Different scopes for different resource types (Apps, Devices, Policies, etc.)
- Read Operations: Read-only scopes (
- Seamless Migration: Existing script functionality remains the same
- Updated Examples: All code examples updated to use graph authentication module
-
Install Required Module:
Install-Module Microsoft.Graph.Authentication
-
Connect to Microsoft Graph:
Connect-GraphAPI # Global cloud (default) Connect-GraphAPI -Environment "USGov" # US Government cloud
-
Run Any Script: All scripts now use the graph authentication automatically
If you'd like to contribute to this sample, see CONTRIBUTING.MD.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.
We'd love to get your feedback about the Intune PowerShell sample. You can send your questions and suggestions to us in the Issues section of this repository.
Your feedback is important to us. Connect with us on Stack Overflow. Tag your questions with [MicrosoftGraph] and [intune].
- Microsoft Graph API documentation
- Microsoft Graph Portal
- Microsoft code samples
- Intune Graph Documentation
Copyright (c) 2025 Microsoft. All rights reserved.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.