Using the Microsoft Graph API to access data in Microsoft Intune

Although for most administrators the Microsoft Intune administration console will be the primary method of looking at information in Microsoft Intune, developers and IT pros that have a level of technical knowledge to understand REST API calls may use Microsoft Graph to query data from the service backend of Intune. Microsoft Graph exposes multiple API’s from Microsoft cloud services through a single REST API endpoint ( Using the Microsoft Graph, you can turn formerly difficult or complex queries into simple navigations. Microsoft Intune has data that can be queried through these APIs. The data retrieved from these calls show data on devices, users, groups, and apps as they appear in the Intune service backend and can be used to troubleshoot various issues to verify the status of those in the Intune service.

Connecting to Graph Explorer

To connect to the Graph Explorer use this link:

1. Sign into Graph using your Intune account in order to be able to run commands against user/device data in your tenant.

2. The interface uses GET and POST REST APIs to communicate with the service backend to retrieve data for various items. The commands are URLs but they won't work in a browser, you must use them in the Graph Explorer URL bar.

WARNING - Do not use the DELETE option as this will delete objects in the tenant you are signed in to.


UPN - User Principal Name - this is the username with the domain (e.g.

DeviceId - GUID matching a device in Intune which is used to uniquely identify a device.

Managed - meaning the device is managed via a management authority i.e. Intune or Microsoft System Center Configuration Manager.

Compliant - the device meets the requirements enforced by the Intune service.

Graph Explorer Commands

Get data relating to a single user:<user UPN> e.g.

Get data relating to the devices of a single user:<user UPN>/ownedDevices

The following fields are important as they can help troubleshoot device related issues:

  • isCompliant - shows if this device is compliant in the service
  • isManaged - shows if this device is managed by the service
  • approximateLastSigninDateTime - the last time the device contacted the Intune service
  • deviceId - used to uniquely identify the device in the service

Find the owners of a device:<DeviceGUID>/registeredOwners

The following fields are important:

  • userPrincipleName - this is the UPN of the owner of the device

Find the users of a device:<DeviceGuid>/registeredUsers

The following fields are important:

  • userPrincipleName - this is the UPN of the owner of the device

List of apps uploaded to Intune:

Example: Check the compliance state of a device in Intune

1. Go to and sign in with your Intune credentials Graph_Blog1

2. Enter the command into the URL bar next to the GET dropdown to retrieve all the devices for a user using the UPN

response:{"@odata.context": "$metadata#directoryObjects","value": [


"@odata.type": "#microsoft.graph.device",

"id": "b100feed-ee04-4f43-b806-4607520e6283",

"accountEnabled": true,

"alternativeSecurityIds": [


"type": 2,

"identityProvider": null,

"key": "***"



"approximateLastSignInDateTime": "2016-08-03T00:09:54Z",

"deviceId": "89eac41b-cd54-4a4b1-a890-4021dfd1df30",

"deviceMetadata": null,

"deviceVersion": 2,

"displayName": "user_Android_8/3/2016_12:09 AM",

"isCompliant": true,

"isManaged": true,

"onPremisesLastSyncDateTime": null,

"onPremisesSyncEnabled": null,

"operatingSystem": "Android",

"operatingSystemVersion": "6.0.1",

"physicalIds": [],

"trustType": "Workplace"




3. We can see that the device is compliant from the "isCompliant" property. Another way to see the same data is to look it up using the deviceId:<deviceGUID> 


Iain Greer

Service Engineer



Comments (4)

  1. Alex Mrynsky says:

    Is it also possible to enroll, configure or retire devices using this API?
    Thanks in advance

    1. Iain Greer says:

      @Alex Yes it is possible to enroll, configure, and retire devices now. There are also options to create powershell scripts to automate these actions. See here for some of the sample scripts:

  2. Stefan van der Wiele says:

    Seems like there has been a change to the permissions. I needed to manually add rights for the service principle through PowerShell to be able to access the Intune API:

    #Connect to the service

    #Find the service principal trying to access Intune through the graph api
    Get-MsolServicePrincipal | ft DisplayName, AppPrincipalId -AutoSize

    #Write down the app ID and use that in the next command:
    $app = Get-MsolServicePrincipal -AppPrincipalId ”

    #Add the right role to the service principal
    Add-MsolRoleMember -RoleName “Intune Service Administrator” -RoleMemberType ServicePrincipal -RoleMemberObjectId $app

    Sign out of the application, wait 5 min and then try again.

Skip to main content