Using the Microsoft Graph API to access data in Microsoft Intune


Although the Microsoft Intune administration console is the primary way most administrators look at information in Microsoft Intune, developers and IT pros who are comfortable with REST API calls can use Microsoft Graph to query data from the Intune service backend. Microsoft Graph exposes multiple APIs from Microsoft cloud services through a single REST API endpoint (https://graph.microsoft.com). Using Microsoft Graph, you can turn formerly difficult or complex queries into simple navigations. Microsoft Intune has data that can be queried through these APIs. The data retrieved from these calls shows devices, users, groups, and apps as they appear in the Intune service backend, and can be used to troubleshoot various issues by verifying their status in the Intune service.

Connecting to Graph Explorer

To connect to the Graph Explorer use this link: https://graph.microsoft.io/en-us/graph-explorer

1. Sign in to Graph using your Intune account so that you can run commands against user/device data in your tenant.

2. The interface uses GET and POST REST APIs to communicate with the service backend to retrieve data for various items. The commands are URLs, but they won’t work in a browser; you must enter them in the Graph Explorer URL bar.

WARNING – Do not use the DELETE option as this will delete objects in the tenant you are signed in to.

Definitions

UPN – User Principal Name – this is the username with the domain (e.g. user@contoso.com)

DeviceId – GUID matching a device in Intune which is used to uniquely identify a device.

Managed – the device is managed by a management authority, i.e. Intune or Microsoft System Center Configuration Manager.

Compliant – the device meets the requirements enforced by the Intune service.

Graph Explorer Commands

Get data relating to a single user: https://graph.microsoft.com/v1.0/users/<user UPN> e.g. https://graph.microsoft.com/v1.0/users/user@contoso.com

Get data relating to the devices of a single user: https://graph.microsoft.com/v1.0/users/<user UPN>/ownedDevices

The following fields are important as they can help troubleshoot device related issues:

  • isCompliant – shows if this device is compliant in the service
  • isManaged – shows if this device is managed by the service
  • approximateLastSignInDateTime – the last time the device contacted the Intune service
  • deviceId – used to uniquely identify the device in the service

Find the owners of a device: https://graph.microsoft.com/v1.0/devices/deviceId_<DeviceGUID>/registeredOwners

The following fields are important:

  • userPrincipalName – this is the UPN of the owner of the device

Find the users of a device: https://graph.microsoft.com/v1.0/devices/deviceId_<DeviceGuid>/registeredUsers

The following fields are important:

  • userPrincipalName – this is the UPN of the owner of the device

List of apps uploaded to Intune: https://graph.microsoft.com/beta/applications

Example: Check the compliance state of a device in Intune

1. Go to https://graph.microsoft.com and sign in with your Intune credentials.

2. Enter the command into the URL bar next to the GET dropdown to retrieve all the devices for a user, using the UPN: https://graph.microsoft.com/v1.0/users/user@contoso.com/ownedDevices

Response:

    {
      "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
      "value": [
        {
          "@odata.type": "#microsoft.graph.device",
          "id": "b100feed-ee04-4f43-b806-4607520e6283",
          "accountEnabled": true,
          "alternativeSecurityIds": [
            {
              "type": 2,
              "identityProvider": null,
              "key": "***"
            }
          ],
          "approximateLastSignInDateTime": "2016-08-03T00:09:54Z",
          "deviceId": "89eac41b-cd54-4a4b1-a890-4021dfd1df30",
          "deviceMetadata": null,
          "deviceVersion": 2,
          "displayName": "user_Android_8/3/2016_12:09 AM",
          "isCompliant": true,
          "isManaged": true,
          "onPremisesLastSyncDateTime": null,
          "onPremisesSyncEnabled": null,
          "operatingSystem": "Android",
          "operatingSystemVersion": "6.0.1",
          "physicalIds": [],
          "trustType": "Workplace"
        }
      ]
    }

3. We can see that the device is compliant from the “isCompliant” property. Another way to see the same data is to look it up using the deviceId: https://graph.microsoft.com/v1.0/devices/deviceId_<deviceGUID> 
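The check in step 3, applied to every device in an ownedDevices response: this Python example is added here and is not from the original post. The sample response is constructed, and the function name, the 30-day staleness threshold and the choice to treat a null isCompliant or isManaged as not passing are assumptions of the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an ownedDevices response (not real tenant data).
SAMPLE_RESPONSE = json.dumps({"value": [
    {"@odata.type": "#microsoft.graph.device", "deviceId": "00000000-0000-0000-0000-000000000001",
     "displayName": "user_Android", "isCompliant": True, "isManaged": True,
     "approximateLastSignInDateTime": "2016-08-03T00:09:54Z"},
    {"@odata.type": "#microsoft.graph.device", "deviceId": "00000000-0000-0000-0000-000000000002",
     "displayName": "user_Windows", "isCompliant": None, "isManaged": None,
     "approximateLastSignInDateTime": None},
    {"@odata.type": "#microsoft.graph.device", "deviceId": "00000000-0000-0000-0000-000000000003",
     "displayName": "user_iPhone", "isCompliant": False, "isManaged": True,
     "approximateLastSignInDateTime": "2016-05-01T10:00:00Z"},
]})


def triage_devices(response_text, now, stale_after_days=30):
    """Return {deviceId: [findings]} for devices that need attention."""
    findings = {}
    for obj in json.loads(response_text).get("value", []):
        # ownedDevices returns directoryObjects; only device objects carry these fields.
        if obj.get("@odata.type") != "#microsoft.graph.device":
            continue
        issues = []
        # Assumption: a null or missing flag means unknown, so only an explicit true passes.
        if obj.get("isManaged") is not True:
            issues.append("not managed")
        if obj.get("isCompliant") is not True:
            issues.append("not compliant")
        last_seen = obj.get("approximateLastSignInDateTime")
        if last_seen is None:
            issues.append("no sign-in recorded")
        else:
            seen = datetime.strptime(last_seen, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            if now - seen > timedelta(days=stale_after_days):
                issues.append("stale sign-in")
        if issues:
            findings[obj.get("deviceId")] = issues
    return findings


if __name__ == "__main__":
    as_of = datetime(2016, 8, 10, tzinfo=timezone.utc)  # fixed date so the output is repeatable
    for device_id, issues in triage_devices(SAMPLE_RESPONSE, as_of).items():
        print(device_id, ", ".join(issues))
```

To use it on real data, paste the JSON body returned by Graph Explorer into a file and pass its contents as response_text with the current UTC time as now.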

 

Iain Greer

Service Engineer

 

 


Comments (2)

  1. Alex Mrynsky says:

    Is it also possible to enroll, configure or retire devices using this API?
    Thanks in advance
