Intune – Connect MSGraph using PowerShell

In this article, I show how to connect to Intune from PowerShell using credentials stored in the registry, and walk through a sample script that lists the Azure AD groups assigned to volume-purchased (VPP) iOS apps.

Section 1: Storing Credentials in the registry

Storing the credential this way is a reasonably safe and convenient approach for connecting to the various Azure modules, such as Exchange Online, SharePoint Online, Azure AD, AzureRm and Azure Automation: ConvertFrom-SecureString (used without -Key) protects the password with DPAPI under the current user's profile, so the stored value can only be turned back into a SecureString by the same Windows account, which is why the retrieval step must run as that user.

Step 1: Store the credentials in the registry

Copy the script below into Notepad, save it as a .ps1 file and run it from an elevated PowerShell; the output will look like the screenshot below.

# Creates a key for the application name under HKCU

$OrgName = Read-Host "Enter Organization or Application Name"
Write-Host -ForegroundColor Green "Storing $OrgName as $($OrgName.Replace(' ',''))"
$OrgName = $OrgName.Replace(" ","")
If (!(Test-Path "HKCU:\Software\$OrgName\Credentials"))
    {
    Try
        {
        Write-Host -ForegroundColor Red "Credentials Path Not Found."
        New-Item -Path "HKCU:\Software\$OrgName" -Name "Credentials" -Force
        }
    Catch [System.Exception]
        {
        Write-Host -ForegroundColor Red "Unable to create path."
        }
    }

# Get the credential from the UI; the password is converted to a DPAPI-protected string

$secureCredential = Get-Credential -Message "Enter service account credential in DOMAIN\Username or Username@Domain.com format."
$credentialName = Read-Host "Enter a name for this credential"
$securePasswordString = $secureCredential.Password | ConvertFrom-SecureString
$userNameString = $secureCredential.UserName

# Save the user name and the protected password string under the registry key below

Write-Host -ForegroundColor Green "Storing credential '$userNameString' under HKCU:\Software\$OrgName\Credentials\$credentialName."

New-Item -Path "HKCU:\Software\$OrgName\Credentials\$credentialName"
New-ItemProperty -Path "HKCU:\Software\$OrgName\Credentials\$credentialName" -PropertyType String -Name UserName -Value $userNameString
New-ItemProperty -Path "HKCU:\Software\$OrgName\Credentials\$credentialName" -PropertyType String -Name Password -Value $securePasswordString

Write-Host "To retrieve this credential, you must be logged in as the current user and copy/paste this"
Write-Host "into the credential area of your PowerShell script, referencing your credential as" '$credential'":"
Write-Host `n
Write-Host -ForegroundColor Yellow "     " '$secureCredUserName' "= (Get-ItemProperty -Path HKCU:\Software\$OrgName\Credentials\$credentialName).UserName"
Write-Host -ForegroundColor Yellow "     " '$secureCredPassword' "= (Get-ItemProperty -Path HKCU:\Software\$OrgName\Credentials\$credentialName).Password"
Write-Host -ForegroundColor Yellow "     " '$securePassword' "= ConvertTo-SecureString" '$secureCredPassword'
Write-Host -ForegroundColor Yellow "     " '$credential' "= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList" '$secureCredUserName, $securePassword'

Step 2: Install the Intune PowerShell SDK

Ref: https://github.com/Microsoft/Intune-PowerShell-SDK/

Install-Module -Name Microsoft.Graph.Intune

Step 3: An admin user must consent to this app being used in the organization. This is done with the following command:

Connect-MSGraph -AdminConsent

Step 4: Connect to Intune using the credentials stored above.

$secureCredUserName = (Get-ItemProperty -Path HKCU:\Software\contoso\Credentials\ContosoAppServiceCredential).UserName
$secureCredPassword = (Get-ItemProperty -Path HKCU:\Software\contoso\Credentials\ContosoAppServiceCredential).Password
$securePassword = ConvertTo-SecureString $secureCredPassword

$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $secureCredUserName, $securePassword

Connect-MSGraph -PSCredential $credential

Remember that the step 1 script printed four lines (visible in the output screenshot above); copy them into the script from which you connect to Intune, as shown here with the contoso example.
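As an added example (not part of the original post), here is the retrieval step from those four lines wrapped in a function with error handling, followed by a self-check that stores a constructed throw-away credential under a scratch key and reads it back. The function name Get-RegistryStoredCredential, the ScratchTest organization name and the demo user name and password are assumptions for the demo; the registry layout is the one the step 1 script creates. Because ConvertFrom-SecureString without -Key uses DPAPI, ConvertTo-SecureString fails (typically with "Key not valid for use in specified state") if the value was written by a different Windows account or copied from another machine; the function reports that case instead of handing an empty credential to Connect-MSGraph, which matters here because -PSCredential sends a plain username and password and therefore only works for accounts without MFA.

```powershell
# Added example: read back a credential stored by the step 1 script.
# Registry layout is the article's: HKCU:\Software\<OrgName>\Credentials\<Name>
function Get-RegistryStoredCredential {
    param(
        [Parameter(Mandatory)][string]$OrgName,
        [Parameter(Mandatory)][string]$CredentialName
    )
    $keyPath = "HKCU:\Software\$OrgName\Credentials\$CredentialName"
    if (-not (Test-Path $keyPath)) {
        throw "No stored credential at $keyPath"
    }
    $item = Get-ItemProperty -Path $keyPath
    try {
        # Without -Key this reverses the DPAPI protection applied by ConvertFrom-SecureString,
        # which only succeeds for the Windows account that stored the value.
        $securePassword = ConvertTo-SecureString $item.Password -ErrorAction Stop
    }
    catch {
        throw "Stored password for '$($item.UserName)' cannot be decrypted by this account: $($_.Exception.Message)"
    }
    New-Object System.Management.Automation.PSCredential ($item.UserName, $securePassword)
}

# Self-check with a constructed credential under a scratch key (assumed names, not real secrets).
$testOrg      = "ScratchTest"
$testName     = "DemoCredential"
$testKey      = "HKCU:\Software\$testOrg\Credentials\$testName"
$testUser     = "svc-demo@contoso.example"
$testPassword = "Dummy-Pa55word-NotReal"

New-Item -Path $testKey -Force | Out-Null
New-ItemProperty -Path $testKey -Name UserName -PropertyType String -Value $testUser -Force | Out-Null
$protected = ConvertTo-SecureString $testPassword -AsPlainText -Force | ConvertFrom-SecureString
New-ItemProperty -Path $testKey -Name Password -PropertyType String -Value $protected -Force | Out-Null

$cred = Get-RegistryStoredCredential -OrgName $testOrg -CredentialName $testName
# The round trip must give back the same plain text when run as the account that stored it
if ($cred.GetNetworkCredential().Password -ne $testPassword) { throw "round trip failed" }
Write-Host "Round trip OK for $($cred.UserName)"

# On Windows the stored string is a hex-encoded DPAPI blob whose header is the DPAPI version
# and provider GUID; a value encrypted with an explicit -Key would not start this way.
$isDpapi = $protected.StartsWith("01000000d08c9ddf0115d1118c7a00c04fc297eb")
Write-Host "Account-bound (DPAPI) value: $isDpapi"

Remove-Item -Path "HKCU:\Software\$testOrg" -Recurse -Force   # clean up the scratch key

# Real use with the article's contoso example:
#   $credential = Get-RegistryStoredCredential -OrgName contoso -CredentialName ContosoAppServiceCredential
#   Connect-MSGraph -PSCredential $credential
```

Run the block as the same user that ran the step 1 script; the DPAPI check is a quick way to confirm a registry value is bound to that account rather than portable.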

Microsoft's PowerShell sample scripts for Intune show how to access other Intune service resources.

Sample script to find the Azure AD groups assigned to iOS VPP apps. In this sample I have included Outlook, OneDrive, Teams and SharePoint. No input is needed: connect to MS Graph before running the script, and the output will look like the screenshot below.

Here is the script to find groups that are assigned to VPP Apps (Outlook, OneDrive, Teams and Sharepoint)

# Create the output folder if it does not exist; Export-Csv creates the file itself
$TestPath = "C:\temp\test.csv"
$folder = "C:\temp"

if (-not (Test-Path $folder.Trim())) {
    New-Item -Path $folder -ItemType Directory | Out-Null
}

# Date stamp recorded in each row of the report
$ReportedDate = Get-Date -Format g

# Get the volume purchased (iOS VPP) app IDs
$VppApps = Get-IntuneMobileApp | Where-Object { $_.'@odata.type' -eq "#microsoft.graph.iosVppApp" }

$Outlook    = $VppApps | Where-Object { $_.displayName -like "Microsoft Outlook" }    | Select-Object '@odata.type', id, displayName
$OneDrive   = $VppApps | Where-Object { $_.displayName -like "Microsoft OneDrive" }   | Select-Object '@odata.type', id, displayName
$Teams      = $VppApps | Where-Object { $_.displayName -like "Microsoft Teams" }      | Select-Object '@odata.type', id, displayName
$Sharepoint = $VppApps | Where-Object { $_.displayName -like "Microsoft Sharepoint" } | Select-Object '@odata.type', id, displayName
$PowerBI    = $VppApps | Where-Object { $_.displayName -like "Microsoft Power*" }     | Select-Object '@odata.type', id, displayName

# App assignments (each app is queried with its own id)
$AppAssignsOutlook    = Get-IntuneMobileAppAssignment -mobileAppId $Outlook.id
$AppAssignsTeams      = Get-IntuneMobileAppAssignment -mobileAppId $Teams.id
$AppAssignsSharePoint = Get-IntuneMobileAppAssignment -mobileAppId $Sharepoint.id
$AppAssignsOneDrive   = Get-IntuneMobileAppAssignment -mobileAppId $OneDrive.id
$AppAssignsBI         = Get-IntuneMobileAppAssignment -mobileAppId $PowerBI.id

# Write one CSV row per assignment: target group, assignment intent and licensing mode
function Export-AppAssignments {
    param($Assignments, [string]$AppName)

    foreach ($AppAssign in $Assignments) {
        $AssignedGroup = $AppAssign.target.groupId
        if ($AssignedGroup) {
            $GroupName = (Get-AADGroup -groupId $AssignedGroup).displayName
        }
        else {
            # "All users" / "All devices" targets carry no groupId; record the target type instead
            $GroupName = $AppAssign.target.'@odata.type'
        }

        $Properties = [ordered]@{
            ReportedDate    = $ReportedDate
            AssignType      = $AppAssign.intent
            AppName         = $AppName
            DeviceLicensing = $AppAssign.settings.useDeviceLicensing
            GroupName       = $GroupName
        }
        New-Object psobject -Property $Properties | Export-Csv -Path $TestPath -Append -NoTypeInformation
    }
}

# Outlook, Teams, SharePoint, OneDrive and Power BI assignment groups
Export-AppAssignments -Assignments $AppAssignsOutlook    -AppName "Microsoft Outlook for iOS"
Export-AppAssignments -Assignments $AppAssignsTeams      -AppName "Microsoft Teams for iOS"
Export-AppAssignments -Assignments $AppAssignsSharePoint -AppName "Microsoft SharePoint for iOS"
Export-AppAssignments -Assignments $AppAssignsOneDrive   -AppName "Microsoft OneDrive for iOS"
Export-AppAssignments -Assignments $AppAssignsBI         -AppName "Microsoft PowerBi for iOS"
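As an added example that goes beyond the fixed app list above (it is not the article's own code), here is a function that enumerates every iOS VPP app in the tenant, emits one object per assignment, resolves group names through a small cache so each group is looked up once, labels the tenant-wide targets (all users, all devices, exclusion groups) that carry no groupId instead of failing on them, and reports apps with no assignment at all, since those are licenses nobody can use. The function name Get-VppAppAssignmentReport and the output file name are assumptions; the cmdlets are the SDK ones used above, and the target type strings are the Graph assignment target types. It requires Connect-MSGraph to have been run first.

```powershell
# Added example: assignment report for every iOS VPP app, not just a named few.
function Get-VppAppAssignmentReport {
    param([string]$ReportedDate = (Get-Date -Format g))

    $groupNameCache = @{}   # groupId -> displayName, so each group is resolved once

    $vppApps = Get-IntuneMobileApp |
        Where-Object { $_.'@odata.type' -eq "#microsoft.graph.iosVppApp" }

    foreach ($app in $vppApps) {
        $assignments = @(Get-IntuneMobileAppAssignment -mobileAppId $app.id)

        # An app with no assignment consumes VPP licenses that no user or device can claim
        if ($assignments.Count -eq 0) {
            [pscustomobject]@{
                ReportedDate = $ReportedDate; AppName = $app.displayName; AppId = $app.id
                TargetKind = "Unassigned"; GroupName = $null; AssignType = $null; DeviceLicensing = $null
            }
            continue
        }

        foreach ($assignment in $assignments) {
            $target = $assignment.target

            # Only the two group-based target types carry a groupId; the others are tenant-wide
            switch ($target.'@odata.type') {
                "#microsoft.graph.groupAssignmentTarget"            { $targetKind = "Group" }
                "#microsoft.graph.exclusionGroupAssignmentTarget"   { $targetKind = "ExcludedGroup" }
                "#microsoft.graph.allLicensedUsersAssignmentTarget" { $targetKind = "AllUsers" }
                "#microsoft.graph.allDevicesAssignmentTarget"       { $targetKind = "AllDevices" }
                default                                             { $targetKind = $target.'@odata.type' }
            }

            $groupName = $null
            $groupId = $target.groupId
            if ($groupId) {
                if (-not $groupNameCache.ContainsKey($groupId)) {
                    $groupNameCache[$groupId] = (Get-AADGroup -groupId $groupId).displayName
                }
                $groupName = $groupNameCache[$groupId]
            }

            [pscustomobject]@{
                ReportedDate    = $ReportedDate
                AppName         = $app.displayName
                AppId           = $app.id
                TargetKind      = $targetKind
                GroupName       = $groupName
                AssignType      = $assignment.intent
                DeviceLicensing = $assignment.settings.useDeviceLicensing
            }
        }
    }
}

# Usage: full report to CSV (assumed path), plus a quick on-screen view of anything
# that is unassigned or targeted at the whole tenant.
$report = Get-VppAppAssignmentReport
$report | Export-Csv -Path "C:\temp\vpp-assignments.csv" -NoTypeInformation
$report | Where-Object { $_.TargetKind -in "Unassigned", "AllUsers", "AllDevices" } |
    Format-Table AppName, TargetKind, AssignType, DeviceLicensing -AutoSize
```

Returning objects rather than writing CSV rows inside the loop keeps the function reusable: the same output can be exported, filtered for review, or compared between runs to spot assignment changes.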



Published by sujithcy