Automate Intune – the hidden APIs of Azure

Automate Intune – the hidden APIs of Azure

With the Microsoft.Graph.Intune PowerShell module you get over 900 commands and you could also do Invoke-MSGraphRequest to utilize the complete Microsoft Graph REST API.

But if you have played a bit with Graph API you probably have noticed that there are some functionality you miss, like device settings in Azure AD, MDM settings in Azure AD and Conditional Access in Intune.

Did you know that every time you hit submit in Azure, you actually call an API. We have Graph API, but there are also other APIs.

If you use developer mode in Chrome or a tool like Fiddler you can take a peek at what’s going on beyond the surface.

Here we can see that the URL are being called
If we scroll down to “Request Payload” and choose “view source” we get the request that was sent to the API

So, how could we use this in our automation? How do we connect to this API?

There is a way, but using this API are UNSUPPORTED – USE AT OWN RISK.
On the other side, we are not doing anything other then you do when you click around in the portal

Jos Lieben has found a way to connect to this API
To get an auth token, run the following script

$context = Get-AzureRmContext
$tenantId = $context.Tenant.Id
$refreshToken = $context.TokenCache.ReadItems().RefreshToken
$body = "grant_type=refresh_token&refresh_token=$($refreshToken)&resource=74658136-14ec-4630-ad9b-26e160ff0fc6"
$apiToken = Invoke-RestMethod "$tenantId/oauth2/token" -Method POST -Body $body -ContentType 'application/x-www-form-urlencoded'
$header = @{
'Authorization' = 'Bearer ' + $apiToken.access_token
'Content-Type' = 'application/json'
    'X-Requested-With'= 'XMLHttpRequest'
    'x-ms-client-request-id'= [guid]::NewGuid()
    'x-ms-correlation-id' = [guid]::NewGuid()

after getting the auth token we use the information gathered in developer mode to create commands like this one, Azure AD Device Settings :

$url = ""
$contentpart1 = '{"isEnabled":true,"deviceJoinAzureADSetting":1,"additionalAdminsForDevicesSetting":2,"deviceRegisterAzureADSetting":0,"requireMfaSetting":true,"maxDeviceNumberPerUserSetting":100,"deviceJoinAzureADIsAdminConfigurable":true,"additionalAdminsForDevicesIsAdminConfigurable":true,"deviceRegisterAzureADIsAdminConfigurable":false,"deviceJoinAzureADSelectedUsers":[{"id":"'
$contentpart2 = '","email":null,"displayName":"Group1","type":2,"hasThumbnail":false,"imageUrl":null}],"additionalAdminsForDevicesSelectedUsers":[]}'
$content = $contentpart1 + $groupid + $contentpart2
Invoke-RestMethod –Uri $url –Headers $header –Method PUT -Body $content -ErrorAction Stop


  1. […] Jens Tore Fremmegaard – Automate Intune – the hidden APIs of Azure […]

  2. Jos Lieben 09/04/2020 at 21:26 - Reply

    Thanks for the mention Jens 😉 For anyone reading above, if you want to do the above with an MFA enabled account:

Leave A Comment