Blog Post

Intune Customer Success
8 MIN READ

Support Tip: Getting Started with Microsoft Graph API

J.C. Hornbeck's avatar
J.C. Hornbeck
Iron Contributor
Mar 11, 2019
Hello everyone, today we have another post from Intune Support Escalation Engineer Mihai Lucian Androne. In this post, Mihai walks us through the concepts of Microsoft Graph API, shares how to get th...
Updated Mar 11, 2019
Version 3.0
MihaiLA's avatar
MihaiLA
Copper Contributor
Mar 12, 2019

EmilyLee1119 ,

 

Thanks for getting back to us!

The way I arranged the content, I am trying to start with a general perspective over Graph and then easily add more details that can help when we want to create a new application(using any programing language) from scratch and at the same time, present a more friendly alternative for our PowerShell savvy out there: https://github.com/microsoftgraph/powershell-intune-samples

 

When you use one of the PS sample from GitHub, you don't need to create a new application, thus you don't need to add new permissions to access the Intune resources. If you run for the first time one of these PS scripts, I would expect the following message to appear when you authenticate:

You can see that it already asks you to accept the permissions needed for Intune resources. If you tick the "Consent of behalf of your organization" , the application will get access to the specified resources for all the users within your organization. Next users will not be prompted with this message any more. Don't worry if you ticked that already, the directory permissions and RBAC roles still apply after the user signed in. Be aware that some of these are requesting Global Admin privileges. 

 

When you run any PS sample from GitHub, these are the permisions that you will need to grant:

"DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementRBAC.ReadWrite.All, DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All"

 

These permissions are all documented https://docs.microsoft.com/en-us/graph/permissions-reference#group-permissions 

 

$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547" refers to "Microsoft Intune PowerShell" application, you can see this name in the above screenshot. 

 

Yes, Intune PowerShell module is a good alternative and a more friendly one, depending on the scenario you are trying to achive.