Nov 14, 2023

Microsoft Intune Management - Connect securely to Intune with Microsoft Graph and PowerShell!

 

Dear Microsoft Intune friends,

 

In this article I will show you how to create a "secure" connection to Microsoft Intune with Microsoft Graph and PowerShell! 

 

In this example, we use an app registration in Microsoft Entra ID and a certificate created on the local machine.

 

Create and export the certificate.

 

I use Visual Studio Code and PowerShell 7.
 
# Name used for the certificate subject (CN) and for the exported file.
$certName = 'IntuneGraphAppCert'

# Create a 2048-bit RSA signing certificate in the current user's personal store, valid for one year.
$cert = New-SelfSignedCertificate -Subject "CN=$certName" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(1)

# Export only the public certificate (.cer, no private key); the folder C:\certs must already exist.
Export-Certificate -Cert $cert -FilePath "C:\certs\$certName.cer"

 

Note: The certificate is created in the local (current user) certificate store, and its public part is exported as a .cer file to the folder C:\certs. The certificate is valid for one year.

 

Create an app registration in Microsoft Azure AD.

 

1. Go to the Azure portal and create a new app registration in Azure AD.

 

2. Give the app a name and notice the following.

 

4. Go to API permissions and add the permissions the app needs (those shown here serve only as an example).

 

5. Do not forget to grant admin consent.

 

6. Go to Certificates & secrets and upload the exported .cer file.

 

Back in Visual Studio Code and PowerShell!
 
1. Install the Microsoft.Graph module.
Install-Module -Name Microsoft.Graph -Verbose -Force -AllowClobber
 
2. Import the Microsoft.Graph module.
Import-Module Microsoft.Graph
 
3. Create some variables.
$TenantId = '77e01716-a6a2-4f99-b864-xxxxxxxxxxxx'   # Directory (tenant) ID of the app registration
$AppId = '5c14b994-2290-4f84-9069-xxxxxxxxxxxx'      # Application (client) ID of the app registration
$certName = 'IntuneGraphAppCert'

# Pick the certificate (including its private key) from the store by its subject.
$Cert = Get-ChildItem -Path 'Cert:\CurrentUser\My' | Where-Object { $_.Subject -eq "CN=$certName" }

 

4. Connect to Microsoft Graph.
Connect-MgGraph -TenantId $TenantId -ClientId $AppId -Certificate $Cert

 

5. Check the permissions granted to the connection.
(Get-MgContext).Scopes
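As an added example that is not part of Tom's post, the function below wraps steps 3 to 5 with the checks an admin wants before trusting the session: it selects the certificate by thumbprint instead of subject (so an old and a renewed certificate with the same CN cannot be confused), refuses to connect if the private key is missing or the certificate is about to expire, and fails if the app-only context does not carry the expected Graph permissions. The tenant ID, client ID, thumbprint and the required permission name are placeholders.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module is installed
# and that a certificate with a private key is present in Cert:\CurrentUser\My or Cert:\LocalMachine\My.
function Connect-IntuneGraphApp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $Thumbprint,   # pin the exact certificate, not just its CN
        [string[]] $RequiredScopes = @('DeviceManagementManagedDevices.Read.All'),  # placeholder permission
        [int] $MinDaysValid = 30
    )

    # Search both stores so the same script works on an admin workstation and on a server.
    $cert = Get-ChildItem -Path 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My' -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    if (-not $cert) { throw "Certificate with thumbprint $Thumbprint not found." }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; only the public .cer is present here." }

    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt $MinDaysValid) {
        throw "Certificate expires in $daysLeft day(s); renew it and upload the new .cer to the app registration first."
    }

    Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -Certificate $cert -ErrorAction Stop

    $ctx = Get-MgContext
    if ($ctx.AuthType -ne 'AppOnly') { Disconnect-MgGraph; throw "Expected app-only auth, got $($ctx.AuthType)." }

    # Application permissions granted with admin consent appear as roles in the context's Scopes.
    $missing = $RequiredScopes | Where-Object { $_ -notin $ctx.Scopes }
    if ($missing) {
        Disconnect-MgGraph
        throw "App registration is missing permission(s): $($missing -join ', '). Check API permissions and admin consent."
    }
    return $ctx
}

# Usage with placeholder values:
$ctx = Connect-IntuneGraphApp -TenantId '<tenant-id>' -ClientId '<app-client-id>' -Thumbprint '<cert-thumbprint>'
"Connected to tenant $($ctx.TenantId) as app $($ctx.ClientId) with: $($ctx.Scopes -join ', ')"
```

Because the script fails closed on an expired certificate or a missing permission, a scheduled job built on it stops with a clear message instead of running half-privileged against the tenant.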
 
HAPPY CONNECTING!!
 
I am fully aware that this is only as good as the physical machine is secured. However, I would like to share my experiences with you. Thank you for taking the time to read the article.
 

Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler

    LosFla
    Copper Contributor

    Nice and secure way to connect.

    This created self-signed certificate is only valid for one device, right?

    Is there a way to have a solution which can be used from multiple devices in the environment?

    With this solution I have to create a self-signed certificate for each device and upload the public key to the app registration. If I have, e.g., 9000 devices, do I have to upload 9000 public keys?

      Joe Loveless
      Copper Contributor

      Should just be a matter of distributing the cert to your devices rather than having 9000 certs.

      RajkumarRR
      Copper Contributor

      I hope that here in this article, Intune management for administrative activities/operations is explained for a limited number of devices (one or two), so it's not required to have such a huge number of devices.
