Microsoft Intune Management - Connect securely to Intune with Microsoft Graph and PowerShell!


Dear Microsoft Intune friends,

 

In this article I will show you how to create a "secure" connection to Microsoft Intune with Microsoft Graph and PowerShell, using app-only (client credential) authentication with a certificate instead of a client secret.

 

In this example, we use an app registration in Microsoft Entra ID and a self-signed certificate created on the local machine. Only the public part of the certificate is uploaded to the app registration; the private key never leaves the local certificate store.

 

Create and export the certificate.

 

I use Visual Studio Code and PowerShell 7.
 
$certName = 'IntuneGraphAppCert'

# Create a self-signed RSA 2048 / SHA-256 signing certificate in the current user's personal store, valid for one year.
$cert = New-SelfSignedCertificate -Subject "CN=$certName" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256 -NotAfter (get-date).AddYears(1)

# Export only the public certificate (DER-encoded .cer); this is the file uploaded to the app registration.
Export-Certificate -Cert $cert -FilePath "C:\certs\$certName.cer"

 

Note: The certificate is created in the local certificate store (Cert:\CurrentUser\My) and its public part is exported to the folder C:\certs, which must already exist. The certificate is valid for one year, so plan to renew it and upload the new .cer before it expires. The -KeyExportPolicy Exportable setting is not required for Graph authentication; if you do not need to move the key to another machine, NonExportable is the safer choice because the private key can then not be exported as a PFX.

Example_1.png

 

Create an app registration in Microsoft Entra ID (formerly Azure AD).

 

1. Go to the Azure portal and create a new app registration in Microsoft Entra ID.

Example_2.png

 

2. Give the app a name and, on the Overview page, note the Application (client) ID and the Directory (tenant) ID. Both are needed later in the script.

Example_3.png

 

3. Go to API permissions and add the permissions the script needs (the ones in the screenshot serve only as an example). Because the connection is app-only, they must be Application permissions, not Delegated ones, and you should grant only the least-privileged set required for the task, for example read-only Intune permissions if the script only reads device data.

Example_4.png

 

4. Do not forget to grant admin consent; without it the token will not contain the roles and the Graph calls fail with an authorization error.

Example_5.png

 

5. Go to Certificates & secrets and upload the exported .cer file (public key only) under Certificates.

Example_6.png

 

Back in Visual Studio Code and PowerShell!
 
1. Install the Microsoft.Graph module. The meta-module pulls in all Graph sub-modules and is large; Microsoft.Graph.Authentication alone is enough for Connect-MgGraph.
Install-Module -Name Microsoft.Graph -Verbose -Force -AllowClobber
 
2. Import the Microsoft.Graph module.
Import-Module Microsoft.Graph
 
3. Create some variables.
$TenantId = '77e01716-a6a2-4f99-b864-xxxxxxxxxxxx'
$AppId = '5c14b994-2290-4f84-9069-xxxxxxxxxxxx'
$certName = 'IntuneGraphAppCert'
 
# Pick exactly one matching certificate that still has its private key and has not expired.
# Connect-MgGraph -Certificate expects a single X509Certificate2, so a second cert with the same subject would otherwise break the call.
$Cert = Get-ChildItem -Path 'Cert:\CurrentUser\My' | Where-Object { $_.Subject -eq "CN=$certName" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } | Sort-Object NotAfter -Descending | Select-Object -First 1

 

4. Connect to Microsoft Graph.
Connect-MgGraph -TenantId $TenantId -ClientId $AppId -Certificate $Cert

 

5. We check the permissions. Scopes lists the application permissions (roles) in the token; if a permission you granted is missing, admin consent was not given.
(Get-MgContext).Scopes

Example_7.png
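The steps above put together as one script, as an added example that is not part of the original article. It differs from the article in three places a practitioner usually wants: the private key is created as NonExportable, the certificate is selected by thumbprint, and the script verifies that it really got an app-only token with the expected permission before calling Intune. The tenant ID, app ID, the expected permission (DeviceManagementManagedDevices.Read.All) and the sample device query are assumptions and must be replaced with your own values.

```powershell
# Added example (not the article's own code): app-only connection to Intune with a non-exportable certificate.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement

$TenantId  = '00000000-0000-0000-0000-000000000000'  # assumption: replace with your Directory (tenant) ID
$AppId     = '00000000-0000-0000-0000-000000000000'  # assumption: replace with your Application (client) ID
$certName  = 'IntuneGraphAppCert'
$exportDir = 'C:\certs'                                # only the public .cer is written here

# 1. Reuse an existing, unexpired certificate that still has its private key; create one if none exists.
$cert = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
    Where-Object { $_.Subject -eq "CN=$certName" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    # NonExportable: the private key cannot be exported as a PFX and is only usable by this user on this machine.
    $cert = New-SelfSignedCertificate -Subject "CN=$certName" `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyExportPolicy NonExportable `
        -KeySpec Signature -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -NotAfter (Get-Date).AddYears(1)

    New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
    # Export-Certificate writes the DER-encoded public certificate only; upload it under Certificates & secrets.
    Export-Certificate -Cert $cert -FilePath (Join-Path $exportDir "$certName.cer") | Out-Null
    Write-Host "Created certificate $($cert.Thumbprint). Upload $exportDir\$certName.cer to the app registration, then re-run."
    return
}

# 2. Connect app-only. Selecting by thumbprint avoids picking up another certificate with the same subject.
Connect-MgGraph -TenantId $TenantId -ClientId $AppId -CertificateThumbprint $cert.Thumbprint -NoWelcome

# 3. Verify the token: it must be app-only and must carry the application permission we rely on.
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly') {
    throw "Expected an app-only (client credential) context, got '$($ctx.AuthType)'."
}
$expected = @('DeviceManagementManagedDevices.Read.All')   # assumption: the permission granted in step 3 above
$missing  = $expected | Where-Object { $_ -notin $ctx.Scopes }
if ($missing) {
    throw "Admin consent is missing for: $($missing -join ', '). Granted: $($ctx.Scopes -join ', ')"
}

# 4. A read-only Intune call that needs nothing beyond the permission checked above.
Get-MgDeviceManagementManagedDevice -Top 5 -Property deviceName,operatingSystem,complianceState,lastSyncDateTime |
    Select-Object DeviceName, OperatingSystem, ComplianceState, LastSyncDateTime |
    Format-Table -AutoSize

# 5. Drop the cached token from the session when done.
Disconnect-MgGraph | Out-Null
```

Run the script twice the first time: the first run creates and exports the certificate and stops so you can upload the .cer; the second run connects. If the permission check throws, look at the Granted list in the error: an empty list usually means admin consent was never given, a list with only delegated-looking names means the permissions were added as Delegated instead of Application.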
HAPPY CONNECTING!!
 
I am fully aware that this is only as good as the physical machine is secured. However, I would like to share my experiences with you. Thank you for taking the time to read the article.
 

Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler
