Introduction

Microsoft Graph enables you to access all your data and intelligence in Microsoft 365, Windows, and Enterprise Mobility + Security. It is available under one single endpoint, https://graph.microsoft.com, and you can call Microsoft Graph via its REST API or the SDKs. Through Graph it is possible to build your own experiences and services in the Microsoft ecosystem.

This blog post gives a brief overview of Microsoft Graph, combining features of Graph Explorer and PowerShell to import and export Intune profiles, as this is a likely use case.

Prerequisites

First, sign in to your tenant at the top right in Graph Explorer. There is a tremendous number of permissions that grant access to the data in your tenant; see the Graph permissions reference. It is also quite useful to understand application management and consents from a security perspective.

Microsoft Graph will register an Enterprise Application in Azure AD; this is how the connection and access are established, controlled and monitored.

[Screenshot: graph-enterprise-application]


Graph Explorer

Graph Explorer is a web-based application to interact with Graph in an easy, lightweight and powerful way. In summary it consists of:

  • HTTP request methods - create, read, update and delete operations (CRUD)
  • Graph request resource URL https://graph.microsoft.com/{version}/{resource}?[query_parameters]
  • Request
    • Request body = JSON contents of the query
    • Request headers = context and metadata to the query
    • Modify permissions (preview) = Graph API permissions to fetch tenant data
    • Access token = authentication for the application to the Graph API
  • Response
    • Response preview = JSON response
    • Response headers = context of the response
    • Code snippets = similar code snippets in other languages (CSharp, JavaScript, Java, Go, PowerShell)
  • Sample queries

[Screenshot: graph-explorer-overview]

As you can see in this example, I ran a query that yields my user information. This was a GET operation against https://graph.microsoft.com/v1.0/me (Graph request URL), with no additional request body or headers. The response is in JSON format.

The Graph documentation lists all device configuration Graph request URLs. For Intune profiles, the most important are:

Profile type                            Graph request URL
Settings Catalog                        https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
Configuration profiles from templates   https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
Enrollment settings (global)            https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations
Endpoint Security                       https://graph.microsoft.com/beta/deviceManagement/intents
Compliance policies                     https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies
PowerShell scripts                      https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts
Proactive remediation                   https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts

Import/Export an Intune profile

Let's get started with some hands-on experience with Graph. I will now explain how to export and import an Intune configuration profile with all its settings through Graph Explorer and PowerShell.

Graph Explorer

Export the profile

It is a little bit tricky to export Intune profiles; I would recommend finding the payload with the Dev Tools. You can use any browser and activate the Dev Tools (usually with F12). Now choose any Intune configuration profile, edit the configuration settings and save it afterwards. (You don't need to actually change anything.)

[Screenshot: intune-edit-policy-sample-1]

Keep the Dev Tools open at the same time and choose the "Network" tab. You can start and stop the recording with the button marked in red, so that only the activity of your action (clicking "Review and save") is tracked.

Next, look for an entry named "ConfigurationPolicies" and check whether this entry has a "payload" section. There you can right-click and choose "view source".

[Screenshot: dev-tools-payload-view-source-1]

Now you can copy the unformatted, cleartext JSON of the Intune configuration. It contains all metadata and the payload, i.e. the settings configured in the profile. Of course you can modify everything or use it in an automation process.

[Screenshot: dev-tools-clear-text-policy]

Pro tip: format the payload in Visual Studio Code with ALT + SHIFT + F

Import the profile

To import the profile, you open the Graph Explorer and do the following:

Alright, click on "Run query" and the result is displayed in the response preview. If anything didn't work, you will receive an error output (usually a wrong request URL, insufficient permissions or syntax errors in the request body).

[Screenshot: graph-explorer-post-settingsprofile]

This is it! The profile has now been created with all its settings through the Graph API and is also visible in the Endpoint Manager admin center.

[Screenshot: intune-new-policy-through-graph-explorer]


PowerShell

Export the profile

The procedure is similar to before: edit and save any Intune profile.

[Screenshot: intune-edit-policy-sample-3]

Search again for a "ConfigurationPolicy" entry in the "Network" tab and ensure the entry has a payload.

Now this is the trick: right-click on the entry and select "Copy" > "Copy as PowerShell".

[Screenshot: graph-explorer-copy-as-powershell]

Pro tip: use the Graph X-Ray extension for Microsoft Edge to find Graph requests translated to PowerShell

Import the profile

What we now have is PowerShell code that does exactly what the recorded Dev Tools activity did. But a few adjustments are needed:

  • Change Invoke-WebRequest to Invoke-RestMethod
  • Change the method from PUT to POST
  • Delete the profile ID from the Graph request URL
  • Replace the authorization token (as described below)
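As an added example (not code from the original post), the adjusted import as a reusable PowerShell function: it strips the server-generated properties from the exported JSON, POSTs the body with Invoke-RestMethod to the collection URL without the profile ID, and surfaces the JSON error Graph returns when the URL, permissions or body are wrong. The function name, the file path and the list of read-only properties are assumptions; the token is taken as a SecureString because a bearer token grants whoever holds it your Graph access until it expires.

```powershell
# Assumption: Graph rejects a POST that still carries these server-generated
# properties of a configurationPolicy; extend the list if Graph reports another one.
$ReadOnlyProps = @('id', 'createdDateTime', 'lastModifiedDateTime',
                   'settingCount', 'isAssigned', 'priorityMetaData')

function Import-IntuneSettingsCatalogPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $JsonPath,          # JSON copied from Dev Tools
        [Parameter(Mandatory)] [securestring] $AccessToken, # token copied from Graph Explorer
        [string] $NewName                                   # optional new profile name
    )

    $policy = Get-Content -Path $JsonPath -Raw | ConvertFrom-Json

    # Drop the properties only the server may set, otherwise the POST is rejected
    foreach ($p in $ReadOnlyProps) {
        if ($null -ne $policy.PSObject.Properties[$p]) {
            $policy.PSObject.Properties.Remove($p)
        }
    }
    if ($NewName) { $policy.name = $NewName }

    # The recorded request was a PUT to .../configurationPolicies/{id};
    # creating a new profile is a POST to the collection URL without the ID
    $uri     = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'
    $body    = $policy | ConvertTo-Json -Depth 20   # default depth truncates nested settings
    $plain   = [System.Net.NetworkCredential]::new('', $AccessToken).Password
    $headers = @{ Authorization = "Bearer $plain"; 'Content-Type' = 'application/json' }

    try {
        $created = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body
        Write-Host "Created profile '$($created.name)' with id $($created.id)"
        return $created
    }
    catch {
        # Graph answers with a JSON error body (wrong URL, missing permission, bad JSON);
        # ErrorDetails.Message carries that body, so show it instead of just the HTTP status
        throw "POST to $uri failed: $($_.Exception.Message) $($_.ErrorDetails.Message)"
    }
}

# Usage: paste the token at the prompt so it is never stored in the script or shell history
$token = Read-Host -Prompt 'Paste the Graph Explorer access token' -AsSecureString
Import-IntuneSettingsCatalogPolicy -JsonPath .\policy.json -AccessToken $token -NewName 'Copied via Graph'
```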

Before: [Screenshot: powershell-import-adjustments]

After: [Screenshot: powershell-import-successful]

Get an authorization token

Option 1 (recommended): Graph Explorer access token
The access/authorization token is always displayed in full in Graph Explorer, where you can copy it.

[Screenshot: graph-explorer-access-token]

Option 2: Dev Tools trick
You could also sign in to any Microsoft service, open the Dev Tools and look for a "telemetry" entry in the "Network" tab.

[Screenshot: dev-tools-authorization-token]

You can then run the script; it should create a new profile in Intune:

[Screenshot: intune-new-policy-through-powershell]


Sources and more

This post was inspired by the following sources:
