Introduction

The Microsoft Graph Microsoft Graph enables you to access all your data and intelligence in Microsoft 365, Windows, and Enterprise Mobility + Security. Available under one single endpoint: https://graph.microsoft.com you can call Microsoft Graph from your REST APIs or SDKs. Through Graph it is possible to build own experiences and services in the Microsoft sphere.

This blog post will give a brief overview of Microsoft Graph, combining features from Graph Explorer and Powershell to import and export Intune profiles as this is a likely usecase.

Prerequisites

First, you should sign in to your tenant at the top right in Graph Explorer. There are a tremendous amount of permissions, that grant access to the data in your tenant. Graph permissions reference It is also quite useful to Understand application management > consents in terms of security.

Microsoft Graph will register an Enterprise Application in Azure AD, this is how the connection and access is established, controlled and monitored.
graph-enterprise-application


Graph Explorer

Graph Explorer is a web-based application to interact with Graph in an easy, lightweight and powerful way. In summary it consists of:

  • HTTP request methods - create, read, update and delete operations (CRUD)
  • Graph request resource URL https://graph.microsoft.com/{version}/{resource}?[query_parameters]
  • Request
    • Request body = JSON contents of the query
    • Request headers = context and metadata to the query
    • Modify permissions (preview) = Graph API permissions to fetch tenant data
    • Access token = authentication for the application to the Graph API
  • Request
    • Response preview = JSON response
    • Response headers = context of the response
    • Code snippets = similar code snippets in other languages (CSharp, JavaScript, Java, Go, PowerShell)
  • Sample queries

graph-explorer-overview

As you can see in this example, I did run a query that yields my user information. This was a GET operation, specified to https://graph.microsoft.com/v1.0/me (Graph request URL), no additional request body or headers. The response is in JSON format.

This is a list of all device configuration Graph URL request returns. For Intune profiles, the most important are:

Profile type Graph request URL
Settings Catalog https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
Configuration profiles from templates https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
Enrollment settings (global) https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations
Endpoint Security https://graph.microsoft.com/beta/deviceManagement/intents
Compliance policies https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies
Powershell scripts https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts
Proactive remediation https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts

Import/Export an Intune profile

Let's get started with some hands-on experience with Graph. I will now explain how to export and import an Intune configuration profile with all its settings through Graph Explorer and Powershell.

Graph Explorer

Export the profile

It is a little bit tricky to export Intune profiles, I would recommend to find the payload with Dev tools. You can use any browser and activate the Dev Tools (usually with F12). Now choose any Intune configuration profile, edit the configuration settings and save it afterwards. (You don't need to actually edit anything)

intune-edit-policy-sample-1

Simultaneously you have the Dev Tools opened and choose "Network". You can start and stop the recording of Dev Tools with the red marked button to only track the activity when you performed your action. (when you clicked "Review and save")

Next, look for an entry named "ConfigurationPolicies" and verify if this entry has a "payload" section. There you can do a right-click and "view source".

dev-tools-payload-view-source-1

Now you can copy the unformatted, cleartext JSON of the Intune configuration. In here we can find all metadata and payload, respectively configured settings in the profile. Of course you can modify everything or use this in an automation process.

dev-tools-clear-text-policy

Pro tip: format the payload in Visual Studio Code with ALT + SHIFT + F

Import the profile

To import the profile, you open the Graph Explorer and do the following:

Alright, click on "Run query" and the result gets displayed in the response preview. If anything didn't work, you will recieve an error output. (usually wrong request URL, insufficient permissions or syntax errors in the request body)

graph-explorer-post-settingsprofile

This is it! Now the profile was successfully created with all its settings through Graph API and is also visible in the Endpoint Manager Admin center.

intune-new-policy-through-graph-explorer


Powershell

Export the profile

This is a similar procedure like before; edit and save any Intune profile.

intune-edit-policy-sample-3

Search again for a "ConfigurationPolicy" entry in the "Network" tab and ensure the entry has a payload.

Now this is the trick: right-click on the entry and select "Copy">"Copy as PowerShell".

graph-explorer-copy-as-powershell

Pro tip: use the Graph X-Ray extension for Microsoft Edge for finding Graph requests translated to Powershell

Import the profile

What we then have is PowerShell code that would do the exact same thing as the Dev Tools activity recorded. But we have to do a few adjustments:

  • Change Invoke-WebRequest to Invoke-RestMethod
  • Change the method from PUT to POST
  • Delete the profile ID from the Graph request URL
  • Replace the authorization token (as described below)

Before

powershell-import-adjustments

After

powershell-import-successful

Get an authorization token

Option 1 (recommended): Graph Explorer Access token
The access/authorization token is always fully displayed in Graph Explorer, there you can copy it.

graph-explorer-access-token

Option 2: Dev Tools trick
You could also sign in to any Microsoft service, have the Dev Tools opened and look for a "telemetry" entry in the "Network" tab.

dev-tools-authorization-token

You can then run it and it should work and create a new profile in Intune:

intune-new-policy-through-powershell


Sources and more

This post was inspired by the following sources:

You’ve successfully subscribed to Oceanleaf
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Your link has expired
Success! Check your email for magic link to sign-in.