Let’s learn Intune Graph Query and Sample queries in the Starters Guide. Microsoft Graph Explorer is a web application that helps system admins and developers.
MEM Intune Graph query samples are given in this post to help troubleshoot, understand and build tools and PowerShell scripts. You can also create a list of Intune Graph queries using the tips explained in this post.
The Microsoft Graph Explorer and Graph query details in this post mainly focus on starters. How to start using Intune Graph API queries using Graph Explorer and how Graph API would be helpful for IT Pros in their day-to-day life.
Added some additional cool things to get PowerShell commands directly from the MEM Admin center portal. This is the Microsoft Graph X-Ray (from Merill and Team). I heard it from Ben Whitemore (MS MVP) and this amazing extension will give you the PowerShell commands when you navigate through MEM Intune Portal.
Read More -> Learn how to Create Intune Policy using Graph Explorer API POST HTTP Method.
One of the examples of the real-world use of Intune Graph explorer is explained in the following blog post (Configuring Intune Bitlocker grace period). The grace period scenario described in the blog post can’t be configured through the MEM Admin Center portal.
I have seen system admins and developers using Microsoft Graph explorer to build PowerShell scripts and community tools. Microsoft Graph Explorer is a web application hosted on the Microsoft Graph developer center. This is an open-source project from Microsoft!
Read More -> 63 Episodes Of Free Intune Training -> Endpoint Manager For Device Management Admins
What is Intune Graph Query?
Intune Graph Query is the API call used in Microsoft Graph explorer to fetch, change, remove, etc., the information from Intune services. Graph explorer is one of the ways to fetch, change, or remove the data/configurations from Intune services.
The following diagram provides a high-level overview of Microsoft Graph API. Understanding the data flow between the MEM Admin center portal, REST API, and Graph API is important.
This is a very high-level diagram shared by Microsoft a few years back. I have added the screenshot of the new MEM Admin center (Intune) portal.
Video Tutorial – Intune Graph API Sample Queries
Let’s check Video Tutorial – Intune Graph API Sample Queries.
Intune Graph API Query Structure
Using the REST API, you can also use PowerShell or another scripting/programming method to interact with Intune services. Let’s check sample API calls to manage Intune configuration using the Graph Explorer web application.
Let’s look at the Intune Graph API query structure in the screenshot below. You can check the structure of the following query in the list below.
https://graph.microsoft.com/beta/deviceManagement/managedDevices?$filter=(Notes eq 'bc3e5c73-e224-4e63-9b2b-0c36784b7e80')&$top=25&$skipToken=Skip='0'&$select=deviceName- Version = Beta or v1.0
- Resource = deviceManagement -> Devices Node (Intune Portal) or deviceAppManagement -> Apps Node (Intune Portal)
- ID = managedDevices or comanagementEligibleDevices or deviceConfigurations
- Query Parameter = ?$Filter or ?$select
Login to Graph Explorer
Let’s try login into Microsoft Graph Explorer. The Microsoft Graph API for Intune (MEM) requires an active Intune license for the tenant. The permissions and consents required to run Graph API queries must be reviewed.
Let’s follow the steps listed below to log in to Graph Explorer and run the Intune Graph queries. I recommend using the Microsoft Edge browser to perform the following step, but other supported browsers are also fine.
- Open the https://developer.microsoft.com/en-us/graph/graph-explorer
- Click on the button called Sign in to Graph Explorer.
- Enter the Intune administrator user name and password to log in.
After the successful login, you will be able to check the details of Intune details that you have permissions. You can also use some tricks mentioned in the below section to access Intune Graph API queries easily.
You can learn how the Graph API query works with the Sample Queries section, as I highlighted below. However, there are no Intune (MEM) specific sample queries in that section. But it’s a good resource to learn the generic Graph query formats.
How to Run Intune Graph Queries
Let’s learn how to run Intune Graph queries from the graph explorer web application. Let’s quickly look at the screenshot below to understand the different sections of Graph explorer.
There are five (5) different types of HTTP methods of queries available with Microsoft Graph. The methods help to determine what your request is doing. The API supports the following methods.
| Method | Description |
|---|---|
| GET | Read data from a resource. |
| POST | Create a new resource, or perform an action. |
| PATCH | Update a resource with new values. |
| PUT | Replace a resource with a new one. |
| DELETE | Remove a resource. |
In this post, I will be concentrating on the GET method. The GET queries are used to read and understand the data from Intune services. This is the first step of learning in Intune Graph API journey.
The Graph Explorer web interface is common for all Microsoft 365 technologies and other Microsoft solutions. This web interface for Graph explorer includes the following 5 elements. The last two elements are mainly for output or results purposes.
- HTTP verb drop-down list
- API version drop-down list
- Request query address bar
- Run Query button
- Sample Queries and documentation links
- Request Body/Request Header section for NON-GET commands
- Response Preview – Results Pane
Intune Graph Query – Device Management
Let’s check how to run Intune graph queries related to Device Management. There is a Graph API resource called deviceManagement in Graph API, and I’m going to use that to retreat some of the information.
I always try to use the beta version of the Graph API tool because that is the one MEM Admin Center portal also uses for most of the scenarios. Follow the steps below to get the Intune Account Number, and other details are given in the JSON below.
- Open the https://developer.microsoft.com/en-us/graph/graph-explorer
- Click on the button called Sign in to Graph Explorer.
- Enter the Intune administrator user name and password to log in.
- Select the GET method and Beta version from the drop-down (in the screenshot, I have selected v1.0)
- Enter the following Intune Graph query “Request Query Address Bar.”
- https://graph.microsoft.com/beta/deviceManagement
- Click on the Run Query button
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement",
"id": "deviceManagement",
"settings": null,
"maximumDepTokens": 100,
"intuneAccountId": "3853fc-ca4e-4w36-b620-78weq2ed39a",
"lastReportAggregationDateTime": "0001-01-01T00:00:00Z",
"deviceComplianceReportSummarizationDateTime": "2022-05-26T07:49:52.3066667Z",
"legacyPcManangementEnabled": false,
"unlicensedAdminstratorsEnabled": false
}
You can use the following resource ID called managedDevices to drill down to many details specific to each device, such as Intune Managed, Co-Managed, and ComanagementEligibleDevices.
You can also filter the results with different Intune Graph API query parameters such as $filter, $select, $top, etc. Let’s run the following Intune Graph query to get a list of all the devices in the tenant. I don’t run this query on the production tenants without any filters.
https://graph.microsoft.com/beta/deviceManagement/managedDevicesAs you see in the screenshot below, it gives a lot of information about each device in the tenant, and most of the time, this type of information is not very useful.
NOTE! – The Managed Devices won’t show the devices managed by SCCM (Tenant Attach).
How to Use Filters with Intune Graph API
Let’s see how to Use Filters with Intune Graph API. For example, if you want to see only the device names, not all the other properties of the device. You can try the following Intune Graph query with the $select option to show Device Names only.
https://graph.microsoft.com/beta/deviceManagement/managedDevices/?$select=deviceNameAs you can see in the screenshot below, the JSON result shows only the device name property for all the managed devices.
Th following Graph API query for Intune shows all the properties of the device mentioned in the query.
https://graph.microsoft.com/beta/deviceManagement/managedDevices/?$filter=(deviceName eq 'CPC-anoopb-L-DA')You can check the following query to get the SCCM Tenant Attach devices list from Intune service. These types of devices are not part of managed devices section; rather, it’s the comanagementEligibleDevices section in Graph API.
https://graph.microsoft.com/beta/deviceManagement/comanagementEligibleDevicesAs you can see in the screenshot below, the comanagement eligible device status is ineligible because it’s a server (check the operating system version).
The following Intune Graph API query gives you the details about the policies and Configuration profiles in Intune.
https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
I tried to test the following Intune Graph queries for Configuration Settings. However, I couldn’t make it work as expected. I would recommend trying these queries in staging or pre-prod environments first.
There are similar filter options (based on displayname of the configuration settings?) with policies and configuration settings or settings catalogs.
https://graph.microsoft.com/beta/deviceManagement/reusableSettings
https://graph.microsoft.com/beta/deviceManagement/complianceSettings
https://graph.microsoft.com/beta/deviceManagement/configurationSettings
https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/{deviceManagementConfigurationPolicyId}/settings/{deviceManagementConfigurationSettingId}/settingDefinitions
https://graph.microsoft.com/beta/deviceManagement/configurationPolicyTemplates/{deviceManagementConfigurationPolicyTemplateId}/settingTemplates/{deviceManagementConfigurationSettingTemplateId}/settingDefinitionsAdvanced Threat Protection Related Query is given below, and you can also use the following link to open this query from the browser directly.
https://graph.microsoft.com/beta/deviceManagement/advancedThreatProtectionOnboardingStateSummary/advancedThreatProtectionOnboardingDeviceSettingStates/Intune Graph Query – Device App Management
Let’s check Device App Management Intune Graph Query options. There are many Microsoft Graph API queries for Intune application management. I’m going to share the basics that will get you started with the Graph API query learning.
Like devices, you can query and fetch all the application details from Intune service using the Graph API query. I don’t recommend using this query without any filters in production. The output data of this query won’t be of much use.
https://graph.microsoft.com/beta/deviceAppManagement/mobileApps
You can use the following query to see only the display names of the applications in the JSON format.
https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/?$select=displayName
You can check the specific version of the application based on the application display name using the following Graph API query with the $filter option.
https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/?$filter=(displayname eq '7-Zip 19.00')The following is the direct link to launch Graph Explorer with the query results.
Intune Graph API Query to get PowerShell Script Details
Let’s find out Intune Graph API Query to get PowerShell Script Details. The PowerShell Script is part of the Device Management object. The Graph API ID to get PowerShell Script deployed through Intune is deviceManagementScripts.
You can use the following command to fetch all the PowerShell scripts deployed in your tenant. The information you get out of this query might not be very useful. My recommendation is to use filters to drill down to some particular use cases.
https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts
Using the following query, you can query Graph API and display only one property in the JSON response preview in Graph Explorer.
https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/?$select=displayNameYou can query Graph API to filter down only one particular PS script using the following Intune Graph query based on Display Name properties.
https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/?$filter=(displayname eq 'Add Admin User for WVD')You can get direct access to results using the following link. This link provides the same results as the above Graph API query.
Easy Method to Get Access to Intune Graph Sample Queries
Let’s check the easiest way to access the Intune Graph Sample Queries. There are some tricks to get the complex queries from MEM Admin Center (Intune) portal.
I recommend using Microsoft Edge or any chromium-based browser to make your life easy to create complex Intune Graph API queries. Follow the steps explained below:
- Login to the Endpoint.Microsoft.com (MEM Admin Center) portal.
- Press F12 to open Developer Tools, or you can use the Settings -> More Tools -> Developer Tools option.
Navigate to the Devices node in the MEM Admin Center portal, and on the right side of the browser, make sure that the Developer Tools -> Network section is opened.
- Make sure you are on the Network tab of developer tools.
- Click on the CLEAR but remove all the existing network traffic details from the tool.
Click on the All Devices node to get the complex Intune Graph API query from developer tools -> Network tab. Follow the steps below to continue.
- Click on the STOP button once Devices start showing up in MEM Admin center All Devices node.
- Network traces related to the activity of fetching All Devices will be at the bottom of the network trace page.
- Click on the Entry with manageddevices.
- From the Header tab, right-click on the Request URL section
- Click on the Copy Value button to copy Intune Graph API Query.
The Intune Graph API query copied from the Request URL value is the query that the MEM admin portal used to fetch All Devices details from Intune services.
The following is the complex Graph API query copied from developer tools. This query shows the top 25 devices from the Intune tenant. It also has filters to show particular properties, same as the MEM Admin center portal All Devices node.
https://graph.microsoft.com/beta/deviceManagement/managedDevices?$filter=(Notes eq 'bc3e5c73-e224-4e63-9b2b-0c36784b7e80')&$top=25&$skipToken=Skip='0'&$select=deviceName,managementAgent,ownerType,complianceState,deviceType,userId,userPrincipalName,osVersion,lastSyncDateTime,userPrincipalName,id,deviceRegistrationState,managementState,exchangeAccessState,exchangeAccessStateReason,deviceActionResults,deviceEnrollmentTypeThis is an example of copying the complex Graph API queries that the MEM admin center uses. You can use this method to prepare scripts and develop community tools.
Get Graph API PowerShell Script using Edge Extension
Let’s get Graph API PowerShell Script using Edge Extension. This is an amazing extension created by Merill and the team to help IT folks to perform task automation pretty quickly using Graph API + PowerShell.
Download Microsoft Graph X-Ray Edge Extension – https://microsoftedge.microsoft.com/addons/detail/graph-xray/oplgganppgjhpihgciiifejplnnpodak
Once the extension is installed, you can go to Developer Tools and open the Microsoft Graph X-Ray tab to get all these amazing PowerShell scripts while you navigate via Intune MEM Admin center portal. One example of Intune Configuration Profiles node is given below.
Import-Module Microsoft.Graph.DeviceManagement
Get-MgDeviceManagementManagedDevice -Filter "(Notes%20eq%20%27bc3e5c73-e224-4e63-9b2b-0c36784b7e80%27)%20and%20(((deviceType%20eq%20%27desktop%27)%20or%20(deviceType%20eq%20%27windowsRT%27)%20or%20(deviceType%20eq%20%27winEmbedded%27)%20or%20(deviceType%20eq%20%27surfaceHub%27)%20or%20(deviceType%20eq%20%27desktop%27)%20or%20(deviceType%20eq%20%27windowsRT%27)%20or%20(deviceType%20eq%20%27winEmbedded%27)%20or%20(deviceType%20eq%20%27surfaceHub%27)%20or%20(deviceType%20eq%20%27windowsPhone%27)%20or%20(deviceType%20eq%20%27holoLens%27)))" -Top 25 -Skiptoken "Skip" -Property "deviceName,managementAgent,ownerType,complianceState,deviceType,userId,userPrincipalName,osVersion,lastSyncDateTime,userPrincipalName,id,deviceRegistrationState,managementState,exchangeAccessState,exchangeAccessStateReason,deviceActionResults,deviceEnrollmentType"
Import-Module Microsoft.Graph.Devices.CorporateManagement
Get-MgDeviceAppMgtMobileAppConfiguration -Filter "microsoft.graph.androidManagedStoreAppConfiguration/appSupportsOemConfig%20eq%20true"
Import-Module Microsoft.Graph.DeviceManagement
Get-MgDeviceManagementGroupPolicyConfiguration -Top 1000
Import-Module Microsoft.Graph.DeviceManagement
Get-MgDeviceManagementDeviceConfiguration -Property "id,displayName,lastModifiedDateTime,roleScopeTagIds,microsoft.graph.unsupportedDeviceConfiguration/originalEntityTypeName" -Top 1000 
FIX Intune Graph Explorer Error – 403 Forbidden
In this section, let’s see how to fix Intune Graph Explorer Error – 403 Forbidden. This is one of the forbidden errors because I have not given consent to the permissions on the Modify permissions (preview tab).
You can click on the 3 vertical dots (…) near to profile picture -> Select Permissions. You will need to select the required permissions from the new blade and click on the CONSENT box.
Author
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 17 years of experience (calculation done in 2018) in IT. He is Blogger, Speaker, and Local User Group Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about technologies like SCCM, SCOM, Windows 10, Azure AD, Microsoft Intune, RMS, Hyper-V, etc…
We are getting only 1000 records in one query, any suggestion on how to call all object?