AAD- Enable Intune MDM scope to all users using Powershell

Question

AAD- Enable Intune MDM scope to all users using Powershell

K Roja 56

Hello Team,

We are trying to automate intune MDM scope to all users using powershell.
Do we have any Microsoft graph api or powershell to enable below property

AAD-> Mobility -> Microsoft Intune -> Configure

Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-09-20T11:49:51.75+00:00

Hello @K Roja

Thank you for reaching out, I would have this reviewed and get back to you with an answer.

Harpreet Singh Matharoo 8,396 Microsoft Employee Moderator

Hello @K Roja

Please use following code when trying this with a user account if you are not flexible to use Graph Explorer.

Connect-MgGraph -Scopes Policy.Read.All, Policy.ReadWrite.MobilityManagement  
Select-MgProfile -Name beta  
$body = @{  
appliesTo = "none"  
}  
Invoke-MgGraphRequest -Method PATCH https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000 -Body $(ConvertTo-Json $body)  
Invoke-MgGraphRequest -Method GET https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000

I hope this helps.

----------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

K Roja 56 Reputation points

2022-10-19T09:19:27.64+00:00

Hello @Harpreet Singh Matharoo ,

The above code requires user interaction, but we want to execute code without human intervention and generate token as sign-in user for delegated permissions.
Could you please help us with this
Krupa Gundraju (Larsen & Toubro Infotech Limit) 126 Reputation points

2022-10-26T11:42:27.143+00:00

@Harpreet Singh Matharoo

@K Roja has left the organization I am dealing with issue now.

Token issue is resolved now.

can you explain how to get mobilityManagementPolicyId?
Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-10-31T08:29:01.567+00:00

Hello @K Roja

You can run following graph call to return all the MDM policies with id's:

https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies

I hope this helps.

3 answers

Your answer

Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-09-20T11:49:51.75+00:00

Hello @K Roja

Thank you for reaching out, I would have this reviewed and get back to you with an answer.
Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-10-19T09:09:35.347+00:00

Hello @K Roja

Please use following code when trying this with a user account if you are not flexible to use Graph Explorer.

Connect-MgGraph -Scopes Policy.Read.All, Policy.ReadWrite.MobilityManagement Select-MgProfile -Name beta $body = @{ appliesTo = "none" } Invoke-MgGraphRequest -Method PATCH https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000 -Body $(ConvertTo-Json $body) Invoke-MgGraphRequest -Method GET https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000

I hope this helps.

----------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
K Roja 56 Reputation points

2022-10-19T09:19:27.64+00:00

Hello @Harpreet Singh Matharoo ,

The above code requires user interaction, but we want to execute code without human intervention and generate token as sign-in user for delegated permissions.
Could you please help us with this
Krupa Gundraju (Larsen & Toubro Infotech Limit) 126 Reputation points

2022-10-26T11:42:27.143+00:00

@Harpreet Singh Matharoo

@K Roja has left the organization I am dealing with issue now.

Token issue is resolved now.

can you explain how to get mobilityManagementPolicyId?
Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-10-31T08:29:01.567+00:00

Hello @K Roja

You can run following graph call to return all the MDM policies with id's:

https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies

I hope this helps.

Answer 1

Hello @K Roja

I have reviewed the request and found that as of now we do not have any PowerShell command to edit Mobility (MDM and MAM) settings available in Azure Portal.

With respect to Microsoft Graph you can try below API queries to achieve this:

PATCH https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000
JSON Workload: { "appliesTo": "all" }
Documentation Reference: https://learn.microsoft.com/en-us/graph/api/mobiledevicemanagementpolicies-update?view=graph-rest-beta&tabs=http

I hope this answers your question.

----------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

K Roja 56 Reputation points

2022-09-22T12:54:33.587+00:00

Hello @Harpreet Singh Matharoo ,

Thanks for your response.
But we are using service account and it's mandatory. Generating token using service account with below command is not a silent execution.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationFlows" -UseDeviceAuthentication -ErrorAction Stop

So, our requirement is to automate this feature using powershell with silent execution (without human intervention)
Kindly suggest if it is possible to automate the above graph api using service account.

Answer 2

Hello @K Roja

Ideally, we do not recommend token generation with hardcoded UPN and Password for PowerShell scripts. However, if you wish to continue with this approach then you can try below:

**Things to consider: **

Make sure that you have delegated permission for Policy.Read.All and Policy.ReadWrite.MobilityManagement applied on the Application.
If end user or service account password is changed for some reason then you might need to update it in the script. $body = 'grant_type=password' + '&client_id=12345678-2b13-444b-9631-f2ff99c34e77' +
'&username=harpreet@Company portal .com' + '&password=testpassword!' +
'&resource=https://graph.microsoft.com' + '&client_secret=12345\~cRUe8o1AIyt7zLx7._NGREHcMhRXCvacgb' +
'&scope=Policy.Read.All,Policy.ReadWrite.MobilityManagement '
$token = (Invoke-RestMethod -Method Post -Uri https://login.microsoftonline.com/common/oauth2/token -Body $body).access_token Connect-MgGraph -AccessToken $token
Select-MgProfile -Name beta
$body = @{
appliesTo = "none"
}
Invoke-MgGraphRequest -Method PATCH https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000 -Body $(ConvertTo-Json $body)
Invoke-MgGraphRequest -Method GET https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000

Output of the Script would be similar to something as shown below:

I hope this helps and resolves your concern.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 3

Hello @K Roja

If the ask is specifically about how to automate and Connect-MgGraph then you can try using Access Token for an Application/Service principal registered on Azure AD. However, this would still not be able to get any output for MDM policies as it only support on Graph calls using a work school account.

As stated in the documentation shared in previous comment, this Graph call for mobileDeviceManagementPolicy currently do not support Application or Non-Interactive flows,

Additionally, I was reviewing multiple document references and found that currently Connect-MgGraph does not support "-Credential" parameter. More information can be found on following page: https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/1366

To automate scripts, you would need following:

An Application Registration on Azure AD. Refer Document: Register an application with Azure AD
You need assign relevant Graph or other permissions on Application level. Refer Document: Add permissions to access your web API

Create a Secret. Refer Document: Add a client secret

 $TenantId = "Tenant ID/Domain Name here"  
 $AppClientId="Add you Application ID here"  
 $ClientSecret ="Enter Client-Secret here"  

 $RequestBody = @{client_id=$AppClientId;client_secret=$ClientSecret;grant_type="client_credentials";scope="https://graph.microsoft.com/.default";}  
 $OAuthResponse = Invoke-RestMethod -Method Post -Uri https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token -Body $RequestBody  
 $AccessToken = $OAuthResponse.access_token  

 Connect-MgGraph -AccessToken $AccessToken

I hope this answers your question.

----------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

K Roja 56 Reputation points

2022-09-26T08:19:29.513+00:00

Hello @Harpreet Singh Matharoo ,

We are getting unauthorized error even after giving all required api permission to SPN.

ERROR-

CODE
Below is the code which we are using
$TenantId = "XXXXXX"
$AppClientId="XXXXXXX"
$ClientSecret ="XXXXXX"

$RequestBody = @{client_id=$AppClientId;client_secret=$ClientSecret;grant_type="client_credentials";scope="https://graph.microsoft.com/.default";} $OAuthResponse = Invoke-RestMethod -Method Post -Uri https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token -Body $RequestBody $token = $OAuthResponse.access_token Connect-MgGraph -AccessToken $token

$header = @{
'Authorization' = 'Bearer ' + $token
'Content-Type' = 'application/json'
}

$uri = "https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000"
$Body = @{
appliesTo = "all"
}

Invoke-WebRequest -Uri $uri -Headers $header -Method Patch -Body $(ConvertTo-Json $body)

Are there any other permissions which we are missing?

Share via

AAD- Enable Intune MDM scope to all users using Powershell

3 answers

Your answer