Automate creation of Intune Reports using Microsoft Graph and PowerShell

Antonio Olivar Admin 0 Reputation points
2023-03-17T11:11:42.0566667+00:00

I'm trying to export Intune reports using Graph APIs.
I created an Azure AD app with MS Graph with the below API permissions.

[Image: screenshot of the app's API permissions]

https://github.com/ztrhgf/useful_powershell_functions/blob/master/INTUNE/New-GraphAPIAuthHeader.ps1
https://github.com/ztrhgf/useful_powershell_functions/blob/master/INTUNE/Get-IntuneReport.ps1

I'm getting the below error messages:

PS C:\> import-module "C:\Users\anton_bfsozsf\OneDrive - Kaplan International\Kaplan\2023\new-intuneauthheader.ps1" -Force
PS C:\> import-module "C:\Users\anton_bfsozsf\OneDrive - Kaplan International\Kaplan\2023\Get-IntuneReport.ps1" -Force
PS C:\> $header = New-IntuneAuthHeader -TenantDomainName kaplanint.onmicrosoft.com
PS C:\> Get-IntuneReport -header $header -reportName FeatureUpdateDeviceState -filter "PolicyId eq '6e5c6129-0c5f-4c09-9f2f-4b3ece8e3c42'"
WARNING: Requesting the report FeatureUpdateDeviceState
Invoke-RestMethod: C:\Users\anton_bfsozsf\OneDrive - Kaplan International\Kaplan\2023\Get-IntuneReport.ps1:166:23
Line |
 166 |  …   $result = Invoke-RestMethod -Headers $header -Uri "https://graph.mi …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | {"error":{"code":"Forbidden","message":"{\r\n  \"_version\": 3,\r\n  \"Message\": \"Application is not authorized to perform this operation. Application must have one of the following scopes:
     | DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.Read.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.Read.All,
     | DeviceManagementManagedDevices.ReadWrite.All - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: ae422747-3994-49d4-99be-bee37d24b044 - Url:
     | https://fef.msua01.manage.microsoft.com/ReportingService/StatelessReportingFEService/deviceManagement/reports/exportJobs?api-version=5021-09-01\",\r\n  \"CustomApiErrorPhrase\": \"\",\r\n  \"RetryAfter\":  
     | null,\r\n  \"ErrorSourceService\": \"\",\r\n  \"HttpHeaders\":
     | \"{}\"\r\n}","innerError":{"date":"2023-03-17T11:08:01","request-id":"ae422747-3994-49d4-99be-bee37d24b044","client-request-id":"ae422747-3994-49d4-99be-bee37d24b044"}}}
PS C:\>

1 answer

  1. Gopinath Chennamadhavuni 2,446 Reputation points
    2023-04-07T12:32:40.8866667+00:00

    Hi @Antonio Olivar Admin,

    Thanks for reaching out!

    As per my understanding, you are trying to fetch the exported Intune reports using Graph APIs. As per the attached screenshot, I can see that you have consented the app with delegated permissions to use the List deviceManagementExportJobs API. Usually, a 403 Forbidden (Access is denied) error occurs when the user might not have enough permission to access the app. I suggest consenting the app with the required application permissions and then executing the API.

    You can check your scopes by decoding access token in https://jwt.ms/

    For an application permission token, the permissions are in the “roles” claim. Note: the “scp” claim is not available for application permissions.

    For a delegated permission token, the permissions are in the “scp” claim instead. Note: the “roles” claim may still be present in a delegated permission token, and it contains the roles the user is assigned to in the API app.

    Please make sure that your Intune license is active, as the Microsoft Graph API for Intune requires an active Intune license for the tenant. 

    Hope this helps.

    If the reply is helpful, please click "Accept Answer" and kindly upvote it. If you have additional questions about this answer, please click "Comment". 

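The claim check described in the answer can also be done locally in PowerShell, so a live access token does not have to be pasted into a web page. This is an added example, not part of the original thread or of the linked scripts: the function names and the two sample tokens are constructed for illustration, and the permission list is the one quoted in the question's 403 error.

```powershell
# Added example, not from the thread. Decodes locally; does NOT verify the token signature.
# Permission names are copied from the 403 error message in the question.
$required = @(
    'DeviceManagementApps.Read.All', 'DeviceManagementApps.ReadWrite.All',
    'DeviceManagementConfiguration.Read.All', 'DeviceManagementConfiguration.ReadWrite.All',
    'DeviceManagementManagedDevices.Read.All', 'DeviceManagementManagedDevices.ReadWrite.All'
)

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # JWT segments are unpadded base64url: restore the standard alphabet and padding.
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url segment length.' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}
function ConvertTo-Base64Url {   # hypothetical helper, used only to build the sample tokens
    param([Parameter(Mandatory)][string]$Text)
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-TokenPermissionSummary {   # hypothetical name
    param([Parameter(Mandatory)][string]$AccessToken, [string[]]$AnyOf)
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected three dot-separated JWT segments.' }
    $claims = ConvertFrom-Base64Url -Text $parts[1] | ConvertFrom-Json
    # Application permissions: "roles" (array). Delegated: "scp" (space-separated string).
    $roles = @($claims.roles | Where-Object { $_ })
    $scp   = @("$($claims.scp)" -split '\s+' | Where-Object { $_ })
    $kind  = if ($scp) { 'delegated (scp)' } elseif ($roles) { 'application (roles)' } else { 'no permission claims' }
    $granted = if ($scp) { $scp } else { $roles }
    [pscustomobject]@{
        TokenType = $kind
        Audience  = $claims.aud
        Granted   = $granted -join ', '
        Matching  = @($granted | Where-Object { $_ -in $AnyOf }) -join ', '
    }
}

# Constructed sample tokens (unsigned, not real): one app-only with a role, one with no permissions.
$head = ConvertTo-Base64Url -Text '{"alg":"none","typ":"JWT"}'
$samples = @(
    '{"aud":"https://graph.microsoft.com","roles":["DeviceManagementManagedDevices.Read.All"]}',
    '{"aud":"https://graph.microsoft.com"}'
) | ForEach-Object { "$head.$(ConvertTo-Base64Url -Text $_).constructed" }
$samples | ForEach-Object { Get-TokenPermissionSummary -AccessToken $_ -AnyOf $required }
```

An empty `Matching` column means the token carries none of the permissions the error message lists, whichever claim they would have appeared in.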
