Service Graph Connector for Microsoft Intune - Tro... - ServiceNow Community
Palani Chockali
ServiceNow Employee

Brief background on Intune Setup

- The Intune Integration uses the OAuth 2.0 client credentials flow for authentication
- The following inputs are needed to call the Intune REST endpoints through the Microsoft Graph API:

  • Client ID
  • Client Credential
  • Tenant ID

- You receive the above credential information when you register an application to use the Graph API. The following link explains how to register an application; it is also referenced in the Intune Integration guided setup process.

https://docs.microsoft.com/en-us/mem/intune/developer/intune-graph-apis

After the application is registered with Intune, perform the following steps to grant Graph API permissions for the registered application:

1. Click on API Permissions under your application in Intune
2. Click on 'Add a permission'
3. Click on 'Microsoft Graph'
4. Click on 'Application Permissions'
5. Under the 'Select permissions' search, type in 'DeviceManagementServiceConfig.Read.All'
6. Select the checkbox next to the permission
7. Click 'Add permissions'
8. Grant admin consent for the permission (*** Intune Admin should do this step)
9. Repeat steps 5 through 8 to add each of the following permissions as well, substituting the permission name in step 5:

DeviceManagementManagedDevices.Read.All
DeviceManagementApps.Read.All
Directory.Read.All
User.Read (Add only if it is not added by default)

***Note: See the screenshot below for reference on what the permissions look like once the grant is complete.

[Screenshot: granted Graph API application permissions]

Take the following actions to troubleshoot a connection issue with Intune

  1. If the integration throws a connection error, the first place to debug it is Integration Hub/Flow Designer.
  2. Intune uses many different data stream actions, and you can pick any one of them to troubleshoot. The 'mobiledevices' data stream action is a good one to start with.
  3. Open the action and click 'Test' to test the connection.
  4. If the connection fails there too, go back through the Intune setup described above:
    1. Verify that you entered the correct credentials on the OAuth setup page.
    2. Verify that you have 'read' permissions for the Graph API. For the detailed permissions, see the attachment 'IntunePermissionExamples'. Not all of the permissions may be required for your setup. The important things to check are that the permission type is 'Application', not 'Delegated', and that read permissions exist for devices and applications.
  5. If all of the above looks correct, the best course of action is to test in a REST tool such as Postman (link below) to see whether you can reach the REST endpoint with the credentials that were entered during the guided setup for Intune. An example collection of REST API calls is attached as 'IntunePostmanCollection.zip'.
  6. A successful Postman test proves that the client credentials are valid.
  7. If installing an app like Postman is not allowed in your environment, you can test the connection locally with the curl commands listed under the 'Curl Commands' section below.
  8. If the Postman or curl commands work locally, the next step is to test from the MID Server, if a MID Server is used in the integration setup. Either install Postman on the MID Server or run the curl commands there to see whether you can reach the REST endpoint.
  9. If the connection works locally and also through the MID Server (where one is used), open a case task to engage the CMDB Integrations team (Assignment Group: App-CMDB-Integrations) for further help.

Curl Commands

1. Get the token

curl -X POST \
https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token \
-H 'Accept: */*' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&client_id=<client id>&client_secret=<client secret>&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default'

The response is a JSON document; the value of its access_token field is the <access token> used in the next two commands. Note that the scope parameter is exactly scope=https%3A%2F%2Fgraph.microsoft.com%2F.default, with no stray space or %20 before the equals sign, otherwise the token endpoint rejects the request.

2. Get devices

curl -X GET \
'https://graph.microsoft.com/beta/deviceManagement/managedDevices?$filter=deviceType%20eq%20%27android%27%20or%20deviceType%20eq%20%27iPad%27%20or%20deviceType%20eq%20%27iPhone%27%20or%20deviceType%20eq%20%27androidForWork%27%20or%20deviceType%20eq%20%27androidEnterprise%27%20or%20deviceType%20eq%20%27nokia%27%20or%20deviceType%20eq%20%27windowsPhone%27%20or%20deviceType%20eq%20%27blackberry%27%20or%20deviceType%20eq%20%27palm%27' \
-H 'Accept: */*' \
-H 'Authorization: Bearer <access token>'

3. Get detected applications

curl -X GET \
https://graph.microsoft.com/beta/deviceManagement/detectedApps \
-H 'Accept: */*' \
-H 'Authorization: Bearer <access token>'

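The following script is an added example and is not part of the article or of the ServiceNow connector. It performs the same two steps as the curl commands above (client-credentials token request, then a managedDevices query with a Bearer header), but lets the standard library do the URL encoding so the scope and $filter values cannot be mistyped. It also decodes the returned token's claims locally to check the point raised in troubleshooting step 4.2: an app-only token carries the granted Application permissions in its roles claim, whereas a Delegated grant shows up as a scp claim instead, and the required read roles are listed so you can see which are missing. The tenant, client ID and secret are read from environment variables whose names are assumptions; make_demo_token builds a constructed, unsigned token purely so the diagnosis can be exercised offline.

```python
# Added example (not from the ServiceNow article or the Intune connector).
import base64
import json
import os
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_BETA = "https://graph.microsoft.com/beta"

# Application permissions the article asks you to grant. User.Read is a
# delegated-style permission and never appears in an app-only token's
# 'roles' claim, so it is deliberately not checked here.
REQUIRED_ROLES = [
    "DeviceManagementServiceConfig.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementApps.Read.All",
    "Directory.Read.All",
]


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, body_bytes) for the client_credentials grant.
    urlencode() percent-encodes the scope, so the stray '%20=' that
    breaks a hand-typed curl body cannot happen here."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    return TOKEN_ENDPOINT.format(tenant=tenant_id), body.encode()


def build_managed_devices_url(device_types):
    """Build the managedDevices query with a properly encoded OData $filter,
    generalising the fixed device-type list in the curl command."""
    clause = " or ".join(f"deviceType eq '{t}'" for t in device_types)
    return f"{GRAPH_BETA}/deviceManagement/managedDevices?$filter=" + urllib.parse.quote(clause)


def decode_jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature. That is fine
    for a local 'which roles did I get?' check; Graph verifies the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_token(token, required=REQUIRED_ROLES):
    """Return (missing_roles, is_app_only). App-only tokens carry 'roles';
    a 'scp' claim means a Delegated grant was used, which the connector
    cannot work with."""
    claims = decode_jwt_claims(token)
    granted = set(claims.get("roles", []))
    missing = [r for r in required if r not in granted]
    return missing, ("roles" in claims and "scp" not in claims)


def graph_get(url, token):
    """GET a Graph URL with the Bearer header the REST endpoints require."""
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": f"Bearer {token}",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def make_demo_token(claims):
    """Constructed, unsigned JWT (alg=none) for offline demonstration only;
    real tokens come from the token endpoint."""
    def b64url(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64url({'alg': 'none', 'typ': 'JWT'})}.{b64url(claims)}."


if __name__ == "__main__":
    # Assumed environment variable names; set them to your registered app's values.
    url, body = build_token_request(os.environ["INTUNE_TENANT_ID"],
                                    os.environ["INTUNE_CLIENT_ID"],
                                    os.environ["INTUNE_CLIENT_SECRET"])
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        token = json.load(resp)["access_token"]
    missing, app_only = diagnose_token(token)
    print("app-only token:", app_only, "| missing roles:", missing or "none")
    devices = graph_get(build_managed_devices_url(["android", "iPhone", "iPad"]), token)
    print("managed devices returned:", len(devices.get("value", [])))
```

If diagnose_token reports that the token is not app-only, the permissions were added under 'Delegated permissions' rather than 'Application permissions'; if roles are missing, admin consent has probably not been granted for them yet, and no amount of retrying from Flow Designer or the MID Server will help until that is fixed in the app registration.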
Useful Links

Graph API:

1.0 - https://docs.microsoft.com/en-us/graph/api/resources/intune-graph-overview?view=graph-rest-1.0
Beta - https://docs.microsoft.com/en-us/graph/api/resources/intune-graph-overview?view=graph-rest-beta

Postman:
https://www.postman.com/
