Assign Intune Script via Graph

This blog post is about assigning an Intune script via the Graph API and PowerShell.

Don’t you hate it when you read the Microsoft Docs and this happens:

[Image: Assign Intune Script via Graph - Missing docs]

Well, it happened to me today. So I started to try something myself, which worked, and I want to share that with you!

Firstly, let me explain what I wanted to do. I wanted to assign a device management script (a PowerShell script for managed devices) to “All Users” and/or “All Devices” via the Graph API and PowerShell. That was not yet in Microsoft Docs; those only state how to assign to a custom group.

I am trying to automate my complete Intune deployment and this is a part of that.

Prerequisites

You need the PowerShell module “MSAL.PS” to acquire a token. You can install it with the following command (use -Scope CurrentUser if you do not want to, or cannot, install it machine-wide):

Install-Module MSAL.PS -Force

MSAL.PS is a community module and not a Microsoft product; the Microsoft-supported alternative is the Microsoft.Graph PowerShell SDK (Connect-MgGraph and Invoke-MgGraphRequest), which works for the same calls. The rest of this post uses MSAL.PS.

After that, you need a PowerShell script in Intune which is not yet assigned:

[Image: Assign Intune Script via Graph - example]

Assignments via PowerShell

Firstly, we need to authenticate to the Graph API. We use the client ID of the well-known “Microsoft Intune PowerShell” application to do so. This is a multi-tenant Microsoft application, so the ID is the same in every tenant. Note that only real HTTP headers belong in the header hashtable; the token expiry is kept in its own variable, because a non-header key such as ExpiresOn would otherwise be sent to Graph as a custom header:

$authResult = Get-MsalToken -ClientId d1ddf0e4-d672-4dae-b554-9d5bdfd93547 -RedirectUri "urn:ietf:wg:oauth:2.0:oob" -Interactive
$AuthHeaders = @{
    'Content-Type'  = 'application/json'
    'Authorization' = "Bearer " + $authResult.AccessToken
}
# Keep the expiry separately; the access token is short-lived and must be re-acquired once this time has passed.
$TokenExpiresOn = $authResult.ExpiresOn

An authentication pop-up shows.

Important: If you have never used this before, you need to consent to the use of Intune PowerShell in your Microsoft 365 tenant. This consent pop-up shows automatically. If your account is not allowed to consent, a Global Administrator has to grant admin consent for the application first. The token you receive is a delegated token, so what you can change in Intune is limited by the Intune role of the account you sign in with; treat the token like a password and do not write it to logs or scripts.

After you have logged on, you can check whether “$AuthHeaders” contains the right information. It should contain a Content-Type and an Authorization value starting with “Bearer ”.

We now need to grab the information about the script we want to create an assignment for. We can do so with the following code (the beta endpoint is used because the deviceManagementScripts resource lives there):

$graphApiVersion = 'beta'
$Resource = "deviceManagement/deviceManagementScripts"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)/"
(Invoke-RestMethod -Uri $uri -Headers $AuthHeaders -Method Get).value

It returns all the device management scripts in your tenant, each with an id and a displayName.

Note: please copy the id of the script you want to assign; we need it later on.

Fill in that ID in the $policyid variable:

$policyid = "d30077ba-75af-4c69-bd7b-d0cda399898e"
$Resource = "deviceManagement/deviceManagementScripts"
$policyuri = "https://graph.microsoft.com/beta/$($Resource)/$($policyid)/assign"

$JSON = @"
{
    "deviceManagementScriptAssignments": [
        {
          "@odata.type": "#microsoft.graph.deviceManagementScriptAssignment",
          "id": "$policyid",
          "target": {
            "@odata.type": "#microsoft.graph.allLicensedUsersAssignmentTarget",
            "deviceAndAppManagementAssignmentFilterId": null,
            "deviceAndAppManagementAssignmentFilterType": "none"
            }
        }
      ]
}
"@
Invoke-RestMethod -Uri $policyuri -Headers $AuthHeaders -Method Post -Body $JSON -ErrorAction Stop -ContentType 'application/json'

After running this code, the script is assigned to “All Users”:

[Image: Assign Intune Script via Graph - Result]

This is the code for “All Devices”; the only difference is the @odata.type of the target:

$policyid = "d30077ba-75af-4c69-bd7b-d0cda399898e"
$Resource = "deviceManagement/deviceManagementScripts"
$policyuri = "https://graph.microsoft.com/beta/$($Resource)/$($policyid)/assign"

$JSON = @"
{
    "deviceManagementScriptAssignments": [
        {
          "@odata.type": "#microsoft.graph.deviceManagementScriptAssignment",
          "id": "$policyid",
          "target": {
            "@odata.type": "#microsoft.graph.allDevicesAssignmentTarget",
            "deviceAndAppManagementAssignmentFilterId": null,
            "deviceAndAppManagementAssignmentFilterType": "none"
            }
        }
      ]
}
"@
Invoke-RestMethod -Uri $policyuri -Headers $AuthHeaders -Method Post -Body $JSON -ErrorAction Stop -ContentType 'application/json'
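The two snippets above each post a complete assignment set to the /assign action, so running them one after the other is not the same as assigning to both targets at once. The following added example (my code, not part of the original post) does the whole procedure end to end: it acquires the token with MSAL.PS, looks the script up by display name instead of a pasted ID, builds the JSON with ConvertTo-Json so quoting cannot go wrong, sends “All Users” and “All Devices” in one request, and reads the stored assignments back so you can verify the result. The function names and the display name “Example Script” are my own assumptions; the Graph endpoints, the client ID and the @odata.type values are the ones used in the post.

```powershell
# Added example, not from the original post. Assumes MSAL.PS is installed, the
# signed-in account holds an Intune role that may manage device configurations,
# and a device management script named $ScriptDisplayName exists (assumed name).
param(
    [string]$ScriptDisplayName = 'Example Script'   # assumed name, adjust to your tenant
)

Import-Module MSAL.PS -ErrorAction Stop

# Well-known multi-tenant client ID of the "Microsoft Intune PowerShell" app.
$IntunePowerShellClientId = 'd1ddf0e4-d672-4dae-b554-9d5bdfd93547'
$GraphBase = 'https://graph.microsoft.com/beta'

function Get-IntuneAuthHeaders {
    # Interactive sign-in; returns only real HTTP headers (expiry is not a header).
    $token = Get-MsalToken -ClientId $IntunePowerShellClientId `
        -RedirectUri 'urn:ietf:wg:oauth:2.0:oob' -Interactive
    Write-Verbose "Token expires at $($token.ExpiresOn)"
    return @{
        'Authorization' = "Bearer $($token.AccessToken)"
        'Content-Type'  = 'application/json'
    }
}

function Get-IntuneScriptByName {
    # Looks the script up by displayName and refuses ambiguous matches.
    param([hashtable]$Headers, [string]$DisplayName)
    $uri = "$GraphBase/deviceManagement/deviceManagementScripts"
    $scripts = (Invoke-RestMethod -Uri $uri -Headers $Headers -Method Get).value
    $match = @($scripts | Where-Object { $_.displayName -eq $DisplayName })
    if ($match.Count -ne 1) {
        throw "Expected exactly one script named '$DisplayName', found $($match.Count)."
    }
    return $match[0]
}

function New-AssignmentTarget {
    # Builds one target object; $Type is 'AllUsers' or 'AllDevices'.
    param([ValidateSet('AllUsers', 'AllDevices')][string]$Type)
    $odataType = if ($Type -eq 'AllUsers') {
        '#microsoft.graph.allLicensedUsersAssignmentTarget'
    } else {
        '#microsoft.graph.allDevicesAssignmentTarget'
    }
    return @{
        '@odata.type'                                = $odataType
        'deviceAndAppManagementAssignmentFilterId'   = $null
        'deviceAndAppManagementAssignmentFilterType' = 'none'
    }
}

function Set-IntuneScriptAssignments {
    # POSTs the full set of assignments to the script's /assign action in one call.
    param([hashtable]$Headers, [string]$ScriptId, [string[]]$Targets)
    $assignments = foreach ($t in $Targets) {
        @{
            '@odata.type' = '#microsoft.graph.deviceManagementScriptAssignment'
            'id'          = $ScriptId      # echoes the script id, as in the post's JSON
            'target'      = New-AssignmentTarget -Type $t
        }
    }
    # @() keeps a single assignment serialized as a JSON array, not an object.
    $body = @{ deviceManagementScriptAssignments = @($assignments) } | ConvertTo-Json -Depth 5
    $uri = "$GraphBase/deviceManagement/deviceManagementScripts/$ScriptId/assign"
    Invoke-RestMethod -Uri $uri -Headers $Headers -Method Post -Body $body -ErrorAction Stop | Out-Null
}

function Get-IntuneScriptAssignments {
    # Reads back what Intune actually stored, so the result can be checked.
    param([hashtable]$Headers, [string]$ScriptId)
    $uri = "$GraphBase/deviceManagement/deviceManagementScripts/$ScriptId/assignments"
    return (Invoke-RestMethod -Uri $uri -Headers $Headers -Method Get).value
}

$headers    = Get-IntuneAuthHeaders
$scriptInfo = Get-IntuneScriptByName -Headers $headers -DisplayName $ScriptDisplayName
Set-IntuneScriptAssignments -Headers $headers -ScriptId $scriptInfo.id -Targets 'AllUsers', 'AllDevices'

# Verification: list the target types Intune now reports for this script.
Get-IntuneScriptAssignments -Headers $headers -ScriptId $scriptInfo.id |
    ForEach-Object { $_.target.'@odata.type' }
```

Run it with -Verbose to see the token expiry. The final read-back is the check worth keeping in any automation: after the POST it should list both the allLicensedUsersAssignmentTarget and the allDevicesAssignmentTarget types, and if it does not, the assignment set you sent was not what Intune stored.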

And now you know how to assign an Intune script via the Graph API and PowerShell!
