This blog post is about a request from a project manager: he wanted to be updated automatically about newly enrolled Intune devices. So, I decided to build an Intune devices report via Graph and post it weekly to a Microsoft Teams channel.

Prerequisites

Since I am not really a Power Automate/Logic App guy (I know these are incredible tools, but I need to find the time to learn them), I decided to build everything in an Azure Automation Account.

The only prerequisite is that you have an Azure subscription.

Azure Automation Account – Intune Devices Report

Firstly, we need an automation account. Log on to Microsoft Azure and search for “Automation Accounts”:

After that, create a new Automation Account:

  • Put in a New Resource Group
  • Give the Automation Account a Name
  • Select the appropriate Region
  • Give the automation account a System Assigned Managed Identity
  • Make sure it has Public Access (you can change this later on with a private endpoint)
  • Assign Tags if you like and create the automation account.

As a result, you should have the following displayed:

We need to add a couple of things to the automation account.

Firstly, we need to add an “Azure Run As Account”. Click on the Automation Account and then on “Run as accounts”:

Click on Azure Run As Account and then on Create.

The result should look like this:

Next, we need to add some API permissions to this Run As Account, so that it can create a report of all managed devices and upload the file to SharePoint.

When we created the Azure Run As Account, an App Registration was created. Go to this App Registration:

After that, add the following permissions:

We need to add the following modules to the automation account:

  • PnP.PowerShell
  • PSTeams
  • Microsoft.Graph.Intune
  • MSAL.PS

Go to Modules in the automation account and click on Add a module:

You can grab Microsoft.Graph.Intune, MSAL.PS and PSTeams from the gallery (do this for each module):

The PnP.PowerShell module needs to be installed manually from a file (at the moment of writing there is a bug in the newest version, 1.11.0).

You can save the previous version of the module via the following command:

Save-Module -Name PnP.PowerShell -RequiredVersion 1.10 -Path C:\Temp\Modules\

After that, zip the folder where the module resides and upload it into the automation account:

Make sure all modules are available in the automation account:
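The same setup steps (resource group, automation account with a system-assigned managed identity, and the four modules) can be scripted with Az PowerShell instead of clicked through in the portal. This is an added example, not code from the post or its GitHub link; resource names, region and the PnP.PowerShell version pin are placeholders/assumptions. It pins PnP.PowerShell to 1.10.0 through the gallery package feed, which is an alternative to the manual zip upload the post describes, and then polls the import state so you can confirm every module reached "Succeeded" before creating the runbook.

```powershell
# Added example (not the author's code). Requires Az.Accounts, Az.Resources and Az.Automation;
# run Connect-AzAccount against the right subscription first.
$ResourceGroup = 'rg-intune-reporting'   # placeholder
$AccountName   = 'aa-intune-reporting'   # placeholder
$Location      = 'westeurope'            # placeholder: pick your own region

New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null

# System-assigned managed identity, as the post's creation step asks for.
New-AzAutomationAccount -ResourceGroupName $ResourceGroup -Name $AccountName `
    -Location $Location -AssignSystemIdentity | Out-Null

# Module name -> version. $null means "latest from the PowerShell Gallery".
# PnP.PowerShell is pinned to 1.10.0 because the post reports a bug in 1.11.0 (assumed still the case).
$modules = @{
    'Microsoft.Graph.Intune' = $null
    'MSAL.PS'                = $null
    'PSTeams'                = $null
    'PnP.PowerShell'         = '1.10.0'
}

foreach ($name in $modules.Keys) {
    $version = $modules[$name]
    # The gallery exposes each package (optionally a specific version) as a .nupkg download URI,
    # which New-AzAutomationModule accepts as its content link.
    $uri = if ($version) {
        "https://www.powershellgallery.com/api/v2/package/$name/$version"
    } else {
        "https://www.powershellgallery.com/api/v2/package/$name"
    }
    New-AzAutomationModule -ResourceGroupName $ResourceGroup -AutomationAccountName $AccountName `
        -Name $name -ContentLinkUri $uri | Out-Null
}

# "Make sure all modules are available": poll until no import is still in progress.
do {
    Start-Sleep -Seconds 30
    $states = Get-AzAutomationModule -ResourceGroupName $ResourceGroup -AutomationAccountName $AccountName |
        Where-Object { $_.Name -in $modules.Keys } |
        Select-Object Name, ProvisioningState
    $states | Format-Table -AutoSize | Out-String | Write-Host
    $pending = $states | Where-Object { $_.ProvisioningState -notin @('Succeeded', 'Failed') }
} while ($pending)

# Anything left in 'Failed' needs attention before the runbook can load it.
$states | Where-Object ProvisioningState -eq 'Failed' | ForEach-Object {
    Write-Warning "Module $($_.Name) failed to import"
}
```

Imports from the gallery do not pull in dependencies for you, so if a module in the list later fails, check its gallery page for required modules and import those first.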

Create the Teams webhook

We need the Incoming Webhook application for Teams to post a channel message with our report. Make sure you have the appropriate permissions to add this application to a Teams channel.

I have a separate channel in Teams called reports:

Here, we add the webhook. Click on the +:

Click on more apps:

And search for “Incoming Webhook”:

Lastly, click on add to a team and select the appropriate channel:
Fill in the name, click on Create, and note this URL in a notepad:

Add the runbook to the Automation Account – Intune Devices Report

Go to Automation Account and add a runbook:

Fill in the variables and click on create:
After that, add this code via the link on my GitHub account.

Paste this in the runbook.

After that, we edit some variables:

  • PNPSiteCollection –> the site collection URL for the Teams channel
  • LibrarytoUploadReport –> the library in the site collection in Teams
  • TeamsWebhookURL –> the URL we noted in the notepad when creating the incoming webhook
  • TenantID –> your tenant ID
  • LinktoManagedDeviceReport –> only change the part of the URL that corresponds to PNPSiteCollection/LibrarytoUploadReport

Lastly, start the runbook and you will find a managed devices report message in the Teams channel:
It states how many devices are currently managed, and the button opens the report:
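Since the runbook itself is only linked (not shown) in the post, here is an added example of a runbook that performs the same four steps: authenticate as the Run As service principal, list all managed devices from Graph, upload a CSV to the SharePoint library behind the Teams channel, and post a channel message with the device count and a "View report" button. It is my code, not the author's GitHub script. It uses the post's variable names but placeholder values, assumes the Automation defaults AzureRunAsConnection / AzureRunAsCertificate, and assumes the Run As app registration holds the Graph application permission DeviceManagementManagedDevices.Read.All and the SharePoint application permission Sites.ReadWrite.All (the post's permission screenshot is not available, so treat those as my assumption). Two deliberate swaps from the post's module list: Graph is called directly with Invoke-RestMethod (so only MSAL.PS and PnP.PowerShell are required), and the Teams message is sent as a raw MessageCard JSON payload rather than through PSTeams.

```powershell
# Added example runbook (not the post's GitHub code). See the lead-in for the assumptions.

# ---- Variables the post tells you to edit (values here are placeholders) ----
$PNPSiteCollection         = 'https://contoso.sharepoint.com/sites/Reports'   # placeholder
$LibrarytoUploadReport     = 'Shared Documents'                                # placeholder
# The webhook URL lets anyone who holds it post to the channel, so it is read from an
# encrypted Automation variable instead of being pasted into the runbook body.
$TeamsWebhookURL           = Get-AutomationVariable -Name 'TeamsWebhookURL'    # assumed variable name
$TenantID                  = '00000000-0000-0000-0000-000000000000'            # placeholder: the directory (tenant) ID GUID
$LinktoManagedDeviceReport = "$PNPSiteCollection/$LibrarytoUploadReport"       # file name is appended below

# ---- 1. Authenticate as the Run As service principal with its certificate ----
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
$cert = Get-AutomationCertificate -Name 'AzureRunAsCertificate'
$token   = Get-MsalToken -ClientId $conn.ApplicationId -TenantId $TenantID -ClientCertificate $cert
$headers = @{ Authorization = "Bearer $($token.AccessToken)" }

# ---- 2. Pull every managed device, following @odata.nextLink until the last page ----
$select  = 'deviceName,userPrincipalName,operatingSystem,osVersion,complianceState,enrolledDateTime,lastSyncDateTime'
$uri     = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$select=$select"
$devices = [System.Collections.Generic.List[object]]::new()
while ($uri) {
    $page = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    foreach ($device in $page.value) { $devices.Add($device) }
    $uri = $page.'@odata.nextLink'
}

# ---- 3. Write the CSV and upload it to the library behind the Teams channel ----
$fileName  = "IntuneManagedDevices_$(Get-Date -Format 'yyyy-MM-dd').csv"
$localPath = Join-Path $env:TEMP $fileName
$devices |
    Select-Object deviceName, userPrincipalName, operatingSystem, osVersion,
                  complianceState, enrolledDateTime, lastSyncDateTime |
    Export-Csv -Path $localPath -NoTypeInformation -Encoding UTF8

# App-only PnP connection with the same Run As certificate (looked up by thumbprint).
Connect-PnPOnline -Url $PNPSiteCollection -ClientId $conn.ApplicationId `
    -Tenant $TenantID -Thumbprint $cert.Thumbprint
$uploaded   = Add-PnPFile -Path $localPath -Folder $LibrarytoUploadReport
$reportLink = "$LinktoManagedDeviceReport/$([uri]::EscapeDataString($uploaded.Name))"

# ---- 4. Post a MessageCard: device count in the text, one button that opens the report ----
$card = @{
    '@type'         = 'MessageCard'
    '@context'      = 'http://schema.org/extensions'
    summary         = 'Intune managed devices report'
    themeColor      = '0078D7'
    title           = 'Intune Managed Devices Report'
    text            = "There are currently **$($devices.Count)** managed devices in Intune " +
                      "(report generated $(Get-Date -Format 'yyyy-MM-dd'))."
    potentialAction = @(
        @{
            '@type'  = 'OpenUri'
            name     = 'View report'
            targets  = @(@{ os = 'default'; uri = $reportLink })
        }
    )
}
$body = [System.Text.Encoding]::UTF8.GetBytes(($card | ConvertTo-Json -Depth 5))
Invoke-RestMethod -Uri $TeamsWebhookURL -Method Post -ContentType 'application/json' -Body $body | Out-Null

Write-Output "Posted report with $($devices.Count) managed devices: $reportLink"
```

Schedule the runbook weekly from the account's Schedules blade to match the post's goal. Note that Microsoft has since retired Azure Run As accounts; the system-assigned managed identity the post enables during account creation is the replacement, and the Graph and SharePoint calls above work the same way once that identity is granted the equivalent application permissions and its token is used instead of the certificate-based one.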

References:

LazyAdmin
Practical365
PSTeams


7 thoughts on “Intune Devices Report via Graph and Teams”
    1. Hi Colton,

      Did you add the API permissions to the service principal? Can you try to log in with the service principal manually?

      Regards,
      Niels

      1. I found 2 errors:
        1) I forgot to grant the permissions that I added
        2) I added the domain.onmicrosoft.com to the tenantID like the picture for the walk through. I changed it to the actual tenantID value the 1u8139520-2399235-XXX and it worked like a charm.

        Thank you!
