Intune Devices Report via Graph and Teams

This blog post came out of a request from a project manager who wanted to be updated automatically about newly enrolled Intune devices. So I decided to build an Intune devices report via Graph and post it weekly to a Microsoft Teams channel.

Prerequisites

Since I am not really a Power Automate/Logic App guy (I know these are incredible products, but I still need to find the time to learn them), I decided to build everything in an Azure Automation Account.

The only prerequisites are an Azure subscription and an account that is allowed to create app registrations and grant admin consent in your tenant.

Azure Automation Account – Intune Devices Report

Firstly, we need an automation account. Log on to the Azure portal and search for “Automation Accounts”:

After that, create a new Automation Account:

  • Pick (or create) a Resource Group
  • Give the Automation Account a name
  • Select the appropriate Region
  • Give the Automation Account a System Assigned Managed Identity
  • Leave Public Access enabled for now (you can restrict this later with a private endpoint)
  • Assign tags if you like, and create the Automation Account.

As a result, you should have the following displayed:

We need to add a couple of things to the automation account.

Firstly, we need to add an “Azure Run As Account”. (Note that Microsoft has since retired Run As accounts; the system-assigned managed identity you enabled at creation is the supported replacement.) Click on the Automation Account and click on “Run as accounts”:

Click on Azure Run As Account and after that on create.

The result should look like this:

Next, we need to give this Run As account API permissions: the runbook has to read all managed devices through Graph and upload the report file to SharePoint.

When we created the Azure Run As Account, an App Registration was created in Azure AD as well. Go to this App Registration:

After that, add the required application permissions and grant admin consent for them (a permission that is added but never consented is not granted, and the runbook fails with an access-denied error):
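To verify that the permissions were really granted, here is an added example (not part of the original post) of a small test runbook you can run in the same Automation Account. It acquires an app-only token with the Run As certificate via MSAL.PS and reads the `roles` claim of that token, which lists exactly the application permissions that have been consented. The permission name it checks, DeviceManagementManagedDevices.Read.All, is my assumption for reading managed devices; substitute the list you added in the portal. The asset names AzureRunAsConnection and AzureRunAsCertificate are the defaults the Run As wizard creates.

```powershell
# Added example, not from the original post: run this as a test runbook in the
# Automation Account to see which application permissions the Run As service
# principal really has. Admin consent shows up as the "roles" claim of an
# app-only token; a permission that was added but not consented is simply absent.
# Assumes the default Run As asset names and the MSAL.PS module from the post.
Import-Module MSAL.PS

$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'    # ApplicationId, TenantId, CertificateThumbprint
$cert = Get-AutomationCertificate -Name 'AzureRunAsCertificate'  # X509Certificate2 including the private key

$token = Get-MsalToken -ClientId $conn.ApplicationId -TenantId $conn.TenantId `
                       -ClientCertificate $cert -Scopes 'https://graph.microsoft.com/.default'

# Decode the JWT payload (base64url). No signature check here: we only read our own token's claims.
$payload = $token.AccessToken.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payload = $payload.PadRight($payload.Length + ((4 - $payload.Length % 4) % 4), '=')
$claims  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json

# Permission assumed for reading managed devices in this post's runbook; adjust to your own list.
$required = @('DeviceManagementManagedDevices.Read.All')
$granted  = @($claims.roles)   # $null when nothing was consented at all

Write-Output "Granted application permissions: $($granted -join ', ')"
foreach ($perm in $required) {
    if ($granted -contains $perm) { Write-Output "OK       $perm" }
    else { Write-Output "MISSING  $perm  (add it on the App Registration and grant admin consent)" }
}
```

If the output shows no roles at all, the token was issued but nothing was consented; that is the "Access denied" situation from the comments below rather than an authentication problem.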

We need to add the following modules to the automation account:

  • PnP.PowerShell
  • PSTeams
  • Microsoft.Graph.Intune
  • MSAL.PS

Go to Modules in the automation account and click on Add a module:

You can grab Microsoft.Graph.Intune, MSAL.PS and PSTeams straight from the gallery (repeat this for each module):

PnP.PowerShell needs to be installed manually from a file (at the time of writing, the newest version (1.11.0) has a bug).

You can save the previous version of the module locally with the following command:

Save-Module PnP.PowerShell -RequiredVersion 1.10.0 -Path C:\Temp\Modules\

After that, zip the folder where the module resides and upload it into the automation account. The .zip file must have the same name as the module (PnP.PowerShell.zip), otherwise the import fails:

Make sure All Modules are available in the automation account:

Create the Teams webhook

We need the Incoming Webhook app for Teams to post a channel message with our report. Make sure you have the appropriate permissions to add this app to a Teams channel.

I have a separate channel in the Team called reports:

Here, we add the webhook. Click on the +:

Click on more apps:

And search for “Incoming Webhook”:

Lastly, click on add to a team and select the appropriate channel:
Fill in the name, click on create, and copy the webhook URL. Treat this URL as a secret: anyone who has it can post messages to the channel, so store it in an encrypted Automation variable (or Key Vault) rather than in the runbook code.

Add the runbook to the Automation Account – Intune Devices Report

Go to Automation Account and add a runbook:

Fill in the name and runbook type and click on create:
After that, grab the runbook code via the link to my GitHub account.

Paste this in the runbook.

After that, we edit some variables:

PNPSiteCollection –> the site collection URL of the SharePoint site behind the Team
LibrarytoUploadReport –> the document library in that site collection where the report is uploaded
TeamsWebhookURL –> the webhook URL we copied when creating the incoming webhook
TenantID –> your tenant ID (the GUID, not the contoso.onmicrosoft.com name)
LinktoManagedDeviceReport –> only change the site/library part of this URL so that it points to PNPSiteCollection/LibrarytoUploadReport

Lastly, start the runbook and you will find a managed devices report post in the Teams channel:
It states how many devices are currently managed, and the button opens the report:
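Since the runbook itself lives on GitHub, here is an added example of an equivalent runbook (my code, not the author's script) that ties the variables above together: it pages through all managed devices via Graph, writes them to a CSV, uploads the CSV to the Teams site library with PnP.PowerShell and posts a summary card with a "View report" button to the incoming webhook. It assumes the Run As connection and certificate with their default asset names, the MSAL.PS and PnP.PowerShell modules from the module list, the webhook URL stored as an encrypted Automation variable named TeamsWebhookURL, and an app registration that holds the Graph permission to read managed devices plus a SharePoint application permission that allows writing to the library. The site and library values are placeholders.

```powershell
# Added example of the runbook, not the author's GitHub script.
# Assumptions: default Run As asset names, MSAL.PS + PnP.PowerShell imported into the
# Automation Account, webhook URL in an encrypted Automation variable, and an app
# registration with Graph read access to managed devices and SharePoint write access.
Import-Module MSAL.PS
Import-Module PnP.PowerShell

$PNPSiteCollection     = 'https://contoso.sharepoint.com/sites/Reports'  # placeholder: site behind the Team
$LibrarytoUploadReport = 'Shared Documents'                               # placeholder: library in that site
$TeamsWebhookURL       = Get-AutomationVariable -Name 'TeamsWebhookURL'   # encrypted variable, never in the script
$ReportName            = "ManagedDevices-$(Get-Date -Format 'yyyy-MM-dd').csv"
$LinktoManagedDeviceReport = "$PNPSiteCollection/$($LibrarytoUploadReport -replace ' ', '%20')"

# 1. App-only Graph token with the Run As service principal certificate
$conn  = Get-AutomationConnection -Name 'AzureRunAsConnection'
$cert  = Get-AutomationCertificate -Name 'AzureRunAsCertificate'
$token = (Get-MsalToken -ClientId $conn.ApplicationId -TenantId $conn.TenantId `
             -ClientCertificate $cert -Scopes 'https://graph.microsoft.com/.default').AccessToken
$headers = @{ Authorization = "Bearer $token" }

# 2. Page through all managed devices (Graph pages the result and hands out @odata.nextLink)
$devices = [System.Collections.Generic.List[object]]::new()
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=deviceName,userPrincipalName,operatingSystem,osVersion,complianceState,enrolledDateTime,lastSyncDateTime'
do {
    $page = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    if ($page.value) { $devices.AddRange([object[]]$page.value) }
    $uri = $page.'@odata.nextLink'
} while ($uri)

# 3. Write the report into the sandbox temp folder
$csvPath = Join-Path $env:TEMP $ReportName
$devices |
    Select-Object deviceName, userPrincipalName, operatingSystem, osVersion, complianceState, enrolledDateTime, lastSyncDateTime |
    Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8

# 4. Upload with PnP.PowerShell using the same app registration (certificate app-only auth;
#    the Run As certificate is available by thumbprint inside the Automation sandbox)
Connect-PnPOnline -Url $PNPSiteCollection -ClientId $conn.ApplicationId `
                  -Tenant $conn.TenantId -Thumbprint $conn.CertificateThumbprint
Add-PnPFile -Path $csvPath -Folder $LibrarytoUploadReport | Out-Null
Disconnect-PnPOnline

# 5. Post a MessageCard, the JSON format an Incoming Webhook accepts (PSTeams builds the same payload)
$card = @{
    '@type'    = 'MessageCard'
    '@context' = 'https://schema.org/extensions'
    summary    = 'Intune managed devices report'
    themeColor = '0078D4'
    title      = 'Intune managed devices report'
    text       = "There are currently $($devices.Count) managed devices. Report file: $ReportName"
    potentialAction = @(@{
        '@type' = 'OpenUri'
        name    = 'View report'
        targets = @(@{ os = 'default'; uri = $LinktoManagedDeviceReport })
    })
}
Invoke-RestMethod -Uri $TeamsWebhookURL -Method Post -ContentType 'application/json' `
                  -Body ($card | ConvertTo-Json -Depth 6)
```

Reading the webhook URL with Get-AutomationVariable keeps it out of the runbook source and the job logs; the same applies to any client secret if you ever swap the certificate for one. Link the runbook to a weekly schedule in the Automation Account to get the weekly post the project manager asked for.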

References:

LazyAdmin
Practical365
PSTeams


9 thoughts on “Intune Devices Report via Graph and Teams”

  • Hi Colton,

    Did you add the API permissions to the service principal? Can you try to log in with the service principal manually?

    Regards,
    Niels

    • I found 2 errors:
      1) I forgot to grant the permissions that I added
      2) I added the domain.onmicrosoft.com to the tenantID like the picture for the walk through. I changed it to the actual tenantID value the 1u8139520-2399235-XXX and worked like a charm.

      Thank you!

  1. Hi Niels,
    I got the output that “20 Access denied.” Do you know what that means?
    I think the error is at ” Add file to SharePoint Part ” this part. I already uploaded the PNP.Powershell 1.10.0, so not sure where it was wrong.
    Maybe the variables LibrarytoUploadReport and LinktoManagedDeviceReport? I am still a bit confused about them. What is the right way to set them up?

    thanks so much!