This blog post started with a request from a project manager: he wanted to be updated automatically about newly enrolled Intune devices. So I decided to build an Intune devices report via Graph and post it weekly to a Microsoft Teams channel.
Prerequisites
Since I am not really a Power Automate/Logic App guy (I know these are incredible products, but I still need to find the time to learn them), I decided to build everything in an Azure Automation Account.
The only prerequisite is an Azure subscription.
Azure Automation Account – Intune Devices Report
Firstly, we need an automation account. Log on to Microsoft Azure and search for "Automation Accounts":
After that, create a new Automation Account:
- Create a new Resource Group (or pick an existing one)
- Give the Automation Account a name
- Select the appropriate region
- Give the automation account a System Assigned Managed Identity
- Make sure it has public access (you can restrict this later with a private endpoint)
- Assign tags if you like and create the automation account.
As a result, you should have the following displayed:
We need to add a couple of things to the automation account.
Firstly, we need to add an "Azure Run As Account". Open the Automation Account and click on "Run as accounts":
Click on "Azure Run As Account" and then on "Create".
The result should look like this:
Next, we need to add some API permissions to this Run As Account, because the runbook has to read all managed devices from Graph and upload the report file to SharePoint.
When the Azure Run As Account was created, an App Registration was created with it. Go to this App Registration:
After that, add the following permissions:
We need to add the following modules to the automation account:
- PnP.PowerShell
- PSTeams
- Microsoft.Graph.Intune
- MSAL.PS
Go to Modules in the automation account and click on "Add a module":
You can grab Microsoft.Graph.Intune, MSAL.PS and PSTeams from the gallery (do this for each module):
The PnP.PowerShell module needs to be installed manually from a file, because at the moment of writing there is a bug in the newest version (1.11.0).
You can save the previous version of the module with the following command:
Save-Module -Name PnP.PowerShell -RequiredVersion 1.10 -Path C:\Temp\Modules\
After that, zip the folder where the module resides and upload it into the automation account:
Make sure all modules are available in the automation account:
Create the Teams webhook
We need the Incoming Webhook app for Teams to post a channel message with our report. Make sure you have the appropriate permissions to add this app to a Teams channel.
I have a separate channel in Teams called Reports:
Here, we add the webhook. Click on the +:
Click on "More apps":
And search for "Incoming Webhook". Copy the webhook URL that is generated; the runbook needs it later.
Add the runbook to the Automation Account – Intune Devices Report
Go to the Automation Account and add a runbook:
Paste this in the runbook.
After that, we edit some variables:
PNPSiteCollection –> the site collection URL of the team behind the Teams channel
LibrarytoUploadReport –> the document library in that site collection where the report is uploaded
TeamsWebhookURL –> the URL you copied when creating the incoming webhook
TenantID –> your tenant ID
LinktoManagedDeviceReport –> only change the first part of this URL to PNPSiteCollection/LibrarytoUploadReport
Lastly, start the runbook and you will find a managed devices report message in the Teams channel:
It states how many devices are currently managed, and the button opens the report:
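The runbook script itself is not reproduced on this page, so the following is an added example of my own (not the post's script) that does what the walkthrough describes, using the variable names listed above. It assumes the Run As connection is named AzureRunAsConnection, the app registration holds the application permissions DeviceManagementManagedDevices.Read.All and Sites.ReadWrite.All, and the MSAL.PS, PnP.PowerShell and PSTeams parameter names shown; the SharePoint values are placeholders.

```powershell
# Added example, not the post's own runbook. Assumes a Run As connection named 'AzureRunAsConnection',
# an app registration granted DeviceManagementManagedDevices.Read.All and Sites.ReadWrite.All
# (application permissions), and the MSAL.PS / PnP.PowerShell / PSTeams parameter names used below.
Import-Module MSAL.PS, PnP.PowerShell, PSTeams -ErrorAction Stop

# Placeholder values: replace with your own. The webhook URL is read from an encrypted
# Automation variable so it never sits in the runbook source.
$PNPSiteCollection     = 'https://contoso.sharepoint.com/sites/Reports'
$LibrarytoUploadReport = 'Shared Documents/IntuneReports'
$TeamsWebhookURL       = Get-AutomationVariable -Name 'TeamsWebhookURL'

# Certificate-based app-only auth from the Run As connection: tenant id, app id and
# thumbprint come from the connection object, so there is no secret to paste in.
$conn    = Get-AutomationConnection -Name 'AzureRunAsConnection'
$cert    = Get-Item "Cert:\CurrentUser\My\$($conn.CertificateThumbprint)"
$token   = Get-MsalToken -ClientId $conn.ApplicationId -TenantId $conn.TenantId `
                         -ClientCertificate $cert -Scopes 'https://graph.microsoft.com/.default'
$headers = @{ Authorization = "Bearer $($token.AccessToken)" }

# Graph returns managed devices in pages; follow @odata.nextLink or the count will be wrong.
$devices = @()
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
       '?$select=deviceName,userPrincipalName,operatingSystem,complianceState,enrolledDateTime,lastSyncDateTime'
do {
    $page     = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    $devices += $page.value
    $uri      = $page.'@odata.nextLink'
} while ($uri)

# Write the CSV to the sandbox temp folder (Automation sandboxes have no persistent disk).
$fileName = "IntuneDevices-$(Get-Date -Format 'yyyy-MM-dd').csv"
$csvPath  = Join-Path $env:TEMP $fileName
$devices |
    Select-Object deviceName, userPrincipalName, operatingSystem, complianceState, enrolledDateTime, lastSyncDateTime |
    Export-Csv -Path $csvPath -NoTypeInformation

# Upload with the same certificate (app-only), then build the link the Teams button will open.
Connect-PnPOnline -Url $PNPSiteCollection -ClientId $conn.ApplicationId `
                  -Tenant $conn.TenantId -Thumbprint $conn.CertificateThumbprint
$null = Add-PnPFile -Path $csvPath -Folder $LibrarytoUploadReport
$LinktoManagedDeviceReport = "$PNPSiteCollection/$LibrarytoUploadReport/$fileName"

# Post the device count with a "View report" button through the incoming webhook.
$button  = New-TeamsButton -Name 'View report' -Link $LinktoManagedDeviceReport
$section = New-TeamsSection -ActivityTitle 'Intune managed devices' `
                            -ActivityText "Currently managed: $($devices.Count)" -Buttons $button
Send-TeamsMessage -Uri $TeamsWebhookURL -MessageTitle 'Weekly Intune devices report' `
                  -MessageText "$($devices.Count) devices are currently managed." -Sections $section
```

Keeping TeamsWebhookURL in an encrypted Automation variable matters because anyone holding that URL can post into the channel. Microsoft has since retired Run As accounts in favour of managed identities; the same flow works with the account's system assigned identity and Connect-PnPOnline -ManagedIdentity.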
Receiving 0 devices in my report.
The remote server returned an error: (401) Unauthorized.
I am receiving this in Errors.
Hi Colton,
Did you add the API permissions to the service principal? Can you try to log in with the service principal manually?
Regards,
Niels
I found 2 errors:
1) I forgot to grant the permissions that I added.
2) I added the domain.onmicrosoft.com to the tenantID like the picture in the walkthrough. I changed it to the actual tenantID value, the 1u8139520-2399235-XXX, and it worked like a charm.
Thank you!
Good to hear! Enjoy the report. 🙂
Niels
Hi Niels,
I got the output "20 Access denied." Do you know what that means?
I think the error is at the "Add file to SharePoint Part" part. I already uploaded PNP.Powershell 1.10.0, so I'm not sure where it went wrong.
Maybe the variables LibrarytoUploadReport and LinktoManagedDeviceReport? I am still a bit confused about them. What is the right way to set them up?
Thanks so much!
Hi Rui,
Are you able to create the report outside of the runbook, i.e. by running it manually in PowerShell on your PC?
Thanks,
Niels