In a previous post Get Intune Compliance data using PowerShell leveraging Graph API I wrote about getting compliance data from Intune.

Today I will show you how to retrieve Intune Reports as ZIP file or PS Object using PowerShell function leveraging Graph API.

---

Table of Contents

• Available Intune reports
• Prerequisite
• Get-IntuneReport PowerShell function
  • How to use this function?
• TIP

---

Available Intune reports

At this Microsoft page you can find all available Intune reports.

Below you can find screenshot from that page. On the left side is the report name used in Intune api request, on the right side is a path, where you can find such report on the Intune page. All these reports can be retrieved by Graph API.

---

Prerequisite

To programmatically access Intune API (Graph API), you have to create App Registration with correct permissions in your Azure first. I've used this nice tutorial to learn how to do it.

In a nutshell, you have to:

1. Create App Registration
   • Head to https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps > New registration > Choose App name and click Register
2. Add permission to created App
   • Open your newly created App > API permissions > Add a permission > Add following Application permissions (probably not all of them are needed, but I was too lazy to test it, sorry)
     • Application.Read.All
     • Device.Read.All
     • DeviceManagementApps.Read.All
     • DeviceManagementConfiguration.Read.All
     • DeviceManagementManagedDevices.Read.All
     • ProgramControl.Read.All
     • Reports.Read.All

Don't forget to Grant admin consent

1. Generate App Secret
   • Again in you App settings open Certificates & secrets > New client secret Choose validity period and some meaningful description. Don't forget to safely store generated password! We will need it later for requests authentication.

---

Get-IntuneReport PowerShell function

You can download my Get-IntuneReport function from my GitHub. You will also need function New-IntuneAuthHeader for authentication purposes (how to use it).

To create Get-IntuneReport function I've followed Microsoft official tutorial, which isn't very user friendly, but helped :).

In general, the function has to create a request for generating the report, then waits for it to finish and downloads it.

The function supports TAB completion of reportName parameter thanks to 👇

[ValidateSet('DeviceCompliance', 'DeviceNonCompliance', 'Devices', 'DetectedAppsAggregate', 'FeatureUpdatePolicyFailuresAggregate', 'DeviceFailuresByFeatureUpdatePolicy', 'FeatureUpdateDeviceState', 'UnhealthyDefenderAgents', 'DefenderAgents', 'ActiveMalware', 'Malware', 'AllAppsList', 'AppInstallStatusAggregate', 'DeviceInstallStatusByApp', 'UserInstallStatusAggregateByApp')]
[string] $reportName

Some reports (FeatureUpdateDeviceState, DeviceInstallStatusByApp, UserInstallStatusAggregateByApp) requires selecting update/application you want the report for. So in case, you don't provide it, the function will offer you the list of all available updates/applications so you can easily make the choice.

How to use this function?

• Download both functions (Get-IntuneReport, New-IntuneAuthHeader) and import them to your PowerShell console
• Create Azure App so you have credentials for unattended access

• Call function like this 👇

  $header = New-IntuneAuthHeader
  Get-IntuneReport -header $header -reportName UserInstallStatusAggregateByApp
  

  • The result will look like this

• Or if you want result as PS Object

  $header = New-IntuneAuthHeader
  Get-IntuneReport -header $header -reportName DeviceNonCompliance -asObject
  

  • The result will look like this

---

TIP

How did I find all these Graph API request URIs you may ask? Using Web Browser Developer Mode (F12) and a lot of clicking 😀