Get Intune Reports using PowerShell leveraging Graph API

Get Intune Reports using PowerShell leveraging Graph API

As ZIP file or PS object ๐Ÿ‘


3 min read

In a previous post Get Intune Compliance data using PowerShell leveraging Graph API I wrote about getting compliance data from Intune.

Today I will show you how to retrieve Intune Reports as ZIP file or PS Object using PowerShell function leveraging Graph API.

Table of Contents

Available Intune reports

At this Microsoft page you can find all available Intune reports.

Below you can find screenshot from that page. On the left side is the report name used in Intune api request, on the right side is a path, where you can find such report on the Intune page. image.png All these reports can be retrieved by Graph API.


To programmatically access Intune API (Graph API), you have to create App Registration with correct permissions in your Azure first. I've used this nice tutorial to learn how to do it.

In a nutshell, you have to:

  1. Create App Registration
  2. Add permission to created App
    • Open your newly created App > API permissions > Add a permission > Add following Application permissions (probably not all of them are needed, but I was too lazy to test it, sorry)
      • Application.Read.All
      • Device.Read.All
      • DeviceManagementApps.Read.All
      • DeviceManagementConfiguration.Read.All
      • DeviceManagementManagedDevices.Read.All
      • ProgramControl.Read.All
      • Reports.Read.All

Don't forget to Grant admin consent

  1. Generate App Secret
    • Again in you App settings open Certificates & secrets > New client secret Choose validity period and some meaningful description. Don't forget to safely store generated password! We will need it later for requests authentication.

Get-IntuneReport PowerShell function

You can download my Get-IntuneReport function from my GitHub. You will also need function New-IntuneAuthHeader for authentication purposes (how to use it).

To create Get-IntuneReport function I've followed Microsoft official tutorial, which isn't very user friendly, but helped :).

In general, the function has to create a request for generating the report, then waits for it to finish and downloads it.

The function supports TAB completion of reportName parameter thanks to ๐Ÿ‘‡

[ValidateSet('DeviceCompliance', 'DeviceNonCompliance', 'Devices', 'DetectedAppsAggregate', 'FeatureUpdatePolicyFailuresAggregate', 'DeviceFailuresByFeatureUpdatePolicy', 'FeatureUpdateDeviceState', 'UnhealthyDefenderAgents', 'DefenderAgents', 'ActiveMalware', 'Malware', 'AllAppsList', 'AppInstallStatusAggregate', 'DeviceInstallStatusByApp', 'UserInstallStatusAggregateByApp')]
[string] $reportName

Some reports (FeatureUpdateDeviceState, DeviceInstallStatusByApp, UserInstallStatusAggregateByApp) requires selecting update/application you want the report for. So in case, you don't provide it, the function will offer you the list of all available updates/applications so you can easily make the choice. image.png

How to use this function?

  • Download both functions (Get-IntuneReport, New-IntuneAuthHeader) and import them to your PowerShell console
  • Create Azure App so you have credentials for unattended access
  • Call function like this ๐Ÿ‘‡

    $header = New-IntuneAuthHeader
    Get-IntuneReport -header $header -reportName UserInstallStatusAggregateByApp
    • The result will look like this image.png
  • Or if you want result as PS Object

    $header = New-IntuneAuthHeader
    Get-IntuneReport -header $header -reportName DeviceNonCompliance -asObject
    • The result will look like this image.png


How did I find all these Graph API request URIs you may ask? Using Web Browser Developer Mode (F12) and a lot of clicking ๐Ÿ˜€ image.png image.png

Did you find this article valuable?

Support Ondrej Sebela by becoming a sponsor. Any amount is appreciated!