Get Intune Reports using PowerShell leveraging Graph API
As ZIP file or PS object ๐
In a previous post Get Intune Compliance data using PowerShell leveraging Graph API I wrote about getting compliance data from Intune.
Today I will show you how to retrieve Intune Reports as ZIP file or PS Object using PowerShell function leveraging Graph API.
Table of Contents
Available Intune reports
At this Microsoft page you can find all available Intune reports.
Below you can find screenshot from that page. On the left side is the report name used in Intune api request, on the right side is a path, where you can find such report on the Intune page. All these reports can be retrieved by Graph API.
Prerequisite
To programmatically access Intune API (Graph API), you have to create App Registration
with correct permissions in your Azure first. I've used this nice tutorial to learn how to do it.
In a nutshell, you have to:
- Create App Registration
- Head to portal.azure.com/#blade/Microsoft_AAD_IAM/A.. >
New registration
> Choose App name and clickRegister
- Head to portal.azure.com/#blade/Microsoft_AAD_IAM/A.. >
- Add permission to created App
- Open your newly created App >
API permissions
>Add a permission
> Add followingApplication
permissions (probably not all of them are needed, but I was too lazy to test it, sorry)- Application.Read.All
- Device.Read.All
- DeviceManagementApps.Read.All
- DeviceManagementConfiguration.Read.All
- DeviceManagementManagedDevices.Read.All
- ProgramControl.Read.All
- Reports.Read.All
- Open your newly created App >
Don't forget to
Grant admin consent
- Generate App Secret
- Again in you App settings open
Certificates & secrets
>New client secret
Choose validity period and some meaningful description. Don't forget to safely store generated password! We will need it later for requests authentication.
- Again in you App settings open
Get-IntuneReport PowerShell function
You can download my Get-IntuneReport
function from my GitHub. You will also need function New-IntuneAuthHeader for authentication purposes (how to use it).
To create Get-IntuneReport
function I've followed Microsoft official tutorial, which isn't very user friendly, but helped :).
In general, the function has to create a request for generating the report, then waits for it to finish and downloads it.
The function supports TAB completion of reportName
parameter thanks to ๐
[ValidateSet('DeviceCompliance', 'DeviceNonCompliance', 'Devices', 'DetectedAppsAggregate', 'FeatureUpdatePolicyFailuresAggregate', 'DeviceFailuresByFeatureUpdatePolicy', 'FeatureUpdateDeviceState', 'UnhealthyDefenderAgents', 'DefenderAgents', 'ActiveMalware', 'Malware', 'AllAppsList', 'AppInstallStatusAggregate', 'DeviceInstallStatusByApp', 'UserInstallStatusAggregateByApp')]
[string] $reportName
Some reports (FeatureUpdateDeviceState, DeviceInstallStatusByApp, UserInstallStatusAggregateByApp) requires selecting update/application you want the report for. So in case, you don't provide it, the function will offer you the list of all available updates/applications so you can easily make the choice.
How to use this function?
- Download both functions (Get-IntuneReport, New-IntuneAuthHeader) and import them to your PowerShell console
- Create Azure App so you have credentials for unattended access
Call function like this ๐
$header = New-IntuneAuthHeader Get-IntuneReport -header $header -reportName UserInstallStatusAggregateByApp
- The result will look like this
Or if you want result as PS Object
$header = New-IntuneAuthHeader Get-IntuneReport -header $header -reportName DeviceNonCompliance -asObject
- The result will look like this
TIP
How did I find all these Graph API request URIs you may ask? Using Web Browser Developer Mode (F12) and a lot of clicking ๐