# Get Intune Reports using PowerShell leveraging Graph API

In a previous post [Get Intune Compliance data using PowerShell leveraging Graph API](https://doitpsway.com/get-intune-compliance-data-using-powershell-leveraging-graph-api) I wrote about getting **compliance data** from Intune. 

Today I will show you how to retrieve Intune **Reports** as ZIP file or PS Object using PowerShell function leveraging Graph API.

---

# Table of Contents
- [Available Intune reports](#available-intune-reports)
- [Prerequisite](#prerequisite)
- [Get-IntuneReport PowerShell function](#get-intunereport-powershell-function)
  - [How to use this function?](#how-to-use-this-function)
- [TIP](#tip)

---

# Available Intune reports
At this [Microsoft page](https://docs.microsoft.com/en-us/mem/intune/fundamentals/reports-export-graph-available-reports) you can find all available Intune reports. 

Below you can find screenshot from that page. On the left side is the report name used in Intune api request, on the right side is a path, where you can find such report on the Intune page.
![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626941109343/-OsbLxwZU.png)
All these reports can be retrieved by Graph API.

---

# Prerequisite
To programmatically access Intune API (Graph API), you have to create `App Registration` with correct permissions in your Azure first. I've used this [nice tutorial](https://thesleepyadmins.com/2020/10/24/connecting-to-microsoft-graphapi-using-powershell/) to learn how to do it.

In a nutshell, you have to:
1. Create App Registration
 - Head to https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps > `New registration` > Choose App name and click `Register`
2. Add permission to created App
 - Open your newly created App > `API permissions` > `Add a permission` > Add following `Application` permissions (**probably not all of them are needed**, but I was too lazy to test it, sorry)
    - Application.Read.All
    - Device.Read.All
    - DeviceManagementApps.Read.All
    - DeviceManagementConfiguration.Read.All
    - DeviceManagementManagedDevices.Read.All
    - ProgramControl.Read.All
    - Reports.Read.All

>  
Don't forget to `Grant admin consent`

3. Generate App Secret
 - Again in you App settings open `Certificates & secrets` > `New client secret`
Choose validity period and some meaningful description. **Don't forget to safely store generated password**! We will need it later for requests authentication.

---

# Get-IntuneReport PowerShell function
You can download my `Get-IntuneReport` function from my [GitHub](https://github.com/ztrhgf/useful_powershell_functions/blob/master/INTUNE/Get-IntuneReport.ps1). You will also need function [New-IntuneAuthHeader](https://github.com/ztrhgf/useful_powershell_functions/blob/master/INTUNE/New-IntuneAuthHeader.ps1) for authentication purposes ([how to use it](https://hashnode.com/edit/ckrbuqdf200bp1fs1hwca11vr#function-for-creating-authentication-header)).

To create `Get-IntuneReport` function I've followed [Microsoft official tutorial](https://docs.microsoft.com/en-us/mem/intune/fundamentals/reports-export-graph-apis), which isn't very user friendly, but helped :).

In general, the function has to create a request for generating the report, then waits for it to finish and downloads it.

The function supports TAB completion of `reportName` parameter thanks to 👇

```
[ValidateSet('DeviceCompliance', 'DeviceNonCompliance', 'Devices', 'DetectedAppsAggregate', 'FeatureUpdatePolicyFailuresAggregate', 'DeviceFailuresByFeatureUpdatePolicy', 'FeatureUpdateDeviceState', 'UnhealthyDefenderAgents', 'DefenderAgents', 'ActiveMalware', 'Malware', 'AllAppsList', 'AppInstallStatusAggregate', 'DeviceInstallStatusByApp', 'UserInstallStatusAggregateByApp')]
[string] $reportName
```

Some reports (FeatureUpdateDeviceState, DeviceInstallStatusByApp, UserInstallStatusAggregateByApp) requires selecting update/application you want the report for. So in case, you don't provide it, the function will offer you the list of all available updates/applications so you can easily make the choice.
![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626960505966/40NFK7UlW.png)

## How to use this function?
- Download both functions ([Get-IntuneReport](https://github.com/ztrhgf/useful_powershell_functions/blob/master/INTUNE/Get-IntuneReport.ps1), [New-IntuneAuthHeader](https://github.com/ztrhgf/useful_powershell_functions/blob/master/INTUNE/New-IntuneAuthHeader.ps1)) and import them to your PowerShell console
- Create [Azure App](#prerequisite) so you have credentials for unattended access
- Call function like this 👇
```
$header = New-IntuneAuthHeader
Get-IntuneReport -header $header -reportName UserInstallStatusAggregateByApp
```
 - The result will look like this 
 ![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626977678751/KgcaSD2lE.png)

- Or if you want result as PS Object
```
$header = New-IntuneAuthHeader
Get-IntuneReport -header $header -reportName DeviceNonCompliance -asObject
```
 - The result will look like this
 ![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626977904041/gf9ZVgc3u.png)

---

# TIP
How did I find all these Graph API request URIs you may ask? Using Web Browser Developer Mode (F12) and a lot of clicking 😀 ![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626772777085/fHCKTgoyce.png)
![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1626977529675/S41eIIpWk.png)

