How To: Use Logic Apps to Query Intune for Device Information

This article will show you how to query device information from Intune using Logic Apps. This is a foundational article and will be used in several other scenarios going forward.

Why?

Why would we want to do this? The simple (and vague) answer is “for many types of process automation.” I’m currently building a scenario to show you how to use this process to create/update an asset record in CMDB. In a few weeks, we’ll dive into other scenarios where we also need device information from Intune.

Following are the basic steps for this article:

  1. Create an Application Registration and grant read-only access.
  2. Build a sample Logic App to query Intune (via Graph) and send an email with the details.

This article lays the groundwork; you’ll see it in action when we incorporate it into the scenarios mentioned above.

Prerequisites

In order to accomplish this task, you must have Intune with managed devices, as well as access to Azure AD to grant rights.

Create an Azure Application Registration

In order for Logic Apps to query Graph, we must register an application and grant read rights to Intune.

Registering an Application in Azure

  1. In the Azure portal, navigate to Azure Active Directory and select App Registrations.
  2. Select New registration.
  3. Enter the Name as Intune Get Device.
  4. Review the settings shown in Figure 1 and click Register.
Figure 1 – Registering a new application
  5. After clicking Register, you should now see a page similar to Figure 2, which shows the details of your new application registration. Copy the Application (client) ID and the Directory (tenant) ID, as you will need them when we create the Logic App.
Figure 2 – The Application registration properties page

Congrats! You’ve registered a pretty boring application (so far). Now we need to grant API permissions:

Granting Read Rights to Intune

  1. Click on View API permissions.
  2. Click Add a permission.
  3. Select Microsoft Graph as shown in Figure 3.
Figure 3 – Adding Microsoft Graph
  4. After selecting Microsoft Graph, you are prompted for the type of permissions your application requires. Select Application Permissions as shown in Figure 4.
  5. Type DeviceManagement in the text box to filter the list, then choose DeviceManagementManagedDevices.Read.All as shown in Figure 4, then click Add permissions.
Figure 4 – Configuring the API permissions
  6. Next, you (as an administrator) must grant consent for the specified rights. Click the Grant admin consent for … button as shown in Figure 5.
Figure 5 – Granting admin consent
  7. Click Yes in the confirmation dialog to grant consent. The result should be similar to Figure 6.
Figure 6 – Consent Granted
  8. Next, click on Certificates & secrets and click New client secret.
  9. Enter a clever description and set the secret expiration time as shown in Figure 7, and then click Add.
Figure 7 – Adding a client secret
  10. Under Client secrets, you should see the description and the secret value as shown in Figure 8. Copy this secret value and store it securely for use in your Logic App.
Figure 8 – The client secret
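
To confirm that the registration really is read-only, you can decode an access token issued to it and compare its application permissions with the single one granted above. This is an added example, not part of the original walkthrough: the function names are hypothetical, the sample tokens are constructed and unsigned, and it assumes the token is a JWT whose roles claim lists the granted application permissions.

```python
import base64
import json

# The one application permission granted in the steps above.
EXPECTED_ROLES = {"DeviceManagementManagedDevices.Read.All"}

def decode_claims(token):
    """Decode (without verifying the signature) the payload segment of a JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_roles(token):
    """List deviations from the read-only grant; an empty list means it matches."""
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))
    findings = [f"excess application permission: {r}"
                for r in sorted(roles - EXPECTED_ROLES)]
    findings += [f"missing application permission: {r}"
                 for r in sorted(EXPECTED_ROLES - roles)]
    if "scp" in claims:
        findings.append("delegated scopes present; expected an app-only token")
    return findings

def make_sample_token(roles):
    """Build a constructed, unsigned token for the demonstration (not a real one)."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none", "typ": "JWT"}),
                     seg({"roles": roles}),
                     "constructed"])

if __name__ == "__main__":
    ok = make_sample_token(["DeviceManagementManagedDevices.Read.All"])
    broad = make_sample_token(["DeviceManagementManagedDevices.Read.All",
                               "DeviceManagementManagedDevices.ReadWrite.All"])
    print(audit_roles(ok))     # matches the grant
    print(audit_roles(broad))  # flags the write permission
```

The decode step is for inspection only; it does not validate the token.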

Create a Test Logic App

Finally, we are ready to roll from an application registration perspective. Next, we create a test Logic App to verify that all is well.

  1. From the Azure Portal select Logic Apps, then Add.
  2. Choose your desired Resource Group, enter the name “Test-GetIntuneDevice”, and choose a location.
  3. Click Review + Create, and then Create.
  4. Once created, go to your new Logic Apps resource.
  5. For this test, select Recurrence as the common trigger as shown in Figure 9.
Figure 9 – Choose Recurrence for the test Logic App
  6. Set the Interval to 3 and the Frequency to “Month”, so that this runs every three months (once we’ve tested, we’ll delete this test Logic App).
  7. Create a new step and search for “initialize”, then choose Initialize variable as shown in Figure 10.
Figure 10 – Choosing the action Initialize variable
  8. Enter “ComputerName” for Name, set the Type as “String” and for the value, set it to an existing computer name in Intune as shown in Figure 11.
Figure 11 – Initialize The ComputerName
  9. Next, create a new step, then search for and choose HTTP as shown in Figure 12.
Figure 12 – Choosing the HTTP action
  10. Choose Get for the type.
  11. For the URI, enter the following:
      https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=startswith(deviceName,'')
      Next, insert your cursor between the single quotes near the end of the line and select the ComputerName variable under Dynamic content as shown in Figure 13.

This step uses the Get managedDevice API from Graph. For this example, we configured the API call to filter based on the deviceName.

Figure 13 – Setting the ComputerName variable
  12. For Headers add “Content-Type” as “application/json” as shown in Figure 14.
  13. Click Add new parameter, select Authentication, and then click off of the dialog to add the Authentication Type to the step.
  14. Select Active Directory OAuth for the Authentication type.
  15. Add your Tenant, Client ID and Secret (the ones you copied earlier while creating the App registration).
  16. For Audience, enter https://graph.microsoft.com.
  17. Review settings and compare them to Figure 14.
Figure 14 – Configuring the HTTP action

Most importantly, click Save and ensure the Logic App successfully saved.

Run a Test

You should be set to just click Run on the Logic App, and give it a few minutes to complete. After completion, you should see green checkboxes across all three steps as shown in Figure 15.

Figure 15 – A successful run of the Logic App

Finish the Logic App

Now that we’ve performed a successful run, we need to complete our Logic App.

  1. Expand the HTTP step to view the output.
  2. Copy the contents of the Body as shown in Figure 16. We will use this information to provide the schema to parse the JSON.
Figure 16 – Copy the Body of the JSON
  3. Next, edit the Logic App and click New step.
  4. Type “Parse JSON” into the search bar and select Data Operations->Parse JSON.
  5. For Content, select the dynamic content of the Body from the HTTP step.
  6. Click Use sample payload to generate schema, paste the body that you copied in Step 2 of this section and click Done so that the Parse JSON step looks similar to Figure 17.
Figure 17 – The Parse JSON step
  7. Click New step and find the Send an email (V2) step for Outlook.
  8. Enter the desired To email address, and a catchy Subject line.
  9. In the Body, type “Device Name:” and then expand the Parse JSON dynamic content (as shown in Figure 18) and then select deviceName.
Figure 18 – Choosing the deviceName variable
  10. Note that as soon as you select deviceName, the Logic App Designer recognizes that this is an array (based on the schema from the Parse JSON step) and automatically creates a For each loop. Expand the Send an email (V2) step and populate the Body as shown in Figure 19.
Figure 19 – Populating the email Body
  11. Save your work!
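
The same query and parsing logic outside the designer, as an added example rather than code from the original article: it builds the filter URI from the HTTP step with the device name escaped as an OData string literal, then reads the value array that Parse JSON and the For each loop operate on. The function names, the extra fields (id, operatingSystem) and the sample body are assumptions constructed for illustration; the exact-match helper is there because startswith() is a prefix match and can return more than one device.

```python
import json
from urllib.parse import quote

# Endpoint taken from the URI used in the HTTP action above.
GRAPH_DEVICES = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"

def build_device_query(computer_name):
    """Build the same startswith() filter URI, escaping the name as an OData literal."""
    if not computer_name or any(ord(ch) < 0x20 for ch in computer_name):
        raise ValueError("device name is empty or contains control characters")
    literal = computer_name.replace("'", "''")  # OData escapes ' by doubling it
    expr = f"startswith(deviceName,'{literal}')"
    return f"{GRAPH_DEVICES}?$filter={quote(expr, safe='(),')}"

def extract_devices(body):
    """Return (rows, next_link) from the JSON body of the Graph response."""
    doc = json.loads(body)
    devices = doc.get("value")
    if not isinstance(devices, list):
        raise ValueError("response has no 'value' array")
    rows = [{"id": d.get("id"), "deviceName": d.get("deviceName"),
             "operatingSystem": d.get("operatingSystem")} for d in devices]
    # A next link means more pages exist and this result is incomplete.
    return rows, doc.get("@odata.nextLink")

def exact_matches(rows, computer_name):
    """startswith() is a prefix match; keep only rows whose name matches exactly."""
    wanted = computer_name.casefold()
    return [r for r in rows if (r["deviceName"] or "").casefold() == wanted]

# Constructed sample body (not real tenant data), shaped like a Graph collection.
SAMPLE_BODY = json.dumps({
    "@odata.context":
        "https://graph.microsoft.com/v1.0/$metadata#deviceManagement/managedDevices",
    "value": [
        {"id": "constructed-id-1", "deviceName": "PC-1", "operatingSystem": "Windows"},
        {"id": "constructed-id-2", "deviceName": "PC-10", "operatingSystem": "Windows"},
    ],
})

if __name__ == "__main__":
    print(build_device_query("PC-1"))
    rows, next_link = extract_devices(SAMPLE_BODY)
    print(len(rows), "returned;", len(exact_matches(rows, "PC-1")), "exact match")
```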

Perform a Full test

At this point, you should be ready for a full test. Click Run in the Logic Apps Designer and wait a few minutes to (hopefully) receive an email. You should also see the completed steps appear in the Logic Apps Designer as shown in Figure 20.

Figure 20 – A successful run of our Logic App

And if all worked out as planned, you also have an email in your inbox that looks similar to Figure 21.

Figure 21 – Test email success!

Congrats! This is a huge step in preparing for future automation. Hopefully, this article has laid the groundwork for you to learn more about extracting data from Intune using Graph. Stay tuned for scenarios that leverage this functionality.

When finished, remove the test Logic App, but be sure to capture the secret and other information so that you can use it for future automation.

Greg

About Greg Ramsey
Greg Ramsey is a Senior Distinguished Engineer for Dell Digital - Services. He has a B.S. in Computer Sciences and Engineering from The Ohio State University and has co-authored many books over the years. Greg is also a board member of the Northwest System Center User Group and the Midwest Management Summit. Greg has been a Microsoft Endpoint Manager (ConfigMgr, Intune) MVP for over 18 years.
