Microsoft Graph PowerShell 101: Querying Intune Data 

As I demonstrated in the Recast webinar two weeks ago, getting started with Microsoft Graph and PowerShell is straightforward. Also, if you need a refresher on endpoint anatomy, see my first post on Microsoft Graph.  

In this post, I’ll walk you through connecting to Graph, exploring common Intune endpoints, and running your first PowerShell queries. The steps below are drawn from the “Graph API & PowerShell 101” section of that webinar deck. 

Prerequisites 

• PowerShell 7.x or later 
• An Entra ID with at least Reader permissions on users and devices 
• Network access to https://graph.microsoft.com 
• Basic familiarity with PowerShell scripting 

What is MS Graph? 

Check out my first post, a primer on MS Graph. 

Install the Microsoft Graph PowerShell SDK 

Open PowerShell and run: 

Install-Module Microsoft.Graph -Scope CurrentUser 

This command installs the unified SDK covering both v1.0 Graph endpoints. 

Authenticate with ConnectMgGraph 

Authenticate interactively: 

Connect-MgGraph -Scopes "Device.Read.All","User.Read.All" 

Scopes define the permissions your session will have. 

After signing in, verify with: 

Get-MgProfile | Format-List DisplayName, UserPrincipalName 

Run Your First Graph Queries 

Retrieve Device Data 

# Top 10 managed Intune devices 
Get-MgDeviceManagementManagedDevice -Top 10 | 
  Select-Object DeviceName, OperatingSystem, ComplianceState

Use the -Filter parameter to narrow results—for example, to return only non-compliant devices: 

Get-MgDeviceManagementManagedDevice -Filter "complianceState eq 'noncompliant'" 

Retrieve User Data 

# Top 5 users with basic info 
Get-MgUser -Top 5 | 
  Select-Object DisplayName, UserPrincipalName, AccountEnabled

Return only enabled accounts: 

Get-MgUser -Filter "accountEnabled eq true" 

Create a Security Group 

$params = @{ 
  DisplayName     = "All Devices Group" 
  MailEnabled     = $false 
  MailNickname    = "alldevices" 
  SecurityEnabled = $true 
} 
New-MgGroup -BodyParameter $params

This command creates a security group in Microsoft 365. 

Invoke-RestMethod vs. Microsoft.Graph Cmdlets 

	InvokeRestMethod	Microsoft.Graph SDK
Module requirement	None	Install Microsoft.Graph
Authentication	Manual token retrieval (MSAL, Managed Identity)	Connect-MgGraph handles it
Syntax	Build headers + raw JSON	Native cmdlets
Pagination	You must handle $skip/$top yourself	SDK autopaginates

Example using InvokeRestMethod 

$token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com").Token 
$headers = @{ 
  Authorization = "Bearer $token" 
  "Content-Type" = "application/json" 
} 
Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/users" -Headers $headers

Tips & Best Practices 

• Least Privilege: Request only the scopes you need. 
• Error Handling: Wrap REST calls in try/catch and validate JSON. 
• OData Filters: Filter on the server to reduce payload size. 
• Handle Paging: Use -Top/-Skip or rely on SDK’s paging support for large datasets. 

Next Steps 

With these basics you can: 

• Automate bulk user and device management 
• Generate custom Intune reports 
• Deploy scripts as Azure Automation Runbooks (as covered in my next blog post)