
Microsoft Graph PowerShell 101: Querying Intune Data 

Topics: Intune

As I demonstrated in the Recast webinar two weeks ago, getting started with Microsoft Graph and PowerShell is straightforward. Also, if you need a refresher on endpoint anatomy, see my first post on Microsoft Graph.  

In this post, I’ll walk you through connecting to Graph, exploring common Intune endpoints, and running your first PowerShell queries. The steps below are drawn from the “Graph API & PowerShell 101” section of that webinar deck. 

Prerequisites 

  • PowerShell 7.x or later 
  • An Entra ID account with at least Reader permissions on users and devices 
  • Network access to https://graph.microsoft.com 
  • Basic familiarity with PowerShell scripting 

What is MS Graph? 

Check out my first post, a primer on MS Graph

Microsoft Graph PowerShell - Flow

Install the Microsoft Graph PowerShell SDK 

  • Open PowerShell and run: 

Install-Module Microsoft.Graph -Scope CurrentUser 

  • This command installs the unified SDK covering the v1.0 Graph endpoints. 

Authenticate with Connect-MgGraph 

Authenticate interactively: 

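# DeviceManagementManagedDevices.Read.All is the delegated scope the Intune managed-device queries below require
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All","User.Read.All" 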

  • Scopes define the permissions your session will have. 
  • After signing in, verify with: 

# Get-MgContext shows the signed-in account, the tenant, and the scopes actually granted
Get-MgContext | Format-List Account, TenantId, Scopes 

Run Your First Graph Queries 

Retrieve Device Data 

# Top 10 managed Intune devices 
Get-MgDeviceManagementManagedDevice -Top 10 | 
  Select-Object DeviceName, OperatingSystem, ComplianceState 

  • Use the -Filter parameter to narrow results—for example, to return only non-compliant devices: 

Get-MgDeviceManagementManagedDevice -Filter "complianceState eq 'noncompliant'" 

Retrieve User Data 

# Top 5 users with basic info 
Get-MgUser -Top 5 | 
  Select-Object DisplayName, UserPrincipalName, AccountEnabled 

  • Return only enabled accounts: 

Get-MgUser -Filter "accountEnabled eq true" 

Create a Security Group 

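# Creating a group needs a write scope (Group.ReadWrite.All); the read-only session above is not enough
$params = @{ 
  DisplayName     = "All Devices Group" 
  MailEnabled     = $false 
  MailNickname    = "alldevices" 
  SecurityEnabled = $true 
} 

New-MgGroup -BodyParameter $params 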

This command creates a security group in Microsoft 365. 

Invoke-RestMethod vs. Microsoft.Graph Cmdlets 

| | Invoke-RestMethod | Microsoft.Graph SDK |
|---|---|---|
| Module requirement | None | Install Microsoft.Graph |
| Authentication | Manual token retrieval (MSAL, Managed Identity) | Connect-MgGraph handles it |
| Syntax | Build headers + raw JSON | Native cmdlets |
| Pagination | You must handle $skip/$top yourself | SDK autopaginates |

Example using Invoke-RestMethod 

# Acquire a Graph access token from the current Az session
$token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com").Token 

# Build the request headers that carry the bearer token
$headers = @{ 
  Authorization  = "Bearer $token" 
  "Content-Type" = "application/json" 
} 

Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/users" -Headers $headers 

Tips & Best Practices 

  • Least Privilege: Request only the scopes you need. 
  • Error Handling: Wrap REST calls in try/catch and validate JSON. 
  • OData Filters: Filter on the server to reduce payload size. 
  • Handle Paging: Use -Top/-Skip or rely on SDK’s paging support for large datasets. 
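
The error-handling, filtering and paging tips above, applied to the Invoke-RestMethod path, as an added example that is not code from the original post or from the Graph SDK. The function name Get-GraphPagedResult and its -MaxPages parameter are hypothetical; it assumes an Az session for the token and follows the @odata.nextLink continuation link that Graph returns on collection responses.

```powershell
# Added example, not from the original post. Get-GraphPagedResult and -MaxPages are hypothetical names.
function Get-GraphPagedResult {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]    $Uri,
        [Parameter(Mandatory)] [hashtable] $Headers,
        [int] $MaxPages = 50   # safety stop so a malformed nextLink cannot loop forever
    )
    $next  = $Uri
    $pages = 0
    while ($next -and $pages -lt $MaxPages) {
        # The bearer token travels with every request, so only follow links that stay on the Graph host.
        if (([uri]$next).Host -ne 'graph.microsoft.com') {
            throw "Refusing to send token to unexpected host: $next"
        }
        try {
            $response = Invoke-RestMethod -Uri $next -Headers $Headers -Method Get -ErrorAction Stop
        }
        catch {
            # Report the HTTP status (401/403 usually means a missing scope) without echoing the token.
            $status = [int]$_.Exception.Response.StatusCode
            throw "Graph request failed (HTTP $status) for $next : $($_.ErrorDetails.Message)"
        }
        # Validate the shape: a collection response carries its items in 'value'.
        if ($null -eq $response.value) { throw "Unexpected response shape from $next" }
        $response.value                        # emit this page's items to the pipeline
        $next = $response.'@odata.nextLink'    # absent on the last page, which ends the loop
        $pages++
    }
    if ($next) { Write-Warning "Stopped after $MaxPages pages; results are incomplete." }
}

# Usage: filter and select on the server so only the needed rows and columns come back.
$token = (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token
if ($token -is [securestring]) { $token = ConvertFrom-SecureString $token -AsPlainText }  # newer Az.Accounts versions
$headers = @{ Authorization = "Bearer $token" }
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
       "?`$filter=complianceState eq 'noncompliant'" +
       '&$select=deviceName,operatingSystem,complianceState'
Get-GraphPagedResult -Uri $uri -Headers $headers |
    Select-Object deviceName, operatingSystem, complianceState
```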

Next Steps 

With these basics you can: 

  • Automate bulk user and device management 
  • Generate custom Intune reports 
  • Deploy scripts as Azure Automation Runbooks (as covered in my next blog post) 