In this article we are going to discuss the integration of PowerShell with Intune and how to leverage it to make REST API calls.
My name is Saurabh Sarkar and I am an Intune engineer at Microsoft. I have a YouTube channel, and you can subscribe to it to learn more about Microsoft Intune.
Before we go through this article I would strongly suggest reading the one below first, in which I have explained the basics of an API and how we can make use of Microsoft Graph Explorer.
The entire demonstration from this article can be found in my video below:
In this article we are first going to talk about:
#How we can integrate Intune with PowerShell.
#Then we will talk about how we can integrate APIs with PowerShell.
1-INTEGRATING INTUNE WITH POWERSHELL
For managing Intune via PowerShell, we first need the Intune module. Having this module installed on the machine provides the cmdlets we need to manage Intune from the command line.
If we open an elevated PowerShell prompt and run ‘Get-Module’, we won’t see any Intune module installed.
Now if we run Show-Command, we won’t see any commands available for Intune (as expected, since the Intune module is not there).
So let’s install the Intune module for PowerShell so that we can use it.
Downloading and Installing the Intune Module from GitHub
We go to Google and search for ‘Intune Module for Windows Powershell’; the first result (from GitHub) is the relevant one.
Click on the first link > go to “Releases”
Download the “Intune-powershell-sdk.zip”
Now let’s extract the contents of the zip to the machine where we want to install the PS module.
Once extracted we see that it has 2 folders.
“net471” is the one relevant to us in this case; it contains the Intune module.
Before we run this module, we will have to set the execution policy.
Now we are all set to import and install the Intune module for PowerShell by browsing to the net471 folder as below:
The module takes a couple of minutes to install. Once done, run ‘Get-Module’ again to verify that it has been installed successfully.
Now if we run ‘Show-Command’ we should be able to see the Intune cmdlets that came with the installation of the Intune module.
Installing the Azure AD Module
Now we can proceed with the installation of the AAD module. We just have to run “Install-Module AzureAD”.
Both modules are installed! Now we are all set to use PowerShell to interact with the Intune service.
Authorize and Authenticate:
Before we can use PS to manage Intune, we’ll have to get authenticated, which provides us the needed token. We use ‘Connect-MSGraph’ for this.
Now we are all set to run the Intune commands.
We get exactly the same information if we browse through the blades of the Intune portal:
Support TIP: make use of Show-Command.
We might not know all the cmdlets in this module, so this gives us an option to search, etc.
Find a list of managed devices-
#By using Show-Command we can get the same info as below:
This is equivalent to getting the same info from the portal, as below:
which is equivalent to running the below from Graph Explorer:
When we click on any blade, it makes a REST API call, which is the same thing PowerShell is doing, or that we are doing manually using Graph Explorer.
This is how we integrate Intune with PowerShell.
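The whole of section 1 as one PowerShell session, added here as an example (not code from the original post or from the SDK): import the module from the extracted net471 folder, sign in, and list managed devices. The extraction path and the manifest file name are assumptions.

```powershell
# Added example: install the Intune PowerShell SDK from the extracted "net471" folder,
# connect, and list managed devices (the "managed devices" blade / Graph Explorer query).
# Assumption: the zip was extracted to C:\IntuneSDK; the manifest file name is assumed.
$sdkFolder = 'C:\IntuneSDK\net471'                       # assumed extraction path
$manifest  = Join-Path $sdkFolder 'Microsoft.Graph.Intune.psd1'

# Relax the execution policy for this process only, rather than machine-wide.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

# Files downloaded from the internet carry a zone marker that blocks loading; clear it, then import.
Get-ChildItem -Path $sdkFolder -Recurse | Unblock-File
Import-Module $manifest -ErrorAction Stop

# Verify: the module is loaded and exposes Intune cmdlets (same check as Get-Module / Show-Command).
Get-Module Microsoft.Graph.Intune | Format-List Name, Version
"Intune cmdlets available: $((Get-Command -Module Microsoft.Graph.Intune).Count)"

# Interactive sign-in; this obtains the token the session uses for every following call.
Connect-MSGraph | Out-Null

# Equivalent of GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices
Get-IntuneManagedDevice |
    Select-Object deviceName, operatingSystem, complianceState, lastSyncDateTime |
    Sort-Object lastSyncDateTime -Descending |
    Format-Table -AutoSize
```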
2-INTEGRATING APIs WITH POWERSHELL
The very first thing we need to achieve this integration is an AAD token.
To get the AAD token, the best and easiest way is to run a script which automatically does this for us.
We go to Google and search for “Powershell Intune Samples”.
Now let’s get hold of a sample script from this location (one which is read-only, and hence will not make any change).
Running this script does 3 things for us:
1- Checks to ensure that the AAD module is installed
2- Generates an AAD token, which it uses within the script for the next step. –> This is what we actually need here!
3- Shows us the app protection policy information from our tenant, as the script is written to do.
Note: before we continue, I would like to stress that the goal of running this script was NOT getting the app policies from the portal but getting the AAD token.
Understanding the script-
If we look at the script, 90% of it deals with getting the auth token and checking that the AAD module is in place.
Once the auth token is there, it is used by the PS session to get the status of the policies from our tenant.
The auth token is stored in the variable $authtoken.
And then we see something like this in the script, which I will explain later:
So now we know what the script is doing, let’s run it!
Running the script gives us the output below, and we get the list of MAM policies in our tenant.
But that was never the goal here! The goal was getting the auth token, which we now have!
The “$authtoken” variable contains the AAD token which we need.
Now we can see what the token contains, as shown below:
This is actually a JSON Web Token (JWT).
To learn more about what this token is and to decode it, we can go to the website “jwt.io” and paste the token there; it decodes it and shows us the content of the token.
So now we have the AAD auth token and we know what it contains (the user it was issued to, the application it can be used in, its permissions, etc.). So now we can use the token!
Note: we didn’t really need to run the entire script to get the auth token; we could just run the function which generates the token and skip the rest. However, since it was only doing a GET, I ran the entire thing.
Running the API calls from Powershell
To do this we need to:
#Have the AAD token (which we already have in the $authtoken variable)
#Have the AAD module and the Intune module installed (which we also already have)
We make use of the cmdlet “Invoke-RestMethod” to do this. If you looked closely, this is exactly what the above script was doing, which we used to generate the auth token.
So let’s run a command with a similar syntax to the above in the same PS session. Running it in the same PS session where the above script was run is essential, because the $authtoken variable does not exist outside that PS session.
We get the following output-
This output is the same as what we would have got if we ran the same API call via Graph Explorer:
So we have successfully made a REST API call using PowerShell by querying the same endpoint we were using in Graph Explorer (which the portal was also calling for us).
We can do a POST/PATCH/DELETE as well, just like we could from Graph Explorer.
We will have to provide the policy body in JSON format.
Now that we are able to get this information for one REST API endpoint, we can feed values from a .csv and automate the above command.
Now we have seen that PowerShell can be integrated with Intune and that APIs can also be called from PowerShell, so we can reach a great level of automation! Both Graph Explorer and PowerShell are very powerful tools and, if used wisely, they can assist with many tasks such as reporting, auditing, health checks, and app/policy creation, deletion and updates.
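The Invoke-RestMethod call and the .csv automation from the last section, added as an example (not code from the original post or the sample script). It assumes $authtoken is the sample script’s header hashtable in the same PS session, and the CSV path and its DeviceName column are assumptions; the sample CSV content is constructed.

```powershell
# Added example: GET from Graph with the token in $authtoken, follow @odata.nextLink so
# tenants with more than one page of devices are fully read, then drive the query from a .csv.
# Assumption: $authtoken is the sample script's header hashtable (same PS session).
function Invoke-GraphGet {
    param([Parameter(Mandatory)][string]$Uri, [Parameter(Mandatory)][hashtable]$Headers)
    $results = @()
    do {
        $page     = Invoke-RestMethod -Uri $Uri -Headers $Headers -Method Get -ErrorAction Stop
        $results += $page.value
        $Uri      = $page.'@odata.nextLink'   # null on the last page, which ends the loop
    } while ($Uri)
    return $results
}

$graph = 'https://graph.microsoft.com/v1.0'

# Same query as the Graph Explorer call for managed devices, with every page collected.
$allDevices = Invoke-GraphGet -Uri "$graph/deviceManagement/managedDevices" -Headers $authtoken
"Total managed devices: $($allDevices.Count)"

# Automate the call for a list of devices supplied in a .csv. Constructed sample file content:
#   DeviceName
#   LAPTOP-01
#   LAPTOP-02
$csvPath = 'C:\temp\devices.csv'   # assumed path
foreach ($row in Import-Csv -Path $csvPath) {
    # Quote for OData (double any single quote) and URL-encode so the CSV value cannot alter the query.
    $name   = [uri]::EscapeDataString($row.DeviceName.Replace("'", "''"))
    $uri    = "$graph/deviceManagement/managedDevices?`$filter=deviceName eq '$name'"
    $device = Invoke-GraphGet -Uri $uri -Headers $authtoken
    if ($device) {
        $device | Select-Object deviceName, complianceState, lastSyncDateTime
    } else {
        Write-Warning "No managed device found with name '$($row.DeviceName)'"
    }
}

# A write works the same way: pick the method and pass the policy body as JSON, e.g.
#   Invoke-RestMethod -Uri "$graph/<endpoint>" -Headers $authtoken -Method Post `
#       -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'
```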