Sunday, 5 March 2017

Create Intune iOS Policy using Microsoft Graph API and Powershell

This is my first post in a while but I'm returning in great style with a very interesting topic to talk about.

The Microsoft Graph API is a very powerful way to consume, integrate and interact with Microsoft Cloud services. In this post, I will run you through the steps required to create an iOS compliance policy in Intune using the Graph API.

My intention here is to make you realize how important and ground-breaking this is. Imagine yourself having to configure an Intune tenant: all the compliance policies, configuration policies, applications, etc. Now imagine you can automate everything and set up an Intune tenant in minutes instead of hours or even days. This is the new reality. This is what the Microsoft Graph API empowers us to do.

Assumptions:
  • Intune tenant in the new Azure portal (portal.azure.com)
  • An app in Azure registered with the correct delegations to create policies in Intune. Refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications
Once you have your app registered, run the following code in PowerShell to get an access token:


Add-Type -AssemblyName System.Web
$graphURL = "https://graph.microsoft.com"
$appID = "Replace-with-ApplicationID"
$appKey = "Replace-with-Key-Value"
$appUri = "https://localhost:8000"   # must match the reply URL registered on the app
$appIDEncoded = [System.Web.HttpUtility]::UrlEncode($appID)
$appKeyEncoded = [System.Web.HttpUtility]::UrlEncode($appKey)
$appUriEncoded = [System.Web.HttpUtility]::UrlEncode($appUri)
$graphEncoded = [System.Web.HttpUtility]::UrlEncode($graphURL)
$delEncoded = [System.Web.HttpUtility]::UrlEncode("https://outlook.office.com/user.readwrite.all")

# Shows the Azure AD sign-in page in a WebBrowser control and closes the window as soon as
# the redirect back to $appUri carries either a code= or an error= parameter.
# Returns the query string of that redirect as a hashtable.
Function Get-AuthCode {
    Add-Type -AssemblyName System.Windows.Forms

    $form = New-Object -TypeName System.Windows.Forms.Form -Property @{Width=440;Height=640}
    $web  = New-Object -TypeName System.Windows.Forms.WebBrowser -Property @{Width=420;Height=600;Url=$url}

    $DocComp  = {
        $Global:uri = $web.Url.AbsoluteUri
        if ($Global:uri -match "error=[^&]*|code=[^&]*") {$form.Close() }
    }
    $web.ScriptErrorsSuppressed = $true
    $web.Add_DocumentCompleted($DocComp)
    $form.Controls.Add($web)
    $form.Add_Shown({$form.Activate()})
    $form.ShowDialog() | Out-Null

    $queryOutput = [System.Web.HttpUtility]::ParseQueryString($web.Url.Query)
    $output = @{}
    foreach($key in $queryOutput.Keys){
        $output["$key"] = $queryOutput[$key]
    }
    return $output
}

$url = "https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&redirect_uri=$appUriEncoded&client_id=$appID&resource=$graphEncoded&prompt=admin_consent&scope=$delEncoded"
$authResult = Get-AuthCode
if ($authResult.ContainsKey("error")) {
    throw "Authorization failed: $($authResult["error"]) - $($authResult["error_description"])"
}
$authCode = $authResult["code"]

# Exchange the authorization code for tokens. The resource must be the same one requested
# in the authorize URL above, and the redirect_uri must be sent URL-encoded like the rest of the body.
$body = "grant_type=authorization_code&redirect_uri=$appUriEncoded&client_id=$appID&client_secret=$appKeyEncoded&code=$authCode&resource=$graphEncoded"
$Authorization = Invoke-RestMethod https://login.microsoftonline.com/common/oauth2/token `
    -Method Post -ContentType "application/x-www-form-urlencoded" `
    -Body $body `
    -ErrorAction STOP

$accesstoken = $Authorization.access_token

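The access token you get back is short-lived (about an hour), so a script that provisions a whole tenant can outlive it. The token response from the v1 endpoint also contains refresh_token and expires_on (Unix seconds), which let you renew without showing the sign-in window again. The following is an added example, not code from the original post; it assumes the $appID, $appKeyEncoded, $graphEncoded and $Authorization variables from the block above, and Update-GraphToken is a name chosen here.

```powershell
# Added example: renew the access token from the refresh token instead of re-running the
# interactive sign-in. Assumes $appID, $appKeyEncoded, $graphEncoded and $Authorization
# from the token request above. Keep the refresh token in memory only; it is a credential.
$refreshToken = $Authorization.refresh_token
$expiresOn    = [DateTimeOffset]::FromUnixTimeSeconds([int64]$Authorization.expires_on)

Function Update-GraphToken {
    param(
        [Parameter(Mandatory)][string]$RefreshToken
    )
    $refreshEncoded = [System.Web.HttpUtility]::UrlEncode($RefreshToken)
    $body = "grant_type=refresh_token&client_id=$appID&client_secret=$appKeyEncoded&refresh_token=$refreshEncoded&resource=$graphEncoded"
    $response = Invoke-RestMethod https://login.microsoftonline.com/common/oauth2/token `
        -Method Post -ContentType "application/x-www-form-urlencoded" `
        -Body $body -ErrorAction Stop
    return $response
}

# Renew when fewer than five minutes of validity remain, e.g. at the top of a long loop
if ($expiresOn -lt [DateTimeOffset]::UtcNow.AddMinutes(5)) {
    $Authorization = Update-GraphToken -RefreshToken $refreshToken
    $accesstoken   = $Authorization.access_token
    # Azure AD hands back a new refresh token on each renewal; always keep the latest one
    $refreshToken  = $Authorization.refresh_token
    $expiresOn     = [DateTimeOffset]::FromUnixTimeSeconds([int64]$Authorization.expires_on)
}
```

Renewing with the refresh token does not re-prompt for consent, so the permissions granted to the app at the first sign-in are what every later call runs with; if you later add a delegation to the app registration you need to go through the authorize URL again.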

Now that you have the access token, run the following code to create a new iOS compliance policy in Intune. We interact with the Microsoft Graph API using JSON objects. In the example below we convert a hashtable to a JSON object before feeding it to the Invoke-RestMethod cmdlet.

# The key contains an @, so it is kept in a variable and used as the hashtable key
$odata = "@odata.type"
$policy = @{
  $odata = "#microsoft.graph.iosCompliancePolicy"
  "description"= "Created using Microsoft Graph"
  "lastModifiedDateTime"= "2017-01-01T00:00:35.1329464-08:00"
  "displayName"= "iOS Compliance Policy"
  "version"= 7
  "passcodeBlockSimple"= $true          # PowerShell $true/$false become JSON true/false
  "passcodeExpirationDays"= 6
  "passcodeMinimumLength"= 5
  "passcodeMinutesOfInactivityBeforeLock"= 5
  "passcodePreviousPasscodeBlockCount"= 2
  "passcodeMinimumCharacterSetCount"= 0
  "passcodeRequiredType"= "alphanumeric"
  "passcodeRequired"= $true
  "osMinimumVersion"= "8.0"
  "osMaximumVersion"= "10.0"
  "securityBlockJailbrokenDevices"= $true
  "deviceThreatProtectionEnabled"= $true
  "deviceThreatProtectionRequiredSecurityLevel"= "low"
} | ConvertTo-Json

Invoke-RestMethod -Headers @{Authorization = "Bearer $accesstoken"} `
                  -Uri  https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/ `
                  -Method POST `
                  -Body $policy `
                  -ContentType "application/json"
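The POST above happily creates a second "iOS Compliance Policy" every time you run the script, and it throws away the response, which is where Graph tells you the id of the new object. The following is an added example, not code from the original post: it checks for an existing policy with the same displayName first, creates the policy only if none exists, and then reads the new object back by id to confirm the settings landed. It assumes $accesstoken and the $policy JSON from above; $headers, $baseUri and New-CompliancePolicyIfMissing are names chosen for this example.

```powershell
# Added example: idempotent creation of the compliance policy plus a read-back check.
# Assumes $accesstoken and the $policy JSON string built above.
$headers    = @{ Authorization = "Bearer $accesstoken" }
$baseUri    = "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies"
$policyName = ($policy | ConvertFrom-Json).displayName

Function New-CompliancePolicyIfMissing {
    param(
        [Parameter(Mandatory)][string]$PolicyJson,
        [Parameter(Mandatory)][string]$DisplayName
    )

    # Match on displayName client-side: the service does not reject duplicate names,
    # so a re-run of the plain POST would silently create a second copy
    $existing = (Invoke-RestMethod -Headers $headers -Uri $baseUri -Method Get -ErrorAction Stop).value |
        Where-Object { $_.displayName -eq $DisplayName }
    if ($existing) {
        Write-Warning "Policy '$DisplayName' already exists (id $($existing.id)); not creating a duplicate"
        return $existing
    }

    try {
        $created = Invoke-RestMethod -Headers $headers -Uri $baseUri -Method Post `
            -Body $PolicyJson -ContentType "application/json" -ErrorAction Stop
    }
    catch {
        # HTTP 403 here usually means the app registration is missing the Intune delegated
        # permission (DeviceManagementConfiguration.ReadWrite.All) or admin consent for it
        $status = $_.Exception.Response.StatusCode.value__
        throw "Policy creation failed with HTTP $status : $($_.Exception.Message)"
    }

    # Read the object back by id and confirm the security-relevant settings were stored
    $readBack = Invoke-RestMethod -Headers $headers -Uri "$baseUri/$($created.id)" -Method Get -ErrorAction Stop
    if ($readBack.passcodeRequired -ne $true -or $readBack.securityBlockJailbrokenDevices -ne $true) {
        throw "Policy $($created.id) was created but does not contain the expected settings"
    }
    return $readBack
}

$result = New-CompliancePolicyIfMissing -PolicyJson $policy -DisplayName $policyName
$result | Select-Object id, displayName, lastModifiedDateTime
```

Keep the id that comes back: a compliance policy does nothing until it is assigned to a group, and the assignment call needs that id, so a provisioning script should record it rather than re-discover the policy by name later.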

Wow! So powerful. And this is just one example! I will provide 2 more examples to wrap this up.

The following code lists Intune-enrolled or Azure AD-joined devices:


Invoke-RestMethod -Headers @{Authorization = "Bearer $accesstoken"} `
                  -Uri  https://graph.microsoft.com/v1.0/devices `
                  -Method Get | Select-Object -ExpandProperty value
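Expanding value only gives you the first page of results; Graph returns collections in pages and puts the URL of the next page in @odata.nextLink, so a tenant with more devices than fit in one page would be under-reported. The following is an added example, not code from the original post: a small helper that follows @odata.nextLink until the collection is exhausted, used here to pull every device and pick out the non-compliant ones. It assumes $accesstoken from above; Get-GraphCollection is a name chosen for this example.

```powershell
# Added example: walk every page of a Graph collection. Assumes $accesstoken from above.
Function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    $headers = @{ Authorization = "Bearer $accesstoken" }
    $items = @()
    $next  = $Uri
    while ($next) {
        $page  = Invoke-RestMethod -Headers $headers -Uri $next -Method Get -ErrorAction Stop
        $items += $page.value
        $next  = $page.'@odata.nextLink'   # absent ($null) on the last page
    }
    return $items
}

# $select keeps the payload small; the backtick stops PowerShell expanding $select as a variable
$devices = Get-GraphCollection -Uri "https://graph.microsoft.com/v1.0/devices?`$select=id,displayName,operatingSystem,operatingSystemVersion,trustType,isCompliant,approximateLastSignInDateTime"

"Total devices: $($devices.Count)"
# Devices that are not marked compliant are the ones worth a second look
$devices | Where-Object { $_.isCompliant -ne $true } |
    Format-Table displayName, operatingSystem, operatingSystemVersion, trustType, approximateLastSignInDateTime
```

The same helper works for any collection endpoint (users, groups, the compliance policies above), which is why the paging logic lives in one function rather than being repeated per call.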

The following code will create a new user in Azure AD:


$user = @{
  "accountEnabled" = $true
  "displayName" = "Donald Trump"
  "mailNickname" = "donald.trump"
  "userPrincipalName" = "donald.trump@felipebinottohotmail.onmicrosoft.com"
  "passwordProfile" = @{
    "forceChangePasswordNextSignIn" = $false
    "password" = "P@ssw0rd1!"
  }
} | ConvertTo-Json

$newuser = Invoke-RestMethod -Headers @{Authorization = "Bearer $accesstoken"} `
                         -Uri https://graph.microsoft.com/v1.0/users `
                         -Method POST `
                         -Body $user `
                         -ContentType "application/json"
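A password literal in a script ends up in source control, transcripts and shell history, and with forceChangePasswordNextSignIn set to false it stays valid until someone remembers to rotate it. The following is an added example, not code from the original post: it generates a random initial password from the system cryptographic RNG, sets the account to force a change at first sign-in, and reports the id Graph returns. It assumes $accesstoken from above; New-InitialPassword is a name chosen here and the UPN domain is a placeholder to replace with your tenant's.

```powershell
# Added example: create a user with a random bootstrap password that must be changed at
# first sign-in. Assumes $accesstoken from above; the UPN domain is a placeholder.
Add-Type -AssemblyName System.Web

Function New-InitialPassword {
    param([int]$Length = 16)
    # Upper, lower, digit, symbol: Azure AD requires at least three of these classes.
    # Ambiguous characters (O/0, l/1) are left out because the value is read out to a person.
    $sets = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '!@#$%^&*-_=+')
    $all  = $sets -join ''
    $rng  = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf  = New-Object byte[] 4
    $pick = {
        param([string]$Alphabet)
        $rng.GetBytes($buf)
        # Modulo bias on a 32-bit value over a <100-character alphabet is negligible here
        $Alphabet[[int]([BitConverter]::ToUInt32($buf, 0) % $Alphabet.Length)]
    }
    $chars = @()
    foreach ($s in $sets) { $chars += & $pick $s }        # one from each class guarantees complexity
    while ($chars.Count -lt $Length) { $chars += & $pick $all }
    # Shuffle with the same RNG so the class-guaranteed characters are not always first
    -join ($chars | Sort-Object { $rng.GetBytes($buf); [BitConverter]::ToUInt32($buf, 0) })
}

$initialPassword = New-InitialPassword

$user = @{
  "accountEnabled"    = $true
  "displayName"       = "Example User"
  "mailNickname"      = "example.user"
  "userPrincipalName" = "example.user@REPLACE-WITH-TENANT.onmicrosoft.com"
  "passwordProfile"   = @{
    "forceChangePasswordNextSignIn" = $true   # the generated value is only a bootstrap secret
    "password" = $initialPassword
  }
} | ConvertTo-Json

$headers = @{ Authorization = "Bearer $accesstoken" }
$newuser = Invoke-RestMethod -Headers $headers -Uri https://graph.microsoft.com/v1.0/users `
    -Method Post -Body $user -ContentType "application/json" -ErrorAction Stop

# Hand $initialPassword to the person out of band; do not echo it into a log or transcript
"Created $($newuser.userPrincipalName) with id $($newuser.id)"
```

Get-Random is not a cryptographic generator in Windows PowerShell, which is why the function reads bytes from RNGCryptoServiceProvider directly; the class-per-set picks plus the shuffle keep the result compliant with the tenant's complexity rule without making the leading characters predictable.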

As you can see there is so much you can do leveraging the Microsoft Graph API. Some APIs are still in Beta but I'm sure Microsoft will soon make them production ready and expand their functionality. Very exciting to say the least.
