Microsoft Endpoint Manager (Intune)

This Integration is part of the Microsoft Graph Device Management Pack.#

Microsoft Intune is a Microsoft cloud-based management solution that provides for mobile device and operating system management

Authentication#

For more details about the authentication used in this integration, see Microsoft Integrations - Authentication.

Required Permissions#

DeviceManagementApps.ReadWrite.All - Application
DeviceManagementConfiguration.ReadWrite.All - Application
DeviceManagementManagedDevices.PrivilegedOperations.All - Application
DeviceManagementManagedDevices.ReadWrite.All - Application
DeviceManagementRBAC.ReadWrite.All - Application
DeviceManagementServiceConfig.ReadWrite.All - Application

Configure Microsoft Endpoint Manager on Cortex XSOAR#

Navigate to Settings > Integrations > Servers & Services.
Search for Microsoft Endpoint Manager.
Click Add instance to create and configure a new integration instance.

Parameter	Description	Required
azure_cloud	Azure Cloud.	False
auth_id	The Auth ID.	False
tenant_id	Token or tenant ID.	False
enc_key	Key or client secret.	False
Certificate Thumbprint	Used for certificate authentication. As appears in the "Certificates & secrets" page of the app.	False
Private Key	Used for certificate authentication. The private key of the registered certificate.	False
Use Azure Managed Identities	Relevant only if the integration is running on Azure VM. If selected, authenticates based on the value provided for the Azure Managed Identities Client ID field. If no value is provided for the Azure Managed Identities Client ID field, authenticates based on the System Assigned Managed Identity. For additional information, see the Help tab.	False
Azure Managed Identities Client ID	The Managed Identities client id for authentication - relevant only if the integration is running on Azure VM.	False
url	Server URL, see note below regarding Azure cloud options.	False
insecure	Trust any certificate (not secure)	False
proxy	Use system proxy settings	False
self_deployed	Use a self deployed Azure Application	False

Azure cloud options

Azure Cloud	Description
Worldwide	The publicly accessible Azure Cloud.
US GCC	Azure cloud for the USA Government Cloud Community (GCC).
US GCC-High	Azure cloud for the USA Government Cloud Community High (GCC-High).
DoD	Azure cloud for the USA Department of Defense (DoD).
Germany	Azure cloud for the German Government.
China	Azure cloud for the Chinese Government.

Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

msgraph-get-managed-device-by-id#

Get managed devices Note: physicalMemoryInBytes will return 0 by default since Microsoft hasn't updated the v1.0 schema with that information yet

Required Permissions#

DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementManagedDevices.Read.All

Base Command#

msgraph-get-managed-device-by-id

Input#

Argument Name	Description	Required
device_id	The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command)	Required

Context Output#

Path	Type	Description
MSGraphDeviceManagement.Device.ID	String	The ID of the managed device
MSGraphDeviceManagement.Device.UserID	String	Unique Identifier for the user associated with the device
MSGraphDeviceManagement.Device.Name	String	Name of the device
MSGraphDeviceManagement.Device.ManagedDeviceOwnerType	String	Ownership of the device. Possible values are unknown, company, personal.
MSGraphDeviceManagement.Device.ActionResults.actionName	String	Action name
MSGraphDeviceManagement.Device.ActionResults.ActionState	String	State of the action. Possible values are none, pending, canceled, active, done, failed, notSupported
MSGraphDeviceManagement.Device.ActionResults.StartDateTime	Date	Time the action was initiated
MSGraphDeviceManagement.Device.ActionResults.lastUpdatedDateTime	Date	Time the action state was last updated
MSGraphDeviceManagement.Device.EnrolledDateTime	Date	Enrollment time of the device
MSGraphDeviceManagement.Device.LastSyncDateTime	Date	The date and time that the device last completed a successful sync with Intune.
MSGraphDeviceManagement.Device.OperatingSystem	String	Operating system of the device. Windows, iOS, etc.
MSGraphDeviceManagement.Device.ComplianceState	String	Compliance state of the device. Possible values are unknown, compliant, noncompliant, conflict, error, inGracePeriod, configManager
MSGraphDeviceManagement.Device.JailBroken	String	whether the device is jail broken or rooted.
MSGraphDeviceManagement.Device.ManagementAgent	String	Management channel of the device. Possible values are eas, mdm, easMdm, intuneClient, easIntuneClient, configurationManagerClient, configurationManagerClientMdm, configurationManagerClientMdmEas, unknown, jamf, googleCloudDevicePolicyController.
MSGraphDeviceManagement.Device.OSVersion	String	Operating system version of the device.
MSGraphDeviceManagement.Device.EASDeviceId	String	Exchange ActiveSync Id of the device.
MSGraphDeviceManagement.Device.EASActivationDateTime	Date	Exchange ActivationSync activation time of the device.
MSGraphDeviceManagement.Device.ActivationLockBypassCode	String	Code that allows the Activation Lock on a device to be bypassed.
MSGraphDeviceManagement.Device.EmailAddress	String	Email(s) for the user associated with the device
MSGraphDeviceManagement.Device.AzureADDeviceId	String	The unique identifier for the Azure Active Directory device. Read only.
MSGraphDeviceManagement.Device.CategoryDisplayName	String	Device category display name
MSGraphDeviceManagement.Device.ExchangeAccessState	String	The Access State of the device in Exchange. Possible values are none, unknown, allowed, blocked, quarantined.
MSGraphDeviceManagement.Device.exchangeAccessStateReason	String	The reason for the device's access state in Exchange. Possible values are none, unknown, exchangeGlobalRule, exchangeIndividualRule, exchangeDeviceRule, exchangeUpgrade, exchangeMailboxPolicy, other, compliant, notCompliant, notEnrolled, unknownLocation, mfaRequired, azureADBlockDueToAccessPolicy, compromisedPassword, deviceNotKnownWithManagedApp.
MSGraphDeviceManagement.Device.IsSupervised	Boolean	Device supervised status
MSGraphDeviceManagement.Device.IsEncrypted	Boolean	Device encryption status
MSGraphDeviceManagement.Device.UserPrincipalName	String	Device user principal name
MSGraphDeviceManagement.Device.Model	String	Model of the device
MSGraphDeviceManagement.Device.Manufacturer	String	Manufacturer of the device
MSGraphDeviceManagement.Device.IMEI	String	IMEI of the device
MSGraphDeviceManagement.Device.SerialNumber	String	Serial number of the device
MSGraphDeviceManagement.Device.PhoneNumber	String	Phone number of the device
MSGraphDeviceManagement.Device.AndroidSecurityPatchLevel	String	Android security patch level of the device
MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.inventory	Boolean	Whether inventory is managed by Intune
MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.modernApps	Boolean	Whether modern application is managed by Intune
MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.resourceAccess	Boolean	Whether resource access is managed by Intune
MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.deviceConfiguration	Boolean	Whether device configuration is managed by Intune
MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.compliancePolicy	Boolean	Whether compliance policy is managed by Intune
MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.windowsUpdateForBusiness	Boolean	Whether Windows Update for Business is managed by Intune
MSGraphDeviceManagement.Device.WiFiMacAddress	String	Wi-Fi MAC
MSGraphDeviceManagement.Device.HealthAttestationState.lastUpdateDateTime	String	The Timestamp of the last update.
MSGraphDeviceManagement.Device.HealthAttestationState.issuedDateTime	Date	The DateTime when device was evaluated or issued to MDM
MSGraphDeviceManagement.Device.HealthAttestationState.resetCount	Number	The number of times a PC device has hibernated or resumed
MSGraphDeviceManagement.Device.HealthAttestationState.restartCount	Number	The number of times a PC device has rebooted
MSGraphDeviceManagement.Device.HealthAttestationState.bitLockerStatus	String	On or Off of BitLocker Drive Encryption
MSGraphDeviceManagement.Device.HealthAttestationState.bootManagerVersion	String	The version of the Boot Manager
MSGraphDeviceManagement.Device.HealthAttestationState.secureBoot	String	When Secure Boot is enabled, the core components must have the correct cryptographic signatures
MSGraphDeviceManagement.Device.HealthAttestationState.bootDebugging	String	When bootDebugging is enabled, the device is used in development and testing
MSGraphDeviceManagement.Device.HealthAttestationState.operatingSystemKernelDebugging	String	When operatingSystemKernelDebugging is enabled, the device is used in development and testing
MSGraphDeviceManagement.Device.HealthAttestationState.codeIntegrity	String	When code integrity is enabled, code execution is restricted to integrity verified code
MSGraphDeviceManagement.Device.HealthAttestationState.testSigning	String	When test signing is allowed, the device does not enforce signature validation during boot
MSGraphDeviceManagement.Device.HealthAttestationState.safeMode,	String	Safe mode is a troubleshooting option for Windows that starts your computer in a limited state
MSGraphDeviceManagement.Device.HealthAttestationState.windowsPE	String	Operating system running with limited services that is used to prepare a computer for Windows
MSGraphDeviceManagement.Device.HealthAttestationState.earlyLaunchAntiMalwareDriverProtection	String	ELAM provides protection for the computers in your network when they start up
MSGraphDeviceManagement.Device.HealthAttestationState.virtualSecureMode	String	VSM is a container that protects high value assets from a compromised kernel
MSGraphDeviceManagement.Device.HealthAttestationState.pcrHashAlgorithm	String	Informational attribute that identifies the HASH algorithm that was used by TPM
MSGraphDeviceManagement.Device.HealthAttestationState.bootAppSecurityVersion	String	The security version number of the Boot Application
MSGraphDeviceManagement.Device.HealthAttestationState.bootManagerSecurityVersion	String	The security version number of the Boot Application
MSGraphDeviceManagement.Device.HealthAttestationState.tpmVersion	String	The security version number of the Boot Application
MSGraphDeviceManagement.Device.HealthAttestationState.pcr0	String	The measurement that is captured in PCR[0]
MSGraphDeviceManagement.Device.HealthAttestationState.secureBootConfigurationPolicyFingerPrint	String	Fingerprint of the Custom Secure Boot Configuration Policy
MSGraphDeviceManagement.Device.HealthAttestationState.codeIntegrityPolicy	String	The Code Integrity policy that is controlling the security of the boot environment
MSGraphDeviceManagement.Device.HealthAttestationState.bootRevisionListInfo	String	The Boot Revision List that was loaded during initial boot on the attested device
MSGraphDeviceManagement.Device.HealthAttestationState.operatingSystemRevListInfo	String	The Operating System Revision List that was loaded during initial boot on the attested device
MSGraphDeviceManagement.Device.HealthAttestationState.healthStatusMismatchInfo	String	This attribute appears if DHA-Service detects an integrity issue
MSGraphDeviceManagement.Device.HealthAttestationState.healthAttestationSupportedStatus	String	This attribute indicates if DHA is supported for the device
MSGraphDeviceManagement.Device.SubscriberCarrier	String	Subscriber Carrier
MSGraphDeviceManagement.Device.MEID	String	MEID
MSGraphDeviceManagement.Device.TotalStorageSpaceInBytes	Number	Total Storage in Bytes
MSGraphDeviceManagement.Device.FreeStorageSpaceInBytes	Number	Free Storage in Bytes
MSGraphDeviceManagement.Device.ManagedDeviceName	String	Automatically generated name to identify a device. Can be overwritten to a user friendly name.
MSGraphDeviceManagement.Device.PartnerReportedThreatState	String	Indicates the threat state of a device when a Mobile Threat Defense partner is in use by the account and device. Read Only. Possible values are unknown, activated, deactivated, secured, lowSeverity, mediumSeverity, highSeverity, unresponsive, compromised, misconfigured.

Command Example#

!msgraph-get-managed-device-by-id device_id=DEVICE_ID_VALUE

Context Example#

{
    "MSGraphDeviceManagement": {
        "Device": {
            "AzureADDeviceID": "AZURE_AD_DEVICE_ID",
            "ComplianceState": "compliant",
            "EASActivationDateTime": "0001-01-01T00:00:00Z",
            "EmailAddress": "EMAIL_ADDRESS",
            "EnrolledDateTime": "2020-03-03T11:32:54.6467627Z",
            "ExchangeAccessState": "none",
            "ExchangeAccessStateReason": "none",
            "FreeStorageSpaceInBytes": -1247805440,
            "ID": "ID_VALUE",
            "IsEncrypted": false,
            "IsSupervised": false,
            "JailBroken": "Unknown",
            "LastSyncDateTime": "2020-05-05T10:34:20.9574056Z",
            "ManagedDeviceName": "MANAGED_DEVICE_NAME",
            "ManagedDeviceOwnerType": "company",
            "ManagementAgent": "MANAGEMENT_AGENT",
            "Manufacturer": "MANUFACTURER_VALUE",
            "Model": "MODEL_VALUE",
            "Name": "NAME_VALUE",
            "OSVersion": "10.0.18363.778",
            "OperatingSystem": "Windows",
            "PartnerReportedThreatState": "highSeverity",
            "SerialNumber": "SERIAL_NUMBER_VALUE",
            "TotalStorageSpaceInBytes": -2097152,
            "UserID": "USER_ID_VALUE",
            "UserPrincipalName": "USER_PRINCIPAL_VALUE_NAME"
        }
    }
}

Human Readable Output#

Managed device DESKTOP-S2455R8#
ID User ID Device Name Operating System OS Version Email Address Manufacturer Model
DEVICE_ID_VALUE 2827c1e7-edb6-4529-b50d-25984e968637 DESKTOP-S2455R8 Windows 10.0.18363.778 dev@demistodev.onmicrosoft.com VMware, Inc. VMware7,1

ID	User ID	Device Name	Operating System	OS Version	Email Address	Manufacturer	Model
DEVICE_ID_VALUE	2827c1e7-edb6-4529-b50d-25984e968637	DESKTOP-S2455R8	Windows	10.0.18363.778	dev@demistodev.onmicrosoft.com	VMware, Inc.	VMware7,1

msgraph-sync-device#

Check the device with Intune, immediately receive pending actions and policies

Required Permissions#

DeviceManagementManagedDevices.PrivilegedOperations.All

Base Command#

msgraph-sync-device

Input#

Argument Name	Description	Required
device_id	The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command)	Required

Context Output#

There is no context output for this command.

Command Example#

!msgraph-sync-device device_id=DEVICE_ID_VALUE

Human Readable Output#

Sync device action activated successfully.

msgraph-device-disable-lost-mode#

Disable the lost mode of the device

Required Permissions#

DeviceManagementManagedDevices.PriviligedOperation.All

Base Command#

msgraph-device-disable-lost-mode

Input#

Argument Name	Description	Required
device_id	The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command)	Required

Context Output#

There is no context output for this command.

Command Example#

!msgraph-windows-device-defender-scan device_id=DEVICE_ID_VALUE

Human Readable Output#

Windows device defender scan action activated successfully.

msgraph-locate-device#

Gets the GPS location of a device (iOS only)

Required Permissions#

DeviceManagementManagedDevices.PriviligedOperation.All

Base Command#

msgraph-locate-device

Input#

Argument Name	Description	Required
device_id	The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command)	Required

Context Output#

There is no context output for this command.

Command Example#

!msgraph-locate-device device_id=DEVICE_ID_VALUE

Human Readable Output#

Locate device action activated successfully.

msgraph-device-reboot-now#

Immediately reboots the device

Required Permissions#

DeviceManagementManagedDevices.PrivilegedOperations.All

Base Command#

msgraph-device-reboot-now

Input#

Argument Name	Description	Required
device_id	The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command)	Required

Context Output#

There is no context output for this command.

Command Example#

!msgraph-device-reboot-now device_id=DEVICE_ID_VALUE

Human Readable Output#

Device reboot now action activated successfully..

msgraph-device-shutdown#

Immideately shuts down the device

Required Permissions#

DeviceManagementManagedDevices.PriviligedOperation.All

Base Command#

msgraph-device-shutdown

Input#

Argument Name	Description	Required
device_id	The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command)	Required

Context Output#

There is no context output for this command.

Command Example#

!msgraph-device-shutdown device_id=DEVICE_ID_VALUE

Human Readable Output#

Device shutdown action activated successfully.

msgraph-device-bypass-activation-lock#

Removes the activation lock (iOS devices only)

Required Permissions#

DeviceManagementManagedDevices.PriviligedOperation.All

Base Command#

msgraph-device-bypass-activation-lock

Input#

Argument Name	Description	Required
device_id	The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command)	Required

Context Output#

There is no context output for this command.

Command Example#

!msgraph-device-bypass-activation-lock device_id=DEVICE_ID_VALUE

Human Readable Output#

Device bypass activation lock action activated successfully.

msgraph-device-retire#

Remove the device from intune management

Required Permissions#

DeviceManagementManagedDevices.PriviligedOperation.All

Base Command#

msgraph-device-retire

Input#

Argument Name	Description	Required
device_id	The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command)	Required

Context Output#

There is no context output for this command.

Command Example#

!msgraph-device-retire device_id=DEVICE_ID_VALUE

Human Readable Output#

Retire device action activated successfully.

msgraph-device-reset-passcode#

Resets the passcode for the device

Required Permissions#

DeviceManagementManagedDevices.PriviligedOperation.All

Base Command#

msgraph-device-reset-passcode

Input#

Argument Name	Description	Required
device_id	The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command)	Required

Context Output#

There is no context output for this command.

Command Example#

!msgraph-device-reset-passcode device_id=DEVICE_ID_VALUE

Human Readable Output#

Device reset passcode action activated successfully.

msgraph-device-remote-lock#

Lock the device, to unlock the user will have to use the passcode

Required Permissions#

DeviceManagementManagedDevices.PriviligedOperation.All

Base Command#

msgraph-device-remote-lock

Input#

Argument Name	Description	Required
device_id	The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command)	Required

Context Output#

There is no context output for this command.

Command Example#

!msgraph-device-remote-lock device_id=DEVICE_ID_VALUE

Human Readable Output#

Device remote lock action activated successfully.

msgraph-device-request-remote-assistance#

Request a remote access via TeamViewer

Required Permissions#

DeviceManagementManagedDevices.ReadWrite.All

Base Command#

msgraph-device-request-remote-assistance

Input#

Argument Name	Description	Required
device_id	The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command)	Required

Context Output#

There is no context output for this command.

Command Example#

!msgraph-device-request-remote-assistance device_id=DEVICE_ID_VALUE

Human Readable Output#

Device request remote assistance action activated successfully.

msgraph-device-recover-passcode#

Recovers the passcode from the device

Required Permissions#

DeviceManagementManagedDevices.PriviligedOperation.All

Base Command#

msgraph-device-recover-passcode

Input#

Argument Name	Description	Required
device_id	The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command)	Required

Context Output#

There is no context output for this command.

Command Example#

!msgraph-device-recover-passcode device_id=DEVICE_ID_VALUE

Human Readable Output#

Device recover passcode action activated successfully.

msgraph-logout-shared-apple-device-active-user#

logs out the current user on a shared iPad device

Required Permissions#

DeviceManagementManagedDevices.PriviligedOperation.All

Base Command#

msgraph-logout-shared-apple-device-active-user

Input#

Argument Name	Description	Required
device_id	The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command)	Required

Context Output#

There is no context output for this command.

Command Example#

!msgraph-logout-shared-apple-device-active-user device_id=DEVICE_ID_VALUE

Human Readable Output#

Logout shard apple device active user action activated successfully.

msgraph-delete-user-from-shared-apple-device#

deletes a user that you select from the local cache on a shared iPad device

Required Permissions#

DeviceManagementManagedDevices.PriviligedOperation.All

Base Command#

msgraph-delete-user-from-shared-apple-device

Input#

Argument Name	Description	Required
user_principal_name	The principal name of the user to be deleted.	Required
device_id	The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command)	Required

Context Output#

There is no context output for this command.

Command Example#

!msgraph-delete-user-from-shared-apple-device device_id=DEVICE_ID_VALUE user_principal_name=USER_PRINCIPAL_NAME_VALUE

Human Readable Output#

Delete user from shared apple device action activated successfully.

msgraph-windows-device-defender-update-signatures#

Forece update windows defender signatures

Required Permissions#

DeviceManagementManagedDevices.PriviligedOperation.All

Base Command#

msgraph-windows-device-defender-update-signatures

Input#

Argument Name	Description	Required
device_id	The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command)	Required

Context Output#

There is no context output for this command.

Command Example#

!msgraph-windows-device-defender-update-signatures device_id=DEVICE_ID_VALUE

Human Readable Output#

Windows device defender update signatures action activated successfully.

msgraph-clean-windows-device#

removes any apps that are installed on a PC running Windows 10. it helps remove pre-installed (OEM) apps that are typically installed with a new PC

Required Permissions#

DeviceManagementManagedDevices.PriviligedOperation.All

Base Command#

msgraph-clean-windows-device

Input#

Argument Name	Description	Required
keep_user_data	Whether to keep the user's data or not. (Default is set to true)	Optional
device_id	The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command)	Required

Context Output#

There is no context output for this command.

Command Example#

!msgraph-clean-windows-device device_id=DEVICE_ID_VALUE keep_user_data=false

Human Readable Output#

Clean windows device action activated successfully.

msgraph-windows-device-defender-scan#

Scans the device with windows defender (windows devices only)

Required Permissions#

DeviceManagementManagedDevices.PriviligedOperation.All

Base Command#

msgraph-windows-device-defender-scan

Input#

Argument Name	Description	Required
quick_scan	Whether to peformn quick scan or not. (Default is set to true)	Optional
device_id	The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command)	Required

Context Output#

There is no context output for this command.

Command Example#

!msgraph-windows-device-defender-scan device_id=DEVICE_ID_VALUE quick_scan=false

Human Readable Output#

Windows device defender scan action activated successfully.

msgraph-wipe-device#

restores a device to its factory default settings

Required Permissions#

DeviceManagementManagedDevices.PriviligedOperation.All, DeviceManagementManagedDevices.ReadWrite.All

Base Command#

msgraph-wipe-device

Input#

Argument Name	Description	Required
keep_enrollment_data	Whether to keep enrollment data or not. (Default is set to true)	Optional
keep_user_data	Whether to keep the user's data or not. (Default is set to true)	Optional
mac_os_unlock_code	The MacOS unlock code.	Optional
device_id	The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command)	Required

Context Output#

There is no context output for this command.

Command Example#

!msgraph-wipe-device device_id=DEVICE_ID_VALUE keep_enrollment_data=false keep_user_data=true

Human Readable Output#

Wipe device action activated successfully.

msgraph-update-windows-device-account#

Updates the windows account of the device

Required Permissions#

DeviceManagementManagedDevices.PriviligedOperation.All

Base Command#

msgraph-update-windows-device-account

Input#

Argument Name	Description	Required
session_initiation_protocal_address	SIP address	Required
exchange_server	Exchenge servier adddress	Required
calendar_sync_enabled	Whether to enable calendar sync or not. (Default is set to false)	Optional
password_rotation_enabled	Whether to enable password rotation or not. (Default is set to false)	Optional
device_account_password	The device account password.	Required
device_account_email	The device account email.	Required
device_id	The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command)	Required

Context Output#

There is no context output for this command.

Command Example#

!msgraph-update-windows-device-account device_id=DEVICE_ID_VALUE session_initiation_protocal_address=PA_VALUE device_account_password=PW_VALUE device_account_email=MAIL_VALUE

Human Readable Output#

Update windows device account action activated successfully.

msgraph-list-managed-devices#

List of managed devices

Required Permissions#

DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementManagedDevices.Read.All

Base Command#

msgraph-list-managed-devices

Input#

Argument Name	Description	Required
limit	The number of managed devices to fetch.	Optional

Context Output#

Path	Type	Description
MSGraphDeviceManagement.Device.ID	String	The ID of the managed device
MSGraphDeviceManagement.Device.UserID	String	Unique Identifier for the user associated with the device
MSGraphDeviceManagement.Device.Name	String	Name of the device
MSGraphDeviceManagement.Device.ManagedDeviceOwnerType	String	Ownership of the device. Possible values are unknown, company, personal.
MSGraphDeviceManagement.Device.ActionResults.actionName	String	Action name
MSGraphDeviceManagement.Device.ActionResults.ActionState	String	State of the action. Possible values are none, pending, canceled, active, done, failed, notSupported
MSGraphDeviceManagement.Device.ActionResults.StartDateTime	Date	Time the action was initiated
MSGraphDeviceManagement.Device.ActionResults.lastUpdatedDateTime	Date	Time the action state was last updated
MSGraphDeviceManagement.Device.EnrolledDateTime	Date	Enrollment time of the device
MSGraphDeviceManagement.Device.LastSyncDateTime	Date	The date and time that the device last completed a successful sync with Intune.
MSGraphDeviceManagement.Device.OperatingSystem	String	Operating system of the device. Windows, iOS, etc.
MSGraphDeviceManagement.Device.ComplianceState	String	Compliance state of the device. Possible values are unknown, compliant, noncompliant, conflict, error, inGracePeriod, configManager
MSGraphDeviceManagement.Device.JailBroken	String	whether the device is jail broken or rooted.
MSGraphDeviceManagement.Device.ManagementAgent	String	Management channel of the device. Possible values are eas, mdm, easMdm, intuneClient, easIntuneClient, configurationManagerClient, configurationManagerClientMdm, configurationManagerClientMdmEas, unknown, jamf, googleCloudDevicePolicyController.
MSGraphDeviceManagement.Device.OSVersion	String	Operating system version of the device.
MSGraphDeviceManagement.Device.EASDeviceId	String	Exchange ActiveSync Id of the device.
MSGraphDeviceManagement.Device.EASActivationDateTime	Date	Exchange ActivationSync activation time of the device.
MSGraphDeviceManagement.Device.ActivationLockBypassCode	String	Code that allows the Activation Lock on a device to be bypassed.
MSGraphDeviceManagement.Device.EmailAddress	String	Email(s) for the user associated with the device
MSGraphDeviceManagement.Device.AzureADDeviceId	String	The unique identifier for the Azure Active Directory device. Read only.
MSGraphDeviceManagement.Device.CategoryDisplayName	String	Device category display name
MSGraphDeviceManagement.Device.ExchangeAccessState	String	The Access State of the device in Exchange. Possible values are none, unknown, allowed, blocked, quarantined.
MSGraphDeviceManagement.Device.exchangeAccessStateReason	String	The reason for the device's access state in Exchange. Possible values are none, unknown, exchangeGlobalRule, exchangeIndividualRule, exchangeDeviceRule, exchangeUpgrade, exchangeMailboxPolicy, other, compliant, notCompliant, notEnrolled, unknownLocation, mfaRequired, azureADBlockDueToAccessPolicy, compromisedPassword, deviceNotKnownWithManagedApp.
MSGraphDeviceManagement.Device.IsSupervised	Boolean	Device supervised status
MSGraphDeviceManagement.Device.IsEncrypted	Boolean	Device encryption status
MSGraphDeviceManagement.Device.UserPrincipalName	String	Device user principal name
MSGraphDeviceManagement.Device.Model	String	Model of the device
MSGraphDeviceManagement.Device.Manufacturer	String	Manufacturer of the device
MSGraphDeviceManagement.Device.IMEI	String	IMEI of the device
MSGraphDeviceManagement.Device.SerialNumber	String	Serial number of the device
MSGraphDeviceManagement.Device.PhoneNumber	String	Phone number of the device
MSGraphDeviceManagement.Device.AndroidSecurityPatchLevel	String	Android security patch level of the device
MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.inventory	Boolean	Whether inventory is managed by Intune
MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.modernApps	Boolean	Whether modern application is managed by Intune
MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.resourceAccess	Boolean	Whether resource access is managed by Intune
MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.deviceConfiguration	Boolean	Whether device configuration is managed by Intune
MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.compliancePolicy	Boolean	Whether compliance policy is managed by Intune
MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.windowsUpdateForBusiness	Boolean	Whether Windows Update for Business is managed by Intune
MSGraphDeviceManagement.Device.WiFiMacAddress	String	Wi-Fi MAC
MSGraphDeviceManagement.Device.HealthAttestationState.lastUpdateDateTime	String	The Timestamp of the last update.
MSGraphDeviceManagement.Device.HealthAttestationState.issuedDateTime	Date	The DateTime when device was evaluated or issued to MDM
MSGraphDeviceManagement.Device.HealthAttestationState.resetCount	Number	The number of times a PC device has hibernated or resumed
MSGraphDeviceManagement.Device.HealthAttestationState.restartCount	Number	The number of times a PC device has rebooted
MSGraphDeviceManagement.Device.HealthAttestationState.bitLockerStatus	String	On or Off of BitLocker Drive Encryption
MSGraphDeviceManagement.Device.HealthAttestationState.bootManagerVersion	String	The version of the Boot Manager
MSGraphDeviceManagement.Device.HealthAttestationState.secureBoot	String	When Secure Boot is enabled, the core components must have the correct cryptographic signatures
MSGraphDeviceManagement.Device.HealthAttestationState.bootDebugging	String	When bootDebugging is enabled, the device is used in development and testing
MSGraphDeviceManagement.Device.HealthAttestationState.operatingSystemKernelDebugging	String	When operatingSystemKernelDebugging is enabled, the device is used in development and testing
MSGraphDeviceManagement.Device.HealthAttestationState.codeIntegrity	String	When code integrity is enabled, code execution is restricted to integrity verified code
MSGraphDeviceManagement.Device.HealthAttestationState.testSigning	String	When test signing is allowed, the device does not enforce signature validation during boot
MSGraphDeviceManagement.Device.HealthAttestationState.safeMode,	String	Safe mode is a troubleshooting option for Windows that starts your computer in a limited state
MSGraphDeviceManagement.Device.HealthAttestationState.windowsPE	String	Operating system running with limited services that is used to prepare a computer for Windows
MSGraphDeviceManagement.Device.HealthAttestationState.earlyLaunchAntiMalwareDriverProtection	String	ELAM provides protection for the computers in your network when they start up
MSGraphDeviceManagement.Device.HealthAttestationState.virtualSecureMode	String	VSM is a container that protects high value assets from a compromised kernel
MSGraphDeviceManagement.Device.HealthAttestationState.pcrHashAlgorithm	String	Informational attribute that identifies the HASH algorithm that was used by TPM
MSGraphDeviceManagement.Device.HealthAttestationState.bootAppSecurityVersion	String	The security version number of the Boot Application
MSGraphDeviceManagement.Device.HealthAttestationState.bootManagerSecurityVersion	String	The security version number of the Boot Application
MSGraphDeviceManagement.Device.HealthAttestationState.tpmVersion	String	The security version number of the Boot Application
MSGraphDeviceManagement.Device.HealthAttestationState.pcr0	String	The measurement that is captured in PCR[0]
MSGraphDeviceManagement.Device.HealthAttestationState.secureBootConfigurationPolicyFingerPrint	String	Fingerprint of the Custom Secure Boot Configuration Policy
MSGraphDeviceManagement.Device.HealthAttestationState.codeIntegrityPolicy	String	The Code Integrity policy that is controlling the security of the boot environment
MSGraphDeviceManagement.Device.HealthAttestationState.bootRevisionListInfo	String	The Boot Revision List that was loaded during initial boot on the attested device
MSGraphDeviceManagement.Device.HealthAttestationState.operatingSystemRevListInfo	String	The Operating System Revision List that was loaded during initial boot on the attested device
MSGraphDeviceManagement.Device.HealthAttestationState.healthStatusMismatchInfo	String	This attribute appears if DHA-Service detects an integrity issue
MSGraphDeviceManagement.Device.HealthAttestationState.healthAttestationSupportedStatus	String	This attribute indicates if DHA is supported for the device
MSGraphDeviceManagement.Device.SubscriberCarrier	String	Subscriber Carrier
MSGraphDeviceManagement.Device.MEID	String	MEID
MSGraphDeviceManagement.Device.TotalStorageSpaceInBytes	Number	Total Storage in Bytes
MSGraphDeviceManagement.Device.FreeStorageSpaceInBytes	Number	Free Storage in Bytes
MSGraphDeviceManagement.Device.ManagedDeviceName	String	Automatically generated name to identify a device. Can be overwritten to a user friendly name.
MSGraphDeviceManagement.Device.PartnerReportedThreatState	String	Indicates the threat state of a device when a Mobile Threat Defense partner is in use by the account and device. Read Only. Possible values are unknown, activated, deactivated, secured, lowSeverity, mediumSeverity, highSeverity, unresponsive, compromised, misconfigured.

Command Example#

!msgraph-find-managed-devices-by-name

Context Example#

{
    "MSGraphDeviceManagement": {
        "Device": {
            "AzureADDeviceID": "AZURE_AD_DEVICE_ID",
            "ComplianceState": "compliant",
            "EASActivationDateTime": "0001-01-01T00:00:00Z",
            "EmailAddress": "EMAIL_ADDRESS",
            "EnrolledDateTime": "2020-03-03T11:32:54.6467627Z",
            "ExchangeAccessState": "none",
            "ExchangeAccessStateReason": "none",
            "FreeStorageSpaceInBytes": -1247805440,
            "ID": "ID_VALUE",
            "IsEncrypted": false,
            "IsSupervised": false,
            "JailBroken": "Unknown",
            "LastSyncDateTime": "2020-05-05T10:34:20.9574056Z",
            "ManagedDeviceName": "MANAGED_DEVICE_NAME",
            "ManagedDeviceOwnerType": "company",
            "ManagementAgent": "MANAGEMENT_AGENT",
            "Manufacturer": "MANUFACTURER_VALUE",
            "Model": "MODEL_VALUE",
            "Name": "NAME_VALUE",
            "OSVersion": "10.0.18363.778",
            "OperatingSystem": "Windows",
            "PartnerReportedThreatState": "highSeverity",
            "SerialNumber": "SERIAL_NUMBER_VALUE",
            "TotalStorageSpaceInBytes": -2097152,
            "UserID": "USER_ID_VALUE",
            "UserPrincipalName": "USER_PRINCIPAL_VALUE_NAME"
        }
    }
}

Human Readable Output#

Managed device DESKTOP-S2455R8#
ID User ID Device Name Operating System OS Version Email Address Manufacturer Model
DEVICE_ID_VALUE 2827c1e7-edb6-4529-b50d-25984e968637 DESKTOP-S2455R8 Windows 10.0.18363.778 dev@demistodev.onmicrosoft.com VMware, Inc. VMware7,1

ID	User ID	Device Name	Operating System	OS Version	Email Address	Manufacturer	Model
DEVICE_ID_VALUE	2827c1e7-edb6-4529-b50d-25984e968637	DESKTOP-S2455R8	Windows	10.0.18363.778	dev@demistodev.onmicrosoft.com	VMware, Inc.	VMware7,1

msgraph-find-managed-devices-by-name#

Search of managed devices by name

Required Permissions#

DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementManagedDevices.Read.All

Base Command#

msgraph-find-managed-devices-by-name

Input#

Argument Name	Description	Required
device_name	Search of managed devices by name	Required

Context Output#

Path	Type	Description
MSGraphDeviceManagement.Device.ID	String	The ID of the managed device
MSGraphDeviceManagement.Device.UserID	String	Unique Identifier for the user associated with the device
MSGraphDeviceManagement.Device.Name	String	Name of the device
MSGraphDeviceManagement.Device.ManagedDeviceOwnerType	String	Ownership of the device. Possible values are unknown, company, personal.
MSGraphDeviceManagement.Device.ActionResults.actionName	String	Action name
MSGraphDeviceManagement.Device.ActionResults.ActionState	String	State of the action. Possible values are none, pending, canceled, active, done, failed, notSupported
MSGraphDeviceManagement.Device.ActionResults.StartDateTime	Date	Time the action was initiated
MSGraphDeviceManagement.Device.ActionResults.lastUpdatedDateTime	Date	Time the action state was last updated
MSGraphDeviceManagement.Device.EnrolledDateTime	Date	Enrollment time of the device
MSGraphDeviceManagement.Device.LastSyncDateTime	Date	The date and time that the device last completed a successful sync with Intune.
MSGraphDeviceManagement.Device.OperatingSystem	String	Operating system of the device. Windows, iOS, etc.
MSGraphDeviceManagement.Device.ComplianceState	String	Compliance state of the device. Possible values are unknown, compliant, noncompliant, conflict, error, inGracePeriod, configManager
MSGraphDeviceManagement.Device.JailBroken	String	whether the device is jail broken or rooted.
MSGraphDeviceManagement.Device.ManagementAgent	String	Management channel of the device. Possible values are eas, mdm, easMdm, intuneClient, easIntuneClient, configurationManagerClient, configurationManagerClientMdm, configurationManagerClientMdmEas, unknown, jamf, googleCloudDevicePolicyController.
MSGraphDeviceManagement.Device.OSVersion	String	Operating system version of the device.
MSGraphDeviceManagement.Device.EASDeviceId	String	Exchange ActiveSync Id of the device.
MSGraphDeviceManagement.Device.EASActivationDateTime	Date	Exchange ActivationSync activation time of the device.
MSGraphDeviceManagement.Device.ActivationLockBypassCode	String	Code that allows the Activation Lock on a device to be bypassed.
MSGraphDeviceManagement.Device.EmailAddress	String	Email(s) for the user associated with the device
MSGraphDeviceManagement.Device.AzureADDeviceId	String	The unique identifier for the Azure Active Directory device. Read only.
MSGraphDeviceManagement.Device.CategoryDisplayName	String	Device category display name
MSGraphDeviceManagement.Device.ExchangeAccessState	String	The Access State of the device in Exchange. Possible values are none, unknown, allowed, blocked, quarantined.
MSGraphDeviceManagement.Device.exchangeAccessStateReason	String	The reason for the device's access state in Exchange. Possible values are none, unknown, exchangeGlobalRule, exchangeIndividualRule, exchangeDeviceRule, exchangeUpgrade, exchangeMailboxPolicy, other, compliant, notCompliant, notEnrolled, unknownLocation, mfaRequired, azureADBlockDueToAccessPolicy, compromisedPassword, deviceNotKnownWithManagedApp.
MSGraphDeviceManagement.Device.IsSupervised	Boolean	Device supervised status
MSGraphDeviceManagement.Device.IsEncrypted	Boolean	Device encryption status
MSGraphDeviceManagement.Device.UserPrincipalName	String	Device user principal name
MSGraphDeviceManagement.Device.Model	String	Model of the device
MSGraphDeviceManagement.Device.Manufacturer	String	Manufacturer of the device
MSGraphDeviceManagement.Device.IMEI	String	IMEI of the device
MSGraphDeviceManagement.Device.SerialNumber	String	Serial number of the device
MSGraphDeviceManagement.Device.PhoneNumber	String	Phone number of the device
MSGraphDeviceManagement.Device.AndroidSecurityPatchLevel	String	Android security patch level of the device
MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.inventory	Boolean	Whether inventory is managed by Intune
MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.modernApps	Boolean	Whether modern application is managed by Intune
MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.resourceAccess	Boolean	Whether resource access is managed by Intune
MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.deviceConfiguration	Boolean	Whether device configuration is managed by Intune
MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.compliancePolicy	Boolean	Whether compliance policy is managed by Intune
MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.windowsUpdateForBusiness	Boolean	Whether Windows Update for Business is managed by Intune
MSGraphDeviceManagement.Device.WiFiMacAddress	String	Wi-Fi MAC
MSGraphDeviceManagement.Device.HealthAttestationState.lastUpdateDateTime	String	The Timestamp of the last update.
MSGraphDeviceManagement.Device.HealthAttestationState.issuedDateTime	Date	The DateTime when device was evaluated or issued to MDM
MSGraphDeviceManagement.Device.HealthAttestationState.resetCount	Number	The number of times a PC device has hibernated or resumed
MSGraphDeviceManagement.Device.HealthAttestationState.restartCount	Number	The number of times a PC device has rebooted
MSGraphDeviceManagement.Device.HealthAttestationState.bitLockerStatus	String	On or Off of BitLocker Drive Encryption
MSGraphDeviceManagement.Device.HealthAttestationState.bootManagerVersion	String	The version of the Boot Manager
MSGraphDeviceManagement.Device.HealthAttestationState.secureBoot	String	When Secure Boot is enabled, the core components must have the correct cryptographic signatures
MSGraphDeviceManagement.Device.HealthAttestationState.bootDebugging	String	When bootDebugging is enabled, the device is used in development and testing
MSGraphDeviceManagement.Device.HealthAttestationState.operatingSystemKernelDebugging	String	When operatingSystemKernelDebugging is enabled, the device is used in development and testing
MSGraphDeviceManagement.Device.HealthAttestationState.codeIntegrity	String	When code integrity is enabled, code execution is restricted to integrity verified code
MSGraphDeviceManagement.Device.HealthAttestationState.testSigning	String	When test signing is allowed, the device does not enforce signature validation during boot
MSGraphDeviceManagement.Device.HealthAttestationState.safeMode,	String	Safe mode is a troubleshooting option for Windows that starts your computer in a limited state
MSGraphDeviceManagement.Device.HealthAttestationState.windowsPE	String	Operating system running with limited services that is used to prepare a computer for Windows
MSGraphDeviceManagement.Device.HealthAttestationState.earlyLaunchAntiMalwareDriverProtection	String	ELAM provides protection for the computers in your network when they start up
MSGraphDeviceManagement.Device.HealthAttestationState.virtualSecureMode	String	VSM is a container that protects high value assets from a compromised kernel
MSGraphDeviceManagement.Device.HealthAttestationState.pcrHashAlgorithm	String	Informational attribute that identifies the HASH algorithm that was used by TPM
MSGraphDeviceManagement.Device.HealthAttestationState.bootAppSecurityVersion	String	The security version number of the Boot Application
MSGraphDeviceManagement.Device.HealthAttestationState.bootManagerSecurityVersion	String	The security version number of the Boot Application
MSGraphDeviceManagement.Device.HealthAttestationState.tpmVersion	String	The security version number of the Boot Application
MSGraphDeviceManagement.Device.HealthAttestationState.pcr0	String	The measurement that is captured in PCR[0]
MSGraphDeviceManagement.Device.HealthAttestationState.secureBootConfigurationPolicyFingerPrint	String	Fingerprint of the Custom Secure Boot Configuration Policy
MSGraphDeviceManagement.Device.HealthAttestationState.codeIntegrityPolicy	String	The Code Integrity policy that is controlling the security of the boot environment
MSGraphDeviceManagement.Device.HealthAttestationState.bootRevisionListInfo	String	The Boot Revision List that was loaded during initial boot on the attested device
MSGraphDeviceManagement.Device.HealthAttestationState.operatingSystemRevListInfo	String	The Operating System Revision List that was loaded during initial boot on the attested device
MSGraphDeviceManagement.Device.HealthAttestationState.healthStatusMismatchInfo	String	This attribute appears if DHA-Service detects an integrity issue
MSGraphDeviceManagement.Device.HealthAttestationState.healthAttestationSupportedStatus	String	This attribute indicates if DHA is supported for the device
MSGraphDeviceManagement.Device.SubscriberCarrier	String	Subscriber Carrier
MSGraphDeviceManagement.Device.MEID	String	MEID
MSGraphDeviceManagement.Device.TotalStorageSpaceInBytes	Number	Total Storage in Bytes
MSGraphDeviceManagement.Device.FreeStorageSpaceInBytes	Number	Free Storage in Bytes
MSGraphDeviceManagement.Device.ManagedDeviceName	String	Automatically generated name to identify a device. Can be overwritten to a user friendly name.
MSGraphDeviceManagement.Device.PartnerReportedThreatState	String	Indicates the threat state of a device when a Mobile Threat Defense partner is in use by the account and device. Read Only. Possible values are unknown, activated, deactivated, secured, lowSeverity, mediumSeverity, highSeverity, unresponsive, compromised, misconfigured.

Command Example#

!msgraph-find-managed-devices-by-name device_name=NAME_VALUE

Context Example#

{
    "MSGraphDeviceManagement": {
        "Device": {
            "AzureADDeviceID": "AZURE_AD_DEVICE_ID",
            "ComplianceState": "compliant",
            "EASActivationDateTime": "0001-01-01T00:00:00Z",
            "EmailAddress": "EMAIL_ADDRESS",
            "EnrolledDateTime": "2020-03-03T11:32:54.6467627Z",
            "ExchangeAccessState": "none",
            "ExchangeAccessStateReason": "none",
            "FreeStorageSpaceInBytes": -1247805440,
            "ID": "ID_VALUE",
            "IsEncrypted": false,
            "IsSupervised": false,
            "JailBroken": "Unknown",
            "LastSyncDateTime": "2020-05-05T10:34:20.9574056Z",
            "ManagedDeviceName": "MANAGED_DEVICE_NAME",
            "ManagedDeviceOwnerType": "company",
            "ManagementAgent": "MANAGEMENT_AGENT",
            "Manufacturer": "MANUFACTURER_VALUE",
            "Model": "MODEL_VALUE",
            "Name": "NAME_VALUE",
            "OSVersion": "10.0.18363.778",
            "OperatingSystem": "Windows",
            "PartnerReportedThreatState": "highSeverity",
            "SerialNumber": "SERIAL_NUMBER_VALUE",
            "TotalStorageSpaceInBytes": -2097152,
            "UserID": "USER_ID_VALUE",
            "UserPrincipalName": "USER_PRINCIPAL_VALUE_NAME"
        }
    }
}

Human Readable Output#

Managed device DESKTOP-S2455R8#
ID User ID Device Name Operating System OS Version Email Address Manufacturer Model
DEVICE_ID_VALUE 2827c1e7-edb6-4529-b50d-25984e968637 DESKTOP-S2455R8 Windows 10.0.18363.778 dev@demistodev.onmicrosoft.com VMware, Inc. VMware7,1

ID	User ID	Device Name	Operating System	OS Version	Email Address	Manufacturer	Model
DEVICE_ID_VALUE	2827c1e7-edb6-4529-b50d-25984e968637	DESKTOP-S2455R8	Windows	10.0.18363.778	dev@demistodev.onmicrosoft.com	VMware, Inc.	VMware7,1

msgraph-device-auth-reset#

Run this command if for some reason you need to rerun the authentication process.

Base Command#

msgraph-device-auth-reset

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.