Microsoft Endpoint Manager (Intune)

This Integration is part of the Microsoft Graph Device Management Pack.#

Microsoft Intune is a Microsoft cloud-based management solution that provides mobile device and operating system management.

Authentication#

For more details about the authentication used in this integration, see Microsoft Integrations - Authentication.

Required Permissions#

  • DeviceManagementApps.ReadWrite.All - Application
  • DeviceManagementConfiguration.ReadWrite.All - Application
  • DeviceManagementManagedDevices.PrivilegedOperations.All - Application
  • DeviceManagementManagedDevices.ReadWrite.All - Application
  • DeviceManagementRBAC.ReadWrite.All - Application
  • DeviceManagementServiceConfig.ReadWrite.All - Application

Configure Microsoft Endpoint Manager on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Microsoft Endpoint Manager.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL | True |
| auth_id | ID (received from the admin consent - see Detailed Instructions (?)) | True |
| tenant_id | Token (received from the admin consent - see Detailed Instructions (?) section) | True |
| enc_key | Key (received from the admin consent - see Detailed Instructions (?)) | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| self_deployed | Use a self deployed Azure Application | False |

  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

msgraph-get-managed-device-by-id#


Get managed devices

Required Permissions#

DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementManagedDevices.Read.All

Base Command#

msgraph-get-managed-device-by-id

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_id | The ID of the managed device to be fetched (can be retrieved using the msgraph-list-managed-devices command) | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MSGraphDeviceManagement.Device.ID | String | The ID of the managed device |
| MSGraphDeviceManagement.Device.UserID | String | Unique Identifier for the user associated with the device |
| MSGraphDeviceManagement.Device.Name | String | Name of the device |
| MSGraphDeviceManagement.Device.ManagedDeviceOwnerType | String | Ownership of the device. Possible values are unknown, company, personal. |
| MSGraphDeviceManagement.Device.ActionResults.actionName | String | Action name |
| MSGraphDeviceManagement.Device.ActionResults.ActionState | String | State of the action. Possible values are none, pending, canceled, active, done, failed, notSupported |
| MSGraphDeviceManagement.Device.ActionResults.StartDateTime | Date | Time the action was initiated |
| MSGraphDeviceManagement.Device.ActionResults.lastUpdatedDateTime | Date | Time the action state was last updated |
| MSGraphDeviceManagement.Device.EnrolledDateTime | Date | Enrollment time of the device |
| MSGraphDeviceManagement.Device.LastSyncDateTime | Date | The date and time that the device last completed a successful sync with Intune. |
| MSGraphDeviceManagement.Device.OperatingSystem | String | Operating system of the device. Windows, iOS, etc. |
| MSGraphDeviceManagement.Device.ComplianceState | String | Compliance state of the device. Possible values are unknown, compliant, noncompliant, conflict, error, inGracePeriod, configManager |
| MSGraphDeviceManagement.Device.JailBroken | String | Whether the device is jail broken or rooted. |
| MSGraphDeviceManagement.Device.ManagementAgent | String | Management channel of the device. Possible values are eas, mdm, easMdm, intuneClient, easIntuneClient, configurationManagerClient, configurationManagerClientMdm, configurationManagerClientMdmEas, unknown, jamf, googleCloudDevicePolicyController. |
| MSGraphDeviceManagement.Device.OSVersion | String | Operating system version of the device. |
| MSGraphDeviceManagement.Device.EASDeviceId | String | Exchange ActiveSync Id of the device. |
| MSGraphDeviceManagement.Device.EASActivationDateTime | Date | Exchange ActivationSync activation time of the device. |
| MSGraphDeviceManagement.Device.ActivationLockBypassCode | String | Code that allows the Activation Lock on a device to be bypassed. |
| MSGraphDeviceManagement.Device.EmailAddress | String | Email(s) for the user associated with the device |
| MSGraphDeviceManagement.Device.AzureADDeviceId | String | The unique identifier for the Azure Active Directory device. Read only. |
| MSGraphDeviceManagement.Device.CategoryDisplayName | String | Device category display name |
| MSGraphDeviceManagement.Device.ExchangeAccessState | String | The Access State of the device in Exchange. Possible values are none, unknown, allowed, blocked, quarantined. |
| MSGraphDeviceManagement.Device.exchangeAccessStateReason | String | The reason for the device's access state in Exchange. Possible values are none, unknown, exchangeGlobalRule, exchangeIndividualRule, exchangeDeviceRule, exchangeUpgrade, exchangeMailboxPolicy, other, compliant, notCompliant, notEnrolled, unknownLocation, mfaRequired, azureADBlockDueToAccessPolicy, compromisedPassword, deviceNotKnownWithManagedApp. |
| MSGraphDeviceManagement.Device.IsSupervised | Boolean | Device supervised status |
| MSGraphDeviceManagement.Device.IsEncrypted | Boolean | Device encryption status |
| MSGraphDeviceManagement.Device.UserPrincipalName | String | Device user principal name |
| MSGraphDeviceManagement.Device.Model | String | Model of the device |
| MSGraphDeviceManagement.Device.Manufacturer | String | Manufacturer of the device |
| MSGraphDeviceManagement.Device.IMEI | String | IMEI of the device |
| MSGraphDeviceManagement.Device.SerialNumber | String | Serial number of the device |
| MSGraphDeviceManagement.Device.PhoneNumber | String | Phone number of the device |
| MSGraphDeviceManagement.Device.AndroidSecurityPatchLevel | String | Android security patch level of the device |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.inventory | Boolean | Whether inventory is managed by Intune |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.modernApps | Boolean | Whether modern application is managed by Intune |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.resourceAccess | Boolean | Whether resource access is managed by Intune |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.deviceConfiguration | Boolean | Whether device configuration is managed by Intune |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.compliancePolicy | Boolean | Whether compliance policy is managed by Intune |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.windowsUpdateForBusiness | Boolean | Whether Windows Update for Business is managed by Intune |
| MSGraphDeviceManagement.Device.WiFiMacAddress | String | Wi-Fi MAC |
| MSGraphDeviceManagement.Device.HealthAttestationState.lastUpdateDateTime | String | The Timestamp of the last update. |
| MSGraphDeviceManagement.Device.HealthAttestationState.issuedDateTime | Date | The DateTime when device was evaluated or issued to MDM |
| MSGraphDeviceManagement.Device.HealthAttestationState.resetCount | Number | The number of times a PC device has hibernated or resumed |
| MSGraphDeviceManagement.Device.HealthAttestationState.restartCount | Number | The number of times a PC device has rebooted |
| MSGraphDeviceManagement.Device.HealthAttestationState.bitLockerStatus | String | On or Off of BitLocker Drive Encryption |
| MSGraphDeviceManagement.Device.HealthAttestationState.bootManagerVersion | String | The version of the Boot Manager |
| MSGraphDeviceManagement.Device.HealthAttestationState.secureBoot | String | When Secure Boot is enabled, the core components must have the correct cryptographic signatures |
| MSGraphDeviceManagement.Device.HealthAttestationState.bootDebugging | String | When bootDebugging is enabled, the device is used in development and testing |
| MSGraphDeviceManagement.Device.HealthAttestationState.operatingSystemKernelDebugging | String | When operatingSystemKernelDebugging is enabled, the device is used in development and testing |
| MSGraphDeviceManagement.Device.HealthAttestationState.codeIntegrity | String | When code integrity is enabled, code execution is restricted to integrity verified code |
| MSGraphDeviceManagement.Device.HealthAttestationState.testSigning | String | When test signing is allowed, the device does not enforce signature validation during boot |
| MSGraphDeviceManagement.Device.HealthAttestationState.safeMode | String | Safe mode is a troubleshooting option for Windows that starts your computer in a limited state |
| MSGraphDeviceManagement.Device.HealthAttestationState.windowsPE | String | Operating system running with limited services that is used to prepare a computer for Windows |
| MSGraphDeviceManagement.Device.HealthAttestationState.earlyLaunchAntiMalwareDriverProtection | String | ELAM provides protection for the computers in your network when they start up |
| MSGraphDeviceManagement.Device.HealthAttestationState.virtualSecureMode | String | VSM is a container that protects high value assets from a compromised kernel |
| MSGraphDeviceManagement.Device.HealthAttestationState.pcrHashAlgorithm | String | Informational attribute that identifies the HASH algorithm that was used by TPM |
| MSGraphDeviceManagement.Device.HealthAttestationState.bootAppSecurityVersion | String | The security version number of the Boot Application |
| MSGraphDeviceManagement.Device.HealthAttestationState.bootManagerSecurityVersion | String | The security version number of the Boot Application |
| MSGraphDeviceManagement.Device.HealthAttestationState.tpmVersion | String | The security version number of the Boot Application |
| MSGraphDeviceManagement.Device.HealthAttestationState.pcr0 | String | The measurement that is captured in PCR[0] |
| MSGraphDeviceManagement.Device.HealthAttestationState.secureBootConfigurationPolicyFingerPrint | String | Fingerprint of the Custom Secure Boot Configuration Policy |
| MSGraphDeviceManagement.Device.HealthAttestationState.codeIntegrityPolicy | String | The Code Integrity policy that is controlling the security of the boot environment |
| MSGraphDeviceManagement.Device.HealthAttestationState.bootRevisionListInfo | String | The Boot Revision List that was loaded during initial boot on the attested device |
| MSGraphDeviceManagement.Device.HealthAttestationState.operatingSystemRevListInfo | String | The Operating System Revision List that was loaded during initial boot on the attested device |
| MSGraphDeviceManagement.Device.HealthAttestationState.healthStatusMismatchInfo | String | This attribute appears if DHA-Service detects an integrity issue |
| MSGraphDeviceManagement.Device.HealthAttestationState.healthAttestationSupportedStatus | String | This attribute indicates if DHA is supported for the device |
| MSGraphDeviceManagement.Device.SubscriberCarrier | String | Subscriber Carrier |
| MSGraphDeviceManagement.Device.MEID | String | MEID |
| MSGraphDeviceManagement.Device.TotalStorageSpaceInBytes | Number | Total Storage in Bytes |
| MSGraphDeviceManagement.Device.FreeStorageSpaceInBytes | Number | Free Storage in Bytes |
| MSGraphDeviceManagement.Device.ManagedDeviceName | String | Automatically generated name to identify a device. Can be overwritten to a user friendly name. |
| MSGraphDeviceManagement.Device.PartnerReportedThreatState | String | Indicates the threat state of a device when a Mobile Threat Defense partner is in use by the account and device. Read Only. Possible values are unknown, activated, deactivated, secured, lowSeverity, mediumSeverity, highSeverity, unresponsive, compromised, misconfigured. |

Command Example#

!msgraph-get-managed-device-by-id device_id=DEVICE_ID_VALUE

Context Example#

{
    "MSGraphDeviceManagement": {
        "Device": {
            "AzureADDeviceID": "AZURE_AD_DEVICE_ID",
            "ComplianceState": "compliant",
            "EASActivationDateTime": "0001-01-01T00:00:00Z",
            "EmailAddress": "EMAIL_ADDRESS",
            "EnrolledDateTime": "2020-03-03T11:32:54.6467627Z",
            "ExchangeAccessState": "none",
            "ExchangeAccessStateReason": "none",
            "FreeStorageSpaceInBytes": -1247805440,
            "ID": "ID_VALUE",
            "IsEncrypted": false,
            "IsSupervised": false,
            "JailBroken": "Unknown",
            "LastSyncDateTime": "2020-05-05T10:34:20.9574056Z",
            "ManagedDeviceName": "MANAGED_DEVICE_NAME",
            "ManagedDeviceOwnerType": "company",
            "ManagementAgent": "MANAGEMENT_AGENT",
            "Manufacturer": "MANUFACTURER_VALUE",
            "Model": "MODEL_VALUE",
            "Name": "NAME_VALUE",
            "OSVersion": "10.0.18363.778",
            "OperatingSystem": "Windows",
            "PartnerReportedThreatState": "highSeverity",
            "SerialNumber": "SERIAL_NUMBER_VALUE",
            "TotalStorageSpaceInBytes": -2097152,
            "UserID": "USER_ID_VALUE",
            "UserPrincipalName": "USER_PRINCIPAL_VALUE_NAME"
        }
    }
}

Human Readable Output#

Managed device DESKTOP-S2455R8#

| ID | User ID | Device Name | Operating System | OS Version | Email Address | Manufacturer | Model |
| --- | --- | --- | --- | --- | --- | --- | --- |
| DEVICE_ID_VALUE | 2827c1e7-edb6-4529-b50d-25984e968637 | DESKTOP-S2455R8 | Windows | 10.0.18363.778 | dev@demistodev.onmicrosoft.com | VMware, Inc. | VMware7,1 |

msgraph-sync-device#


Check the device in with Intune so that it immediately receives pending actions and policies.

Required Permissions#

DeviceManagementManagedDevices.PrivilegedOperations.All

Base Command#

msgraph-sync-device

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_id | The ID of the managed device to be fetched (can be retrieved using the msgraph-list-managed-devices command) | Required |

Context Output#

There is no context output for this command.

Command Example#

!msgraph-sync-device device_id=DEVICE_ID_VALUE

Human Readable Output#

Sync device action activated successfully.

msgraph-device-disable-lost-mode#


Disable the lost mode of the device

Required Permissions#

DeviceManagementManagedDevices.PrivilegedOperations.All

Base Command#

msgraph-device-disable-lost-mode

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_id | The ID of the managed device to be fetched (can be retrieved using the msgraph-list-managed-devices command) | Required |

Context Output#

There is no context output for this command.

Command Example#

!msgraph-device-disable-lost-mode device_id=DEVICE_ID_VALUE

Human Readable Output#

Windows device defender scan action activated successfully.

msgraph-locate-device#


Gets the GPS location of a device (iOS only)

Required Permissions#

DeviceManagementManagedDevices.PrivilegedOperations.All

Base Command#

msgraph-locate-device

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_id | The ID of the managed device to be fetched (can be retrieved using the msgraph-list-managed-devices command) | Required |

Context Output#

There is no context output for this command.

Command Example#

!msgraph-locate-device device_id=DEVICE_ID_VALUE

Human Readable Output#

Locate device action activated successfully.

msgraph-device-reboot-now#


Immediately reboots the device

Required Permissions#

DeviceManagementManagedDevices.PrivilegedOperations.All

Base Command#

msgraph-device-reboot-now

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_id | The ID of the managed device to be fetched (can be retrieved using the msgraph-list-managed-devices command) | Required |

Context Output#

There is no context output for this command.

Command Example#

!msgraph-device-reboot-now device_id=DEVICE_ID_VALUE

Human Readable Output#

Device reboot now action activated successfully..

msgraph-device-shutdown#


Immediately shuts down the device

Required Permissions#

DeviceManagementManagedDevices.PrivilegedOperations.All

Base Command#

msgraph-device-shutdown

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_id | The ID of the managed device to be fetched (can be retrieved using the msgraph-list-managed-devices command) | Required |

Context Output#

There is no context output for this command.

Command Example#

!msgraph-device-shutdown device_id=DEVICE_ID_VALUE

Human Readable Output#

Device shutdown action activated successfully.

msgraph-device-bypass-activation-lock#


Removes the activation lock (iOS devices only)

Required Permissions#

DeviceManagementManagedDevices.PrivilegedOperations.All

Base Command#

msgraph-device-bypass-activation-lock

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_id | The ID of the managed device to be fetched (can be retrieved using the msgraph-list-managed-devices command) | Required |

Context Output#

There is no context output for this command.

Command Example#

!msgraph-device-bypass-activation-lock device_id=DEVICE_ID_VALUE

Human Readable Output#

Device bypass activation lock action activated successfully.

msgraph-device-retire#


Remove the device from Intune management

Required Permissions#

DeviceManagementManagedDevices.PrivilegedOperations.All

Base Command#

msgraph-device-retire

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_id | The ID of the managed device to be fetched (can be retrieved using the msgraph-list-managed-devices command) | Required |

Context Output#

There is no context output for this command.

Command Example#

!msgraph-device-retire device_id=DEVICE_ID_VALUE

Human Readable Output#

Retire device action activated successfully.

msgraph-device-reset-passcode#


Resets the passcode for the device

Required Permissions#

DeviceManagementManagedDevices.PrivilegedOperations.All

Base Command#

msgraph-device-reset-passcode

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_id | The ID of the managed device to be fetched (can be retrieved using the msgraph-list-managed-devices command) | Required |

Context Output#

There is no context output for this command.

Command Example#

!msgraph-device-reset-passcode device_id=DEVICE_ID_VALUE

Human Readable Output#

Device reset passcode action activated successfully.

msgraph-device-remote-lock#


Lock the device. To unlock it, the user will have to use the passcode.

Required Permissions#

DeviceManagementManagedDevices.PrivilegedOperations.All

Base Command#

msgraph-device-remote-lock

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_id | The ID of the managed device to be fetched (can be retrieved using the msgraph-list-managed-devices command) | Required |

Context Output#

There is no context output for this command.

Command Example#

!msgraph-device-remote-lock device_id=DEVICE_ID_VALUE

Human Readable Output#

Device remote lock action activated successfully.

msgraph-device-request-remote-assistance#


Request remote access via TeamViewer

Required Permissions#

DeviceManagementManagedDevices.ReadWrite.All

Base Command#

msgraph-device-request-remote-assistance

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_id | The ID of the managed device to be fetched (can be retrieved using the msgraph-list-managed-devices command) | Required |

Context Output#

There is no context output for this command.

Command Example#

!msgraph-device-request-remote-assistance device_id=DEVICE_ID_VALUE

Human Readable Output#

Device request remote assistance action activated successfully.

msgraph-device-recover-passcode#


Recovers the passcode from the device

Required Permissions#

DeviceManagementManagedDevices.PrivilegedOperations.All

Base Command#

msgraph-device-recover-passcode

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_id | The ID of the managed device to be fetched (can be retrieved using the msgraph-list-managed-devices command) | Required |

Context Output#

There is no context output for this command.

Command Example#

!msgraph-device-recover-passcode device_id=DEVICE_ID_VALUE

Human Readable Output#

Device recover passcode action activated successfully.

msgraph-logout-shared-apple-device-active-user#


Logs out the current user on a shared iPad device

Required Permissions#

DeviceManagementManagedDevices.PrivilegedOperations.All

Base Command#

msgraph-logout-shared-apple-device-active-user

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_id | The ID of the managed device to be fetched (can be retrieved using the msgraph-list-managed-devices command) | Required |

Context Output#

There is no context output for this command.

Command Example#

!msgraph-logout-shared-apple-device-active-user device_id=DEVICE_ID_VALUE

Human Readable Output#

Logout shard apple device active user action activated successfully.

msgraph-delete-user-from-shared-apple-device#


Deletes a user that you select from the local cache on a shared iPad device

Required Permissions#

DeviceManagementManagedDevices.PrivilegedOperations.All

Base Command#

msgraph-delete-user-from-shared-apple-device

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| user_principal_name | The principal name of the user to be deleted. | Required |
| device_id | The ID of the managed device to be fetched (can be retrieved using the msgraph-list-managed-devices command) | Required |

Context Output#

There is no context output for this command.

Command Example#

!msgraph-delete-user-from-shared-apple-device device_id=DEVICE_ID_VALUE user_principal_name=USER_PRINCIPAL_NAME_VALUE

Human Readable Output#

Delete user from shared apple device action activated successfully.

msgraph-windows-device-defender-update-signatures#


Force an update of Windows Defender signatures

Required Permissions#

DeviceManagementManagedDevices.PrivilegedOperations.All

Base Command#

msgraph-windows-device-defender-update-signatures

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| device_id | The ID of the managed device to be fetched (can be retrieved using the msgraph-list-managed-devices command) | Required |

Context Output#

There is no context output for this command.

Command Example#

!msgraph-windows-device-defender-update-signatures device_id=DEVICE_ID_VALUE

Human Readable Output#

Windows device defender update signatures action activated successfully.

msgraph-clean-windows-device#


Removes any apps that are installed on a PC running Windows 10. It helps remove pre-installed (OEM) apps that are typically installed with a new PC.

Required Permissions#

DeviceManagementManagedDevices.PrivilegedOperations.All

Base Command#

msgraph-clean-windows-device

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| keep_user_data | Whether to keep the user's data or not. (Default is set to true) | Optional |
| device_id | The ID of the managed device to be fetched (can be retrieved using the msgraph-list-managed-devices command) | Required |

Context Output#

There is no context output for this command.

Command Example#

!msgraph-clean-windows-device device_id=DEVICE_ID_VALUE keep_user_data=false

Human Readable Output#

Clean windows device action activated successfully.

msgraph-windows-device-defender-scan#


Scans the device with Windows Defender (Windows devices only)

Required Permissions#

DeviceManagementManagedDevices.PrivilegedOperations.All

Base Command#

msgraph-windows-device-defender-scan

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| quick_scan | Whether to perform a quick scan or not. (Default is set to true) | Optional |
| device_id | The ID of the managed device to be fetched (can be retrieved using the msgraph-list-managed-devices command) | Required |

Context Output#

There is no context output for this command.

Command Example#

!msgraph-windows-device-defender-scan device_id=DEVICE_ID_VALUE quick_scan=false

Human Readable Output#

Windows device defender scan action activated successfully.

msgraph-wipe-device#


Restores a device to its factory default settings

Required Permissions#

DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All

Base Command#

msgraph-wipe-device

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| keep_enrollment_data | Whether to keep enrollment data or not. (Default is set to true) | Optional |
| keep_user_data | Whether to keep the user's data or not. (Default is set to true) | Optional |
| mac_os_unlock_code | The MacOS unlock code. | Optional |
| device_id | The ID of the managed device to be fetched (can be retrieved using the msgraph-list-managed-devices command) | Required |

Context Output#

There is no context output for this command.

Command Example#

!msgraph-wipe-device device_id=DEVICE_ID_VALUE keep_enrollment_data=false keep_user_data=true

Human Readable Output#

Wipe device action activated successfully.

msgraph-update-windows-device-account#


Updates the Windows account of the device

Required Permissions#

DeviceManagementManagedDevices.PrivilegedOperations.All

Base Command#

msgraph-update-windows-device-account

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| session_initiation_protocal_address | SIP address | Required |
| exchange_server | Exchange server address | Required |
| calendar_sync_enabled | Whether to enable calendar sync or not. (Default is set to false) | Optional |
| password_rotation_enabled | Whether to enable password rotation or not. (Default is set to false) | Optional |
| device_account_password | The device account password. | Required |
| device_account_email | The device account email. | Required |
| device_id | The ID of the managed device to be fetched (can be retrieved using the msgraph-list-managed-devices command) | Required |

Context Output#

There is no context output for this command.

Command Example#

!msgraph-update-windows-device-account device_id=DEVICE_ID_VALUE session_initiation_protocal_address=PA_VALUE device_account_password=PW_VALUE device_account_email=MAIL_VALUE

Human Readable Output#

Update windows device account action activated successfully.

msgraph-list-managed-devices#


List of managed devices

Required Permissions#

DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementManagedDevices.Read.All

Base Command#

msgraph-list-managed-devices

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The number of managed devices to fetch. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| MSGraphDeviceManagement.Device.ID | String | The ID of the managed device |
| MSGraphDeviceManagement.Device.UserID | String | Unique Identifier for the user associated with the device |
| MSGraphDeviceManagement.Device.Name | String | Name of the device |
| MSGraphDeviceManagement.Device.ManagedDeviceOwnerType | String | Ownership of the device. Possible values are unknown, company, personal. |
| MSGraphDeviceManagement.Device.ActionResults.actionName | String | Action name |
| MSGraphDeviceManagement.Device.ActionResults.ActionState | String | State of the action. Possible values are none, pending, canceled, active, done, failed, notSupported |
| MSGraphDeviceManagement.Device.ActionResults.StartDateTime | Date | Time the action was initiated |
| MSGraphDeviceManagement.Device.ActionResults.lastUpdatedDateTime | Date | Time the action state was last updated |
| MSGraphDeviceManagement.Device.EnrolledDateTime | Date | Enrollment time of the device |
| MSGraphDeviceManagement.Device.LastSyncDateTime | Date | The date and time that the device last completed a successful sync with Intune. |
| MSGraphDeviceManagement.Device.OperatingSystem | String | Operating system of the device. Windows, iOS, etc. |
| MSGraphDeviceManagement.Device.ComplianceState | String | Compliance state of the device. Possible values are unknown, compliant, noncompliant, conflict, error, inGracePeriod, configManager |
| MSGraphDeviceManagement.Device.JailBroken | String | Whether the device is jail broken or rooted. |
| MSGraphDeviceManagement.Device.ManagementAgent | String | Management channel of the device. Possible values are eas, mdm, easMdm, intuneClient, easIntuneClient, configurationManagerClient, configurationManagerClientMdm, configurationManagerClientMdmEas, unknown, jamf, googleCloudDevicePolicyController. |
| MSGraphDeviceManagement.Device.OSVersion | String | Operating system version of the device. |
| MSGraphDeviceManagement.Device.EASDeviceId | String | Exchange ActiveSync Id of the device. |
| MSGraphDeviceManagement.Device.EASActivationDateTime | Date | Exchange ActivationSync activation time of the device. |
| MSGraphDeviceManagement.Device.ActivationLockBypassCode | String | Code that allows the Activation Lock on a device to be bypassed. |
| MSGraphDeviceManagement.Device.EmailAddress | String | Email(s) for the user associated with the device |
| MSGraphDeviceManagement.Device.AzureADDeviceId | String | The unique identifier for the Azure Active Directory device. Read only. |
| MSGraphDeviceManagement.Device.CategoryDisplayName | String | Device category display name |
| MSGraphDeviceManagement.Device.ExchangeAccessState | String | The Access State of the device in Exchange. Possible values are none, unknown, allowed, blocked, quarantined. |
| MSGraphDeviceManagement.Device.exchangeAccessStateReason | String | The reason for the device's access state in Exchange. Possible values are none, unknown, exchangeGlobalRule, exchangeIndividualRule, exchangeDeviceRule, exchangeUpgrade, exchangeMailboxPolicy, other, compliant, notCompliant, notEnrolled, unknownLocation, mfaRequired, azureADBlockDueToAccessPolicy, compromisedPassword, deviceNotKnownWithManagedApp. |
| MSGraphDeviceManagement.Device.IsSupervised | Boolean | Device supervised status |
| MSGraphDeviceManagement.Device.IsEncrypted | Boolean | Device encryption status |
| MSGraphDeviceManagement.Device.UserPrincipalName | String | Device user principal name |
| MSGraphDeviceManagement.Device.Model | String | Model of the device |
| MSGraphDeviceManagement.Device.Manufacturer | String | Manufacturer of the device |
| MSGraphDeviceManagement.Device.IMEI | String | IMEI of the device |
| MSGraphDeviceManagement.Device.SerialNumber | String | Serial number of the device |
| MSGraphDeviceManagement.Device.PhoneNumber | String | Phone number of the device |
| MSGraphDeviceManagement.Device.AndroidSecurityPatchLevel | String | Android security patch level of the device |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.inventory | Boolean | Whether inventory is managed by Intune |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.modernApps | Boolean | Whether modern application is managed by Intune |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.resourceAccess | Boolean | Whether resource access is managed by Intune |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.deviceConfiguration | Boolean | Whether device configuration is managed by Intune |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.compliancePolicy | Boolean | Whether compliance policy is managed by Intune |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.windowsUpdateForBusiness | Boolean | Whether Windows Update for Business is managed by Intune |
| MSGraphDeviceManagement.Device.WiFiMacAddress | String | Wi-Fi MAC |
| MSGraphDeviceManagement.Device.HealthAttestationState.lastUpdateDateTime | String | The Timestamp of the last update. |
| MSGraphDeviceManagement.Device.HealthAttestationState.issuedDateTime | Date | The DateTime when device was evaluated or issued to MDM |
| MSGraphDeviceManagement.Device.HealthAttestationState.resetCount | Number | The number of times a PC device has hibernated or resumed |
| MSGraphDeviceManagement.Device.HealthAttestationState.restartCount | Number | The number of times a PC device has rebooted |
| MSGraphDeviceManagement.Device.HealthAttestationState.bitLockerStatus | String | On or Off of BitLocker Drive Encryption |
| MSGraphDeviceManagement.Device.HealthAttestationState.bootManagerVersion | String | The version of the Boot Manager |
| MSGraphDeviceManagement.Device.HealthAttestationState.secureBoot | String | When Secure Boot is enabled, the core components must have the correct cryptographic signatures |
| MSGraphDeviceManagement.Device.HealthAttestationState.bootDebugging | String | When bootDebugging is enabled, the device is used in development and testing |
| MSGraphDeviceManagement.Device.HealthAttestationState.operatingSystemKernelDebugging | String | When operatingSystemKernelDebugging is enabled, the device is used in development and testing |
| MSGraphDeviceManagement.Device.HealthAttestationState.codeIntegrity | String | When code integrity is enabled, code execution is restricted to integrity verified code |
| MSGraphDeviceManagement.Device.HealthAttestationState.testSigning | String | When test signing is allowed, the device does not enforce signature validation during boot |
| MSGraphDeviceManagement.Device.HealthAttestationState.safeMode | String | Safe mode is a troubleshooting option for Windows that starts your computer in a limited state |
| MSGraphDeviceManagement.Device.HealthAttestationState.windowsPE | String | Operating system running with limited services that is used to prepare a computer for Windows |
| MSGraphDeviceManagement.Device.HealthAttestationState.earlyLaunchAntiMalwareDriverProtection | String | ELAM provides protection for the computers in your network when they start up |
| MSGraphDeviceManagement.Device.HealthAttestationState.virtualSecureMode | String | VSM is a container that protects high value assets from a compromised kernel |
| MSGraphDeviceManagement.Device.HealthAttestationState.pcrHashAlgorithm | String | Informational attribute that identifies the HASH algorithm that was used by TPM |
| MSGraphDeviceManagement.Device.HealthAttestationState.bootAppSecurityVersion | String | The security version number of the Boot Application |
| MSGraphDeviceManagement.Device.HealthAttestationState.bootManagerSecurityVersion | String | The security version number of the Boot Application |
| MSGraphDeviceManagement.Device.HealthAttestationState.tpmVersion | String | The security version number of the Boot Application |
| MSGraphDeviceManagement.Device.HealthAttestationState.pcr0 | String | The measurement that is captured in PCR[0] |
| MSGraphDeviceManagement.Device.HealthAttestationState.secureBootConfigurationPolicyFingerPrint | String | Fingerprint of the Custom Secure Boot Configuration Policy |
| MSGraphDeviceManagement.Device.HealthAttestationState.codeIntegrityPolicy | String | The Code Integrity policy that is controlling the security of the boot environment |
| MSGraphDeviceManagement.Device.HealthAttestationState.bootRevisionListInfo | String | The Boot Revision List that was loaded during initial boot on the attested device |
| MSGraphDeviceManagement.Device.HealthAttestationState.operatingSystemRevListInfo | String | The Operating System Revision List that was loaded during initial boot on the attested device |
| MSGraphDeviceManagement.Device.HealthAttestationState.healthStatusMismatchInfo | String | This attribute appears if DHA-Service detects an integrity issue |
| MSGraphDeviceManagement.Device.HealthAttestationState.healthAttestationSupportedStatus | String | This attribute indicates if DHA is supported for the device |
| MSGraphDeviceManagement.Device.SubscriberCarrier | String | Subscriber Carrier |
| MSGraphDeviceManagement.Device.MEID | String | MEID |
| MSGraphDeviceManagement.Device.TotalStorageSpaceInBytes | Number | Total Storage in Bytes |
| MSGraphDeviceManagement.Device.FreeStorageSpaceInBytes | Number | Free Storage in Bytes |
| MSGraphDeviceManagement.Device.ManagedDeviceName | String | Automatically generated name to identify a device. Can be overwritten to a user friendly name. |
| MSGraphDeviceManagement.Device.PartnerReportedThreatState | String | Indicates the threat state of a device when a Mobile Threat Defense partner is in use by the account and device. Read Only. Possible values are unknown, activated, deactivated, secured, lowSeverity, mediumSeverity, highSeverity, unresponsive, compromised, misconfigured. |

Command Example#

!msgraph-list-managed-devices

Context Example#

{
    "MSGraphDeviceManagement": {
        "Device": {
            "AzureADDeviceID": "AZURE_AD_DEVICE_ID",
            "ComplianceState": "compliant",
            "EASActivationDateTime": "0001-01-01T00:00:00Z",
            "EmailAddress": "EMAIL_ADDRESS",
            "EnrolledDateTime": "2020-03-03T11:32:54.6467627Z",
            "ExchangeAccessState": "none",
            "ExchangeAccessStateReason": "none",
            "FreeStorageSpaceInBytes": -1247805440,
            "ID": "ID_VALUE",
            "IsEncrypted": false,
            "IsSupervised": false,
            "JailBroken": "Unknown",
            "LastSyncDateTime": "2020-05-05T10:34:20.9574056Z",
            "ManagedDeviceName": "MANAGED_DEVICE_NAME",
            "ManagedDeviceOwnerType": "company",
            "ManagementAgent": "MANAGEMENT_AGENT",
            "Manufacturer": "MANUFACTURER_VALUE",
            "Model": "MODEL_VALUE",
            "Name": "NAME_VALUE",
            "OSVersion": "10.0.18363.778",
            "OperatingSystem": "Windows",
            "PartnerReportedThreatState": "highSeverity",
            "SerialNumber": "SERIAL_NUMBER_VALUE",
            "TotalStorageSpaceInBytes": -2097152,
            "UserID": "USER_ID_VALUE",
            "UserPrincipalName": "USER_PRINCIPAL_VALUE_NAME"
        }
    }
}

Human Readable Output#

Managed device DESKTOP-S2455R8#

| ID | User ID | Device Name | Operating System | OS Version | Email Address | Manufacturer | Model |
| --- | --- | --- | --- | --- | --- | --- | --- |
| DEVICE_ID_VALUE | 2827c1e7-edb6-4529-b50d-25984e968637 | DESKTOP-S2455R8 | Windows | 10.0.18363.778 | dev@demistodev.onmicrosoft.com | VMware, Inc. | VMware7,1 |
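
The context written by msgraph-list-managed-devices can drive triage in an automation. The following is an added example, not code from the integration or from Cortex XSOAR: it ranks devices by PartnerReportedThreatState, JailBroken, ComplianceState, IsEncrypted and LastSyncDateTime, and proposes only non-destructive commands from this page for analyst approval. The function names, the 30-day staleness threshold, the "True" value for JailBroken and the sample devices are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Values copied from the "Possible values" lists in the Context Output table.
HIGH_THREAT_STATES = {"highSeverity", "compromised"}
NONCOMPLIANT_STATES = {"noncompliant", "conflict", "error"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_graph_time(value):
    """Parse e.g. 2020-05-05T10:34:20.9574056Z; 0001-01-01 means 'never'."""
    if not value or value.startswith("0001-01-01"):
        return None
    head, _, frac = value.rstrip("Z").partition(".")
    micros = (frac + "000000")[:6]  # strptime takes at most 6 fractional digits
    parsed = datetime.strptime(f"{head}.{micros}", "%Y-%m-%dT%H:%M:%S.%f")
    return parsed.replace(tzinfo=timezone.utc)


def devices_from_context(context):
    """Device is one object in the Context Example; also accept a list."""
    entry = context.get("MSGraphDeviceManagement", {}).get("Device", [])
    return [entry] if isinstance(entry, dict) else list(entry)


def triage_device(device, now, stale_after=timedelta(days=30)):
    """Return severity, findings and suggested commands for one Device entry."""
    device_id = device.get("ID", "")
    findings, commands = [], []

    def suggest(command, extra=""):
        line = f"!{command} device_id={device_id}{extra}"
        if line not in commands:  # never propose the same action twice
            commands.append(line)

    threat = device.get("PartnerReportedThreatState", "unknown")
    # Assumption: a jailbroken device is reported as the string "True".
    jailbroken = str(device.get("JailBroken", "")).lower() == "true"
    if threat in HIGH_THREAT_STATES:
        findings.append(f"threat state {threat}")
        suggest("msgraph-sync-device")
        if device.get("OperatingSystem") == "Windows":
            suggest("msgraph-windows-device-defender-update-signatures")
            suggest("msgraph-windows-device-defender-scan", " quick_scan=false")
    if jailbroken:
        findings.append("jailbroken or rooted")
    if device.get("ComplianceState") in NONCOMPLIANT_STATES:
        findings.append(f"compliance state {device['ComplianceState']}")
        suggest("msgraph-sync-device")
    if (device.get("ManagedDeviceOwnerType") == "company"
            and device.get("IsEncrypted") is False):
        findings.append("company device not encrypted")
    last_sync = parse_graph_time(device.get("LastSyncDateTime"))
    if last_sync is None or now - last_sync > stale_after:
        findings.append("no recent sync with Intune")
        suggest("msgraph-sync-device")

    if threat in HIGH_THREAT_STATES or jailbroken:
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "low"
    return {"ID": device_id, "severity": severity,
            "findings": findings, "commands": commands}


def triage_context(context, now):
    """Triage every device in the context, most severe first."""
    results = [triage_device(d, now) for d in devices_from_context(context)]
    return sorted(results, key=lambda r: SEVERITY_ORDER[r["severity"]])


# Constructed sample data, modelled on the Context Example above.
NOW = datetime(2020, 5, 6, tzinfo=timezone.utc)
SAMPLE_CONTEXT = {"MSGraphDeviceManagement": {"Device": [
    {"ID": "CONSTRUCTED-ID-1", "OperatingSystem": "Windows",
     "ComplianceState": "compliant", "PartnerReportedThreatState": "highSeverity",
     "JailBroken": "Unknown", "IsEncrypted": False,
     "ManagedDeviceOwnerType": "company",
     "LastSyncDateTime": "2020-05-05T10:34:20.9574056Z"},
    {"ID": "CONSTRUCTED-ID-2", "OperatingSystem": "iOS",
     "ComplianceState": "noncompliant", "PartnerReportedThreatState": "secured",
     "JailBroken": "True", "IsEncrypted": True,
     "ManagedDeviceOwnerType": "personal",
     "LastSyncDateTime": "2020-03-01T08:00:00Z"},
    {"ID": "CONSTRUCTED-ID-3", "OperatingSystem": "Android",
     "ComplianceState": "compliant", "PartnerReportedThreatState": "secured",
     "JailBroken": "False", "IsEncrypted": True,
     "ManagedDeviceOwnerType": "company",
     "LastSyncDateTime": "2020-05-05T23:00:00Z"},
]}}

if __name__ == "__main__":
    for result in triage_context(SAMPLE_CONTEXT, NOW):
        print(result["severity"], result["ID"], result["findings"])
        for command in result["commands"]:
            print("   suggest:", command)
```
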