Microsoft Graph Device Management (Microsoft Intune)
Microsoft Intune is a Microsoft cloud-based management solution that provides for mobile device and operating system management This integration was integrated and tested with version xx of Microsoft Graph Device Management
Configure Microsoft Graph Device Management on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for Microsoft Graph Device Management.
- Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
|---|---|---|
| url | Server URL | True |
| auth_id | ID (received from the admin consent - see Detailed Instructions (?) | True |
| tenant_id | Token (received from the admin consent - see Detailed Instructions (?) section) | True |
| enc_key | Key (received from the admin consent - see Detailed Instructions (?) | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| self_deployed | Use a self deployed Azure Application | False |
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
msgraph-get-managed-device-by-id
Get managed devices
Base Command
msgraph-get-managed-device-by-id
Input
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command) | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| MSGraphDeviceManagement.Device.ID | String | The ID of the managed device |
| MSGraphDeviceManagement.Device.UserID | String | Unique Identifier for the user associated with the device |
| MSGraphDeviceManagement.Device.Name | String | Name of the device |
| MSGraphDeviceManagement.Device.ManagedDeviceOwnerType | String | Ownership of the device. Possible values are unknown, company, personal. |
| MSGraphDeviceManagement.Device.ActionResults.actionName | String | Action name |
| MSGraphDeviceManagement.Device.ActionResults.ActionState | String | State of the action. Possible values are none, pending, canceled, active, done, failed, notSupported |
| MSGraphDeviceManagement.Device.ActionResults.StartDateTime | Date | Time the action was initiated |
| MSGraphDeviceManagement.Device.ActionResults.lastUpdatedDateTime | Date | Time the action state was last updated |
| MSGraphDeviceManagement.Device.EnrolledDateTime | Date | Enrollment time of the device |
| MSGraphDeviceManagement.Device.LastSyncDateTime | Date | The date and time that the device last completed a successful sync with Intune. |
| MSGraphDeviceManagement.Device.OperatingSystem | String | Operating system of the device. Windows, iOS, etc. |
| MSGraphDeviceManagement.Device.ComplianceState | String | Compliance state of the device. Possible values are unknown, compliant, noncompliant, conflict, error, inGracePeriod, configManager |
| MSGraphDeviceManagement.Device.JailBroken | String | whether the device is jail broken or rooted. |
| MSGraphDeviceManagement.Device.ManagementAgent | String | Management channel of the device. Possible values are eas, mdm, easMdm, intuneClient, easIntuneClient, configurationManagerClient, configurationManagerClientMdm, configurationManagerClientMdmEas, unknown, jamf, googleCloudDevicePolicyController. |
| MSGraphDeviceManagement.Device.OSVersion | String | Operating system version of the device. |
| MSGraphDeviceManagement.Device.EASDeviceId | String | Exchange ActiveSync Id of the device. |
| MSGraphDeviceManagement.Device.EASActivationDateTime | Date | Exchange ActivationSync activation time of the device. |
| MSGraphDeviceManagement.Device.ActivationLockBypassCode | String | Code that allows the Activation Lock on a device to be bypassed. |
| MSGraphDeviceManagement.Device.EmailAddress | String | Email(s) for the user associated with the device |
| MSGraphDeviceManagement.Device.AzureADDeviceId | String | The unique identifier for the Azure Active Directory device. Read only. |
| MSGraphDeviceManagement.Device.CategoryDisplayName | String | Device category display name |
| MSGraphDeviceManagement.Device.ExchangeAccessState | String | The Access State of the device in Exchange. Possible values are none, unknown, allowed, blocked, quarantined. |
| MSGraphDeviceManagement.Device.exchangeAccessStateReason | String | The reason for the device's access state in Exchange. Possible values are none, unknown, exchangeGlobalRule, exchangeIndividualRule, exchangeDeviceRule, exchangeUpgrade, exchangeMailboxPolicy, other, compliant, notCompliant, notEnrolled, unknownLocation, mfaRequired, azureADBlockDueToAccessPolicy, compromisedPassword, deviceNotKnownWithManagedApp. |
| MSGraphDeviceManagement.Device.IsSupervised | Boolean | Device supervised status |
| MSGraphDeviceManagement.Device.IsEncrypted | Boolean | Device encryption status |
| MSGraphDeviceManagement.Device.UserPrincipalName | String | Device user principal name |
| MSGraphDeviceManagement.Device.Model | String | Model of the device |
| MSGraphDeviceManagement.Device.Manufacturer | String | Manufacturer of the device |
| MSGraphDeviceManagement.Device.IMEI | String | IMEI of the device |
| MSGraphDeviceManagement.Device.SerialNumber | String | Serial number of the device |
| MSGraphDeviceManagement.Device.PhoneNumber | String | Phone number of the device |
| MSGraphDeviceManagement.Device.AndroidSecurityPatchLevel | String | Android security patch level of the device |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.inventory | Boolean | Whether inventory is managed by Intune |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.modernApps | Boolean | Whether modern application is managed by Intune |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.resourceAccess | Boolean | Whether resource access is managed by Intune |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.deviceConfiguration | Boolean | Whether device configuration is managed by Intune |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.compliancePolicy | Boolean | Whether compliance policy is managed by Intune |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.windowsUpdateForBusiness | Boolean | Whether Windows Update for Business is managed by Intune |
| MSGraphDeviceManagement.Device.WiFiMacAddress | String | Wi-Fi MAC |
| MSGraphDeviceManagement.Device.HealthAttestationState.lastUpdateDateTime | String | The Timestamp of the last update. |
| MSGraphDeviceManagement.Device.HealthAttestationState.issuedDateTime | Date | The DateTime when device was evaluated or issued to MDM |
| MSGraphDeviceManagement.Device.HealthAttestationState.resetCount | Number | The number of times a PC device has hibernated or resumed |
| MSGraphDeviceManagement.Device.HealthAttestationState.restartCount | Number | The number of times a PC device has rebooted |
| MSGraphDeviceManagement.Device.HealthAttestationState.bitLockerStatus | String | On or Off of BitLocker Drive Encryption |
| MSGraphDeviceManagement.Device.HealthAttestationState.bootManagerVersion | String | The version of the Boot Manager |
| MSGraphDeviceManagement.Device.HealthAttestationState.secureBoot | String | When Secure Boot is enabled, the core components must have the correct cryptographic signatures |
| MSGraphDeviceManagement.Device.HealthAttestationState.bootDebugging | String | When bootDebugging is enabled, the device is used in development and testing |
| MSGraphDeviceManagement.Device.HealthAttestationState.operatingSystemKernelDebugging | String | When operatingSystemKernelDebugging is enabled, the device is used in development and testing |
| MSGraphDeviceManagement.Device.HealthAttestationState.codeIntegrity | String | When code integrity is enabled, code execution is restricted to integrity verified code |
| MSGraphDeviceManagement.Device.HealthAttestationState.testSigning | String | When test signing is allowed, the device does not enforce signature validation during boot |
| MSGraphDeviceManagement.Device.HealthAttestationState.safeMode, | String | Safe mode is a troubleshooting option for Windows that starts your computer in a limited state |
| MSGraphDeviceManagement.Device.HealthAttestationState.windowsPE | String | Operating system running with limited services that is used to prepare a computer for Windows |
| MSGraphDeviceManagement.Device.HealthAttestationState.earlyLaunchAntiMalwareDriverProtection | String | ELAM provides protection for the computers in your network when they start up |
| MSGraphDeviceManagement.Device.HealthAttestationState.virtualSecureMode | String | VSM is a container that protects high value assets from a compromised kernel |
| MSGraphDeviceManagement.Device.HealthAttestationState.pcrHashAlgorithm | String | Informational attribute that identifies the HASH algorithm that was used by TPM |
| MSGraphDeviceManagement.Device.HealthAttestationState.bootAppSecurityVersion | String | The security version number of the Boot Application |
| MSGraphDeviceManagement.Device.HealthAttestationState.bootManagerSecurityVersion | String | The security version number of the Boot Application |
| MSGraphDeviceManagement.Device.HealthAttestationState.tpmVersion | String | The security version number of the Boot Application |
| MSGraphDeviceManagement.Device.HealthAttestationState.pcr0 | String | The measurement that is captured in PCR[0] |
| MSGraphDeviceManagement.Device.HealthAttestationState.secureBootConfigurationPolicyFingerPrint | String | Fingerprint of the Custom Secure Boot Configuration Policy |
| MSGraphDeviceManagement.Device.HealthAttestationState.codeIntegrityPolicy | String | The Code Integrity policy that is controlling the security of the boot environment |
| MSGraphDeviceManagement.Device.HealthAttestationState.bootRevisionListInfo | String | The Boot Revision List that was loaded during initial boot on the attested device |
| MSGraphDeviceManagement.Device.HealthAttestationState.operatingSystemRevListInfo | String | The Operating System Revision List that was loaded during initial boot on the attested device |
| MSGraphDeviceManagement.Device.HealthAttestationState.healthStatusMismatchInfo | String | This attribute appears if DHA-Service detects an integrity issue |
| MSGraphDeviceManagement.Device.HealthAttestationState.healthAttestationSupportedStatus | String | This attribute indicates if DHA is supported for the device |
| MSGraphDeviceManagement.Device.SubscriberCarrier | String | Subscriber Carrier |
| MSGraphDeviceManagement.Device.MEID | String | MEID |
| MSGraphDeviceManagement.Device.TotalStorageSpaceInBytes | Number | Total Storage in Bytes |
| MSGraphDeviceManagement.Device.FreeStorageSpaceInBytes | Number | Free Storage in Bytes |
| MSGraphDeviceManagement.Device.ManagedDeviceName | String | Automatically generated name to identify a device. Can be overwritten to a user friendly name. |
| MSGraphDeviceManagement.Device.PartnerReportedThreatState | String | Indicates the threat state of a device when a Mobile Threat Defense partner is in use by the account and device. Read Only. Possible values are unknown, activated, deactivated, secured, lowSeverity, mediumSeverity, highSeverity, unresponsive, compromised, misconfigured. |
Command Example
!msgraph-get-managed-device-by-id device_id=DEVICE_ID_VALUE
Context Example
{
"MSGraphDeviceManagement": {
"Device": {
"AzureADDeviceID": "AZURE_AD_DEVICE_ID",
"ComplianceState": "compliant",
"EASActivationDateTime": "0001-01-01T00:00:00Z",
"EmailAddress": "EMAIL_ADDRESS",
"EnrolledDateTime": "2020-03-03T11:32:54.6467627Z",
"ExchangeAccessState": "none",
"ExchangeAccessStateReason": "none",
"FreeStorageSpaceInBytes": -1247805440,
"ID": "ID_VALUE",
"IsEncrypted": false,
"IsSupervised": false,
"JailBroken": "Unknown",
"LastSyncDateTime": "2020-05-05T10:34:20.9574056Z",
"ManagedDeviceName": "MANAGED_DEVICE_NAME",
"ManagedDeviceOwnerType": "company",
"ManagementAgent": "MANAGEMENT_AGENT",
"Manufacturer": "MANUFACTURER_VALUE",
"Model": "MODEL_VALUE",
"Name": "NAME_VALUE",
"OSVersion": "10.0.18363.778",
"OperatingSystem": "Windows",
"PartnerReportedThreatState": "highSeverity",
"SerialNumber": "SERIAL_NUMBER_VALUE",
"TotalStorageSpaceInBytes": -2097152,
"UserID": "USER_ID_VALUE",
"UserPrincipalName": "USER_PRINCIPAL_VALUE_NAME"
}
}
}
Human Readable Output
Managed device DESKTOP-S2455R8
ID User ID Device Name Operating System OS Version Email Address Manufacturer Model DEVICE_ID_VALUE 2827c1e7-edb6-4529-b50d-25984e968637 DESKTOP-S2455R8 Windows 10.0.18363.778 dev@demistodev.onmicrosoft.com VMware, Inc. VMware7,1
msgraph-sync-device
Check the device with Intune, immediately receive pending actions and policies
Base Command
msgraph-sync-device
Input
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command) | Required |
Context Output
There is no context output for this command.
Command Example
!msgraph-sync-device device_id=DEVICE_ID_VALUE
Human Readable Output
Sync device action activated successfully.
msgraph-device-disable-lost-mode
Disable the lost mode of the device
Base Command
msgraph-device-disable-lost-mode
Input
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command) | Required |
Context Output
There is no context output for this command.
Command Example
!msgraph-windows-device-defender-scan device_id=DEVICE_ID_VALUE
Human Readable Output
Windows device defender scan action activated successfully.
msgraph-locate-device
Gets the GPS location of a device (iOS only)
Base Command
msgraph-locate-device
Input
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command) | Required |
Context Output
There is no context output for this command.
Command Example
!msgraph-locate-device device_id=DEVICE_ID_VALUE
Human Readable Output
Locate device action activated successfully.
msgraph-device-reboot-now
Immediately reboots the device
Base Command
msgraph-device-reboot-now
Input
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command) | Required |
Context Output
There is no context output for this command.
Command Example
!msgraph-device-reboot-now device_id=DEVICE_ID_VALUE
Human Readable Output
Device reboot now action activated successfully..
msgraph-device-shutdown
Immideately shuts down the device
Base Command
msgraph-device-shutdown
Input
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command) | Required |
Context Output
There is no context output for this command.
Command Example
!msgraph-device-shutdown device_id=DEVICE_ID_VALUE
Human Readable Output
Device shutdown action activated successfully.
msgraph-device-bypass-activation-lock
Removes the activation lock (iOS devices only)
Base Command
msgraph-device-bypass-activation-lock
Input
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command) | Required |
Context Output
There is no context output for this command.
Command Example
!msgraph-device-bypass-activation-lock device_id=DEVICE_ID_VALUE
Human Readable Output
Device bypass activation lock action activated successfully.
msgraph-device-retire
Remove the device from intune management
Base Command
msgraph-device-retire
Input
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command) | Required |
Context Output
There is no context output for this command.
Command Example
!msgraph-device-retire device_id=DEVICE_ID_VALUE
Human Readable Output
Retire device action activated successfully.
msgraph-device-reset-passcode
Resets the passcode for the device
Base Command
msgraph-device-reset-passcode
Input
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command) | Required |
Context Output
There is no context output for this command.
Command Example
!msgraph-device-reset-passcode device_id=DEVICE_ID_VALUE
Human Readable Output
Device reset passcode action activated successfully.
msgraph-device-remote-lock
Lock the device, to unlock the user will have to use the passcode
Base Command
msgraph-device-remote-lock
Input
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command) | Required |
Context Output
There is no context output for this command.
Command Example
!msgraph-device-remote-lock device_id=DEVICE_ID_VALUE
Human Readable Output
Device remote lock action activated successfully.
msgraph-device-request-remote-assistance
Request a remote access via TeamViewer
Base Command
msgraph-device-request-remote-assistance
Input
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command) | Required |
Context Output
There is no context output for this command.
Command Example
!msgraph-device-request-remote-assistance device_id=DEVICE_ID_VALUE
Human Readable Output
Device request remote assistance action activated successfully.
msgraph-device-recover-passcode
Recovers the passcode from the device
Base Command
msgraph-device-recover-passcode
Input
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command) | Required |
Context Output
There is no context output for this command.
Command Example
!msgraph-device-recover-passcode device_id=DEVICE_ID_VALUE
Human Readable Output
Device recover passcode action activated successfully.
msgraph-logout-shared-apple-device-active-user
logs out the current user on a shared iPad device
Base Command
msgraph-logout-shared-apple-device-active-user
Input
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command) | Required |
Context Output
There is no context output for this command.
Command Example
!msgraph-logout-shared-apple-device-active-user device_id=DEVICE_ID_VALUE
Human Readable Output
Logout shard apple device active user action activated successfully.
msgraph-delete-user-from-shared-apple-device
deletes a user that you select from the local cache on a shared iPad device
Base Command
msgraph-delete-user-from-shared-apple-device
Input
| Argument Name | Description | Required |
|---|---|---|
| user_principal_name | The principal name of the user to be deleted. | Required |
| device_id | The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command) | Required |
Context Output
There is no context output for this command.
Command Example
!msgraph-delete-user-from-shared-apple-device device_id=DEVICE_ID_VALUE user_principal_name=USER_PRINCIPAL_NAME_VALUE
Human Readable Output
Delete user from shared apple device action activated successfully.
msgraph-windows-device-defender-update-signatures
Forece update windows defender signatures
Base Command
msgraph-windows-device-defender-update-signatures
Input
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command) | Required |
Context Output
There is no context output for this command.
Command Example
!msgraph-windows-device-defender-update-signatures device_id=DEVICE_ID_VALUE
Human Readable Output
Windows device defender update signatures action activated successfully.
msgraph-clean-windows-device
removes any apps that are installed on a PC running Windows 10. it helps remove pre-installed (OEM) apps that are typically installed with a new PC
Base Command
msgraph-clean-windows-device
Input
| Argument Name | Description | Required |
|---|---|---|
| keep_user_data | Whether to keep the user's data or not. (Default is set to true) | Optional |
| device_id | The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command) | Required |
Context Output
There is no context output for this command.
Command Example
!msgraph-clean-windows-device device_id=DEVICE_ID_VALUE keep_user_data=false
Human Readable Output
Clean windows device action activated successfully.
msgraph-windows-device-defender-scan
Scans the device with windows defender (windows devices only)
Base Command
msgraph-windows-device-defender-scan
Input
| Argument Name | Description | Required |
|---|---|---|
| quick_scan | Whether to peformn quick scan or not. (Default is set to true) | Optional |
| device_id | The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command) | Required |
Context Output
There is no context output for this command.
Command Example
!msgraph-windows-device-defender-scan device_id=DEVICE_ID_VALUE quick_scan=false
Human Readable Output
Windows device defender scan action activated successfully.
msgraph-wipe-device
restores a device to its factory default settings
Base Command
msgraph-wipe-device
Input
| Argument Name | Description | Required |
|---|---|---|
| keep_enrollment_data | Whether to keep enrollment data or not. (Default is set to true) | Optional |
| keep_user_data | Whether to keep the user's data or not. (Default is set to true) | Optional |
| mac_os_unlock_code | The MacOS unlock code. | Optional |
| device_id | The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command) | Required |
Context Output
There is no context output for this command.
Command Example
!msgraph-wipe-device device_id=DEVICE_ID_VALUE keep_enrollment_data=false keep_user_data=true
Human Readable Output
Wipe device action activated successfully.
msgraph-update-windows-device-account
Updates the windows account of the device
Base Command
msgraph-update-windows-device-account
Input
| Argument Name | Description | Required |
|---|---|---|
| session_initiation_protocal_address | SIP address | Required |
| exchange_server | Exchenge servier adddress | Required |
| calendar_sync_enabled | Whether to enable calendar sync or not. (Default is set to false) | Optional |
| password_rotation_enabled | Whether to enable password rotation or not. (Default is set to false) | Optional |
| device_account_password | The device account password. | Required |
| device_account_email | The device account email. | Required |
| device_id | The ID of the managed device to be fetched (Can be retreived using the msgraph-list-managed-devices command) | Required |
Context Output
There is no context output for this command.
Command Example
!msgraph-update-windows-device-account device_id=DEVICE_ID_VALUE session_initiation_protocal_address=PA_VALUE device_account_password=PW_VALUE device_account_email=MAIL_VALUE
Human Readable Output
Update windows device account action activated successfully.
msgraph-list-managed-devices
List of managed devices
Base Command
msgraph-list-managed-devices
Input
| Argument Name | Description | Required |
|---|---|---|
| limit | The number of managed devices to fetch. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| MSGraphDeviceManagement.Device.ID | String | The ID of the managed device |
| MSGraphDeviceManagement.Device.UserID | String | Unique Identifier for the user associated with the device |
| MSGraphDeviceManagement.Device.Name | String | Name of the device |
| MSGraphDeviceManagement.Device.ManagedDeviceOwnerType | String | Ownership of the device. Possible values are unknown, company, personal. |
| MSGraphDeviceManagement.Device.ActionResults.actionName | String | Action name |
| MSGraphDeviceManagement.Device.ActionResults.ActionState | String | State of the action. Possible values are none, pending, canceled, active, done, failed, notSupported |
| MSGraphDeviceManagement.Device.ActionResults.StartDateTime | Date | Time the action was initiated |
| MSGraphDeviceManagement.Device.ActionResults.lastUpdatedDateTime | Date | Time the action state was last updated |
| MSGraphDeviceManagement.Device.EnrolledDateTime | Date | Enrollment time of the device |
| MSGraphDeviceManagement.Device.LastSyncDateTime | Date | The date and time that the device last completed a successful sync with Intune. |
| MSGraphDeviceManagement.Device.OperatingSystem | String | Operating system of the device. Windows, iOS, etc. |
| MSGraphDeviceManagement.Device.ComplianceState | String | Compliance state of the device. Possible values are unknown, compliant, noncompliant, conflict, error, inGracePeriod, configManager |
| MSGraphDeviceManagement.Device.JailBroken | String | whether the device is jail broken or rooted. |
| MSGraphDeviceManagement.Device.ManagementAgent | String | Management channel of the device. Possible values are eas, mdm, easMdm, intuneClient, easIntuneClient, configurationManagerClient, configurationManagerClientMdm, configurationManagerClientMdmEas, unknown, jamf, googleCloudDevicePolicyController. |
| MSGraphDeviceManagement.Device.OSVersion | String | Operating system version of the device. |
| MSGraphDeviceManagement.Device.EASDeviceId | String | Exchange ActiveSync Id of the device. |
| MSGraphDeviceManagement.Device.EASActivationDateTime | Date | Exchange ActivationSync activation time of the device. |
| MSGraphDeviceManagement.Device.ActivationLockBypassCode | String | Code that allows the Activation Lock on a device to be bypassed. |
| MSGraphDeviceManagement.Device.EmailAddress | String | Email(s) for the user associated with the device |
| MSGraphDeviceManagement.Device.AzureADDeviceId | String | The unique identifier for the Azure Active Directory device. Read only. |
| MSGraphDeviceManagement.Device.CategoryDisplayName | String | Device category display name |
| MSGraphDeviceManagement.Device.ExchangeAccessState | String | The Access State of the device in Exchange. Possible values are none, unknown, allowed, blocked, quarantined. |
| MSGraphDeviceManagement.Device.exchangeAccessStateReason | String | The reason for the device's access state in Exchange. Possible values are none, unknown, exchangeGlobalRule, exchangeIndividualRule, exchangeDeviceRule, exchangeUpgrade, exchangeMailboxPolicy, other, compliant, notCompliant, notEnrolled, unknownLocation, mfaRequired, azureADBlockDueToAccessPolicy, compromisedPassword, deviceNotKnownWithManagedApp. |
| MSGraphDeviceManagement.Device.IsSupervised | Boolean | Device supervised status |
| MSGraphDeviceManagement.Device.IsEncrypted | Boolean | Device encryption status |
| MSGraphDeviceManagement.Device.UserPrincipalName | String | Device user principal name |
| MSGraphDeviceManagement.Device.Model | String | Model of the device |
| MSGraphDeviceManagement.Device.Manufacturer | String | Manufacturer of the device |
| MSGraphDeviceManagement.Device.IMEI | String | IMEI of the device |
| MSGraphDeviceManagement.Device.SerialNumber | String | Serial number of the device |
| MSGraphDeviceManagement.Device.PhoneNumber | String | Phone number of the device |
| MSGraphDeviceManagement.Device.AndroidSecurityPatchLevel | String | Android security patch level of the device |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.inventory | Boolean | Whether inventory is managed by Intune |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.modernApps | Boolean | Whether modern application is managed by Intune |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.resourceAccess | Boolean | Whether resource access is managed by Intune |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.deviceConfiguration | Boolean | Whether device configuration is managed by Intune |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.compliancePolicy | Boolean | Whether compliance policy is managed by Intune |
| MSGraphDeviceManagement.Device.ConfigurationManagerClientEnabledFeatures.windowsUpdateForBusiness | Boolean | Whether Windows Update for Business is managed by Intune |
| MSGraphDeviceManagement.Device.WiFiMacAddress | String | Wi-Fi MAC |
| MSGraphDeviceManagement.Device.HealthAttestationState.lastUpdateDateTime | String | The Timestamp of the last update. |
| MSGraphDeviceManagement.Device.HealthAttestationState.issuedDateTime | Date | The DateTime when device was evaluated or issued to MDM |
| MSGraphDeviceManagement.Device.HealthAttestationState.resetCount | Number | The number of times a PC device has hibernated or resumed |
| MSGraphDeviceManagement.Device.HealthAttestationState.restartCount | Number | The number of times a PC device has rebooted |
| MSGraphDeviceManagement.Device.HealthAttestationState.bitLockerStatus | String | On or Off of BitLocker Drive Encryption |
| MSGraphDeviceManagement.Device.HealthAttestationState.bootManagerVersion | String | The version of the Boot Manager |
| MSGraphDeviceManagement.Device.HealthAttestationState.secureBoot | String | When Secure Boot is enabled, the core components must have the correct cryptographic signatures |
| MSGraphDeviceManagement.Device.HealthAttestationState.bootDebugging | String | When bootDebugging is enabled, the device is used in development and testing |
| MSGraphDeviceManagement.Device.HealthAttestationState.operatingSystemKernelDebugging | String | When operatingSystemKernelDebugging is enabled, the device is used in development and testing |
| MSGraphDeviceManagement.Device.HealthAttestationState.codeIntegrity | String | When code integrity is enabled, code execution is restricted to integrity verified code |
| MSGraphDeviceManagement.Device.HealthAttestationState.testSigning | String | When test signing is allowed, the device does not enforce signature validation during boot |
| MSGraphDeviceManagement.Device.HealthAttestationState.safeMode, | String | Safe mode is a troubleshooting option for Windows that starts your computer in a limited state |
| MSGraphDeviceManagement.Device.HealthAttestationState.windowsPE | String | Operating system running with limited services that is used to prepare a computer for Windows |
| MSGraphDeviceManagement.Device.HealthAttestationState.earlyLaunchAntiMalwareDriverProtection | String | ELAM provides protection for the computers in your network when they start up |
| MSGraphDeviceManagement.Device.HealthAttestationState.virtualSecureMode | String | VSM is a container that protects high value assets from a compromised kernel |
| MSGraphDeviceManagement.Device.HealthAttestationState.pcrHashAlgorithm | String | Informational attribute that identifies the HASH algorithm that was used by TPM |
| MSGraphDeviceManagement.Device.HealthAttestationState.bootAppSecurityVersion | String | The security version number of the Boot Application |
| MSGraphDeviceManagement.Device.HealthAttestationState.bootManagerSecurityVersion | String | The security version number of the Boot Application |
| MSGraphDeviceManagement.Device.HealthAttestationState.tpmVersion | String | The security version number of the Boot Application |
| MSGraphDeviceManagement.Device.HealthAttestationState.pcr0 | String | The measurement that is captured in PCR[0] |
| MSGraphDeviceManagement.Device.HealthAttestationState.secureBootConfigurationPolicyFingerPrint | String | Fingerprint of the Custom Secure Boot Configuration Policy |
| MSGraphDeviceManagement.Device.HealthAttestationState.codeIntegrityPolicy | String | The Code Integrity policy that is controlling the security of the boot environment |
| MSGraphDeviceManagement.Device.HealthAttestationState.bootRevisionListInfo | String | The Boot Revision List that was loaded during initial boot on the attested device |
| MSGraphDeviceManagement.Device.HealthAttestationState.operatingSystemRevListInfo | String | The Operating System Revision List that was loaded during initial boot on the attested device |
| MSGraphDeviceManagement.Device.HealthAttestationState.healthStatusMismatchInfo | String | This attribute appears if DHA-Service detects an integrity issue |
| MSGraphDeviceManagement.Device.HealthAttestationState.healthAttestationSupportedStatus | String | This attribute indicates if DHA is supported for the device |
| MSGraphDeviceManagement.Device.SubscriberCarrier | String | Subscriber Carrier |
| MSGraphDeviceManagement.Device.MEID | String | MEID |
| MSGraphDeviceManagement.Device.TotalStorageSpaceInBytes | Number | Total Storage in Bytes |
| MSGraphDeviceManagement.Device.FreeStorageSpaceInBytes | Number | Free Storage in Bytes |
| MSGraphDeviceManagement.Device.ManagedDeviceName | String | Automatically generated name to identify a device. Can be overwritten to a user friendly name. |
| MSGraphDeviceManagement.Device.PartnerReportedThreatState | String | Indicates the threat state of a device when a Mobile Threat Defense partner is in use by the account and device. Read Only. Possible values are unknown, activated, deactivated, secured, lowSeverity, mediumSeverity, highSeverity, unresponsive, compromised, misconfigured. |
Command Example
!msgraph-list-managed-devices
Context Example
{
"MSGraphDeviceManagement": {
"Device": {
"AzureADDeviceID": "AZURE_AD_DEVICE_ID",
"ComplianceState": "compliant",
"EASActivationDateTime": "0001-01-01T00:00:00Z",
"EmailAddress": "EMAIL_ADDRESS",
"EnrolledDateTime": "2020-03-03T11:32:54.6467627Z",
"ExchangeAccessState": "none",
"ExchangeAccessStateReason": "none",
"FreeStorageSpaceInBytes": -1247805440,
"ID": "ID_VALUE",
"IsEncrypted": false,
"IsSupervised": false,
"JailBroken": "Unknown",
"LastSyncDateTime": "2020-05-05T10:34:20.9574056Z",
"ManagedDeviceName": "MANAGED_DEVICE_NAME",
"ManagedDeviceOwnerType": "company",
"ManagementAgent": "MANAGEMENT_AGENT",
"Manufacturer": "MANUFACTURER_VALUE",
"Model": "MODEL_VALUE",
"Name": "NAME_VALUE",
"OSVersion": "10.0.18363.778",
"OperatingSystem": "Windows",
"PartnerReportedThreatState": "highSeverity",
"SerialNumber": "SERIAL_NUMBER_VALUE",
"TotalStorageSpaceInBytes": -2097152,
"UserID": "USER_ID_VALUE",
"UserPrincipalName": "USER_PRINCIPAL_VALUE_NAME"
}
}
}
Human Readable Output
Managed device DESKTOP-S2455R8
ID User ID Device Name Operating System OS Version Email Address Manufacturer Model DEVICE_ID_VALUE 2827c1e7-edb6-4529-b50d-25984e968637 DESKTOP-S2455R8 Windows 10.0.18363.778 dev@demistodev.onmicrosoft.com VMware, Inc. VMware7,1