Not sure I like the (Intune) attribute after Devices and Apps. Would like to see device fields for status and environment. Sample data below:

STATUS:

Disposed
Deployed
Decommissioned
Pending Deployment
In-Inventory
Pending Decommission
Loaded in Error
Archived
Received
In Service
Out of Scope

ENVIRONMENT:
Production
Development
Test
Sandbox
Pre-Build
UAT
Disaster Recovery
Training
Integration Test
Staging
Standby

When $expand=detectedApps is included on the /deviceManagement/managedDevices/{managedDeviceId} endpoint, all apps that have ever been installed on the device are returned. It would be great if only currently installed applications were returned to get an accurate representation of the applications on the device.

Example from a device in our environment, I only want to know the current version of the IME, not every version that's ever been installed:
Microsoft Intune Management Extension 1.15.109.0
Microsoft Intune Management Extension 1.24.114.0
Microsoft Intune Management Extension 1.15.102.0
Microsoft Intune Management Extension 1.23.103.0
Microsoft Intune Management Extension 1.22.107.0

Currently, I see deviceGeoLocation under deviceManagement. However, it would be very useful for security to search for the last GeoLocation of a device.

Any ideas when Microsoft GraphAPI will support differential query on devices? I'm looking of way to detect changes about devices in Azure AD.

I am trying to see how to store additional info into managedDevices that are available inside the Graph API (/deviceManagement/managedDevices/ endpoint). But it seems that it does not work (only a specific set of items including device but not managedDevice ?)

It can be a great way to enhance the existing intune solution and store in a central place mandatory data like warranty information or additional device specification.

Thanks for your work on the graph API by the way !

Most or all of the APIs related to Devices and Apps (Intune) only support Delegated Permissions. I see a lot of use-cases where I want to use Application Permissions instead of delegated to simplify and secure my integrations.

Hi,

Could you please implement the expand functionality for managedDevices on the detectedApps?

So we could fetch the link between devices and apps in one statement, like so:
https://graph.microsoft.com/v1.0/deviceManagement/detectedApps?$expand=managedDevices
or only the id
https://graph.microsoft.com/v1.0/deviceManagement/detectedApps?$expand=managedDevices($select=id).

The other direction is also a possibility ofcourse:
https://graph.microsoft.com/beta/deviceManagement/managedDevices?$expand=detectedApps

Kind regards,

Peter

Currently setDeviceName only sets the device display name. It'd be nice to also set the deviceManagementName value in the same POST request.

Make changes to the Graph API to allow Connect-AutoPilotIntune cmdlet of the WindowsAutoPilotIntune module accept secrets (password and/or certificates) as a parameter to facilitate scripting. At the moment it only accepts <user> as a parameter. When such a script is added to say, Task Scheduler, the user account used will have to be logged into the machine for the task to successfully run the PS script.

Examples

1. Connect-AutoPilotIntune -credential




2. Connect-AutoPilotIntune -TenantID ... -ApplicationID ... -CertifiacateThumbprint

etc.

Currently to retrieve information about all ActiveSync Device Partnerships from Exchange Online, you need to either use ECP or Exchange Online PowerShell. Both of these ways are VERY SLOW. ECP because it's manual, and PowerShell because you either have to grab a) all mailboxes (get-mailbox) or b) all partnerships (get-mobiledevice), and then loop through the list to look at each partnership (get-mobiledevicestatistics).

It'd be so much quicker if this was available via the Graph API.

This endpoint:
https://docs.microsoft.com/en-us/graph/api/intune-mam-targetedmanagedappprotection-list?view=graph-rest-1.0

In regards to Intune App Protection policies, the URL and the documenation say "Protection", however it's returning App Configuration policies and Windows Information Protection policies.

Can this be corrected ?

Hi,

We are building a portal where we need to display devices for security groups. Currently we can only display basic device information using GET /beta/groups/{groupId}/members.

We would like to diplay manageDevice information, a request for this would be very usefull, example:
GET /groups/{groupId}/managedDevices

We need to be able to search a list of devices by name using a contains() filter.

e.g.:
/devices?$filter=contains('DESKTOP',displayName)

Unable to delete Windows Store for Business apps using the code provided in https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/intuneappswindowsstoreapp_delete

Failure - Status Code 400; No OData route exists that match template ~/singleton/navigation/key/navigation with http verb DELETE for request

Currently identityRiskEvent objects can be listed and read, but there are no write actions available, though closing events through "Resolve", "Mark as false positive", "Ignore" and "Dismiss all events" are available through the Azure AD Portal.

Where are the corresponding API methods and scope, so that we may delegate and/or automate these?