Now booking Q1 Intune migrations — talk to an engineer.

CyberSystem
← Back to Blog

Intune Graph API Integration: Complete Guide

Learn how to use Microsoft Graph API to automate Intune device management, retrieve reports, manage policies, and integrate Intune with other systems.

By Ali Alame
intunegraph-apiautomationapimicrosoft-graphintegrationdevops

Microsoft Graph API provides programmatic access to Intune device and application management capabilities. Using the Graph API, you can automate Intune operations, retrieve reports, manage devices and policies, and integrate Intune with other systems and workflows.

Understanding Intune Graph API

The Intune API in Microsoft Graph enables you to manage devices, apps, and configure Intune programmatically. You can use the Graph API to automate device management tasks, retrieve compliance and configuration data, and build custom integrations.

Key Capabilities

  • Device Management: Manage devices, compliance, and configuration
  • App Management: Deploy and manage applications
  • Reporting: Export reports and retrieve device data
  • Automation: Automate Intune operations
  • Integration: Integrate with other systems

For an overview, see Intune devices and apps API overview.

Prerequisites

Before using the Graph API:

  1. Microsoft Entra App Registration: Register an application
  2. API Permissions: Grant required permissions
  3. Authentication: Configure authentication method
  4. Graph API Access: Access to Microsoft Graph

Required Permissions

Common permissions include:

  • DeviceManagementConfiguration.ReadWrite.All
  • DeviceManagementApps.ReadWrite.All
  • DeviceManagementManagedDevices.ReadWrite.All
  • DeviceManagementScripts.ReadWrite.All (for scripts)

Note: As of July 31, 2025, some API calls require DeviceManagementScripts.ReadWrite.All instead of DeviceManagementConfiguration.ReadWrite.All.

For details, see How to use Microsoft Entra ID to access the Intune APIs in Microsoft Graph.

Authentication

App Registration

  1. Sign in to Microsoft Entra admin center
  2. Navigate to Microsoft Entra ID > App registrations
  3. Select New registration
  4. Configure app details
  5. Grant API permissions

Authentication Methods

Client Credentials Flow (Service Principal):

  • Use for background automation
  • Requires app secret or certificate
  • No user interaction required

Authorization Code Flow (Delegated):

  • Use for user-interactive scenarios
  • Requires user sign-in
  • Accesses resources on behalf of user

Common API Operations

Retrieve Devices

GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices

Response: List of managed devices with properties like device name, OS, compliance status, and last check-in.

Retrieve Compliance Reports

POST https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs
Content-Type: application/json

{
  "reportName": "DeviceCompliance",
  "format": "json"
}

Response: Export job ID for retrieving compliance report data.

For available reports, see Intune Reports and Properties Available Using Graph API.

Create Compliance Policy

POST https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies
Content-Type: application/json

{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "displayName": "Windows Compliance Policy",
  "description": "Windows 10 compliance policy",
  "passwordRequired": true,
  "passwordMinimumLength": 8
}

Assign Policy to Group

POST https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}/assign
Content-Type: application/json

{
  "assignments": [
    {
      "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "groupId": "{groupId}"
      }
    }
  ]
}

Exporting Reports

Available Reports

Intune provides many reports available via Graph API:

  • Device compliance reports
  • Device configuration reports
  • App installation reports
  • Enrollment reports
  • And more

Export Process

  1. Create Export Job:

    POST https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs

  2. Check Job Status:

    GET https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs/{jobId}

  3. Download Report:

    • When status is "completed", download from provided URL

For detailed guidance, see Export Intune Reports Using Graph APIs.

Best Practices

1. Use Appropriate Permissions

  • Use least privilege principle
  • Grant only required permissions
  • Review permissions regularly
  • Use application permissions when possible

2. Handle Rate Limiting

  • Implement retry logic
  • Respect rate limit headers
  • Use exponential backoff
  • Monitor API usage

3. Error Handling

  • Implement proper error handling
  • Log API errors
  • Handle authentication failures
  • Retry transient errors

4. Security

  • Store credentials securely
  • Use managed identities when possible
  • Rotate secrets regularly
  • Monitor API access

5. Testing

  • Test in development first
  • Use Graph Explorer for testing
  • Validate API responses
  • Test error scenarios

Additional Resources

Conclusion

Microsoft Graph API provides powerful capabilities for automating and integrating Intune. By following these best practices:

✅ Use appropriate permissions and authentication
✅ Handle rate limiting and errors properly
✅ Implement security best practices
✅ Test thoroughly before production
✅ Monitor API usage

You can build robust automations and integrations that extend Intune's capabilities and integrate with your existing systems and workflows.

Remember: Graph API provides programmatic access to Intune. Always test API calls in development environments first and implement proper error handling and security measures.