  1. $tenantId = "xxxxxxxxxxxxxxx"
  2. $clientId = "xxxxxxxxxxxxxxx"
  3. $clientSecret = "xxxxxxxxxxxxxxx"
  4.  
  5. $UserPrincipalName = "xxxxxxxxxxxxxxx"
  6.  
  7. $ManagedDeviceID = "xxxxxxxxxxxxxxx"
  8.  
  9.  
  10. Function Connect-ToGraph {
  11. <#
  12. .SYNOPSIS
  13. Authenticates to the Graph API via the Microsoft.Graph.Authentication module.
  14.  
  15. .DESCRIPTION
  16. The Connect-ToGraph cmdlet is a wrapper cmdlet that helps authenticate to the Intune Graph API using the Microsoft.Graph.Authentication module. It leverages an Azure AD app ID and app secret for authentication or user-based auth.
  17.  
  18. .PARAMETER Tenant
  19. Specifies the tenant (e.g. contoso.onmicrosoft.com) to which to authenticate.
  20.  
  21. .PARAMETER AppId
  22. Specifies the Azure AD app ID (GUID) for the application that will be used to authenticate.
  23.  
  24. .PARAMETER AppSecret
  25. Specifies the Azure AD app secret corresponding to the app ID that will be used to authenticate.
  26.  
  27. .PARAMETER Scopes
  28. Specifies the user scopes for interactive authentication.
  29.  
  30. .EXAMPLE
  31. Connect-ToGraph -TenantId $tenantID -AppId $app -AppSecret $secret
  32.  
  33. -#>
  34. [cmdletbinding()]
  35. param
  36. (
  37. [Parameter(Mandatory = $false)] [string]$Tenant,
  38. [Parameter(Mandatory = $false)] [string]$AppId,
  39. [Parameter(Mandatory = $false)] [string]$AppSecret,
  40. [Parameter(Mandatory = $false)] [string]$scopes
  41. )
  42.  
  43. Process {
  44. Import-Module Microsoft.Graph.Authentication
  45. $version = (get-module microsoft.graph.authentication | Select-Object -expandproperty Version).major
  46.  
  47. if ($AppId -ne "") {
  48. $body = @{
  49. grant_type = "client_credentials";
  50. client_id = $AppId;
  51. client_secret = $AppSecret;
  52. scope = "https://graph.microsoft.com/.default";
  53. }
  54.  
  55. $response = Invoke-RestMethod -Method Post -Uri https://login.microsoftonline.com/$Tenant/oauth2/v2.0/token -Body $body
  56. $accessToken = $response.access_token
  57.  
  58. $accessToken
  59. if ($version -eq 2) {
  60. write-host "Version 2 module detected"
  61. $accesstokenfinal = ConvertTo-SecureString -String $accessToken -AsPlainText -Force
  62. }
  63. else {
  64. write-host "Version 1 Module Detected"
  65. Select-MgProfile -Name Beta
  66. $accesstokenfinal = $accessToken
  67. }
  68. $graph = Connect-MgGraph -AccessToken $accesstokenfinal
  69. Write-Host "Connected to Intune tenant $TenantId using app-based authentication (Azure AD authentication not supported)"
  70. }
  71. else {
  72. if ($version -eq 2) {
  73. write-host "Version 2 module detected"
  74. }
  75. else {
  76. write-host "Version 1 Module Detected"
  77. Select-MgProfile -Name Beta
  78. }
  79. $graph = Connect-MgGraph -scopes $scopes
  80. Write-Host "Connected to Intune tenant $($graph.TenantId)"
  81. }
  82. }
  83. }
  84.  
  85.  
  86. function getallpagination () {
  87. <#
  88. .SYNOPSIS
  89. This function is used to grab all items from Graph API that are paginated
  90. .DESCRIPTION
  91. The function connects to the Graph API Interface and gets all items from the API that are paginated
  92. .EXAMPLE
  93. getallpagination -url "https://graph.microsoft.com/v1.0/groups"
  94. Returns all items
  95. .NOTES
  96. NAME: getallpagination
  97. #>
  98. [cmdletbinding()]
  99.  
  100. param
  101. (
  102. $url
  103. )
  104. $response = (Invoke-MgGraphRequest -uri $url -Method Get -OutputType PSObject)
  105. $alloutput = $response.value
  106.  
  107. $alloutputNextLink = $response."@odata.nextLink"
  108.  
  109. while ($null -ne $alloutputNextLink) {
  110. $alloutputResponse = (Invoke-MGGraphRequest -Uri $alloutputNextLink -Method Get -outputType PSObject)
  111. $alloutputNextLink = $alloutputResponse."@odata.nextLink"
  112. $alloutput += $alloutputResponse.value
  113. }
  114.  
  115. return $alloutput
  116. }
  117.  
  118.  
  119.  
  120.  
  121.  
  122. Connect-ToGraph -Tenant $tenantId -AppId $clientId -AppSecret $clientSecret
  123.  
  124. #Get managed device and check for primary user --> This works
  125. $URI = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$ManagedDeviceID/users"
  126.  
  127. $devicedetails = getallpagination -url $URI
  128.  
  129. $PrimaryUser = $devicedetails.UserPrincipalName
  130. $PrimaryUserId = $devicedetails.id
  131.  
  132. #Get AAD Id of primary user to assign -> This also works
  133. $URI= "https://graph.microsoft.com/beta/users/$UserPrincipalName"
  134.  
  135. $userdetails = Invoke-MgGraphRequest -Uri $uri -Method GET -OutputType PSObject
  136. $UserID = $userdetails.id
  137.  
  138.  
  139. #Update Primary User on Managed Device -> This failes
  140. #Create required variables
  141. Write-Output "Updating primary user on Intune Device ID $ManagedDeviceID. New Primary User is $UserPrincipalName, ID: $UserID"
  142. $json = @"
  143. {
  144. "@odata.id": "https://graph.microsoft.com/beta/users/$UserID"
  145. }
  146. "@
  147. $URI = "https://graph.microsoft.com/beta/deviceManagement/managedDevices('$ManagedDeviceID')/users/`$ref"
  148.  
  149.  
  150. #Call Invoke-MsGraphCall
  151. $MSGraphCall = Invoke-MgGraphRequest -Uri $URI -Method POST -Body $json -OutputType PSObject -ContentType "application/json"