This post will explain how to generate an Intune Device Compliance report using Graph API. This document aims to provide insights into the process of developing the code to automate Microsoft Intune Device Compliance report through Microsoft Graph API and PowerShell. This method is limited to devices enrolled in Microsoft Intune.
It is noteworthy that all reports that have been transitioned to the Intune reporting infrastructure can be seamlessly exported via a single top-level export API. To achieve this, it is imperative to utilize the Microsoft Graph API when making the HTTP call.
Microsoft Graph is an API that lets you access data, intelligence, and insights from Microsoft 365 and other Microsoft Cloud services through a single endpoint. This includes data from Microsoft 365, Windows, and Enterprise Mobility + Security.
This Microsoft Graph API is designed to perform the same range of Intune operations as those available through the Azure Portal. By using Microsoft Graph, developers can build intelligent applications that leverage the power of Microsoft 365 and other Microsoft services to enhance productivity and collaboration.
Device Compliance Reports in Intune
Device Compliance Reports provide an overview of compliance settings in the policies. They allow you to view a list of all non-compliant devices, analyze device compliance trends, and review individual device noncompliant settings.
The device compliance report can be customized by applying filters and clicking on the Generate Report button. This button updates the data with the latest state and allows for the viewing of individual records that constitute the aggregated data.
This report is particularly useful in a business or academic setting where device compliance is critical. The report can help organizations identify areas that require attention and take corrective action where necessary by providing a complete overview of device compliance states.
The report’s flexibility and ability to integrate with other systems make it an efficient and effective tool for managing device compliance in a variety of settings. The report types are explained in the table below.
Report types | Descriptions |
---|---|
Operational | Provides timely, targeted data that helps you focus and take action. |
Organizational | Provides a broader summary of an overall view. |
Historical | Provides patterns and trends over a period of time. |
Specialist | Allows you to use raw data to create your own custom reports |
Video – Intune Automation to create a Device Compliance Report using Graph API
I have recently created a video explaining how to Generate an Intune Device Compliance Report using Microsoft Graph API and uploaded it to the HTMD YouTube Channel.
Generate Intune Device Compliance Report using Microsoft Graph API
Understanding how to automate actions using Microsoft Graph is crucial when introducing new features to Intune. I will use Graph Explorer, a handy browser-based tool for running Graph calls. It executes one request at a time and does not support batch commands. All API calls in this post are made through Graph Explorer.
NOTE! You may need to log in to Graph Explorer using your credentials if it's your first time.
To export reports in Microsoft Intune, use the Microsoft Graph API endpoint below:
https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs
You must provide a `reportName` parameter as part of the request body, based on the report that you would like to export using Microsoft Graph API. Use `DeviceCompliance` as the `reportName` in this example. Microsoft has documented the possible values for `reportName`. The table below contains the available properties of the `DeviceCompliance` report. The properties you request become the columns of the exported report.
Available Properties |
---|
DeviceId |
IntuneDeviceId |
AadDeviceId |
DeviceName |
DeviceType |
OSDescription |
OSVersion |
OwnerType |
LastContact |
InGracePeriodUntil |
IMEI |
SerialNumber |
ManagementAgents |
PrimaryUser |
UserId |
UPN |
UserEmail |
UserName |
DeviceHealthThreatLevel |
RetireAfterDatetime |
PartnerDeviceId |
ComplianceState |
OS |
You should use the POST HTTP method for your request. The following request includes the HTTP method used to generate an Intune Device Compliance report.
- Sign in to the Graph Explorer, paste the Microsoft Graph API endpoint.
NOTE! The tenant must have an active Intune license to use the Microsoft Graph API for Intune. The Microsoft Graph API controls access to resources via permissions. You must specify the permissions you need to access Intune resources.
https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs
You must supply the request body to execute the task. Use the JSON body below and click on Run query.
```json
{
  "reportName": "DeviceCompliance",
  "format": "csv",
  "localizationType": "LocalizedValuesAsAdditionalColumn",
  "select": [
    "DeviceName",
    "OS",
    "UserName",
    "UPN",
    "ComplianceState",
    "PrimaryUser"
  ]
}
```
As per Microsoft, you can set five main parameters in the request body when making an export request.
- `reportName`: Required. This parameter is the name of the report you want to specify.
- `filter`: This is not required for most reports. Note that the filter parameter is a string.
- `select`: This is not required. Specify which columns from the report you want. Only valid column names relevant to the report you are calling will be accepted.
- `format`: Not required. By default, the data is output in `csv` format. Specify `json` to output the file in JSON format.
- `localizationType`: This parameter controls localization behavior for the report. Possible values are `LocalizedValuesAsAdditionalColumn` and `ReplaceLocalizableValues`.
Once you click the Run Query button, Graph returns a response message. The requested data or the result of the operation is included in the response message.
```json
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/reports/exportJobs/$entity",
  "id": "DeviceCompliance_44e246cd-0a9d-4a91-92a4-7a08c6c4e1e8",
  "reportName": "DeviceCompliance",
  "filter": null,
  "select": [
    "DeviceName",
    "OS",
    "UserName",
    "UPN",
    "ComplianceState",
    "PrimaryUser"
  ],
  "format": "csv",
  "snapshotId": null,
  "localizationType": "localizedValuesAsAdditionalColumn",
  "search": null,
  "status": "notStarted",
  "url": null,
  "requestDateTime": "2024-04-30T08:15:58.9284125Z",
  "expirationDateTime": "0001-01-01T00:00:00Z"
}
```
To retrieve the status of the export, it is recommended to query the job by the value of its `id` field using a GET request.
NOTE! No need to make any changes in the Request Body.
https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs('DeviceCompliance_44e246cd-0a9d-4a91-92a4-7a08c6c4e1e8')
NOTE! The id must be enclosed within single quotes ('id').
Paste the above Microsoft Graph API endpoint and click on Run Query.
You will need to call this Microsoft Graph API endpoint repeatedly until you receive a response containing the `status: completed` attribute, which looks like the example provided:
```json
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/reports/exportJobs/$entity",
  "@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET deviceManagement/reports/exportJobs('<key>')?$select=expirationDateTime,filter",
  "id": "DeviceCompliance_44e246cd-0a9d-4a91-92a4-7a08c6c4e1e8",
  "reportName": "DeviceCompliance",
  "filter": null,
  "select": [
    "DeviceName",
    "OS",
    "UserName",
    "UPN",
    "ComplianceState",
    "PrimaryUser"
  ],
  "format": "csv",
  "snapshotId": null,
  "localizationType": "localizedValuesAsAdditionalColumn",
  "search": null,
  "status": "completed",
  "url": "https://amsuc0201repexpstorage.blob.core.windows.net/389f73fc-ca4e-4406-b620-78f752ed3a9a/DeviceCompliance_44e246cd-0a9d-4a91-92a4-7a08c6c4e1e8.zip?sv=2019-07-07&sr=b&sig=5T3j7uuKXC24AXDoNWturMfG1u1%2FV9vfjrAmjxOaE%2Bw%3D&skoid=c6d6232f-09e2-4da5-975f-c79ae6fa70c2&sktid=975f013f-7f24-47e8-a7d3-abc4752bf346&skt=2024-04-30T08%3A46%3A41Z&ske=2024-04-30T14%3A46%3A29Z&sks=b&skv=2019-07-07&se=2024-04-30T14%3A46%3A29Z&sp=r",
  "requestDateTime": "2024-04-30T08:15:58.9284125Z",
  "expirationDateTime": "2024-04-30T14:46:29.5321789Z"
}
```
You can then directly download the compressed CSV from the `url` field.
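The three steps above (POST the export job, poll it by `id`, download from `url`) combined into one PowerShell function. This is an added example, not code from the original post: it assumes you already hold a Graph access token permitted to read Intune reports, and the function name, its parameters and the `.blob.core.windows.net` host check (inferred from the sample response above) are illustrative choices.

```powershell
# Added example, not from the original post. Assumes $AccessToken is a Microsoft Graph
# bearer token that is allowed to read Intune reports. Function name is hypothetical.
function Export-IntuneDeviceComplianceReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [string]$OutFile = '.\DeviceCompliance.zip',
        [int]$PollSeconds = 10,
        [int]$TimeoutSeconds = 600
    )
    $base    = 'https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs'
    $headers = @{ Authorization = "Bearer $AccessToken" }

    # Step 1: POST the same request body shown in the post.
    $body = @{
        reportName       = 'DeviceCompliance'
        format           = 'csv'
        localizationType = 'LocalizedValuesAsAdditionalColumn'
        select           = @('DeviceName', 'OS', 'UserName', 'UPN', 'ComplianceState', 'PrimaryUser')
    } | ConvertTo-Json
    $job = Invoke-RestMethod -Method Post -Uri $base -Headers $headers `
        -Body $body -ContentType 'application/json'

    # Step 2: GET the job by id (in single quotes) until status is 'completed'.
    # A deadline and the 'failed' status stop the loop from polling forever.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ($job.status -ne 'completed') {
        if ($job.status -eq 'failed') { throw "Export job $($job.id) failed." }
        if ((Get-Date) -gt $deadline) { throw "Export job $($job.id) still '$($job.status)' after $TimeoutSeconds s." }
        Start-Sleep -Seconds $PollSeconds
        $job = Invoke-RestMethod -Method Get -Uri ("{0}('{1}')" -f $base, $job.id) -Headers $headers
    }

    # Step 3: download from the url field. The link is pre-signed (sig=, se=, sp=r in the
    # sample response), so anyone holding it can read the report until it expires:
    # never log it, and do not send the Graph token to the storage host.
    $uri = [uri]$job.url
    # Assumption: reports are served over HTTPS from Azure Blob Storage, as in the sample.
    if ($uri.Scheme -ne 'https' -or $uri.Host -notlike '*.blob.core.windows.net') {
        throw "Unexpected download location: $($uri.Scheme)://$($uri.Host)"
    }
    Invoke-WebRequest -Uri $uri -OutFile $OutFile -UseBasicParsing
    Write-Verbose "Report saved to $OutFile (link expiry: $($job.expirationDateTime))."
    $OutFile
}
```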
I trust that this article will greatly benefit you and your organization. Thank you for your patience in reading this post. I look forward to seeing you in the next post. Keep supporting the HTMD Community.
Author
About the Author – Sujin Nelladath Microsoft Graph MVP has over 10 years of experience in SCCM device management and Automation solutions. He writes and shares his experiences with Microsoft device management technologies, Azure, and PowerShell automation.
Hi Sujin,
Thank you for the article, it is well documented. Can we schedule an Intune compliance report once a week or so?
Please let me know if we can.
Thanks
Mihir Patel