Automate Microsoft Intune Device Compliance Report using Graph API

This post will explain how to generate an Intune Device Compliance report using Graph API. This document aims to provide insights into the process of developing the code to automate Microsoft Intune Device Compliance report through Microsoft Graph API and PowerShell. This method is limited to devices enrolled in Microsoft Intune.

It is noteworthy that all reports that have been transitioned to the Intune reporting infrastructure can be seamlessly exported via a single top-level export API. To achieve this, it is imperative to utilize the Microsoft Graph API when making the HTTP call.

Microsoft Graph is an API that lets you access data, intelligence, and insights from Microsoft 365 and other Microsoft Cloud services through a single endpoint. This includes data from Microsoft 365, Windows, and Enterprise Mobility + Security.

This Microsoft Graph API is designed to perform the same range of Intune operations as those available through the Azure Portal. By using Microsoft Graph, developers can build intelligent applications that leverage the power of Microsoft 365 and other Microsoft services to enhance productivity and collaboration.

Patch My PC

Device Compliance Reports in Intune

Device Compliance Reports provide an overview of compliance settings in the policies. They allow you to view a list of all non-compliant devices, analyze device compliance trends, and review individual device noncompliant settings.

Automate Microsoft Intune Device Compliance Report using Graph API 1
Automate Microsoft Intune Device Compliance report using Graph API. Fig.1

The device compliance report can be customized by applying filters and clicking on the Generate Report button. This button updates the data with the latest state and allows for the viewing of individual records that constitute the aggregated data.

This report is particularly useful in a business or academic setting where device compliance is critical. The report can help organizations identify areas that require attention and take corrective action where necessary by providing a complete overview of device compliance states.

The report’s flexibility and ability to integrate with other systems make it an efficient and effective tool for managing device compliance in a variety of settings. The report types are explained in the table below.

Adaptiva
Report typesDescriptions
Operational Provides timely, targeted data that helps you focus and take action.
Organizational Provides a broader summary of an overall view.
Historical Provides patterns and trends over a period of time.
Specialist Allows you to use raw data to create your own custom reports
Automate Microsoft Intune Device Compliance report using Graph API. Table.1

Generate Intune Device Compliance Report using Microsoft Graph API

Understanding how to automate actions using Microsoft Graph is crucial when introducing new features to Intune. I will use Graph Explorer, a handy browser-based tool for running your Graph calls. However, it does not support commands in batch and is a single-line command executor. API calls will be made by utilizing the Graph Explorer. When you go to Graph Explorer, you will get a webpage like the one below.

NOTE! You may need to log in to Graph Explorer using your credentials if it's your first time. 
Automate Microsoft Intune Device Compliance Report using Graph API 2
Automate Microsoft Intune Device Compliance report using Graph API. Fig.2

To export reports in Microsoft Intune, you can use the Microsoft Graph API endpoint provided below

https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs

You must provide a reportName parameter as part of the request body based on the report that you would like to export using Microsoft Graph API. Use DeviceCompliance as reportName in this example. Microsoft has documented the possible values for the reportName. The table below contains the available properties of DeviceCompliance report. These property values will have the output of your relevant columns.

Available Properties
DeviceId
IntuneDeviceId
AadDeviceId
DeviceName
DeviceType
OSDescription
OSVersion
OwnerType
LastContact
InGracePeriodUntil
IMEI
SerialNumber
ManagementAgents
PrimaryUser
UserId
UPN
UserEmail
UserName
DeviceHealthThreatLevel
RetireAfterDatetime
PartnerDeviceId
ComplianceState
OS
Automate Microsoft Intune Device Compliance report using Graph API. Table.2

You should use the POST HTTP method for your request. The following request includes the HTTP method used to generate an Intune Device Compliance report.

  • Sign in to the Graph Explorer, paste the Microsoft Graph API endpoint.
NOTE! The tenant must have an active Intune license to use the Microsoft Graph API for Intune. The Microsoft Graph API controls access to resources via permissions. You must specify the permissions you need to access Intune resources. 

https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs

You must supply the request body to execute the task. Use the JSON body below and Click on Run query.

{
    "reportName": "DeviceCompliance",
    "format": "csv",
    "localizationType": "LocalizedValuesAsAdditionalColumn",
    "select": [
        "DeviceName",
        "OS",
        "UserName",
        "UPN",
        "ComplianceState",
        "PrimaryUser"
    ]
}

As per Microsoft, you can set five main parameters in the request body when making an export request.

  • reportName: Required. This parameter is the name of the report you want to specify.
  • filter: This is not required for most reports. Note that the filter parameter is a string.
  • select: This is not required. Specify which columns from the report you want. Only valid column names relevant to the report you are calling will be accepted.
  • format: Not required. By default, the data is output in csv format. Specify json to output the file in JSON format.
  • localizationType: This parameter controls localization behavior for the report. Possible values are LocalizedValuesAsAdditionalColumn and ReplaceLocalizableValues.
Automate Microsoft Intune Device Compliance Report using Graph API 3
Automate Microsoft Intune Device Compliance report using Graph API. Fig.3

Well, Once you click on the Run Query button the Graph returns a response message. The requested data or the result of the operation is included in the response message.

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/reports/exportJobs/$entity",
    "id": "DeviceCompliance_44e246cd-0a9d-4a91-92a4-7a08c6c4e1e8",
    "reportName": "DeviceCompliance",
    "filter": null,
    "select": [
        "DeviceName",
        "OS",
        "UserName",
        "UPN",
        "ComplianceState",
        "PrimaryUser"
    ],
    "format": "csv",
    "snapshotId": null,
    "localizationType": "localizedValuesAsAdditionalColumn",
    "search": null,
    "status": "notStarted",
    "url": null,
    "requestDateTime": "2024-04-30T08:15:58.9284125Z",
    "expirationDateTime": "0001-01-01T00:00:00Z"
}
Automate Microsoft Intune Device Compliance Report using Graph API 4
Automate Microsoft Intune Device Compliance report using Graph API. Fig.4

To retrieve the status of the export, it is recommended to query the id field using a GET request.

NOTE! No need to make any changes in Request Body

https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs(‘DeviceCompliance_44e246cd-0a9d-4a91-92a4-7a08c6c4e1e8’)

NOTE! The id must be enclosed within single quetues ('id')

Paste the above Microsoft Graph API endpoint and Click on the Run Query

Automate Microsoft Intune Device Compliance Report using Graph API 5
Automate Microsoft Intune Device Compliance report using Graph API. Fig.5

You will need to call this Microsoft Graph API endpoint repeatedly until you receive a response containing the status: completed attribute that looks like the example provided:

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/reports/exportJobs/$entity",
    "@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET deviceManagement/reports/exportJobs('<key>')?$select=expirationDateTime,filter",
    "id": "DeviceCompliance_44e246cd-0a9d-4a91-92a4-7a08c6c4e1e8",
    "reportName": "DeviceCompliance",
    "filter": null,
    "select": [
        "DeviceName",
        "OS",
        "UserName",
        "UPN",
        "ComplianceState",
        "PrimaryUser"
    ],
    "format": "csv",
    "snapshotId": null,
    "localizationType": "localizedValuesAsAdditionalColumn",
    "search": null,
    "status": "completed",
    "url": "https://amsuc0201repexpstorage.blob.core.windows.net/389f73fc-ca4e-4406-b620-78f752ed3a9a/DeviceCompliance_44e246cd-0a9d-4a91-92a4-7a08c6c4e1e8.zip?sv=2019-07-07&sr=b&sig=5T3j7uuKXC24AXDoNWturMfG1u1%2FV9vfjrAmjxOaE%2Bw%3D&skoid=c6d6232f-09e2-4da5-975f-c79ae6fa70c2&sktid=975f013f-7f24-47e8-a7d3-abc4752bf346&skt=2024-04-30T08%3A46%3A41Z&ske=2024-04-30T14%3A46%3A29Z&sks=b&skv=2019-07-07&se=2024-04-30T14%3A46%3A29Z&sp=r",
    "requestDateTime": "2024-04-30T08:15:58.9284125Z",
    "expirationDateTime": "2024-04-30T14:46:29.5321789Z"
}
Automate Microsoft Intune Device Compliance Report using Graph API 6
Automate Microsoft Intune Device Compliance report using Graph API. Fig.6

You can then directly download the compressed CSV from the url field.

Automate Microsoft Intune Device Compliance Report using Graph API 7
Automate Microsoft Intune Device Compliance report using Graph API. Fig.7

I trust that this article will greatly benefit you and your organization. Thank you for your patience in reading this post. I look forward to seeing you in the next post. Keep supporting the HTMD Community.

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

About the Author – Sujin Nelladath has over 10 years of experience in SCCM device management and Automation solutions. He writes and shares his experiences with Microsoft device management technologies, Azure, and PowerShell automation.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.