This post will explain how to Restart Intune Devices Remotely using Microsoft Graph API. This document aims to provide insights into the process of developing the code to restart Intune devices through Microsoft Graph API and PowerShell. This method is limited to devices enrolled in Microsoft Intune.
Microsoft Graph is an API (application programming interface) that provides a single endpoint, https://graph.microsoft.com, for accessing data, intelligence, and insights from Microsoft 365 and other Microsoft cloud services, including Windows and Enterprise Mobility + Security.
In view of my enthusiasm towards automation, I have always found it intriguing to explore the Microsoft Graph API and PowerShell. The Graph API for Intune offers a programmatic means of accessing Intune-related information for your tenant. This Microsoft Graph API is designed to perform the same range of Intune operations as those available through the Azure Portal.
By using Microsoft Graph, developers can build intelligent applications that leverage the power of Microsoft 365 and other Microsoft services to enhance productivity and collaboration.
Permissions Required to Call rebootNow Action
The tenant must have an active Intune license to use the Microsoft Graph API for Intune. Before an app can access data in Microsoft Graph, it must be granted the necessary permissions by the user or administrator. To read information about all Microsoft Graph permissions programmatically, sign in to an API client such as Graph Explorer using an account with at least the Application.Read.All permission.
The table below lists the permission types and permissions that you must have before running the API; thanks to Microsoft for the table. If you don't have enough permission, Graph Explorer may return a 403 Forbidden error. If you encounter this error, you can request the permission from the Modify Permissions dialogue box.
Permission type | Permissions (from least to most privileged) |
---|---|
Delegated (work or school account) | DeviceManagementManagedDevices.PrivilegedOperations.All |
Delegated (personal Microsoft account) | Not supported. |
Application | DeviceManagementManagedDevices.PrivilegedOperations.All |
Microsoft recommends requesting the least privileged permissions your app needs to access data and function correctly. Requesting permissions with more than the necessary privileges is poor security practice, which may cause users to refrain from consenting and affect your app’s usage.
Restart Intune Devices Remotely using Microsoft Graph API
Understanding how to automate actions using Microsoft Graph is crucial when introducing new features to Intune. I will use Graph Explorer, a handy browser-based tool for running your Graph calls. It executes one request at a time and does not support batched commands. All API calls in this section are made through Graph Explorer.
NOTE! You may need to log in to Graph Explorer using your credentials if it's your first time.
To reboot your device, you will need its managedDeviceId. There are multiple methods for getting the Request URL and managedDeviceId to call the rebootNow Action.
- Sign in to the Microsoft Intune Admin portal.
- Go to Devices > All devices
- Select the Device that you would like to reboot.
- Press F12 to open developer mode
- Select the Network tab
- Click on Run
- Click on the Stop Recording button
- You will be able to find two resources called Manageddevices
NOTE! You can select any resource that lists managedDeviceId.
You will be able to see the Requested URL resource when you click on Manageddevices. Note down the managedDeviceId from the Requested URL.
To obtain the managedDeviceId, the following steps can also be followed. Adhering to the outlined process is recommended for optimal results.
- Sign in to the Graph Explorer with your credentials.
- Click on Run query after typing the Request URL below. You should use the GET API request method
https://graph.microsoft.com/beta/deviceManagement/manageddevices/?select=id,deviceName
- The Response Preview Panel will display the IDs of all device names. From there, select the managedDeviceId that you want to reboot.
Well, we are ready to start now. Please note that you may utilize the HTTP Request URL we provide below to execute a device reboot. You should use the POST API request method. I will use the first URL as an example. Replace managedDeviceId with your own ID.
POST /deviceManagement/managedDevices/{managedDeviceId}/rebootNow
POST /deviceManagement/detectedApps/{detectedAppId}/managedDevices/{managedDeviceId}/rebootNow
POST /deviceManagement/detectedApps/{detectedAppId}/managedDevices/{managedDeviceId}/users/{userId}/managedDevices/{managedDeviceId}/rebootNow
Sign in to the Graph Explorer, paste the below query and Click on Run query.
https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/315760c1-cf19-4ca4-8355-5c64b4d6fcd7/rebootNow
NOTE! Do not supply a request body for this method.
Upon successful completion of the action, a 204 No Content response code will be returned.
End User Experience After Calling rebootNow Action
The Microsoft Graph API has triggered a reboot on the end-user device. We'll monitor the user experience after running the query on Graph Explorer.
Initially, the user will get a notification stating "You're about to be signed out". The pop-up window can be closed by clicking the Close button.
Later, the user will get another notification stating "Windows will shut down in 2 minutes". This window can be closed by clicking the Close button. The user has two minutes to save their work and prepare for the reboot triggered by the administrator.
Trigger Reboot using Microsoft Graph via PowerShell
What if you prefer to use PowerShell code to accomplish all the above-mentioned tasks? Let's learn how to trigger the reboot using Microsoft Graph via PowerShell.
NOTE! Use the Connect-MgGraph command to sign in with the required scopes. You'll need to sign in with an admin account to consent to the required scopes.
I have a PowerShell script to address this issue. The script has been designed to resolve the problem at hand and print the output effectively. You must have enough access to execute the below script.
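```powershell
# Request only the scope that rebootNow requires (see the permissions table above).
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.PrivilegedOperations.All"
# Load the module that provides the managed-device action cmdlets.
Import-Module Microsoft.Graph.DeviceManagement.Actions
# Set this to the managedDeviceId of the device you want to restart.
$managedDeviceId = ""
Restart-MgDeviceManagementManagedDeviceNow -ManagedDeviceId $managedDeviceId
```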
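A scripted version of the lookup-then-reboot procedure described above, as an added example that is not part of the original post: it resolves the managedDeviceId from a device name, refuses to act when the name matches zero or several devices, asks for confirmation, and checks for the 204 response. The function name, the sample device name, and the DeviceManagementManagedDevices.Read.All scope used for the lookup are assumptions not taken from the page.

```powershell
# Added example. Restart-IntuneDeviceByName and 'LAB-PC-01' are hypothetical names.
$needed = 'DeviceManagementManagedDevices.Read.All',                  # lookup (assumed scope)
          'DeviceManagementManagedDevices.PrivilegedOperations.All'   # rebootNow
Connect-MgGraph -Scopes $needed

function Restart-IntuneDeviceByName {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$DeviceName
    )
    $base = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'

    # Flag scopes the session holds beyond what this task needs (least privilege).
    $baseline = $script:needed + 'openid', 'profile', 'email', 'offline_access'
    $extra = (Get-MgContext).Scopes | Where-Object { $_ -notin $baseline }
    if ($extra) { Write-Warning "Session also carries: $($extra -join ', ')" }

    # Resolve the name to an ID; single quotes are doubled for the OData filter.
    $escaped = $DeviceName -replace "'", "''"
    $filter  = [uri]::EscapeDataString("deviceName eq '$escaped'")
    $uri     = '{0}?$filter={1}&$select=id,deviceName' -f $base, $filter
    $found   = Invoke-MgGraphRequest -Method GET -Uri $uri
    $devices = @($found.value | Where-Object { $_ })

    # Device names are not unique in Intune, so never guess which one was meant.
    if ($devices.Count -ne 1) {
        throw "Expected one device named '$DeviceName', found $($devices.Count); not rebooting."
    }
    $id = [guid]$devices[0].id   # fails fast if the ID is not a GUID

    if ($PSCmdlet.ShouldProcess("$DeviceName ($id)", 'rebootNow')) {
        # rebootNow takes no request body; success is 204 No Content.
        Invoke-MgGraphRequest -Method POST -Uri "$base/$id/rebootNow" `
            -StatusCodeVariable status | Out-Null
        if ($status -ne 204) { throw "rebootNow returned HTTP $status, expected 204." }
        [pscustomobject]@{
            DeviceName      = $DeviceName
            ManagedDeviceId = $id
            StatusCode      = $status
            RequestedAtUtc  = (Get-Date).ToUniversalTime()
        }
    }
}

# Dry run first; remove -WhatIf to send the reboot.
Restart-IntuneDeviceByName -DeviceName 'LAB-PC-01' -WhatIf
```

The returned object gives you a record of which device ID was rebooted and when, which is useful to log alongside the Intune audit trail.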
I trust that this article will greatly benefit you and your organization. Thank you for your patience in reading this post. I look forward to seeing you in the next post. Keep supporting the HTMD Community.
Author
About the Author – Sujin Nelladath has over 10 years of experience in SCCM device management and Automation solutions. He writes and shares his experiences with Microsoft device management technologies, Azure, and PowerShell automation.