# Microsoft Graph API Device Management

Microsoft Graph API Device Management provides tools for managing and securing devices via the Microsoft Graph API.

Microsoft Graph API Device Management provides a comprehensive interface for managing Intune devices and retrieving BitLocker recovery keys. This integration allows Swimlane Turbine users to automate device management tasks, such as listing managed devices and retrieving critical recovery keys, enhancing operational efficiency and security posture. By leveraging this connector, users can streamline device management processes and ensure quick access to essential device information, all within the Swimlane Turbine platform.

## Prerequisites

Before you can use the Microsoft Graph API Device Management connector for Turbine, you'll need access to the Microsoft Graph API. This requires one of the following:

- Delegated flow authentication using the following parameters:
  - URL: the endpoint for Microsoft Graph API
  - Tenant ID: the directory tenant identifier
  - Username: the username for authentication
  - Password: the password for authentication
  - Client ID: the application client identifier
  - Client Secret: the application client secret
- OAuth2 refresh token authentication using the following parameters:
  - URL: the endpoint for Microsoft Graph API
  - Client ID: the application client identifier
  - Client Secret: the application client secret
- OAuth2 client credentials authentication using the following parameters:
  - URL: the endpoint for Microsoft Graph API
  - Client ID: the application client identifier
  - Client Secret: the application client secret

## Capabilities

This connector provides the following capabilities:

- List Managed Devices
- List Managed Devices for Detected App
- List Managed Devices for User Detected App
- Get BitLocker Recovery Key

## Limitations

- The Get BitLocker Recovery Key endpoint only supports delegated permissions; the application permission flow is not supported by Microsoft Graph for this resource.
- The `key` property of the recovery key is only returned when the request explicitly selects it via the `$select=key` query parameter; an audit entry is generated each time the key value is read.
- Microsoft Graph paginates large result sets via `@odata.nextLink`; iterate the List Managed Devices action using `$top` and `$skip` (or follow `@odata.nextLink`) to retrieve all devices.

## Asset Setup

Create a new asset of type OAuth 2.0 Delegated Flow Authentication and provide:

- URL – base URL for Microsoft Graph (defaults to https://graph.microsoft.com)
- Login URL – Microsoft identity platform login URL (defaults to https://login.microsoftonline.com)
- Tenant ID – Directory (tenant) ID of the Entra ID tenant
- Username / Password – credentials of the delegated user account that has the required Intune and BitLocker permissions
- Client ID / Client Secret – Application (client) ID and client secret of the registered Entra ID application
- Scopes – defaults to `https://graph.microsoft.com/.default`, which honors the delegated permissions configured on the application registration

If the test connection fails, double-check that admin consent has been granted for the `DeviceManagementManagedDevices.Read.All` and `BitlockerKey.Read.All` delegated permissions and that the user account is licensed for Intune.

## Tasks Setup

- List Managed Devices – calls `GET /deviceManagement/managedDevices`. No path or query parameters are required; do not supply a request body.
- List Managed Devices for Detected App – calls `GET /deviceManagement/detectedApps/{detectedAppId}/managedDevices`. Requires the `detectedAppId` path parameter; do not supply a request body.
- List Managed Devices for User Detected App – calls `GET /deviceManagement/detectedApps/{detectedAppId}/managedDevices/{managedDeviceId}/users/{userId}/managedDevices`. Requires the `detectedAppId`, `managedDeviceId`, and `userId` path parameters; do not supply a request body.
- Get BitLocker Recovery Key – requires the `bitlockerRecoveryKeyId` path parameter and a `User-Agent` header value supplied by the caller (for example, `dsreg/10.0 (Windows 10.0.19043.1466)`). The optional `ocp-client-name` and `ocp-client-version` headers may also be supplied for debugging purposes. Set the `$select` query parameter to `key` to return the actual recovery key value; doing so triggers a Microsoft Entra audit log entry under the KeyManagement category.

## Notes

- Microsoft Graph List managedDevices reference: https://learn.microsoft.com/en-us/graph/api/intune-devices-manageddevice-list?view=graph-rest-1.0
- Microsoft Graph Get bitlockerRecoveryKey reference: https://learn.microsoft.com/en-us/graph/api/bitlockerrecoverykey-get?view=graph-rest-1.0

## Configurations

### Password Grant (Delegated Authentication)

Authenticates on behalf of a user using OAuth 2.0 credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| login_url | | string | optional |
| tenant_id | | string | required |
| oauth_un | The username for authentication | string | required |
| oauth_pwd | The password for authentication | string | required |
| oauth_cl_id | The client ID | string | required |
| oauth_cl_secret | The client secret | string | required |
| scope | Permission scopes for this action | array | optional |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

### OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| token_url | Must start with `https://login.microsoftonline.com/`, followed by the tenant ID and then `/oauth2/v2.0/token` | string | required |
| client_id | The client ID | string | required |
| client_secret | The client secret | string | required |
| scope | List of permission scopes for this action | array | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

### MS Graph OpenID Connect Refresh Token Grant

Authenticates using a refresh token.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| cl_id | The client ID | string | required |
| cl_secret | The client secret | string | required |
| refresh_token | Refresh token | string | optional |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Get BitLocker Recovery Key

Retrieve a BitLocker recovery key using its identifier from Microsoft Graph API Device Management. Requires the `bitlockerRecoveryKeyId` as a path parameter.

Endpoint URL: `v1.0/informationProtection/bitlocker/recoveryKeys/{{bitlockerRecoveryKeyId}}`

Method: `GET`

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.bitlockerRecoveryKeyId | string | required | Unique identifier of the BitLocker recovery key |
| parameters.$select | string | optional | Set to `key` to include the recovery key value |

Input example:

```json
{
  "path_parameters": {"bitlockerRecoveryKeyId": "string"},
  "parameters": {"$select": "string"}
}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code returned by the Graph API call |
| reason | string | HTTP reason phrase associated with the response status |
| headers | object | HTTP response headers returned by the Graph API |
| @odata.context | string | OData metadata reference URL for the response |
| value | object | BitLocker recovery key object returned by Microsoft Graph |
| value.@odata.type | string | OData type identifier for the BitLocker recovery key |
| value.id | string | Unique identifier of the BitLocker recovery key |
| value.createdDateTime | string | Timestamp when the BitLocker recovery key was created |
| value.volumeType | string | Volume type associated with the BitLocker recovery key |
| value.deviceId | string | Identifier of the device associated with the key |
| value.key | string | BitLocker recovery key value, returned when `$select=key` is used |

Output example:

```json
{
  "@odata.context": "string",
  "value": {
    "@odata.type": "string",
    "id": "12345678-1234-1234-1234-123456789abc",
    "createdDateTime": "string",
    "volumeType": "string",
    "deviceId": "string",
    "key": "string"
  }
}
```

### List Managed Devices

List properties and relationships of Intune managed device objects in Microsoft Graph API Device Management.

Endpoint URL: `v1.0/deviceManagement/managedDevices`

Method: `GET`

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code returned by the Graph API call |
| reason | string | HTTP reason phrase associated with the response status |
| headers | object | HTTP response headers returned by the Graph API |
| @odata.context | string | OData metadata reference URL for the response |
| @odata.count | number | Total number of items matching the query |
| @odata.nextLink | string | URL used to retrieve the next page of results |
| value | array | Collection of managed device objects returned by Intune |
| value.@odata.type | string | OData type identifier for the managed device resource |
| value.id | string | Unique identifier of the managed device record |
| value.userId | string | Identifier of the user assigned to the device |
| value.deviceName | string | Display name configured for the managed device |
| value.managedDeviceOwnerType | string | Ownership type of the device, company or personal |
| value.deviceActionResults | array | Results of recent remote actions issued on the device |
| value.deviceActionResults.@odata.type | string | OData type identifier for the device action result |
| value.deviceActionResults.actionName | string | Name of the action issued on the device |
| value.deviceActionResults.actionState | string | Current state of the issued device action |
| value.deviceActionResults.startDateTime | string | Timestamp when the device action was initiated |
| value.deviceActionResults.lastUpdatedDateTime | string | Timestamp when the device action status last changed |
| value.managementState | string | Current management state reported by Intune |
| value.enrolledDateTime | string | Timestamp when the device was enrolled in Intune |
| value.lastSyncDateTime | string | Timestamp of the last successful Intune sync |
| value.operatingSystem | string | Operating system installed on the managed device |
| value.complianceState | string | Compliance status of the device against assigned policies |
| value.jailBroken | string | Indicates whether the device has been jailbroken |
| value.managementAgent | string | Management channel currently controlling the device |

Output example:

```json
{
  "@odata.context": "string",
  "@odata.count": 123,
  "@odata.nextLink": "string",
  "value": [
    {
      "@odata.type": "string",
      "id": "12345678-1234-1234-1234-123456789abc",
      "userId": "string",
      "deviceName": "example name",
      "managedDeviceOwnerType": "string",
      "deviceActionResults": [],
      "managementState": "string",
      "enrolledDateTime": "string",
      "lastSyncDateTime": "string",
      "operatingSystem": "string",
      "complianceState": "string",
      "jailBroken": "string",
      "managementAgent": "string",
      "osVersion": "string",
      "easActivated": true
    }
  ]
}
```

### List Managed Devices for Detected App

List managed devices with a specific detected app installed in Microsoft Graph API Device Management. Requires the `detectedAppId` as a path parameter.

Endpoint URL: `v1.0/deviceManagement/detectedApps/{{detectedAppId}}/managedDevices`

Method: `GET`

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.detectedAppId | string | required | Identifier of the detected application in Intune |

Input example:

```json
{"path_parameters": {"detectedAppId": "string"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code returned by the Graph API call |
| reason | string | HTTP reason phrase associated with the response status |
| headers | object | HTTP response headers returned by the Graph API |
| @odata.context | string | OData metadata reference URL for the response |
| @odata.count | number | Total number of items matching the query |
| @odata.nextLink | string | URL used to retrieve the next page of results |
| value | array | Collection of managed device objects returned by Intune |
| value.@odata.type | string | OData type identifier for the managed device resource |
| value.id | string | Unique identifier of the managed device record |
| value.userId | string | Identifier of the user assigned to the device |
| value.deviceName | string | Display name configured for the managed device |
| value.managedDeviceOwnerType | string | Ownership type of the device, company or personal |
| value.deviceActionResults | array | Results of recent remote actions issued on the device |
| value.deviceActionResults.@odata.type | string | OData type identifier for the device action result |
| value.deviceActionResults.actionName | string | Name of the action issued on the device |
| value.deviceActionResults.actionState | string | Current state of the issued device action |
| value.deviceActionResults.startDateTime | string | Timestamp when the device action was initiated |
| value.deviceActionResults.lastUpdatedDateTime | string | Timestamp when the device action status last changed |
| value.managementState | string | Current management state reported by Intune |
| value.enrolledDateTime | string | Timestamp when the device was enrolled in Intune |
| value.lastSyncDateTime | string | Timestamp of the last successful Intune sync |
| value.operatingSystem | string | Operating system installed on the managed device |
| value.complianceState | string | Compliance status of the device against assigned policies |
| value.jailBroken | string | Indicates whether the device has been jailbroken |
| value.managementAgent | string | Management channel currently controlling the device |

Output example:

```json
{
  "@odata.context": "string",
  "@odata.count": 123,
  "@odata.nextLink": "string",
  "value": [
    {
      "@odata.type": "string",
      "id": "12345678-1234-1234-1234-123456789abc",
      "userId": "string",
      "deviceName": "example name",
      "managedDeviceOwnerType": "string",
      "deviceActionResults": [],
      "managementState": "string",
      "enrolledDateTime": "string",
      "lastSyncDateTime": "string",
      "operatingSystem": "string",
      "complianceState": "string",
      "jailBroken": "string",
      "managementAgent": "string",
      "osVersion": "string",
      "easActivated": true
    }
  ]
}
```

### List Managed Devices for User Detected App

List managed devices for a user related to a detected app in Microsoft Graph API Device Management. Requires the `detectedAppId`, `managedDeviceId`, and `userId` path parameters.

Endpoint URL: `v1.0/deviceManagement/detectedApps/{{detectedAppId}}/managedDevices/{{managedDeviceId}}/users/{{userId}}/managedDevices`

Method: `GET`

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.detectedAppId | string | required | Identifier of the detected application in Intune |
| path_parameters.managedDeviceId | string | required | Identifier of the managed device used as scope |
| path_parameters.userId | string | required | Identifier of the user related to the device |

Input example:

```json
{
  "path_parameters": {
    "detectedAppId": "string",
    "managedDeviceId": "string",
    "userId": "string"
  }
}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code returned by the Graph API call |
| reason | string | HTTP reason phrase associated with the response status |
| headers | object | HTTP response headers returned by the Graph API |
| @odata.context | string | OData metadata reference URL for the response |
| @odata.count | number | Total number of items matching the query |
| @odata.nextLink | string | URL used to retrieve the next page of results |
| value | array | Collection of managed device objects returned by Intune |
| value.@odata.type | string | OData type identifier for the managed device resource |
| value.id | string | Unique identifier of the managed device record |
| value.userId | string | Identifier of the user assigned to the device |
| value.deviceName | string | Display name configured for the managed device |
| value.managedDeviceOwnerType | string | Ownership type of the device, company or personal |
| value.deviceActionResults | array | Results of recent remote actions issued on the device |
| value.deviceActionResults.@odata.type | string | OData type identifier for the device action result |
| value.deviceActionResults.actionName | string | Name of the action issued on the device |
| value.deviceActionResults.actionState | string | Current state of the issued device action |
| value.deviceActionResults.startDateTime | string | Timestamp when the device action was initiated |
| value.deviceActionResults.lastUpdatedDateTime | string | Timestamp when the device action status last changed |
| value.managementState | string | Current management state reported by Intune |
| value.enrolledDateTime | string | Timestamp when the device was enrolled in Intune |
| value.lastSyncDateTime | string | Timestamp of the last successful Intune sync |
| value.operatingSystem | string | Operating system installed on the managed device |
| value.complianceState | string | Compliance status of the device against assigned policies |
| value.jailBroken | string | Indicates whether the device has been jailbroken |
| value.managementAgent | string | Management channel currently controlling the device |

Output example:

```json
{
  "@odata.context": "string",
  "@odata.count": 123,
  "@odata.nextLink": "string",
  "value": [
    {
      "@odata.type": "string",
      "id": "12345678-1234-1234-1234-123456789abc",
      "userId": "string",
      "deviceName": "example name",
      "managedDeviceOwnerType": "string",
      "deviceActionResults": [],
      "managementState": "string",
      "enrolledDateTime": "string",
      "lastSyncDateTime": "string",
      "operatingSystem": "string",
      "complianceState": "string",
      "jailBroken": "string",
      "managementAgent": "string",
      "osVersion": "string",
      "easActivated": true
    }
  ]
}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
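The following Python is an added example, not part of this connector or its documentation. It shows the two behaviours called out under Limitations: paging List Managed Devices by following `@odata.nextLink` until Graph omits it, and building the Get BitLocker Recovery Key request so that `$select=key` (and the KeyManagement audit entry it causes) is only requested when the key value is actually needed. The `get` callable, the in-memory fake transport and its `$skiptoken` continuation URL are assumptions constructed so the code runs offline.

```python
"""Added example: paging managedDevices and building a recovery-key request.
The fake transport below is constructed for this example; it stands in for Graph
so the code runs offline. Real callers pass a function that performs the HTTP GET."""
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"


def list_managed_devices(get, top=100):
    """Collect every page of GET /deviceManagement/managedDevices.
    `get(url)` returns the decoded JSON body; Graph omits @odata.nextLink on the last page."""
    url = f"{GRAPH}/deviceManagement/managedDevices?{urlencode({'$top': top})}"
    devices = []
    while url:
        page = get(url)
        devices.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # None once the final page is reached
    return devices


def recovery_key_request(key_id, user_agent, include_key=False):
    """Describe the GET for one bitlockerRecoveryKey. Graph requires a User-Agent, and
    selecting `key` writes a KeyManagement audit entry, so only ask for it when needed."""
    url = f"{GRAPH}/informationProtection/bitlocker/recoveryKeys/{key_id}"
    if include_key:
        url += "?" + urlencode({"$select": "key"})
    return {"method": "GET", "url": url, "headers": {"User-Agent": user_agent}}


def noncompliant_device_ids(get, top=100):
    """Typical consumer of the pager: ids of devices Intune does not report as compliant."""
    return [d["id"] for d in list_managed_devices(get, top)
            if d.get("complianceState") != "compliant"]


# Constructed two-page Graph response set; the $skiptoken value is made up.
FIRST = f"{GRAPH}/deviceManagement/managedDevices?%24top=2"
SECOND = FIRST + "&%24skiptoken=constructed"
PAGES = {
    FIRST: {"value": [{"id": "dev-1", "complianceState": "compliant"},
                      {"id": "dev-2", "complianceState": "noncompliant"}],
            "@odata.nextLink": SECOND},
    SECOND: {"value": [{"id": "dev-3", "complianceState": "compliant"}]},
}


def fake_get(url):
    """Offline stand-in for an authenticated HTTP GET against Graph."""
    return PAGES[url]
```

Swap `fake_get` for a function that adds the asset's bearer token and performs the real request; the paging loop and request builder are unchanged.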