Intune Graph API – Complete Management

Show SKILL.md content (~7.8k tokens)
---
name: Intune Graph API – Complete Management
description: "A comprehensive skill enabling OpenClaw agents to fully manage Microsoft Intune via the Graph API. Covers devices, apps, policies, compliance, users, groups, reporting, Autopilot, scripts, and remote actions."
version: "1.0.1"
author: "Mattia Cirillo"
homepage: "https://kaffeeundcode.com"
requires:
  env:
    - INTUNE_TENANT_ID
    - INTUNE_CLIENT_ID
    - INTUNE_CLIENT_SECRET
---

# Microsoft Intune – Complete Management Skill

This skill gives the agent **full control over Microsoft Intune** via the Microsoft Graph API. It covers device management, application deployment, compliance & configuration policies, user & group management, Autopilot, PowerShell scripts, reporting, and all remote device actions.

---

## 🔑 Authentication

Before ANY Intune operation, the agent MUST obtain an OAuth 2.0 access token.

The following environment variables must be configured:
- `INTUNE_TENANT_ID` – Microsoft 365 Tenant ID
- `INTUNE_CLIENT_ID` – Entra ID App Registration Client ID
- `INTUNE_CLIENT_SECRET` – Entra ID App Registration Secret

### Token Request
**POST** `https://login.microsoftonline.com/{INTUNE_TENANT_ID}/oauth2/v2.0/token`

**Body (x-www-form-urlencoded):**
```
client_id={INTUNE_CLIENT_ID}
&scope=https://graph.microsoft.com/.default
&client_secret={INTUNE_CLIENT_SECRET}
&grant_type=client_credentials
```

Extract `access_token` from the JSON response. Use it as:
```
Authorization: Bearer <access_token>
```

### Required API Permissions (App Registration)
The Entra ID App Registration needs the following Microsoft Graph **Application** permissions:
- `DeviceManagementManagedDevices.ReadWrite.All`
- `DeviceManagementConfiguration.ReadWrite.All`
- `DeviceManagementApps.ReadWrite.All`
- `DeviceManagementServiceConfig.ReadWrite.All`
- `DeviceManagementRBAC.ReadWrite.All`
- `Directory.Read.All`
- `User.Read.All`
- `Group.ReadWrite.All`
- `GroupMember.ReadWrite.All`

---

## 🛡️ Safety Rules (CRITICAL)

1. **Read operations (GET):** Always safe. Execute without confirmation.
2. **Sync/Restart operations:** Ask for confirmation: *"Soll ich Gerät X wirklich syncen/neustarten?"*
3. **Destructive operations (Wipe, Retire, Delete):** ALWAYS require explicit confirmation. Say: *"⚠️ Achtung: Das löscht alle Daten auf dem Gerät. Bist du sicher?"*
4. **Policy creation/modification:** Confirm before applying: *"Soll ich diese Policy wirklich erstellen/ändern?"*
5. **Never dump raw JSON** to the user. Always format output as readable Markdown tables or summaries.
6. **Error handling:** If an API call returns an error, explain the error in simple German and suggest a fix.

---

## 📱 1. Device Management

### 1.1 List All Managed Devices
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices`

Use `$select` to limit fields: `?$select=deviceName,operatingSystem,complianceState,lastSyncDateTime,userPrincipalName`

Present results as a table: | Gerätename | OS | Compliance | Letzter Sync | Benutzer |

### 1.2 Search for a Specific Device
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=deviceName eq '{deviceName}'`

Alternative search by user: `?$filter=userPrincipalName eq '{user@domain.com}'`

### 1.3 Get Device Details
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}`

Show: Device name, Serial number, OS version, Compliance state, Encryption status, Last sync, Enrolled date, Primary user.

### 1.4 Remote Actions on a Device

#### Sync Device
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/syncDevice`

#### Reboot Device
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/rebootNow`

#### Lock Device (Remote Lock)
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/remoteLock`

#### Reset Passcode
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/resetPasscode`

#### Locate Device (Lost Mode – iOS/Android)
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/locateDevice`

#### Retire Device (Remove Company Data Only)
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/retire`
⚠️ SAFETY: Requires explicit user confirmation!

#### Wipe Device (Factory Reset)
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/wipe`
⚠️ SAFETY: ALWAYS ask twice! This deletes ALL data!

#### Delete Device from Intune
**DELETE** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}`
⚠️ SAFETY: Requires explicit user confirmation!

#### Rename Device
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/setDeviceName`
Body: `{"deviceName": "NEW-NAME"}`

#### Enable/Disable Lost Mode (iOS supervised)
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/enableLostMode`
Body: `{"message": "Dieses Gerät wurde als verloren gemeldet.", "phoneNumber": "+49...", "footer": "Kaffee & Code IT"}`

**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/disableLostMode`

---

## 📋 2. Compliance Policies

### 2.1 List All Compliance Policies
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies`

Present as: | Policy Name | Platform | Created | Last Modified |

### 2.2 Get Compliance Policy Details
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}`

### 2.3 Get Compliance Policy Assignments
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}/assignments`

### 2.4 Get Device Compliance Status per Policy
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}/deviceStatuses`

### 2.5 Create a Compliance Policy
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies`
⚠️ SAFETY: Confirm before creating.

### 2.6 Delete a Compliance Policy
**DELETE** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}`
⚠️ SAFETY: Requires explicit user confirmation!

---

## ⚙️ 3. Configuration Policies & Profiles

### 3.1 List Configuration Policies (Recommended API)
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies`

This is the modern, recommended endpoint covering Endpoint Security, Administrative Templates, and Settings Catalog.

### 3.2 List Legacy Device Configuration Profiles
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations`

### 3.3 Get Configuration Policy Details
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}`

### 3.4 Get Policy Settings
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}/settings`

### 3.5 Get Policy Assignments
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}/assignments`

### 3.6 Get Device Status per Config Profile
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{configId}/deviceStatuses`

### 3.7 Create Configuration Policy
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies`
⚠️ SAFETY: Confirm before creating.

### 3.8 Delete Configuration Policy
**DELETE** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}`
⚠️ SAFETY: Requires explicit user confirmation!

---

## 📦 4. App Management

### 4.1 List All Apps
**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps`

Present as: | App Name | Type | Publisher | Created |

### 4.2 Get App Details
**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/{appId}`

### 4.3 Get App Assignments (Who gets the app?)
**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/{appId}/assignments`

### 4.4 List App Configuration Policies
**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppPolicies`

### 4.5 List App Protection Policies (MAM)
**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppRegistrations`

### 4.6 Assign App to a Group
**POST** `https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/{appId}/assignments`
⚠️ SAFETY: Confirm before assigning.

### 4.7 List Detected Apps on Devices
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/detectedApps`

### 4.8 Get Devices with a Specific Detected App
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/detectedApps/{detectedAppId}/managedDevices`

---

## 🔒 5. Endpoint Security

### 5.1 List Security Baselines
**GET** `https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'baseline'`

### 5.2 List Disk Encryption Policies (BitLocker/FileVault)
**GET** `https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'endpointSecurityDiskEncryption'`

### 5.3 List Firewall Policies
**GET** `https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'endpointSecurityFirewall'`

### 5.4 List Antivirus Policies (Defender)
**GET** `https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'endpointSecurityAntivirus'`

### 5.5 List Attack Surface Reduction Rules
**GET** `https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'endpointSecurityAttackSurfaceReduction'`

---

## 🚀 6. Windows Autopilot

### 6.1 List Autopilot Devices
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities`

Present as: | Serial Number | Model | Group Tag | Enrollment State | Last Seen |

### 6.2 Get Autopilot Device Details
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities/{id}`

### 6.3 List Autopilot Deployment Profiles
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeploymentProfiles`

### 6.4 Assign Autopilot Profile
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities/{id}/assignUserToDevice`
Body: `{"userPrincipalName": "user@domain.com"}`

### 6.5 Delete Autopilot Device
**DELETE** `https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities/{id}`
⚠️ SAFETY: Requires explicit user confirmation!

---

## 📜 7. PowerShell Scripts & Remediation

### 7.1 List Device Management Scripts
**GET** `https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts`

### 7.2 Get Script Details
**GET** `https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/{scriptId}`

### 7.3 Get Script Execution Status per Device
**GET** `https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/{scriptId}/deviceRunStates`

### 7.4 Create/Upload a PowerShell Script
**POST** `https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts`
Body must include `scriptContent` as Base64-encoded string.
⚠️ SAFETY: Confirm before uploading. Show the script content to the user first.

### 7.5 List Proactive Remediations (Health Scripts)
**GET** `https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts`

### 7.6 Get Remediation Script Execution Results
**GET** `https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts/{scriptId}/deviceRunStates`

---

## 👥 8. Users & Groups

### 8.1 List Users
**GET** `https://graph.microsoft.com/v1.0/users?$select=displayName,userPrincipalName,accountEnabled,jobTitle`

### 8.2 Search User
**GET** `https://graph.microsoft.com/v1.0/users?$filter=startsWith(displayName,'{name}')`

### 8.3 Get User Details
**GET** `https://graph.microsoft.com/v1.0/users/{userId}`

### 8.4 List Groups
**GET** `https://graph.microsoft.com/v1.0/groups?$select=displayName,description,groupTypes,membershipRule`

### 8.5 Get Group Members
**GET** `https://graph.microsoft.com/v1.0/groups/{groupId}/members`

### 8.6 Add User to Group
**POST** `https://graph.microsoft.com/v1.0/groups/{groupId}/members/$ref`
Body: `{"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{userId}"}`
⚠️ SAFETY: Confirm before adding.

### 8.7 Remove User from Group
**DELETE** `https://graph.microsoft.com/v1.0/groups/{groupId}/members/{userId}/$ref`
⚠️ SAFETY: Confirm before removing.

### 8.8 List Devices for a User
**GET** `https://graph.microsoft.com/v1.0/users/{userId}/managedDevices`

---

## 📊 9. Reporting & Dashboards

### 9.1 Device Compliance Summary
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=complianceState`
Agent should calculate: X compliant, Y non-compliant, Z in-grace-period, and present as summary + table.

### 9.2 OS Distribution Summary
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=operatingSystem`
Agent should group by OS and present: "42 Windows, 15 iOS, 8 Android, 3 macOS"

### 9.3 Stale Devices (Not synced recently)
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=lastSyncDateTime lt {30_days_ago}&$select=deviceName,lastSyncDateTime,userPrincipalName`
Agent should calculate the date for 30 days ago automatically.

### 9.4 Non-Compliant Devices Report
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=complianceState eq 'noncompliant'&$select=deviceName,complianceState,userPrincipalName,operatingSystem`

### 9.5 Export Report Job
**POST** `https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs`
Body: `{"reportName": "Devices", "filter": "", "select": ["DeviceName","OS","ComplianceState"]}`

---

## 🏷️ 10. Device Categories & Enrollment

### 10.1 List Device Categories
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCategories`

### 10.2 Create Device Category
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCategories`
Body: `{"displayName": "Kategoriename", "description": "Beschreibung"}`

### 10.3 Set Device Category on a Device
**PUT** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{deviceId}/deviceCategory/$ref`

### 10.4 List Enrollment Restrictions
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations`

---

## 🔄 11. RBAC (Role-Based Access Control)

### 11.1 List Intune Roles
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions`

### 11.2 List Role Assignments
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/roleAssignments`

### 11.3 Get Role Details
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions/{roleId}`

---

## 💡 Agent Response Guidelines

When the user asks a question, follow this logic:
1. **"Zeig mir alle Geräte"** → Use 1.1, format as table.
2. **"Ist Gerät X compliant?"** → Use 1.2 to find it, then check `complianceState`.
3. **"Sync Laptop von Max"** → Use 1.2 to find `managedDeviceId`, then use 1.4 Sync.
4. **"Wie viele Geräte hab ich?"** → Use 9.2, give OS distribution + total count.
5. **"Welche Geräte haben sich lange nicht gemeldet?"** → Use 9.3.
6. **"Erstell mir eine Compliance Policy für Windows"** → Use 2.5, ask for requirements first.
7. **"Welche Apps sind deployed?"** → Use 4.1.
8. **"Füg User Max zur Gruppe IT-Geräte hinzu"** → Use 8.2 to find user, 8.4 to find group, then 8.6.
9. **"Zeig mir den Status vom PowerShell Script XY"** → Use 7.3.
10. **"Gib mir einen Compliance Report"** → Use 9.1 + 9.4.
11. **"Zeig mir die Conditional Access Policies"** → Use 12.1.
12. **"Welche WLAN-Profile sind deployed?"** → Use 13.1.
13. **"Wie sind meine Windows Update Ringe konfiguriert?"** → Use 14.1.
14. **"Wer hat letzte Woche was in Intune geändert?"** → Use 17.1.
15. **"Kann Intune die Einstellung XY konfigurieren?"** → Use 18.1 Settings Catalog search.
16. **"Zeig mir alle Autopilot-Geräte ohne zugewiesenes Profil"** → Use 6.1 + filter.

---

## 🛡️ 12. Conditional Access (Bedingter Zugriff)

### 12.1 List Conditional Access Policies
**GET** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`

Present as: | Policy Name | State (enabled/disabled/report) | Conditions | Grant Controls |

### 12.2 Get Conditional Access Policy Details
**GET** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{policyId}`

### 12.3 Create Conditional Access Policy
**POST** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`
⚠️ SAFETY: Always confirm before creating. Show the user a summary of what the policy will do first.
💡 TIP: Recommend creating in "reportOnly" state first for testing.

### 12.4 Update Conditional Access Policy
**PATCH** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{policyId}`
⚠️ SAFETY: Confirm before modifying. Explain what will change.

### 12.5 Delete Conditional Access Policy
**DELETE** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{policyId}`
⚠️ SAFETY: Requires explicit user confirmation!

### 12.6 List Named Locations (Trusted IPs / Countries)
**GET** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations`

### 12.7 Create Named Location
**POST** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations`
Example IP-based:
```json
{
  "@odata.type": "#microsoft.graph.ipNamedLocation",
  "displayName": "Büro-Netzwerk",
  "isTrusted": true,
  "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "192.168.1.0/24"}]
}
```

### 12.8 List Authentication Strengths
**GET** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationStrength/policies`

---

## 📶 13. WLAN, VPN & Zertifikate

### 13.1 List WLAN Profiles
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations?$filter=isof('microsoft.graph.windowsWifiConfiguration') or isof('microsoft.graph.iosWiFiConfiguration') or isof('microsoft.graph.androidWorkProfileWiFiConfiguration')`

Alternative (all configs, then filter by odata.type for Wi-Fi):
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations`
Agent should filter results where `@odata.type` contains `WiFi` or `wifi`.

### 13.2 List VPN Profiles
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations`
Agent should filter results where `@odata.type` contains `Vpn` or `vpn`.

### 13.3 Get WLAN/VPN Profile Details
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{configId}`

### 13.4 Get WLAN/VPN Profile Assignment
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{configId}/assignments`

### 13.5 List SCEP Certificate Profiles
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations`
Agent should filter results where `@odata.type` contains `Scep` or `Certificate`.

### 13.6 List PKCS Certificate Profiles
Same endpoint, filter for `Pkcs` in `@odata.type`.

### 13.7 List Trusted Root Certificate Profiles
Same endpoint, filter for `TrustedRootCertificate` in `@odata.type`.

---

## 🔄 14. Windows Update Management

### 14.1 List Windows Update Rings
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations?$filter=isof('microsoft.graph.windowsUpdateForBusinessConfiguration')`

Present as: | Ring Name | Deferral (Days) | Quality Updates | Feature Updates | Assigned To |

### 14.2 Get Update Ring Details
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{ringId}`

### 14.3 List Feature Update Profiles
**GET** `https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles`

### 14.4 Get Feature Update Profile Details
**GET** `https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles/{profileId}`

### 14.5 Get Feature Update Deployment State per Device
**GET** `https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles/{profileId}/deviceUpdateStates`

### 14.6 List Driver Update Profiles
**GET** `https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles`

### 14.7 Get Driver Update Profile Details
**GET** `https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles/{profileId}`

### 14.8 List Quality Update Profiles (Expedited Updates)
**GET** `https://graph.microsoft.com/beta/deviceManagement/windowsQualityUpdateProfiles`

### 14.9 Pause/Resume an Update Ring
**POST** `https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{ringId}/windowsUpdateForBusinessConfiguration/pause`
**POST** `https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{ringId}/windowsUpdateForBusinessConfiguration/resume`
⚠️ SAFETY: Confirm before pausing/resuming.

---

## 🍎 15. Apple Device Management

### 15.1 List Apple DEP/ADE Enrollment Profiles
**GET** `https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings`

### 15.2 List Apple DEP Tokens
**GET** `https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings/{depId}/enrollmentProfiles`

### 15.3 List Apple Push Notification Certificate Info
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate`

Shows: Expiration date, Subject, Certificate serial number.
💡 Agent should proactively warn if certificate expires within 30 days!

### 15.4 List VPP Tokens (Volume Purchase Program)
**GET** `https://graph.microsoft.com/beta/deviceManagement/vppTokens`

### 15.5 List iOS/macOS Managed App Configurations
**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppPolicies`
Filter for iOS/macOS types.

### 15.6 Activation Lock Bypass (iOS Supervised)
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/bypassActivationLock`
⚠️ SAFETY: Requires explicit user confirmation!

---

## 🤖 16. Android Enterprise Management

### 16.1 List Android Managed Store Apps
**GET** `https://graph.microsoft.com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings`

### 16.2 List Android Enrollment Profiles
**GET** `https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles`

### 16.3 Get Android Enterprise Binding Status
**GET** `https://graph.microsoft.com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings`

Shows if Android Enterprise (Work Profile / Fully Managed / Dedicated) is connected.

### 16.4 List Android App Protection Policies
**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections`

---

## 📝 17. Audit Logs & Activity

### 17.1 List Intune Audit Events
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/auditEvents`

Present as: | Date | Activity | Actor (who) | Target | Result |

### 17.2 Filter Audit Events by Date Range
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/auditEvents?$filter=activityDateTime gt {startDate} and activityDateTime lt {endDate}`

Agent should calculate the date range based on user request (e.g., "letzte Woche" → last 7 days).

### 17.3 Filter Audit Events by User
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/auditEvents?$filter=actor/userPrincipalName eq '{user@domain.com}'`

### 17.4 Get Audit Event Details
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/auditEvents/{auditEventId}`

### 17.5 List Directory Audit Logs (Entra ID level)
**GET** `https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=category eq 'Device'`

### 17.6 List Sign-In Logs
**GET** `https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=appDisplayName eq 'Microsoft Intune'`

---

## 🏗️ 18. Settings Catalog & GPO Analytics

### 18.1 Search Settings Catalog
**GET** `https://graph.microsoft.com/beta/deviceManagement/configurationSettings?$search="{searchTerm}"`

This is extremely useful when the user asks: "Can Intune configure setting X?" or "Hat Intune eine Einstellung für Bildschirmschoner?"

### 18.2 List Group Policy Migration Reports
**GET** `https://graph.microsoft.com/beta/deviceManagement/groupPolicyMigrationReports`

Use this when the user asks about migrating from on-premises GPO to Intune.

### 18.3 Get Migration Report Details
**GET** `https://graph.microsoft.com/beta/deviceManagement/groupPolicyMigrationReports/{reportId}`

Shows: Which GPO settings are supported in Intune, which are not, and recommended alternatives.

### 18.4 List Group Policy Uploaded Definition Files
**GET** `https://graph.microsoft.com/beta/deviceManagement/groupPolicyUploadedDefinitionFiles`

---

## 📄 19. Terms & Conditions and Notifications

### 19.1 List Terms & Conditions
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/termsAndConditions`

### 19.2 Get Terms & Conditions Details
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/termsAndConditions/{termsId}`

### 19.3 Get Terms Acceptance Status
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/termsAndConditions/{termsId}/acceptanceStatuses`

Shows which users have accepted which version.

### 19.4 Create Terms & Conditions
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/termsAndConditions`
⚠️ SAFETY: Confirm before creating.

### 19.5 List Notification Message Templates
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/notificationMessageTemplates`

### 19.6 Create Notification Template (Non-Compliance Email)
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/notificationMessageTemplates`
⚠️ SAFETY: Confirm before creating.

### 19.7 Send Test Notification
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/notificationMessageTemplates/{templateId}/sendTestMessage`

---

## 🔐 20. App Protection Policies (MAM)

### 20.1 List iOS App Protection Policies
**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections`

### 20.2 List Android App Protection Policies
**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections`

### 20.3 List Windows Information Protection Policies
**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/windowsInformationProtectionPolicies`

### 20.4 Get App Protection Policy Details
**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/{policyId}`
or
**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections/{policyId}`

### 20.5 Get App Protection Status per User
**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppRegistrations?$filter=userId eq '{userId}'`

### 20.6 Create App Protection Policy
**POST** `https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections`
or
**POST** `https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections`
⚠️ SAFETY: Confirm before creating. Show policy summary first.

---

## 📱 21. Enrollment Configuration

### 21.1 List All Enrollment Configurations
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations`

Includes: Device Limit Restrictions, Platform Restrictions, Enrollment Status Page (ESP), Windows Hello for Business.

### 21.2 Get Enrollment Configuration Details
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations/{configId}`

### 21.3 Get Enrollment Configuration Assignments
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations/{configId}/assignments`

### 21.4 List Enrollment Status Page (ESP) Profiles
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations?$filter=isof('microsoft.graph.windows10EnrollmentCompletionPageConfiguration')`

### 21.5 List Windows Hello for Business Configurations
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations?$filter=isof('microsoft.graph.deviceEnrollmentWindowsHelloForBusinessConfiguration')`

---

## 🧮 22. Filters & Scope Tags

### 22.1 List Assignment Filters
**GET** `https://graph.microsoft.com/beta/deviceManagement/assignmentFilters`

Present as: | Filter Name | Platform | Rule | Created |

### 22.2 Get Filter Details
**GET** `https://graph.microsoft.com/beta/deviceManagement/assignmentFilters/{filterId}`

### 22.3 Create Assignment Filter
**POST** `https://graph.microsoft.com/beta/deviceManagement/assignmentFilters`
⚠️ SAFETY: Confirm before creating.

### 22.4 Test/Preview Filter Results
**POST** `https://graph.microsoft.com/beta/deviceManagement/assignmentFilters/{filterId}/getState`

### 22.5 List Scope Tags
**GET** `https://graph.microsoft.com/beta/deviceManagement/roleScopeTags`

### 22.6 Create Scope Tag
**POST** `https://graph.microsoft.com/beta/deviceManagement/roleScopeTags`
⚠️ SAFETY: Confirm before creating.
Intune Graph API – Complete Management

Get Intune Graph API – Complete Management.

vz-scrape-runner

vz-bench-debug

Think you can beat it?
