Assign a group to an Intune Endpoint security policy - microsoft-graph-api

I'd like to find a way using PowerShell to assign a group to an Intune endpoint security policy like disk encryption or a security baseline for Windows 10 (not iOS or Android). I managed to create policies using PS but can't find how to assign a group.
I used the Graph API to create the policy using https://graph.microsoft.com/beta/deviceManagement/templates/$TemplateId/createInstance.
Any help would be appreciated.
Cheers

The endpoint for a security baseline assignment would look like this:
POST https://graph.microsoft.com/beta/deviceManagement/intents/$IDOFYOURNEWSECURITYBASELINE/assign
Example body for one include and one exclude group:
{
  "assignments": [
    {
      "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "groupId": "$IDOFYOURAADGROUPTOASSIGN1"
      }
    },
    {
      "target": {
        "@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
        "groupId": "$IDOFYOURAADGROUPTOASSIGN2"
      }
    }
  ]
}
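The same call wrapped in PowerShell, as an added example that is not part of the original answer. It builds the assignment body from include and exclude lists, rejects IDs that are not GUIDs and groups that appear in both lists (Intune lets the exclusion win, so such an include entry is dead configuration), and then POSTs to the /assign action with the Microsoft.Graph PowerShell SDK. It assumes you have run Connect-MgGraph with the DeviceManagementConfiguration.ReadWrite.All scope; the intent ID and group IDs are placeholders.

```powershell
# Added example, not from the original answer. Assumes Connect-MgGraph has already
# been run with the DeviceManagementConfiguration.ReadWrite.All scope.

function New-IntentAssignmentBody {
    param(
        [string[]]$IncludeGroupIds = @(),
        [string[]]$ExcludeGroupIds = @()
    )
    # Refuse anything that is not a GUID so a typo does not create a dangling target.
    foreach ($id in ($IncludeGroupIds + $ExcludeGroupIds)) {
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse($id, [ref]$parsed)) { throw "Not a GUID: $id" }
    }
    # A group in both lists is a mistake: exclusion takes precedence, so fail loudly.
    $overlap = @($IncludeGroupIds | Where-Object { $ExcludeGroupIds -contains $_ })
    if ($overlap.Count -gt 0) { throw "Group(s) both included and excluded: $($overlap -join ', ')" }

    $assignments = @()
    foreach ($id in $IncludeGroupIds) {
        $assignments += @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $id } }
    }
    foreach ($id in $ExcludeGroupIds) {
        $assignments += @{ target = @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'; groupId = $id } }
    }
    return @{ assignments = $assignments }
}

function Set-IntentAssignment {
    param(
        [Parameter(Mandatory)][string]$IntentId,   # the ID of the intent created via createInstance
        [string[]]$IncludeGroupIds = @(),
        [string[]]$ExcludeGroupIds = @()
    )
    $body = New-IntentAssignmentBody -IncludeGroupIds $IncludeGroupIds -ExcludeGroupIds $ExcludeGroupIds
    # /assign takes the complete assignment list, so re-send every group you want to keep.
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/beta/deviceManagement/intents/$IntentId/assign" `
        -ContentType 'application/json' `
        -Body ($body | ConvertTo-Json -Depth 5)
}

# Usage with placeholder IDs:
# Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
# Set-IntentAssignment -IntentId '<intent-id>' -IncludeGroupIds '<group-guid-1>' -ExcludeGroupIds '<group-guid-2>'
```

Keep the body-building function separate from the call: it can be unit-tested offline, and reviewing the generated JSON before it reaches the tenant is the cheapest check against assigning a baseline to the wrong group.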

Related

How we can call microsoft Search API with POST in React App

I want to call MS Graph Search API in react app, I registered the app with sites.read.all with delegated permissions.
The filter should be from SharePoint list data.
code
https://graph.microsoft.com/v2.0/search/query
{
  "requests": [
    {
      "entityTypes": [
        "listItem"
      ],
      "query": {
        "queryString": "contoso"
      }
    }
  ]
}
AFAIK there is no code or searching option for using the Search API in MS Graph; you can refer to this similar question: API based search using React
Or raise a feature request for the same in here: https://techcommunity.microsoft.com/t5/microsoft-365-developer-platform/idb-p/Microsoft365DeveloperPlatform
Hope this helps.

Where to find TemplateId while creating custom directory role MS Graph

I want to create custom directory role with specific permissions like:
microsoft.directory/users/create
microsoft.directory/users/delete
microsoft.directory/groups/create
microsoft.directory/groups/delete
microsoft.directory/applications/create
microsoft.directory/applications/delete
microsoft.directory/serviceprincipals/create
microsoft.directory/serviceprincipals/delete
I found how to automate this from MS Graph:
POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions
Body
{
  "description": "Can manage basic aspects of application registrations.",
  "displayName": "Application Support Administrator",
  "isEnabled": true,
  "templateId": "<GUID>",
  "rolePermissions": [
    {
      "allowedResourceActions": [
        "microsoft.directory/users/create",
        "microsoft.directory/users/delete",
        "microsoft.directory/groups/create",
        "microsoft.directory/groups/delete",
        "microsoft.directory/applications/create",
        "microsoft.directory/applications/delete",
        "microsoft.directory/serviceprincipals/create",
        "microsoft.directory/serviceprincipals/delete"
      ]
    }
  ]
}
What is template Id and how to get the value of this?
TIA
Note that "templateId": "<GUID>" is an optional parameter; you can include it when creating multiple custom directory roles with common parameters.
To get a value for "templateId", you can create a GUID using this PowerShell command: (New-Guid).Guid
I tried to reproduce the same in my environment via Graph Explorer and got below results:
I ran the same query as you and created custom directory role from MS Graph like below:
POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions
{
  "description": "Can manage basic aspects of application registrations.",
  "displayName": "Application Support Administrator",
  "isEnabled": true,
  "templateId": "38837bf2-39d8-4c14-89f3-3e9c5e6c9b23", // GUID created from PowerShell
  "rolePermissions": [
    {
      "allowedResourceActions": [
        "microsoft.directory/users/create",
        "microsoft.directory/users/delete",
        "microsoft.directory/groups/create",
        "microsoft.directory/groups/delete",
        "microsoft.directory/applications/create",
        "microsoft.directory/applications/delete",
        "microsoft.directory/serviceprincipals/create",
        "microsoft.directory/serviceprincipals/delete"
      ]
    }
  ]
}
Response:
When I checked the same in Portal, I am able to find the new custom directory role like below:
To assign this role to user via Graph API, you can make use of below query:
POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments
{
  "principalId": "<GUID OF USER>",
  "roleDefinitionId": "<GUID OF ROLE DEFINITION>",
  "directoryScopeId": "/<GUID OF APPLICATION REGISTRATION(ObjectID)>"
}
Response:
When I checked the same in Portal, role assigned to user successfully like below:
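The two calls above as a PowerShell script, added here as an example and not part of the original answer. It generates the templateId with New-Guid, builds the rolePermissions array as properly quoted strings (the asker's body had the actions unquoted, which Graph rejects as invalid JSON), creates the role, and then assigns it with an explicit directoryScopeId. It assumes Connect-MgGraph has been run with RoleManagement.ReadWrite.Directory; the principal and scope IDs are placeholders.

```powershell
# Added example, not from the original answer. Assumes Connect-MgGraph has been run
# with the RoleManagement.ReadWrite.Directory scope.

function New-CustomRoleDefinitionBody {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string]$Description = '',
        [Parameter(Mandatory)][string[]]$AllowedResourceActions,
        [string]$TemplateId = (New-Guid).Guid   # optional in Graph; generated here for reuse
    )
    # Every action must be a quoted string of the form microsoft.directory/<resource>/<action>.
    foreach ($action in $AllowedResourceActions) {
        if ($action -notmatch '^microsoft\.directory/[^/\s]+/\S+$') { throw "Malformed action: $action" }
    }
    return @{
        description     = $Description
        displayName     = $DisplayName
        isEnabled       = $true
        templateId      = $TemplateId
        rolePermissions = @( @{ allowedResourceActions = $AllowedResourceActions } )
    }
}

function New-CustomDirectoryRole {
    param([Parameter(Mandatory)][hashtable]$Body)
    # Returns the created unifiedRoleDefinition; its "id" is the roleDefinitionId for assignment.
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions' `
        -ContentType 'application/json' -Body ($Body | ConvertTo-Json -Depth 5)
}

function New-ScopedRoleAssignment {
    param(
        [Parameter(Mandatory)][string]$PrincipalId,
        [Parameter(Mandatory)][string]$RoleDefinitionId,
        [string]$DirectoryScopeId = '/'
    )
    # "/" means tenant-wide. Create/delete on users, groups and apps is high impact, so
    # prefer "/<objectId>" or "/administrativeUnits/<auId>" when the task allows it.
    if ($DirectoryScopeId -eq '/') { Write-Warning 'Assigning the role at tenant-wide scope ("/")' }
    $assignment = @{
        principalId      = $PrincipalId
        roleDefinitionId = $RoleDefinitionId
        directoryScopeId = $DirectoryScopeId
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments' `
        -ContentType 'application/json' -Body ($assignment | ConvertTo-Json)
}

# Usage with placeholder IDs:
# $body = New-CustomRoleDefinitionBody -DisplayName 'Application Support Administrator' `
#     -Description 'Can manage basic aspects of application registrations.' `
#     -AllowedResourceActions 'microsoft.directory/applications/create','microsoft.directory/applications/delete'
# $role = New-CustomDirectoryRole -Body $body
# New-ScopedRoleAssignment -PrincipalId '<user-guid>' -RoleDefinitionId $role.id -DirectoryScopeId '/<app-object-id>'
```

Record the templateId you generated: it is what lets you recreate the same role consistently across tenants, and it is also the value you will want to search for when auditing who holds the role later.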

How to tell the difference between a SP Online drive and a Teams channel-drive?

Using the MSFT Graph API, is there a way to differentiate Drives (which are documentLibraries) that are used for Team-Channels versus those that are "simply" documentLibraries created WRT a more generic, SharePoint Online Site?
Retrieving a user's /v1.0/sites?search=* returns a union of SPO Sites the user is a member of and Teams the user is a member of. (Yes, Teams are SPO sites or libraries within a site natively.)
I need to differentiate either the Sites by whether or not they're a Team-Site (because I can then filter Drives returned), or specifically all the Drives returned to differentiate whether the Drive is a Channel-Drive or simply a plain-old documentLibrary that is part of a Site.
Retrieving Sites from Graph shows no apparent properties that indicate what "type" of Site it is, and neither do the Drives queried from each Site (/v1.0/sites/SITE-ID/drives).
Thanks.
One way is to check the owner of the drive associated with the site:
GET https://graph.microsoft.com/v1.0/sites/{siteId}?$expand=drive
That endpoint will return the site info including the drive info:
{
  "description": "...",
  "id": "xxx",
  ...
  "drive": {
    "description": "",
    "id": "xxx",
    "driveType": "documentLibrary",
    ...
    "owner": {
      "group": {
        "email": "xxx",
        "id": "42857780-3ab6-412d-a9b8-5e6adc73aabb",
        "displayName": "xxx"
      }
    },
    "quota": {}
  }
}
If the owner has the property group, then you can use the group id in the following endpoint:
GET https://graph.microsoft.com/v1.0/groups/{groupId}?$select=id,resourceProvisioningOptions
Response:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups(id,resourceProvisioningOptions)/$entity",
  "id": "xxx",
  "resourceProvisioningOptions": [
    "Team"
  ]
}
Select resourceProvisioningOptions, which specifies the group resources that are provisioned as part of Microsoft 365 group creation and are not normally part of default group creation. If one of the values is Team, then the drive is used for Teams.
Resources:
group
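The two-step check above as a PowerShell function, added as an example that is not part of the original answer. For a site ID it expands the default drive, reads owner.group.id, and only then queries the group's resourceProvisioningOptions; a drive with no group owner is reported as a plain SharePoint site without a second call. It assumes Connect-MgGraph has been run with Sites.Read.All and Group.Read.All, and that Invoke-MgGraphRequest returns its default hashtable output.

```powershell
# Added example, not from the original answer. Assumes Connect-MgGraph has been run
# with the Sites.Read.All and Group.Read.All scopes.

function Test-TeamBackedSite {
    param([Parameter(Mandatory)][string]$SiteId)

    $siteUri = "https://graph.microsoft.com/v1.0/sites/$SiteId" + '?$expand=drive'
    $site = Invoke-MgGraphRequest -Method GET -Uri $siteUri

    $groupId = $site.drive.owner.group.id
    if (-not $groupId) {
        # No group owner: a classic or communication site, never a Teams channel drive.
        return [pscustomobject]@{ SiteId = $SiteId; GroupId = $null; IsTeam = $false; Reason = 'drive has no group owner' }
    }

    $groupUri = "https://graph.microsoft.com/v1.0/groups/$groupId" + '?$select=id,resourceProvisioningOptions'
    $group = Invoke-MgGraphRequest -Method GET -Uri $groupUri

    # A Microsoft 365 group exists behind every team, but not every group has a team;
    # only the "Team" provisioning option distinguishes the two.
    $isTeam = @($group.resourceProvisioningOptions) -contains 'Team'
    return [pscustomobject]@{
        SiteId  = $SiteId
        GroupId = $groupId
        IsTeam  = $isTeam
        Reason  = if ($isTeam) { 'group has Team provisioned' } else { 'group-owned but no Team' }
    }
}

# Usage: classify every site the caller can see.
# $sites = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/sites?search=*'
# $sites.value | ForEach-Object { Test-TeamBackedSite -SiteId $_.id } | Format-Table SiteId, IsTeam, Reason
```

Two caveats when you rely on this: every drive under a team site, not only the "Documents" library used by channels, will classify as a team drive, because the owner is read from the site's default drive; and a private or shared channel lives on its own site with its own group owner, so run the check per site rather than per team.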

Microsoft Graph API Teams Chat Group

In Microsoft Teams When I add new users to a chat it creates a new "group" chat (not sure what it's called).
Add Users
Group Chat example
Is it possible to create groups like these with the Microsoft Graph API?
Maybe by the time this question was asked this was not possible, but right now MS Graph API allows this.
Here is an official link to documentation
From documentation if you would like to use REST API here is an example
POST https://graph.microsoft.com/v1.0/chats
Content-Type: application/json
{
  "chatType": "group",
  "topic": "Group chat title",
  "members": [
    {
      "@odata.type": "#microsoft.graph.aadUserConversationMember",
      "roles": ["owner"],
      "user@odata.bind": "https://graph.microsoft.com/v1.0/users('8c0a1a67-50ce-4114-bb6c-da9c5dbcf6ca')"
    },
    {
      "@odata.type": "#microsoft.graph.aadUserConversationMember",
      "roles": ["owner"],
      "user@odata.bind": "https://graph.microsoft.com/v1.0/users('82fe7758-5bb3-4f0d-a43f-e555fd399c6f')"
    },
    {
      "@odata.type": "#microsoft.graph.aadUserConversationMember",
      "roles": ["owner"],
      "user@odata.bind": "https://graph.microsoft.com/v1.0/users('3626a173-f2bc-4883-bcf7-01514c3bfb82')"
    }
  ]
}
Please make sure to take care of the authentication: Microsoft Graph auth overview
There are also Microsoft Graph SDKs available.
Unfortunately, there is no such API to create a new chat group yet. There is already a feature request for the same here. You can watch the space for more updates.

How to send a device management request using NodeRed or any REST client

I am trying to send a DM firmware update command from a NodeRed Flow.
Function node:
msg.payload = {
  "MgmtInitiationRequest": {
    "action": "firmware/update",
    "devices": [{
      "typeId": "myType",
      "deviceId": "myDevice"
    }]
  }
};
msg.headers = { "Content-Type": "application/json" };
return msg;
I send it to a http request node with a POST to
https://orgid.internetofthings.ibmcloud.com/api/v0002/mgmt/requests
Basic Authentication with API keys. I based it off Initiate a device management request.
I get back a 403, which the docs have as:
One or more of the devices does not support the requested action
Anyone see what I'm missing? It works fine from the IoT Platform UI to the same devicetype/deviceid.
EDIT: Same 403 if I use a REST client like Postman.
The swagger API documentation is a little bit misleading in that the 'body' parameter is given a name.
But, like the other POST APIs, that name isn't actually included anywhere as part of the payload.
The payload should just look like this:
{
  "action": "firmware/update",
  "devices": [
    {
      "typeId": "string",
      "deviceId": "string"
    }
  ]
}
This page in the documentation provides more detail:
https://console.ng.bluemix.net/docs/services/IoT/devices/device_mgmt/requests.html#firmware-actions-update
Has your appliance published the set of commands it supports when it announced itself as a managed device?
A device connects to the Watson IoT Platform and uses the managed devices operation to become a managed device,
which looks something like this:
Topic: iotdevice-1/mgmt/manage
{
  ...
  "supports": {
    "deviceActions": true,
    "firmwareActions": true
  },
  ...
}
https://console.ng.bluemix.net/docs/services/IoT/devices/device_mgmt/index.html
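Both answers in one script, added here as an example that is not part of either answer: the payload is built without the "MgmtInitiationRequest" wrapper the swagger page suggests, sent with Basic authentication from an API key and token, and a 403 is mapped back to the explanation in the second answer (the device never announced firmwareActions support in its manage request). The org ID, API key and token are placeholders; the device type and ID are the ones from the question.

```powershell
# Added example, not from either answer. Org ID, API key and API token are placeholders.

function New-DmRequestBody {
    param(
        [string]$Action = 'firmware/update',
        [Parameter(Mandatory)][hashtable[]]$Devices   # each: @{ typeId = ...; deviceId = ... }
    )
    # The body parameter name in the swagger doc is NOT a JSON key: action and devices
    # sit at the top level of the payload.
    $deviceList = @($Devices | ForEach-Object { @{ typeId = $_.typeId; deviceId = $_.deviceId } })
    return @{ action = $Action; devices = $deviceList }
}

function Send-DmRequest {
    param(
        [Parameter(Mandatory)][string]$OrgId,
        [Parameter(Mandatory)][string]$ApiKey,
        [Parameter(Mandatory)][string]$ApiToken,
        [Parameter(Mandatory)][hashtable]$Body
    )
    $pair  = "{0}:{1}" -f $ApiKey, $ApiToken
    $basic = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
    $uri   = "https://$OrgId.internetofthings.ibmcloud.com/api/v0002/mgmt/requests"
    try {
        return Invoke-RestMethod -Method Post -Uri $uri `
            -Headers @{ Authorization = "Basic $basic" } `
            -ContentType 'application/json' `
            -Body ($Body | ConvertTo-Json -Depth 4)
    }
    catch {
        $status = $_.Exception.Response.StatusCode.value__
        if ($status -eq 403) {
            # Same code the question saw: at least one device did not advertise this action
            # in the "supports" block of its iotdevice-1/mgmt/manage announcement.
            Write-Warning "403 for '$($Body.action)': check that each device announced support for it when it became managed"
        }
        throw
    }
}

# Usage with placeholder credentials (device type/ID from the question):
# $body = New-DmRequestBody -Action 'firmware/update' -Devices @(@{ typeId = 'myType'; deviceId = 'myDevice' })
# Send-DmRequest -OrgId '<orgid>' -ApiKey '<api-key>' -ApiToken '<api-token>' -Body $body
```

Pass the API key and token in from a secret store or environment variable rather than hard-coding them; the Basic header is just the pair base64-encoded, so anything that logs request headers captures the credential in clear.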