Intune Automation – Set a device action using a webhook

Scenario:

You work as an Intune administrator and you receive a legitimate call saying that a user has lost their laptop. You need to wipe the device as soon as possible.

In this post you create a runbook that can be invoked through a webhook with a parameter. The webhook call can be integrated into any application.

You will do the following:

  • Create Automation account and a PowerShell runbook

  • Create Webhook

  • Create Demo PowerShell script to invoke the webhook

  • Test the automation

Note: the PS scripts used in this post are based on Microsoft Graph API Intune Templates that can be found at this location https://github.com/microsoftgraph/powershell-intune-samples

Create Automation Account and Runbook

Create Automation Account

This is similar to the other automations you can find on my blog. If you already have an automation account you can skip this step.

  • Sign in to the Azure portal using your account credentials
  • Click Create a resource
  • Search for Automation
  • Select automation account and click Create in the next blade

  • Add an account name
  • Assign a resource group or create a new one
  • Assign a location. Note that not all locations are available for this kind of resource
  • Leave Create Azure Run As account checked to Yes
  • Click Create

  • Wait for deployment to complete
  • Open the resource group that has the automation account
  • Open the automation account
  • Click Credentials
  • Click Add a credential

  • For the purpose of this scenario, use an existing account that has the required permissions
  • Fill in a name and the credentials of a user that has access to create users. Click Create

  • Now we need to add the MSOnline Module
  • Click Modules->Browse gallery

  • Search and import the MSOnline module

Create Automation Runbook

  • In the automation account that you just created click Runbooks -> Add a runbook
  • In the new blade click Create a new runbook
  • Fill in the name and a description, and select the PowerShell type

  • Click Create
  • Once created the portal will open the runbook in edit mode
  • Note that the script below has the actual actions commented out. If you really want to wipe/delete etc. your device you can uncomment the actions
  • Add the following PowerShell script

<#
.SYNOPSIS
This runbook is used to invoke an action on an Intune managed device.
It receives a managed device ID, looks up the corresponding managed device and then invokes the action on it.
Parameters: deviceID and action
Actions supported: wipe, retire, delete, sync
#>
[CmdletBinding()]
param
(
[Parameter(Mandatory = $false)]
[object] $WebhookData
)

Function Get-AuthToken-Pass {
# Obtains a Graph API authentication header for Intune using a username/password credential (PSIntuneAuth module)
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)][string]$tenantName,
[Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$cred
)
try {
return (Get-MSIntuneAuthToken -TenantName $tenantName -Credential $cred)
}
catch {
Write-Output "Error getting token"
}
}

Function Get-ManagedDevice() {
<#
.SYNOPSIS
This function is used to get an Intune managed device by its device ID from the Graph API REST interface
#>
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)] $DeviceID
)

# Defining variables
$graphApiVersion = "beta"
$Resource = "deviceManagement/managedDevices"
$uri = "https://graph.microsoft.com/$graphApiVersion/$Resource"

try {
# $authToken is the header hashtable created in the main section; the device list is filtered on the requested ID
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value | Where-Object -FilterScript { $_.id -eq $DeviceID }
}
catch {
Write-Output "Error invoking Get-ManagedDevice"
}
}

Function Set-DeviceAction() {
<#
.SYNOPSIS
This function is used to invoke an action on an Intune managed device.
Parameters: DeviceID and action
Actions supported: wipe, retire, delete, sync
.EXAMPLE
Set-DeviceAction -action wipe -DeviceID $DeviceID
#>
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)] $action,
[Parameter(Mandatory = $true)] $DeviceID
)

$graphApiVersion = "beta"
# Validate that the device exists before building any action URL
$dev = Get-ManagedDevice -DeviceID $DeviceID
if ($dev)
{
try
{
# The Invoke-RestMethod calls are commented out on purpose: wipe, retire and delete are destructive
if ($action -eq "wipe") {
Write-Output "Device $($dev.deviceName) will be wiped"
$Resource = "deviceManagement/managedDevices/$DeviceID/wipe"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
Write-Output "Wiping the device"
# Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post
}

if ($action -eq "retire") {
Write-Output "Device $($dev.deviceName) will be retired"
$Resource = "deviceManagement/managedDevices/$DeviceID/retire"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
Write-Output "Retiring the device"
# Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post
}

if ($action -eq "delete") {
Write-Output "Device $($dev.deviceName) will be deleted"
$Resource = "deviceManagement/managedDevices('$DeviceID')"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
Write-Output "Deleting the device"
# Invoke-RestMethod -Uri $uri -Headers $authToken -Method Delete
}

if ($action -eq "sync") {
Write-Output "Device $($dev.deviceName) will be synced"
$Resource = "deviceManagement/managedDevices('$DeviceID')/syncDevice"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
Write-Output "Syncing the device"
# Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post
}
}
catch
{
Write-Output "Error invoking the Set-DeviceAction method"
}
}
else {
Write-Output "Invalid device"
}
}

######### END Set-DeviceAction

################### Start Main ####################
###################################################

# Import required modules
try {
Import-Module -Name AzureAD -ErrorAction Stop
Import-Module -Name PSIntuneAuth -ErrorAction Stop
}
catch {
Write-Warning -Message "Failed to import modules"
}

$tenant = "yourtenant.com"
# The credential line is inserted from the ASSETS pane in the next step
#$cred = Get-AutomationPSCredential -Name 'IntuneAutomationCredentials'
$authToken = Get-AuthToken-Pass -tenantName $tenant -cred $cred

# The webhook request body is a JSON object with the properties action and deviceID
$params = (ConvertFrom-Json -InputObject $WebhookData.RequestBody)
Set-DeviceAction -action $params.action -DeviceID $params.deviceID

  • Put your cursor on the line below $tenant = "yourtenant.com"
  • In the left pane of the Edit Runbook blade, expand ASSETS, then expand Credential.
  • Right-click the three dots to the right of the credential you created before

  • Add code until you have something like this

$tenant = "yourtenant.com"

$cred = Get-AutomationPSCredential -Name 'IntuneAutomationCredentials'

What the script does:

The script receives a JSON object in $WebhookData.RequestBody that contains action and deviceID. The device is then validated and the action is invoked on it.
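Added example, not code from the original post: a stricter way to handle the last two lines of the runbook's main section. Besides parsing the body, it rejects jobs that were not started through the webhook, requires a shared secret in a request header (so that possession of the webhook URL alone is not enough to trigger a wipe), restricts the action to the four the runbook implements, and checks that deviceID is a GUID before it is placed in a Graph URL. The Automation variable name 'WebhookSharedSecret' and the header name 'x-automation-secret' are hypothetical choices for this example.

```powershell
# Added example (not from the original post): replaces the runbook's own
#   $params = (ConvertFrom-Json ...); Set-DeviceAction ...
# Assumes an Automation variable 'WebhookSharedSecret' (hypothetical name) exists.
function Get-ValidatedWebhookParams {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [object] $WebhookData,
        [string[]] $AllowedActions = @('wipe', 'retire', 'delete', 'sync')
    )
    # A job started from the portal 'Start' button has no WebhookData at all.
    if (-not $WebhookData -or -not $WebhookData.RequestBody) {
        throw 'This runbook must be started through its webhook with a JSON body.'
    }

    # Shared secret in a request header, since the webhook URL alone should not be enough to wipe a device.
    # RequestHeader is a hashtable; the header name is matched case-insensitively.
    $expected = Get-AutomationVariable -Name 'WebhookSharedSecret'
    $sent = $WebhookData.RequestHeader.GetEnumerator() |
        Where-Object { $_.Key -ieq 'x-automation-secret' } |
        Select-Object -First 1 -ExpandProperty Value
    if (-not $expected -or -not $sent -or $sent -ne $expected) {
        throw 'Webhook call rejected: missing or wrong x-automation-secret header.'
    }

    try {
        $params = ConvertFrom-Json -InputObject $WebhookData.RequestBody
    }
    catch {
        throw "Webhook body is not valid JSON: $($_.Exception.Message)"
    }

    # Only the four actions the runbook implements are accepted.
    $action = [string]$params.action
    if (-not $action -or $AllowedActions -notcontains $action.ToLower()) {
        throw "Unsupported action '$action'. Allowed: $($AllowedActions -join ', ')"
    }

    # Intune managed device IDs are GUIDs; reject anything else before it reaches a Graph URL.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse([string]$params.deviceID, [ref]$guid)) {
        throw "deviceID '$($params.deviceID)' is not a GUID."
    }

    # Leave a record in the job output of which webhook asked for what.
    Write-Output ("Webhook '{0}' requested '{1}' on device {2}" -f $WebhookData.WebhookName, $action, $guid)
    return [pscustomobject]@{ action = $action.ToLower(); deviceID = $guid.ToString() }
}

$params = Get-ValidatedWebhookParams -WebhookData $WebhookData
Set-DeviceAction -action $params.action -DeviceID $params.deviceID
```

The caller then adds `-Headers @{ 'x-automation-secret' = '<the variable value>' }` to its Invoke-RestMethod call; a thrown error fails the job, so a rejected call shows up as a failed job in the webhook's overview pane rather than as a silent no-op.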

Create the Webhook

  • In the runbook blade click Webhook

  • Enter webhook name
  • Copy the webhook URL. This is extremely important: the URL is no longer visible once the webhook has been created

  • Click OK
  • If you click Parameters you see that the WebhookData object is expected

  • Click Create

Create Demo PowerShell script to invoke the webhook

  • Open PowerShell ISE as administrator
  • Paste the following script

$uri = "your webhook URL that you copied when creating the webhook"

$param_Data = @{
action = "wipe"
deviceID = "a device id"
}

$body = ConvertTo-Json -InputObject $param_Data

$response = Invoke-RestMethod -Method Post -Uri $uri -Body $body


Test the automation

  • Execute the script in the PowerShell ISE window
  • Upon successful execution $response should contain a job ID

  • Back to Azure portal, in the webhook overview pane, you should see a recently completed job

  • Click the completed job
  • In the new window click output
  • You should see a message saying the device will be wiped.
  • As you remember from creating the script, the actual commands are commented out because wipe, delete and retire are potentially destructive. Once you have validated that the automation is working and want the script to perform the actions, you will need to uncomment them