{
  "schemaVersion": "1.0",
  "item": {
    "slug": "openclaw-intune-skill",
    "name": "Openclaw Intune Skill",
    "source": "tencent",
    "type": "skill",
    "category": "开发工具",
    "sourceUrl": "https://clawhub.ai/MattiaCirillo/openclaw-intune-skill",
    "canonicalUrl": "https://clawhub.ai/MattiaCirillo/openclaw-intune-skill",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/openclaw-intune-skill",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=openclaw-intune-skill",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "README.md",
      "SKILL.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "slug": "openclaw-intune-skill",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-05-06T15:15:18.771Z",
      "expiresAt": "2026-05-13T15:15:18.771Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=openclaw-intune-skill",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=openclaw-intune-skill",
        "contentDisposition": "attachment; filename=\"openclaw-intune-skill-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "openclaw-intune-skill"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/openclaw-intune-skill"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/openclaw-intune-skill",
    "agentPageUrl": "https://openagent3.xyz/skills/openclaw-intune-skill/agent",
    "manifestUrl": "https://openagent3.xyz/skills/openclaw-intune-skill/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/openclaw-intune-skill/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Microsoft Intune – Complete Management Skill",
        "body": "This skill gives the agent full control over Microsoft Intune via the Microsoft Graph API. It covers device management, application deployment, compliance & configuration policies, user & group management, Autopilot, PowerShell scripts, reporting, and all remote device actions."
      },
      {
        "title": "🔑 Authentication",
        "body": "Before ANY Intune operation, the agent MUST obtain an OAuth 2.0 access token.\n\nThe following environment variables must be configured:\n\nINTUNE_TENANT_ID – Microsoft 365 Tenant ID\nINTUNE_CLIENT_ID – Entra ID App Registration Client ID\nINTUNE_CLIENT_SECRET – Entra ID App Registration Secret"
      },
      {
        "title": "Token Request",
        "body": "POST https://login.microsoftonline.com/{INTUNE_TENANT_ID}/oauth2/v2.0/token\n\nBody (x-www-form-urlencoded):\n\nclient_id={INTUNE_CLIENT_ID}\n&scope=https://graph.microsoft.com/.default\n&client_secret={INTUNE_CLIENT_SECRET}\n&grant_type=client_credentials\n\nExtract access_token from the JSON response. Use it as:\n\nAuthorization: Bearer <access_token>\n\nNever echo the client secret or the access token in chat output, summaries or logs."
      },
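      {
        "title": "Required API Permissions (App Registration)",
        "body": "The Entra ID App Registration needs the following Microsoft Graph Application permissions:\n\nDeviceManagementManagedDevices.ReadWrite.All\nDeviceManagementConfiguration.ReadWrite.All\nDeviceManagementApps.ReadWrite.All\nDeviceManagementServiceConfig.ReadWrite.All\nDeviceManagementRBAC.ReadWrite.All\nDirectory.Read.All\nUser.Read.All\nGroup.ReadWrite.All\nGroupMember.ReadWrite.All\n\nThese are tenant-wide application permissions and require admin consent. If the skill is only used for the read (GET) operations, the corresponding .Read.All permissions are sufficient; grant a ReadWrite permission only for the write operations you actually intend to use."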
      },
      {
        "title": "🛡️ Safety Rules (CRITICAL)",
        "body": "Read operations (GET): Non-destructive, since they change nothing in the tenant. Execute without confirmation, but treat the results as sensitive: they can include user names, audit events and sign-in logs.\nSync/Restart operations: Ask for confirmation: \"Soll ich Gerät X wirklich syncen/neustarten?\"\nDestructive operations (Wipe, Retire, Delete): ALWAYS require explicit confirmation. Say: \"⚠️ Achtung: Das löscht alle Daten auf dem Gerät. Bist du sicher?\"\nPolicy creation/modification: Confirm before applying: \"Soll ich diese Policy wirklich erstellen/ändern?\"\nNever dump raw JSON to the user. Always format output as readable Markdown tables or summaries.\nError handling: If an API call returns an error, explain the error in simple German and suggest a fix."
      },
      {
        "title": "1.1 List All Managed Devices",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices\n\nUse $select to limit fields: ?$select=deviceName,operatingSystem,complianceState,lastSyncDateTime,userPrincipalName\n\nPresent results as a table: | Gerätename | OS | Compliance | Letzter Sync | Benutzer |"
      },
      {
        "title": "1.2 Search for a Specific Device",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=deviceName eq '{deviceName}'\n\nAlternative search by user: ?$filter=userPrincipalName eq '{user@domain.com}'"
      },
      {
        "title": "1.3 Get Device Details",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}\n\nShow: Device name, Serial number, OS version, Compliance state, Encryption status, Last sync, Enrolled date, Primary user."
      },
      {
        "title": "1.4 Remote Actions on a Device",
        "body": "Sync Device\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/syncDevice\n\nReboot Device\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/rebootNow\n\nLock Device (Remote Lock)\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/remoteLock\n\nReset Passcode\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/resetPasscode\n\nLocate Device (Lost Mode – iOS/Android)\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/locateDevice\n\nRetire Device (Remove Company Data Only)\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/retire\n⚠️ SAFETY: Requires explicit user confirmation!\n\nWipe Device (Factory Reset)\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/wipe\n⚠️ SAFETY: ALWAYS ask twice! This deletes ALL data!\n\nDelete Device from Intune\n\nDELETE https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}\n⚠️ SAFETY: Requires explicit user confirmation!\n\nRename Device\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/setDeviceName\nBody: {\"deviceName\": \"NEW-NAME\"}\n\nEnable/Disable Lost Mode (iOS supervised)\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/enableLostMode\nBody: {\"message\": \"Dieses Gerät wurde als verloren gemeldet.\", \"phoneNumber\": \"+49...\", \"footer\": \"Kaffee & Code IT\"}\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/disableLostMode"
      },
      {
        "title": "2.1 List All Compliance Policies",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies\n\nPresent as: | Policy Name | Platform | Created | Last Modified |"
      },
      {
        "title": "2.2 Get Compliance Policy Details",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}"
      },
      {
        "title": "2.3 Get Compliance Policy Assignments",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}/assignments"
      },
      {
        "title": "2.4 Get Device Compliance Status per Policy",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}/deviceStatuses"
      },
      {
        "title": "2.5 Create a Compliance Policy",
        "body": "POST https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies\n⚠️ SAFETY: Confirm before creating."
      },
      {
        "title": "2.6 Delete a Compliance Policy",
        "body": "DELETE https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}\n⚠️ SAFETY: Requires explicit user confirmation!"
      },
      {
        "title": "3.1 List Configuration Policies (Recommended API)",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies\n\nThis is the modern, recommended endpoint covering Endpoint Security, Administrative Templates, and Settings Catalog."
      },
      {
        "title": "3.2 List Legacy Device Configuration Profiles",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"
      },
      {
        "title": "3.3 Get Configuration Policy Details",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}"
      },
      {
        "title": "3.4 Get Policy Settings",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}/settings"
      },
      {
        "title": "3.5 Get Policy Assignments",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}/assignments"
      },
      {
        "title": "3.6 Get Device Status per Config Profile",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{configId}/deviceStatuses"
      },
      {
        "title": "3.7 Create Configuration Policy",
        "body": "POST https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies\n⚠️ SAFETY: Confirm before creating."
      },
      {
        "title": "3.8 Delete Configuration Policy",
        "body": "DELETE https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}\n⚠️ SAFETY: Requires explicit user confirmation!"
      },
      {
        "title": "4.1 List All Apps",
        "body": "GET https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps\n\nPresent as: | App Name | Type | Publisher | Created |"
      },
      {
        "title": "4.2 Get App Details",
        "body": "GET https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/{appId}"
      },
      {
        "title": "4.3 Get App Assignments (Who gets the app?)",
        "body": "GET https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/{appId}/assignments"
      },
      {
        "title": "4.4 List App Configuration Policies",
        "body": "GET https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppPolicies"
      },
      {
        "title": "4.5 List App Protection Policies (MAM)",
        "body": "GET https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppRegistrations"
      },
      {
        "title": "4.6 Assign App to a Group",
        "body": "POST https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/{appId}/assignments\n⚠️ SAFETY: Confirm before assigning."
      },
      {
        "title": "4.7 List Detected Apps on Devices",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/detectedApps"
      },
      {
        "title": "4.8 Get Devices with a Specific Detected App",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/detectedApps/{detectedAppId}/managedDevices"
      },
      {
        "title": "5.1 List Security Baselines",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'baseline'"
      },
      {
        "title": "5.2 List Disk Encryption Policies (BitLocker/FileVault)",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'endpointSecurityDiskEncryption'"
      },
      {
        "title": "5.3 List Firewall Policies",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'endpointSecurityFirewall'"
      },
      {
        "title": "5.4 List Antivirus Policies (Defender)",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'endpointSecurityAntivirus'"
      },
      {
        "title": "5.5 List Attack Surface Reduction Rules",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'endpointSecurityAttackSurfaceReduction'"
      },
      {
        "title": "6.1 List Autopilot Devices",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities\n\nPresent as: | Serial Number | Model | Group Tag | Enrollment State | Last Seen |"
      },
      {
        "title": "6.2 Get Autopilot Device Details",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities/{id}"
      },
      {
        "title": "6.3 List Autopilot Deployment Profiles",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeploymentProfiles"
      },
      {
        "title": "6.4 Assign Autopilot Profile",
        "body": "POST https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities/{id}/assignUserToDevice\nBody: {\"userPrincipalName\": \"user@domain.com\"}"
      },
      {
        "title": "6.5 Delete Autopilot Device",
        "body": "DELETE https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities/{id}\n⚠️ SAFETY: Requires explicit user confirmation!"
      },
      {
        "title": "7.1 List Device Management Scripts",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts"
      },
      {
        "title": "7.2 Get Script Details",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/{scriptId}"
      },
      {
        "title": "7.3 Get Script Execution Status per Device",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/{scriptId}/deviceRunStates"
      },
      {
        "title": "7.4 Create/Upload a PowerShell Script",
        "body": "POST https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts\nBody must include scriptContent as a Base64-encoded string.\n⚠️ SAFETY: Show the decoded (plain-text) script content to the user first, then confirm before uploading."
      },
      {
        "title": "7.5 List Proactive Remediations (Health Scripts)",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts"
      },
      {
        "title": "7.6 Get Remediation Script Execution Results",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts/{scriptId}/deviceRunStates"
      },
      {
        "title": "8.1 List Users",
        "body": "GET https://graph.microsoft.com/v1.0/users?$select=displayName,userPrincipalName,accountEnabled,jobTitle"
      },
      {
        "title": "8.2 Search User",
        "body": "GET https://graph.microsoft.com/v1.0/users?$filter=startsWith(displayName,'{name}')"
      },
      {
        "title": "8.3 Get User Details",
        "body": "GET https://graph.microsoft.com/v1.0/users/{userId}"
      },
      {
        "title": "8.4 List Groups",
        "body": "GET https://graph.microsoft.com/v1.0/groups?$select=displayName,description,groupTypes,membershipRule"
      },
      {
        "title": "8.5 Get Group Members",
        "body": "GET https://graph.microsoft.com/v1.0/groups/{groupId}/members"
      },
      {
        "title": "8.6 Add User to Group",
        "body": "POST https://graph.microsoft.com/v1.0/groups/{groupId}/members/$ref\nBody: {\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/{userId}\"}\n⚠️ SAFETY: Confirm before adding."
      },
      {
        "title": "8.7 Remove User from Group",
        "body": "DELETE https://graph.microsoft.com/v1.0/groups/{groupId}/members/{userId}/$ref\n⚠️ SAFETY: Confirm before removing."
      },
      {
        "title": "8.8 List Devices for a User",
        "body": "GET https://graph.microsoft.com/v1.0/users/{userId}/managedDevices"
      },
      {
        "title": "9.1 Device Compliance Summary",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=complianceState\nAgent should calculate: X compliant, Y non-compliant, Z in-grace-period, and present as summary + table."
      },
      {
        "title": "9.2 OS Distribution Summary",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=operatingSystem\nAgent should group by OS and present: \"42 Windows, 15 iOS, 8 Android, 3 macOS\""
      },
      {
        "title": "9.3 Stale Devices (Not synced recently)",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=lastSyncDateTime lt {30_days_ago}&$select=deviceName,lastSyncDateTime,userPrincipalName\nAgent should calculate the date for 30 days ago automatically."
      },
      {
        "title": "9.4 Non-Compliant Devices Report",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=complianceState eq 'noncompliant'&$select=deviceName,complianceState,userPrincipalName,operatingSystem"
      },
      {
        "title": "9.5 Export Report Job",
        "body": "POST https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs\nBody: {\"reportName\": \"Devices\", \"filter\": \"\", \"select\": [\"DeviceName\",\"OS\",\"ComplianceState\"]}"
      },
      {
        "title": "10.1 List Device Categories",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/deviceCategories"
      },
      {
        "title": "10.2 Create Device Category",
        "body": "POST https://graph.microsoft.com/v1.0/deviceManagement/deviceCategories\nBody: {\"displayName\": \"Kategoriename\", \"description\": \"Beschreibung\"}"
      },
      {
        "title": "10.3 Set Device Category on a Device",
        "body": "PUT https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{deviceId}/deviceCategory/$ref"
      },
      {
        "title": "10.4 List Enrollment Restrictions",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations"
      },
      {
        "title": "11.1 List Intune Roles",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions"
      },
      {
        "title": "11.2 List Role Assignments",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/roleAssignments"
      },
      {
        "title": "11.3 Get Role Details",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions/{roleId}"
      },
      {
        "title": "💡 Agent Response Guidelines",
        "body": "When the user asks a question, follow this logic:\n\n\"Zeig mir alle Geräte\" → Use 1.1, format as table.\n\"Ist Gerät X compliant?\" → Use 1.2 to find it, then check complianceState.\n\"Sync Laptop von Max\" → Use 1.2 to find managedDeviceId, then use 1.4 Sync.\n\"Wie viele Geräte hab ich?\" → Use 9.2, give OS distribution + total count.\n\"Welche Geräte haben sich lange nicht gemeldet?\" → Use 9.3.\n\"Erstell mir eine Compliance Policy für Windows\" → Use 2.5, ask for requirements first.\n\"Welche Apps sind deployed?\" → Use 4.1.\n\"Füg User Max zur Gruppe IT-Geräte hinzu\" → Use 8.2 to find user, 8.4 to find group, then 8.6.\n\"Zeig mir den Status vom PowerShell Script XY\" → Use 7.3.\n\"Gib mir einen Compliance Report\" → Use 9.1 + 9.4.\n\"Zeig mir die Conditional Access Policies\" → Use 12.1.\n\"Welche WLAN-Profile sind deployed?\" → Use 13.1.\n\"Wie sind meine Windows Update Ringe konfiguriert?\" → Use 14.1.\n\"Wer hat letzte Woche was in Intune geändert?\" → Use 17.1.\n\"Kann Intune die Einstellung XY konfigurieren?\" → Use 18.1 Settings Catalog search.\n\"Zeig mir alle Autopilot-Geräte ohne zugewiesenes Profil\" → Use 6.1 + filter."
      },
      {
        "title": "12.1 List Conditional Access Policies",
        "body": "GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies\n\nPresent as: | Policy Name | State (enabled/disabled/report) | Conditions | Grant Controls |"
      },
      {
        "title": "12.2 Get Conditional Access Policy Details",
        "body": "GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{policyId}"
      },
      {
        "title": "12.3 Create Conditional Access Policy",
        "body": "POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies\n⚠️ SAFETY: Always confirm before creating. Show the user a summary of what the policy will do first.\n💡 TIP: Recommend creating in \"reportOnly\" state first for testing."
      },
      {
        "title": "12.4 Update Conditional Access Policy",
        "body": "PATCH https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{policyId}\n⚠️ SAFETY: Confirm before modifying. Explain what will change."
      },
      {
        "title": "12.5 Delete Conditional Access Policy",
        "body": "DELETE https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{policyId}\n⚠️ SAFETY: Requires explicit user confirmation!"
      },
      {
        "title": "12.6 List Named Locations (Trusted IPs / Countries)",
        "body": "GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations"
      },
      {
        "title": "12.7 Create Named Location",
        "body": "POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations\nExample IP-based:\n\n{\n  \"@odata.type\": \"#microsoft.graph.ipNamedLocation\",\n  \"displayName\": \"Büro-Netzwerk\",\n  \"isTrusted\": true,\n  \"ipRanges\": [{\"@odata.type\": \"#microsoft.graph.iPv4CidrRange\", \"cidrAddress\": \"192.168.1.0/24\"}]\n}"
      },
      {
        "title": "12.8 List Authentication Strengths",
        "body": "GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationStrength/policies"
      },
      {
        "title": "13.1 List WLAN Profiles",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations?$filter=isof('microsoft.graph.windowsWifiConfiguration') or isof('microsoft.graph.iosWiFiConfiguration') or isof('microsoft.graph.androidWorkProfileWiFiConfiguration')\n\nAlternative (all configs, then filter by odata.type for Wi-Fi):\nGET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations\nAgent should filter results where @odata.type contains WiFi or wifi."
      },
      {
        "title": "13.2 List VPN Profiles",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations\nAgent should filter results where @odata.type contains Vpn or vpn."
      },
      {
        "title": "13.3 Get WLAN/VPN Profile Details",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{configId}"
      },
      {
        "title": "13.4 Get WLAN/VPN Profile Assignment",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{configId}/assignments"
      },
      {
        "title": "13.5 List SCEP Certificate Profiles",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations\nAgent should filter results where @odata.type contains Scep or Certificate."
      },
      {
        "title": "13.6 List PKCS Certificate Profiles",
        "body": "Same endpoint, filter for Pkcs in @odata.type."
      },
      {
        "title": "13.7 List Trusted Root Certificate Profiles",
        "body": "Same endpoint, filter for TrustedRootCertificate in @odata.type."
      },
      {
        "title": "14.1 List Windows Update Rings",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations?$filter=isof('microsoft.graph.windowsUpdateForBusinessConfiguration')\n\nPresent as: | Ring Name | Deferral (Days) | Quality Updates | Feature Updates | Assigned To |"
      },
      {
        "title": "14.2 Get Update Ring Details",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{ringId}"
      },
      {
        "title": "14.3 List Feature Update Profiles",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles"
      },
      {
        "title": "14.4 Get Feature Update Profile Details",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles/{profileId}"
      },
      {
        "title": "14.5 Get Feature Update Deployment State per Device",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles/{profileId}/deviceUpdateStates"
      },
      {
        "title": "14.6 List Driver Update Profiles",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles"
      },
      {
        "title": "14.7 Get Driver Update Profile Details",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles/{profileId}"
      },
      {
        "title": "14.8 List Quality Update Profiles (Expedited Updates)",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/windowsQualityUpdateProfiles"
      },
      {
        "title": "14.9 Pause/Resume an Update Ring",
        "body": "POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{ringId}/windowsUpdateForBusinessConfiguration/pause\nPOST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{ringId}/windowsUpdateForBusinessConfiguration/resume\n⚠️ SAFETY: Confirm before pausing/resuming."
      },
      {
        "title": "15.1 List Apple DEP/ADE Enrollment Profiles",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings"
      },
      {
        "title": "15.2 List Apple DEP Tokens",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings/{depId}/enrollmentProfiles"
      },
      {
        "title": "15.3 List Apple Push Notification Certificate Info",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate\n\nShows: Expiration date, Subject, Certificate serial number.\n💡 Agent should proactively warn if certificate expires within 30 days!"
      },
      {
        "title": "15.4 List VPP Tokens (Volume Purchase Program)",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/vppTokens"
      },
      {
        "title": "15.5 List iOS/macOS Managed App Configurations",
        "body": "GET https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppPolicies\nFilter for iOS/macOS types."
      },
      {
        "title": "15.6 Activation Lock Bypass (iOS Supervised)",
        "body": "POST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/bypassActivationLock\n⚠️ SAFETY: Requires explicit user confirmation!"
      },
      {
        "title": "16.1 List Android Managed Store Apps",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings"
      },
      {
        "title": "16.2 List Android Enrollment Profiles",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles"
      },
      {
        "title": "16.3 Get Android Enterprise Binding Status",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings\n\nShows if Android Enterprise (Work Profile / Fully Managed / Dedicated) is connected."
      },
      {
        "title": "16.4 List Android App Protection Policies",
        "body": "GET https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections"
      },
      {
        "title": "17.1 List Intune Audit Events",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/auditEvents\n\nPresent as: | Date | Activity | Actor (who) | Target | Result |"
      },
      {
        "title": "17.2 Filter Audit Events by Date Range",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/auditEvents?$filter=activityDateTime gt {startDate} and activityDateTime lt {endDate}\n\nAgent should calculate the date range based on user request (e.g., \"letzte Woche\" → last 7 days)."
      },
      {
        "title": "17.3 Filter Audit Events by User",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/auditEvents?$filter=actor/userPrincipalName eq '{user@domain.com}'"
      },
      {
        "title": "17.4 Get Audit Event Details",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/auditEvents/{auditEventId}"
      },
      {
        "title": "17.5 List Directory Audit Logs (Entra ID level)",
        "body": "GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=category eq 'Device'"
      },
      {
        "title": "17.6 List Sign-In Logs",
        "body": "GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=appDisplayName eq 'Microsoft Intune'"
      },
      {
        "title": "18.1 Search Settings Catalog",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/configurationSettings?$search=\"{searchTerm}\"\n\nThis is extremely useful when the user asks: \"Can Intune configure setting X?\" or \"Hat Intune eine Einstellung für Bildschirmschoner?\""
      },
      {
        "title": "18.2 List Group Policy Migration Reports",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/groupPolicyMigrationReports\n\nUse this when the user asks about migrating from on-premises GPO to Intune."
      },
      {
        "title": "18.3 Get Migration Report Details",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/groupPolicyMigrationReports/{reportId}\n\nShows: Which GPO settings are supported in Intune, which are not, and recommended alternatives."
      },
      {
        "title": "18.4 List Group Policy Uploaded Definition Files",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/groupPolicyUploadedDefinitionFiles"
      },
      {
        "title": "19.1 List Terms & Conditions",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/termsAndConditions"
      },
      {
        "title": "19.2 Get Terms & Conditions Details",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/termsAndConditions/{termsId}"
      },
      {
        "title": "19.3 Get Terms Acceptance Status",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/termsAndConditions/{termsId}/acceptanceStatuses\n\nShows which users have accepted which version."
      },
      {
        "title": "19.4 Create Terms & Conditions",
        "body": "POST https://graph.microsoft.com/v1.0/deviceManagement/termsAndConditions\n⚠️ SAFETY: Confirm before creating."
      },
      {
        "title": "19.5 List Notification Message Templates",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/notificationMessageTemplates"
      },
      {
        "title": "19.6 Create Notification Template (Non-Compliance Email)",
        "body": "POST https://graph.microsoft.com/v1.0/deviceManagement/notificationMessageTemplates\n⚠️ SAFETY: Confirm before creating."
      },
      {
        "title": "19.7 Send Test Notification",
        "body": "POST https://graph.microsoft.com/v1.0/deviceManagement/notificationMessageTemplates/{templateId}/sendTestMessage\n⚠️ SAFETY: Confirm before sending."
      },
      {
        "title": "20.1 List iOS App Protection Policies",
        "body": "GET https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections"
      },
      {
        "title": "20.2 List Android App Protection Policies",
        "body": "GET https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections"
      },
      {
        "title": "20.3 List Windows Information Protection Policies",
        "body": "GET https://graph.microsoft.com/v1.0/deviceAppManagement/windowsInformationProtectionPolicies"
      },
      {
        "title": "20.4 Get App Protection Policy Details",
        "body": "GET https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/{policyId}\nor\nGET https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections/{policyId}"
      },
      {
        "title": "20.5 Get App Protection Status per User",
        "body": "GET https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppRegistrations?$filter=userId eq '{userId}'"
      },
      {
        "title": "20.6 Create App Protection Policy",
        "body": "POST https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections\nor\nPOST https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections\n⚠️ SAFETY: Confirm before creating. Show policy summary first."
      },
      {
        "title": "21.1 List All Enrollment Configurations",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations\n\nIncludes: Device Limit Restrictions, Platform Restrictions, Enrollment Status Page (ESP), Windows Hello for Business."
      },
      {
        "title": "21.2 Get Enrollment Configuration Details",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations/{configId}"
      },
      {
        "title": "21.3 Get Enrollment Configuration Assignments",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations/{configId}/assignments"
      },
      {
        "title": "21.4 List Enrollment Status Page (ESP) Profiles",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations?$filter=isof('microsoft.graph.windows10EnrollmentCompletionPageConfiguration')"
      },
      {
        "title": "21.5 List Windows Hello for Business Configurations",
        "body": "GET https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations?$filter=isof('microsoft.graph.deviceEnrollmentWindowsHelloForBusinessConfiguration')"
      },
      {
        "title": "22.1 List Assignment Filters",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/assignmentFilters\n\nPresent as: | Filter Name | Platform | Rule | Created |"
      },
      {
        "title": "22.2 Get Filter Details",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/assignmentFilters/{filterId}"
      },
      {
        "title": "22.3 Create Assignment Filter",
        "body": "POST https://graph.microsoft.com/beta/deviceManagement/assignmentFilters\n⚠️ SAFETY: Confirm before creating."
      },
      {
        "title": "22.4 Test/Preview Filter Results",
        "body": "POST https://graph.microsoft.com/beta/deviceManagement/assignmentFilters/{filterId}/getState"
      },
      {
        "title": "22.5 List Scope Tags",
        "body": "GET https://graph.microsoft.com/beta/deviceManagement/roleScopeTags"
      },
      {
        "title": "22.6 Create Scope Tag",
        "body": "POST https://graph.microsoft.com/beta/deviceManagement/roleScopeTags\n⚠️ SAFETY: Confirm before creating."
      }
    ],
    "body": "Microsoft Intune – Complete Management Skill\n\nThis skill gives the agent full control over Microsoft Intune via the Microsoft Graph API. It covers device management, application deployment, compliance & configuration policies, user & group management, Autopilot, PowerShell scripts, reporting, and all remote device actions.\n\n🔑 Authentication\n\nBefore ANY Intune operation, the agent MUST obtain an OAuth 2.0 access token.\n\nThe following environment variables must be configured:\n\nINTUNE_TENANT_ID – Microsoft 365 Tenant ID\nINTUNE_CLIENT_ID – Entra ID App Registration Client ID\nINTUNE_CLIENT_SECRET – Entra ID App Registration Secret (never print or log it)\nToken Request\n\nPOST https://login.microsoftonline.com/{INTUNE_TENANT_ID}/oauth2/v2.0/token\n\nBody (x-www-form-urlencoded):\n\nclient_id={INTUNE_CLIENT_ID}\n&scope=https://graph.microsoft.com/.default\n&client_secret={INTUNE_CLIENT_SECRET}\n&grant_type=client_credentials\n\n\nExtract access_token from the JSON response. Use it as:\n\nAuthorization: Bearer <access_token>\n\nRequired API Permissions (App Registration)\n\nThe Entra ID App Registration needs the following Microsoft Graph Application permissions:\n\nDeviceManagementManagedDevices.ReadWrite.All\nDeviceManagementConfiguration.ReadWrite.All\nDeviceManagementApps.ReadWrite.All\nDeviceManagementServiceConfig.ReadWrite.All\nDeviceManagementRBAC.ReadWrite.All\nDirectory.Read.All\nUser.Read.All\nGroup.ReadWrite.All\nGroupMember.ReadWrite.All\n🛡️ Safety Rules (CRITICAL)\nRead operations (GET): Make no changes to the tenant. Execute without confirmation, but treat the returned user, sign-in and audit-log data as sensitive.\nSync/Restart operations: Ask for confirmation: \"Soll ich Gerät X wirklich syncen/neustarten?\"\nDestructive operations (Wipe, Retire, Delete): ALWAYS require explicit confirmation. Say: \"⚠️ Achtung: Das löscht alle Daten auf dem Gerät. Bist du sicher?\"\nPolicy creation/modification: Confirm before applying: \"Soll ich diese Policy wirklich erstellen/ändern?\"\nNever dump raw JSON to the user. 
Always format output as readable Markdown tables or summaries.\nError handling: If an API call returns an error, explain the error in simple German and suggest a fix.\n📱 1. Device Management\n1.1 List All Managed Devices\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices\n\nUse $select to limit fields: ?$select=deviceName,operatingSystem,complianceState,lastSyncDateTime,userPrincipalName\n\nPresent results as a table: | Gerätename | OS | Compliance | Letzter Sync | Benutzer |\n\n1.2 Search for a Specific Device\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=deviceName eq '{deviceName}'\n\nAlternative search by user: ?$filter=userPrincipalName eq '{user@domain.com}'\n\n1.3 Get Device Details\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}\n\nShow: Device name, Serial number, OS version, Compliance state, Encryption status, Last sync, Enrolled date, Primary user.\n\n1.4 Remote Actions on a Device\nSync Device\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/syncDevice\n\nReboot Device\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/rebootNow\n\nLock Device (Remote Lock)\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/remoteLock\n\nReset Passcode\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/resetPasscode\n\nLocate Device (Lost Mode – iOS/Android)\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/locateDevice\n\nRetire Device (Remove Company Data Only)\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/retire ⚠️ SAFETY: Requires explicit user confirmation!\n\nWipe Device (Factory Reset)\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/wipe ⚠️ SAFETY: ALWAYS ask twice! 
This deletes ALL data!\n\nDelete Device from Intune\n\nDELETE https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId} ⚠️ SAFETY: Requires explicit user confirmation!\n\nRename Device\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/setDeviceName Body: {\"deviceName\": \"NEW-NAME\"}\n\nEnable/Disable Lost Mode (iOS supervised)\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/enableLostMode Body: {\"message\": \"Dieses Gerät wurde als verloren gemeldet.\", \"phoneNumber\": \"+49...\", \"footer\": \"Kaffee & Code IT\"}\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/disableLostMode\n\n📋 2. Compliance Policies\n2.1 List All Compliance Policies\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies\n\nPresent as: | Policy Name | Platform | Created | Last Modified |\n\n2.2 Get Compliance Policy Details\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}\n\n2.3 Get Compliance Policy Assignments\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}/assignments\n\n2.4 Get Device Compliance Status per Policy\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}/deviceStatuses\n\n2.5 Create a Compliance Policy\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies ⚠️ SAFETY: Confirm before creating.\n\n2.6 Delete a Compliance Policy\n\nDELETE https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId} ⚠️ SAFETY: Requires explicit user confirmation!\n\n⚙️ 3. 
Configuration Policies & Profiles\n3.1 List Configuration Policies (Recommended API)\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies\n\nThis is the modern, recommended endpoint covering Endpoint Security, Administrative Templates, and Settings Catalog.\n\n3.2 List Legacy Device Configuration Profiles\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations\n\n3.3 Get Configuration Policy Details\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}\n\n3.4 Get Policy Settings\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}/settings\n\n3.5 Get Policy Assignments\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}/assignments\n\n3.6 Get Device Status per Config Profile\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{configId}/deviceStatuses\n\n3.7 Create Configuration Policy\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies ⚠️ SAFETY: Confirm before creating.\n\n3.8 Delete Configuration Policy\n\nDELETE https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId} ⚠️ SAFETY: Requires explicit user confirmation!\n\n📦 4. 
App Management\n4.1 List All Apps\n\nGET https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps\n\nPresent as: | App Name | Type | Publisher | Created |\n\n4.2 Get App Details\n\nGET https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/{appId}\n\n4.3 Get App Assignments (Who gets the app?)\n\nGET https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/{appId}/assignments\n\n4.4 List App Configuration Policies\n\nGET https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppPolicies\n\n4.5 List App Protection Policies (MAM)\n\nGET https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppRegistrations\n\n4.6 Assign App to a Group\n\nPOST https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/{appId}/assignments ⚠️ SAFETY: Confirm before assigning.\n\n4.7 List Detected Apps on Devices\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/detectedApps\n\n4.8 Get Devices with a Specific Detected App\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/detectedApps/{detectedAppId}/managedDevices\n\n🔒 5. 
Endpoint Security\n5.1 List Security Baselines\n\nGET https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'baseline'\n\n5.2 List Disk Encryption Policies (BitLocker/FileVault)\n\nGET https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'endpointSecurityDiskEncryption'\n\n5.3 List Firewall Policies\n\nGET https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'endpointSecurityFirewall'\n\n5.4 List Antivirus Policies (Defender)\n\nGET https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'endpointSecurityAntivirus'\n\n5.5 List Attack Surface Reduction Rules\n\nGET https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'endpointSecurityAttackSurfaceReduction'\n\n🚀 6. Windows Autopilot\n6.1 List Autopilot Devices\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities\n\nPresent as: | Serial Number | Model | Group Tag | Enrollment State | Last Seen |\n\n6.2 Get Autopilot Device Details\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities/{id}\n\n6.3 List Autopilot Deployment Profiles\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeploymentProfiles\n\n6.4 Assign Autopilot Profile\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities/{id}/assignUserToDevice Body: {\"userPrincipalName\": \"user@domain.com\"}\n\n6.5 Delete Autopilot Device\n\nDELETE https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities/{id} ⚠️ SAFETY: Requires explicit user confirmation!\n\n📜 7. 
PowerShell Scripts & Remediation\n7.1 List Device Management Scripts\n\nGET https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts\n\n7.2 Get Script Details\n\nGET https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/{scriptId}\n\n7.3 Get Script Execution Status per Device\n\nGET https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/{scriptId}/deviceRunStates\n\n7.4 Create/Upload a PowerShell Script\n\nPOST https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts Body must include scriptContent as Base64-encoded string. ⚠️ SAFETY: Confirm before uploading. Show the script content to the user first.\n\n7.5 List Proactive Remediations (Health Scripts)\n\nGET https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts\n\n7.6 Get Remediation Script Execution Results\n\nGET https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts/{scriptId}/deviceRunStates\n\n👥 8. Users & Groups\n8.1 List Users\n\nGET https://graph.microsoft.com/v1.0/users?$select=displayName,userPrincipalName,accountEnabled,jobTitle\n\n8.2 Search User\n\nGET https://graph.microsoft.com/v1.0/users?$filter=startsWith(displayName,'{name}')\n\n8.3 Get User Details\n\nGET https://graph.microsoft.com/v1.0/users/{userId}\n\n8.4 List Groups\n\nGET https://graph.microsoft.com/v1.0/groups?$select=displayName,description,groupTypes,membershipRule\n\n8.5 Get Group Members\n\nGET https://graph.microsoft.com/v1.0/groups/{groupId}/members\n\n8.6 Add User to Group\n\nPOST https://graph.microsoft.com/v1.0/groups/{groupId}/members/$ref Body: {\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/{userId}\"} ⚠️ SAFETY: Confirm before adding.\n\n8.7 Remove User from Group\n\nDELETE https://graph.microsoft.com/v1.0/groups/{groupId}/members/{userId}/$ref ⚠️ SAFETY: Confirm before removing.\n\n8.8 List Devices for a User\n\nGET https://graph.microsoft.com/v1.0/users/{userId}/managedDevices\n\n📊 9. 
Reporting & Dashboards\n9.1 Device Compliance Summary\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=complianceState Agent should calculate: X compliant, Y non-compliant, Z in-grace-period, and present as summary + table.\n\n9.2 OS Distribution Summary\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=operatingSystem Agent should group by OS and present: \"42 Windows, 15 iOS, 8 Android, 3 macOS\"\n\n9.3 Stale Devices (Not synced recently)\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=lastSyncDateTime lt {30_days_ago}&$select=deviceName,lastSyncDateTime,userPrincipalName Agent should calculate the date for 30 days ago automatically.\n\n9.4 Non-Compliant Devices Report\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=complianceState eq 'noncompliant'&$select=deviceName,complianceState,userPrincipalName,operatingSystem\n\n9.5 Export Report Job\n\nPOST https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs Body: {\"reportName\": \"Devices\", \"filter\": \"\", \"select\": [\"DeviceName\",\"OS\",\"ComplianceState\"]}\n\n🏷️ 10. Device Categories & Enrollment\n10.1 List Device Categories\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/deviceCategories\n\n10.2 Create Device Category\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/deviceCategories Body: {\"displayName\": \"Kategoriename\", \"description\": \"Beschreibung\"}\n\n10.3 Set Device Category on a Device\n\nPUT https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{deviceId}/deviceCategory/$ref\n\n10.4 List Enrollment Restrictions\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations\n\n🔄 11. 
RBAC (Role-Based Access Control)\n11.1 List Intune Roles\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions\n\n11.2 List Role Assignments\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/roleAssignments\n\n11.3 Get Role Details\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions/{roleId}\n\n💡 Agent Response Guidelines\n\nWhen the user asks a question, follow this logic:\n\n\"Zeig mir alle Geräte\" → Use 1.1, format as table.\n\"Ist Gerät X compliant?\" → Use 1.2 to find it, then check complianceState.\n\"Sync Laptop von Max\" → Use 1.2 to find managedDeviceId, then use 1.4 Sync.\n\"Wie viele Geräte hab ich?\" → Use 9.2, give OS distribution + total count.\n\"Welche Geräte haben sich lange nicht gemeldet?\" → Use 9.3.\n\"Erstell mir eine Compliance Policy für Windows\" → Use 2.5, ask for requirements first.\n\"Welche Apps sind deployed?\" → Use 4.1.\n\"Füg User Max zur Gruppe IT-Geräte hinzu\" → Use 8.2 to find user, 8.4 to find group, then 8.6.\n\"Zeig mir den Status vom PowerShell Script XY\" → Use 7.3.\n\"Gib mir einen Compliance Report\" → Use 9.1 + 9.4.\n\"Zeig mir die Conditional Access Policies\" → Use 12.1.\n\"Welche WLAN-Profile sind deployed?\" → Use 13.1.\n\"Wie sind meine Windows Update Ringe konfiguriert?\" → Use 14.1.\n\"Wer hat letzte Woche was in Intune geändert?\" → Use 17.1.\n\"Kann Intune die Einstellung XY konfigurieren?\" → Use 18.1 Settings Catalog search.\n\"Zeig mir alle Autopilot-Geräte ohne zugewiesenes Profil\" → Use 6.1 + filter.\n🛡️ 12. 
Conditional Access (Bedingter Zugriff)\n12.1 List Conditional Access Policies\n\nGET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies\n\nPresent as: | Policy Name | State (enabled/disabled/report) | Conditions | Grant Controls |\n\n12.2 Get Conditional Access Policy Details\n\nGET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{policyId}\n\n12.3 Create Conditional Access Policy\n\nPOST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies ⚠️ SAFETY: Always confirm before creating. Show the user a summary of what the policy will do first. 💡 TIP: Recommend creating in \"reportOnly\" state first for testing.\n\n12.4 Update Conditional Access Policy\n\nPATCH https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{policyId} ⚠️ SAFETY: Confirm before modifying. Explain what will change.\n\n12.5 Delete Conditional Access Policy\n\nDELETE https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{policyId} ⚠️ SAFETY: Requires explicit user confirmation!\n\n12.6 List Named Locations (Trusted IPs / Countries)\n\nGET https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations\n\n12.7 Create Named Location\n\nPOST https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations Example IP-based:\n\n{\n  \"@odata.type\": \"#microsoft.graph.ipNamedLocation\",\n  \"displayName\": \"Büro-Netzwerk\",\n  \"isTrusted\": true,\n  \"ipRanges\": [{\"@odata.type\": \"#microsoft.graph.iPv4CidrRange\", \"cidrAddress\": \"192.168.1.0/24\"}]\n}\n\n12.8 List Authentication Strengths\n\nGET https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationStrength/policies\n\n📶 13. 
WLAN, VPN & Zertifikate\n13.1 List WLAN Profiles\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations?$filter=isof('microsoft.graph.windowsWifiConfiguration') or isof('microsoft.graph.iosWiFiConfiguration') or isof('microsoft.graph.androidWorkProfileWiFiConfiguration')\n\nAlternative (all configs, then filter by odata.type for Wi-Fi): GET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations Agent should filter results where @odata.type contains WiFi or wifi.\n\n13.2 List VPN Profiles\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations Agent should filter results where @odata.type contains Vpn or vpn.\n\n13.3 Get WLAN/VPN Profile Details\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{configId}\n\n13.4 Get WLAN/VPN Profile Assignment\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{configId}/assignments\n\n13.5 List SCEP Certificate Profiles\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations Agent should filter results where @odata.type contains Scep or Certificate.\n\n13.6 List PKCS Certificate Profiles\n\nSame endpoint, filter for Pkcs in @odata.type.\n\n13.7 List Trusted Root Certificate Profiles\n\nSame endpoint, filter for TrustedRootCertificate in @odata.type.\n\n🔄 14. 
Windows Update Management\n14.1 List Windows Update Rings\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations?$filter=isof('microsoft.graph.windowsUpdateForBusinessConfiguration')\n\nPresent as: | Ring Name | Deferral (Days) | Quality Updates | Feature Updates | Assigned To |\n\n14.2 Get Update Ring Details\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{ringId}\n\n14.3 List Feature Update Profiles\n\nGET https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles\n\n14.4 Get Feature Update Profile Details\n\nGET https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles/{profileId}\n\n14.5 Get Feature Update Deployment State per Device\n\nGET https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles/{profileId}/deviceUpdateStates\n\n14.6 List Driver Update Profiles\n\nGET https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles\n\n14.7 Get Driver Update Profile Details\n\nGET https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles/{profileId}\n\n14.8 List Quality Update Profiles (Expedited Updates)\n\nGET https://graph.microsoft.com/beta/deviceManagement/windowsQualityUpdateProfiles\n\n14.9 Pause/Resume an Update Ring\n\nPOST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{ringId}/windowsUpdateForBusinessConfiguration/pause POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{ringId}/windowsUpdateForBusinessConfiguration/resume ⚠️ SAFETY: Confirm before pausing/resuming.\n\n🍎 15. 
Apple Device Management\n15.1 List Apple DEP/ADE Enrollment Profiles\n\nGET https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings\n\n15.2 List Apple DEP Tokens\n\nGET https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings/{depId}/enrollmentProfiles\n\n15.3 List Apple Push Notification Certificate Info\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate\n\nShows: Expiration date, Subject, Certificate serial number. 💡 Agent should proactively warn if certificate expires within 30 days!\n\n15.4 List VPP Tokens (Volume Purchase Program)\n\nGET https://graph.microsoft.com/beta/deviceManagement/vppTokens\n\n15.5 List iOS/macOS Managed App Configurations\n\nGET https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppPolicies Filter for iOS/macOS types.\n\n15.6 Activation Lock Bypass (iOS Supervised)\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/bypassActivationLock ⚠️ SAFETY: Requires explicit user confirmation!\n\n🤖 16. Android Enterprise Management\n16.1 List Android Managed Store Apps\n\nGET https://graph.microsoft.com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings\n\n16.2 List Android Enrollment Profiles\n\nGET https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles\n\n16.3 Get Android Enterprise Binding Status\n\nGET https://graph.microsoft.com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings\n\nShows if Android Enterprise (Work Profile / Fully Managed / Dedicated) is connected.\n\n16.4 List Android App Protection Policies\n\nGET https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections\n\n📝 17. 
Audit Logs & Activity\n17.1 List Intune Audit Events\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/auditEvents\n\nPresent as: | Date | Activity | Actor (who) | Target | Result |\n\n17.2 Filter Audit Events by Date Range\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/auditEvents?$filter=activityDateTime gt {startDate} and activityDateTime lt {endDate}\n\nAgent should calculate the date range based on user request (e.g., \"letzte Woche\" → last 7 days).\n\n17.3 Filter Audit Events by User\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/auditEvents?$filter=actor/userPrincipalName eq '{user@domain.com}'\n\n17.4 Get Audit Event Details\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/auditEvents/{auditEventId}\n\n17.5 List Directory Audit Logs (Entra ID level)\n\nGET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=category eq 'Device'\n\n17.6 List Sign-In Logs\n\nGET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=appDisplayName eq 'Microsoft Intune'\n\n🏗️ 18. Settings Catalog & GPO Analytics\n18.1 Search Settings Catalog\n\nGET https://graph.microsoft.com/beta/deviceManagement/configurationSettings?$search=\"{searchTerm}\"\n\nThis is extremely useful when the user asks: \"Can Intune configure setting X?\" or \"Hat Intune eine Einstellung für Bildschirmschoner?\"\n\n18.2 List Group Policy Migration Reports\n\nGET https://graph.microsoft.com/beta/deviceManagement/groupPolicyMigrationReports\n\nUse this when the user asks about migrating from on-premises GPO to Intune.\n\n18.3 Get Migration Report Details\n\nGET https://graph.microsoft.com/beta/deviceManagement/groupPolicyMigrationReports/{reportId}\n\nShows: Which GPO settings are supported in Intune, which are not, and recommended alternatives.\n\n18.4 List Group Policy Uploaded Definition Files\n\nGET https://graph.microsoft.com/beta/deviceManagement/groupPolicyUploadedDefinitionFiles\n\n📄 19. 
Terms & Conditions and Notifications\n19.1 List Terms & Conditions\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/termsAndConditions\n\n19.2 Get Terms & Conditions Details\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/termsAndConditions/{termsId}\n\n19.3 Get Terms Acceptance Status\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/termsAndConditions/{termsId}/acceptanceStatuses\n\nShows which users have accepted which version.\n\n19.4 Create Terms & Conditions\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/termsAndConditions ⚠️ SAFETY: Confirm before creating.\n\n19.5 List Notification Message Templates\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/notificationMessageTemplates\n\n19.6 Create Notification Template (Non-Compliance Email)\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/notificationMessageTemplates ⚠️ SAFETY: Confirm before creating.\n\n19.7 Send Test Notification\n\nPOST https://graph.microsoft.com/v1.0/deviceManagement/notificationMessageTemplates/{templateId}/sendTestMessage ⚠️ SAFETY: Confirm before sending.\n\n🔐 20. 
App Protection Policies (MAM)\n20.1 List iOS App Protection Policies\n\nGET https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections\n\n20.2 List Android App Protection Policies\n\nGET https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections\n\n20.3 List Windows Information Protection Policies\n\nGET https://graph.microsoft.com/v1.0/deviceAppManagement/windowsInformationProtectionPolicies\n\n20.4 Get App Protection Policy Details\n\nGET https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/{policyId} or GET https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections/{policyId}\n\n20.5 Get App Protection Status per User\n\nGET https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppRegistrations?$filter=userId eq '{userId}'\n\n20.6 Create App Protection Policy\n\nPOST https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections or POST https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections ⚠️ SAFETY: Confirm before creating. Show policy summary first.\n\n📱 21. 
Enrollment Configuration\n21.1 List All Enrollment Configurations\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations\n\nIncludes: Device Limit Restrictions, Platform Restrictions, Enrollment Status Page (ESP), Windows Hello for Business.\n\n21.2 Get Enrollment Configuration Details\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations/{configId}\n\n21.3 Get Enrollment Configuration Assignments\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations/{configId}/assignments\n\n21.4 List Enrollment Status Page (ESP) Profiles\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations?$filter=isof('microsoft.graph.windows10EnrollmentCompletionPageConfiguration')\n\n21.5 List Windows Hello for Business Configurations\n\nGET https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations?$filter=isof('microsoft.graph.deviceEnrollmentWindowsHelloForBusinessConfiguration')\n\n🧮 22. Filters & Scope Tags\n22.1 List Assignment Filters\n\nGET https://graph.microsoft.com/beta/deviceManagement/assignmentFilters\n\nPresent as: | Filter Name | Platform | Rule | Created |\n\n22.2 Get Filter Details\n\nGET https://graph.microsoft.com/beta/deviceManagement/assignmentFilters/{filterId}\n\n22.3 Create Assignment Filter\n\nPOST https://graph.microsoft.com/beta/deviceManagement/assignmentFilters ⚠️ SAFETY: Confirm before creating.\n\n22.4 Test/Preview Filter Results\n\nPOST https://graph.microsoft.com/beta/deviceManagement/assignmentFilters/{filterId}/getState\n\n22.5 List Scope Tags\n\nGET https://graph.microsoft.com/beta/deviceManagement/roleScopeTags\n\n22.6 Create Scope Tag\n\nPOST https://graph.microsoft.com/beta/deviceManagement/roleScopeTags ⚠️ SAFETY: Confirm before creating."
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/MattiaCirillo/openclaw-intune-skill",
    "publisherUrl": "https://clawhub.ai/MattiaCirillo/openclaw-intune-skill",
    "owner": "MattiaCirillo",
    "version": "1.0.1",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/openclaw-intune-skill",
    "downloadUrl": "https://openagent3.xyz/downloads/openclaw-intune-skill",
    "agentUrl": "https://openagent3.xyz/skills/openclaw-intune-skill/agent",
    "manifestUrl": "https://openagent3.xyz/skills/openclaw-intune-skill/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/openclaw-intune-skill/agent.md"
  }
}