Managing devices through Microsoft Intune requires efficient tracking of device compliance, and one key task for administrators is to keep users informed about the status of their devices. In some cases, users may have devices that are not compliant with your organization’s policies. To automate the process of notifying these users, you can use the Microsoft Graph API in combination with PowerShell to send an email to users whose devices are non-compliant.
In this blog post, we'll walk through a PowerShell script that pulls non-compliant device data from Intune via the Microsoft Graph API and sends a notification email to each affected user informing them about the non-compliant status.
Prerequisites:
Before running the script, ensure the following prerequisites are met:
- Microsoft Graph PowerShell SDK is installed. You can install it with the following command (the umbrella module pulls in every submodule; the script itself only needs Microsoft.Graph.Authentication and Microsoft.Graph.DeviceManagement, plus Microsoft.Graph.Users.Actions if you send mail through Graph):
  Install-Module Microsoft.Graph -Scope CurrentUser
- Permissions: make sure the account you sign in with can consent to the Microsoft Graph scopes the script requests. The script only reads device records, so ask for the read-only scope rather than ReadWrite (least privilege; a compromised session or stolen token then cannot retire, wipe or reassign devices):
  - DeviceManagementManagedDevices.Read.All to read managed devices and their compliance state.
  - Mail.Send if you send the notification through Graph (Send-MgUserMail) instead of SMTP.
  - User.Read only covers the signed-in user's own profile and is not needed to read the userPrincipalName stored on the device record. If you resolve UPNs to mailbox addresses with Get-MgUser (the UPN is not always the primary SMTP address), you also need User.ReadBasic.All.
- SMTP server setup: if you keep the SMTP path, you need a mailbox on an SMTP server (here Exchange Online, smtp.office365.com on port 587) with SMTP AUTH enabled for that mailbox, and you must pass its credentials with -Credential; Exchange Online rejects unauthenticated submission on 587. Be aware that Microsoft documents Send-MailMessage as obsolete (it does not guarantee a secure connection to the SMTP server) and is retiring Basic authentication for SMTP AUTH client submission, so sending through the Graph session you already have is the more durable option.
- PowerShell version: PowerShell 7.x is recommended; Windows PowerShell 5.1 also works with the Microsoft Graph SDK.
PowerShell Script to Send Emails to Non-Compliant Users
Here is a simple PowerShell script to get the non-compliant devices and send an email to the respective users:
# Connect to Microsoft Graph. The script only reads device records, so request
# the read-only scope rather than ReadWrite.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

# Get the list of non-compliant devices. -All pages through the whole result set;
# without it only the first page is returned. @() guarantees .Count works even
# when zero or one device comes back.
$nonCompliantDevices = @(Get-MgDeviceManagementManagedDevice -Filter "complianceState eq 'noncompliant'" -All)

# Check if we found any non-compliant devices
if ($nonCompliantDevices.Count -eq 0) {
    Write-Host "No non-compliant devices found."
    Disconnect-MgGraph | Out-Null
    return
}

# Email settings (the same for every message, so set them once, outside the loop)
$smtpServer = "smtp.office365.com"
$port       = 587
$from       = "IntuneAdmin@domain.com"
$subject    = "Non-Compliant Device"
# Exchange Online rejects unauthenticated submission on port 587: supply the
# sending mailbox's credentials (SMTP AUTH must be enabled on that mailbox).
$cred = Get-Credential -UserName $from -Message "Password for the sending mailbox"

# Loop through each non-compliant device and send an email
foreach ($device in $nonCompliantDevices) {
    # Display device details in console (for debugging)
    Write-Host "User: $($device.UserPrincipalName)"
    Write-Host "Device Name: $($device.DeviceName)"
    Write-Host "Compliance State: $($device.ComplianceState)"
    Write-Host "----------------------------------------------------------"

    # Prepare email body and recipient
    $body = "Device $($device.DeviceName) assigned to $($device.UserPrincipalName) is not currently compliant."
    $to   = $device.UserPrincipalName

    # Ensure the address is valid; devices with no primary user (kiosk/shared) have an empty UPN
    if ($to -match "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$") {
        try {
            # Send email using SMTP. Send-MailMessage is documented as obsolete and
            # depends on Basic authentication; -ErrorAction Stop turns its
            # non-terminating errors into exceptions so the catch block actually runs.
            Send-MailMessage -To $to -From $from -Subject $subject -Body $body -SmtpServer $smtpServer -Port $port -UseSsl -Credential $cred -ErrorAction Stop
            Write-Host "Email sent to: $to"
        } catch {
            Write-Error "Failed to send email to $to. Error: $_"
        }
    } else {
        Write-Host "Invalid or missing email address for user: '$($device.UserPrincipalName)' (device $($device.DeviceName))"
    }
}

# Optional: Disconnect from the Graph API after the operation
Disconnect-MgGraph
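The SMTP path above needs a stored mailbox password and Basic authentication, and it mails a user once per device. The following is an added example (not code from the original post) that keeps everything inside the Graph session: it requests only read access to devices, resolves each UPN to the directory mail attribute, groups devices per user so each person gets a single message, sends with Send-MgUserMail as the signed-in admin, and reports devices that have no primary user to the console instead of mailing nobody. The Company Portal wording in the body and the subject line are assumptions you can change.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
# Added example, not part of the original post. Assumes a delegated sign-in:
# the mail is sent from the signed-in admin's mailbox, with no SMTP credentials.

# Read-only device scope (least privilege), mailbox lookup, and mail send.
Connect-MgGraph -Scopes @(
    'DeviceManagementManagedDevices.Read.All',
    'User.ReadBasic.All',
    'Mail.Send'
) -NoWelcome
$sender = (Get-MgContext).Account   # UPN of the signed-in admin

# Only the properties the mail needs; -All walks every page of results.
$devices = @(Get-MgDeviceManagementManagedDevice `
    -Filter "complianceState eq 'noncompliant'" `
    -Property @('deviceName', 'userPrincipalName', 'complianceState', 'operatingSystem', 'lastSyncDateTime') `
    -All)

# Group by user so someone with three non-compliant devices gets one mail, not
# three. Devices without a primary user (kiosk/shared) have an empty UPN and
# are reported to the admin instead.
$byUser  = $devices | Where-Object { $_.UserPrincipalName } | Group-Object -Property UserPrincipalName
$orphans = @($devices | Where-Object { -not $_.UserPrincipalName })

function Resolve-MailboxAddress {
    param([string]$UserPrincipalName)
    # The UPN is usually, but not always, the primary SMTP address; prefer the
    # directory 'mail' attribute and skip accounts that have none.
    try {
        $u = Get-MgUser -UserId $UserPrincipalName -Property @('mail', 'userPrincipalName') -ErrorAction Stop
        if ($u.Mail) { return $u.Mail }
    } catch {
        Write-Warning "Could not look up ${UserPrincipalName}: $($_.Exception.Message)"
    }
    return $null
}

function New-NoncomplianceBody {
    param([object[]]$UserDevices)
    $lines = foreach ($d in $UserDevices) {
        "- $($d.DeviceName) ($($d.OperatingSystem)), last synced $($d.LastSyncDateTime)"
    }
    return @"
Hello,

The following device(s) assigned to you are not compliant with company policy:

$($lines -join "`n")

Please open the Company Portal app, select the device and choose "Check status"
to see which setting needs attention. Access to company resources may be blocked
until the device is compliant.
"@
}

foreach ($group in $byUser) {
    $upn     = $group.Name
    $address = Resolve-MailboxAddress -UserPrincipalName $upn
    if (-not $address) { Write-Warning "Skipping $upn (no mailbox address)"; continue }

    $mail = @{
        message = @{
            subject      = "Action required: $($group.Count) non-compliant device(s)"
            body         = @{ contentType = 'Text'; content = (New-NoncomplianceBody -UserDevices $group.Group) }
            toRecipients = @(@{ emailAddress = @{ address = $address } })
        }
        saveToSentItems = $true
    }
    try {
        # Sends as the signed-in admin over the existing Graph token.
        Send-MgUserMail -UserId $sender -BodyParameter $mail -ErrorAction Stop
        Write-Host "Notified $address about $($group.Count) device(s)"
    } catch {
        Write-Error "Mail to $address failed: $($_.Exception.Message)"
    }
}

if ($orphans.Count -gt 0) {
    Write-Warning "$($orphans.Count) non-compliant device(s) have no primary user: $($orphans.DeviceName -join ', ')"
}

Disconnect-MgGraph | Out-Null
```

With delegated Mail.Send the token can only send as the signed-in user, which is why the script reads the sender from Get-MgContext. If you later run this unattended with app-only authentication, application Mail.Send allows sending as any mailbox in the tenant, so scope it down with an Exchange Online Application Access Policy (New-ApplicationAccessPolicy) that restricts the app to the notification mailbox.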
Useful References:
- Microsoft Graph PowerShell SDK documentation: https://learn.microsoft.com/en-us/powershell/microsoftgraph/intune/introduction
Conclusion:
By using the Microsoft Graph API and PowerShell, you can automate the process of identifying non-compliant devices in Microsoft Intune and sending notifications to their users, and you can do it with a read-only device scope and without storing an SMTP password. Keep in mind that Intune compliance policies already include built-in "Actions for noncompliance" that can email the user; a script like this earns its place when you need custom wording, per-user grouping, or reporting that the built-in action does not provide. Either way, users are promptly informed of issues with their devices, which shortens the window in which a non-compliant device is blocked from company resources.