In this post we will see how to query Intune resource from a Logic App by using an Azure app registration.


Blog series

In the first part we ave seen how to create our first Logic App.

Now we will use it to authenticate to MS Graph through an Azure app.


Creating the Azure Application

1. Go to App registrations

2. Click on New registration


3. Type a name


4. Let other fields by default

5. Click on Register


Adding permissions

Here we want to add some permissions to our Azure Application.

Those permissions will be used by our Logic App to execute some MS Graph request.

This way the Logic App will use the Azure app to execute some actions instead of using some specific credentials.

Here we want to get information about devices in Intune. For this the appropriate resource to use is DeviceManagementManagedDevices.

We want to to get info meaning read info, so the appropriate permission is the following one: DeviceManagementManagedDevices.Read.All


We will proceed as below:

1. Go to API permissions

2. Click on Add a permission

3. Choose Microsoft Graph

4. Choose Application permissions

5. Choose your permission

6. Click on Add permissions

7. Click on Grant admin consent


Creating a secret

Here we want to configure a secret for our Azure Application.

This secret will be used as a password in our Logic App to execute MS Graph request.


We will proceed as below:

1. Go to Certificates & Secrets

2. Go to Clients secrets

3. Click on New client secret

4. In description type a name

5. Choose when it should expire

6. Click on Add


Ok you will say it's not really safe to store the secret like this, that's why in the next posts we see how to secure it by using secret from a key vault or authenticating through a managed identity.


Graph query in Logic App

Now let's create the Logic App first. We will proceed as below:

1. Go to Logic Apps

2. Click on Add

3. Choose a subscription

4. Choose a resource group

5. Type a name

6. Choose a Region

7. Select Consumption

8. Click on Review + Create

9. Go to Logic App Designer


10. Click on recurrence

11. Choose your schedule


We will then query MS Graph through our Azure app. 

For this, we need to add a new step to do a HTTP request. This step is called HTTP.


We will proceed as below:

1. Click on New step

2. Choose HTTP


3. In Method select GET



4. In URI type the MS Graph resource URL

5. In our case it's https://graph.microsoft.com/beta/deviceManagement/managedDevices

6. Clic on Add new parameter

7. Check Authentication


8. Select Active Directory OAuth

9. In TenantID, type your tenant id

10. In Audience, type https://graph.microsoft.com

11. In Client ID, type the client id of the azure app

12. In Credential type, choose Secret

13. In Secret, type the secret of the azure app


14. Save the app


Now we will run the Logic App to check if the query and HTTP step work. We will also need to copy the body provided by the HTTP step.


We will proceed as below:

1. Click on Run trigger Run

2. When it's finished go to the HTTP step

3. Go to the Body part

4. Copy content


We will use the body content in the Parse JSON part (just below).


Now we will add a Parse JSON step, as below:

1. Click on New step

2. Type Parse JSON

It's a component of Data operations

3. Select Parse JSON


4. Click on Content 


5. Go to Dynamic content and type Body


6. Select Body from Dynamic content


7. Click on Use sample payload to generate schema

8. Paste JSON content copied before


What's next ?

In the next post we will how to use an Azure app for our MS Graph queries without providing in plain text the app info (client id and secret). Indeed we will store those info to a Key Vault and use it in our Logic App.