
Intune APIs

Here is an exhaustive list of the APIs used by Exodus.

Read-only requests

Get group

GET /groups/{groupId}

API documentation

  • Permission: GroupMember.Read.All
  • Used by: Source

This request is used to validate the EMM configuration when creating a Migration or updating the credentials.

List group transitive members

GET /groups/{groupId}/transitiveMembers

API documentation

  • Permissions: GroupMember.Read.All and Device.Read.All
  • Used by: Source

This request is used to retrieve the list of the devices that are members of the Source Tenant group.

List managedDevices

GET /deviceManagement/managedDevices

API documentation

  • Permission: DeviceManagementManagedDevices.Read.All
  • Used by: Source and Target

In the Source Tenant, this request is used to retrieve the information of an enrolled device. In the Target Tenant, it is used to search for the device by its serial number or by its user. This request is also used to validate the permissions when creating a Migration.

Get managedDevice

GET /deviceManagement/managedDevices/{managedDeviceId}

API documentation

  • Permission: DeviceManagementManagedDevices.Read.All
  • Used by: Source

This request is used to retrieve the status of a device in the Source Tenant.

List mobileApps

GET /deviceAppManagement/mobileApps

API documentation

  • Permission: DeviceManagementApps.Read.All
  • Used by: Source

This request is used to find the iOS Companion App in the Source Tenant.

List mobileAppInstallStatuses

GET /deviceAppManagement/mobileApps/{mobileAppId}/deviceStatuses

API documentation

  • Permission: DeviceManagementApps.Read.All
  • Used by: Source

This request is used to verify that the iOS Companion App is installed on the device in the Source Tenant.

List users

GET /users

API documentation

  • Permission: User.Read.All
  • Used by: Target

This request is used to search for the user by email to verify that they exist in the Target Tenant.

Get a user

GET /users/{userPrincipalName}

API documentation

  • Permission: User.Read.All
  • Used by: Target

This request is used to search for the user by UPN to verify that they exist in the Target Tenant.

List depOnboardingSettings

GET /deviceManagement/depOnboardingSettings

API documentation

  • Permission: DeviceManagementServiceConfig.Read.All
  • Used by: Source and Target

This request is used to retrieve the Apple Device Enrollment Program onboarding settings in the Intune Tenant.

List importedAppleDeviceIdentities

GET /deviceManagement/depOnboardingSettings/{depOnboardingSettingId}/importedAppleDeviceIdentities

API documentation

  • Permission: DeviceManagementServiceConfig.Read.All
  • Used by: Source and Target

This request is used to retrieve the list of the iOS devices that are managed by Apple Device Enrollment Program in the Intune Tenant.

Write actions

syncWithAppleDeviceEnrollmentProgram action

POST /deviceManagement/depOnboardingSettings/{depOnboardingSettingId}/syncWithAppleDeviceEnrollmentProgram

API documentation

  • Permission: DeviceManagementServiceConfig.ReadWrite.All
  • Used by: Target

This request is used to trigger a synchronization between the Apple Device Enrollment Program and the Target Tenant.

retire action

POST /deviceManagement/managedDevices/{managedDeviceId}/retire

API documentation

  • Permission: DeviceManagementManagedDevices.PrivilegedOperations.All
  • Used by: Source

This request is used to remove an enrolled device from the Source Tenant.

wipe action

POST /deviceManagement/managedDevices/{managedDeviceId}/wipe

API documentation

  • Permission: DeviceManagementManagedDevices.ReadWrite.All
  • Used by: Source

This request is used to wipe an enrolled device that is managed by Apple Device Enrollment Program in the Source Tenant.

bypassActivationLock action

POST /deviceManagement/managedDevices/{managedDeviceId}/bypassActivationLock

API documentation

  • Permission: DeviceManagementManagedDevices.PrivilegedOperations.All
  • Used by: Source

This request is used to disable the Activation Lock feature before wiping an enrolled device that is managed by Apple Device Enrollment Program in the Source Tenant.

Permissions

Application Permissions

The API permissions listed below need to be granted to Exodus as Application Permissions.

Exodus (Intune as Source)
  • Device.Read.All
  • DeviceManagementApps.Read.All
  • DeviceManagementManagedDevices.PrivilegedOperations.All
  • DeviceManagementManagedDevices.ReadWrite.All
  • DeviceManagementServiceConfig.Read.All
  • GroupMember.Read.All
Exodus (Intune as Target)
  • DeviceManagementManagedDevices.Read.All
  • DeviceManagementServiceConfig.ReadWrite.All
  • User.Read.All
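
One way to check that an app registration holds exactly the permissions listed above and nothing broader. This is an added example, not Exodus code: it assumes an app-only Microsoft Graph access token, which carries the granted application permissions in its roles claim, and the function names and the sample token are constructed for illustration.

```python
import base64
import json

# Application permissions exactly as listed on this page.
EXPECTED = {
    "source": {
        "Device.Read.All",
        "DeviceManagementApps.Read.All",
        "DeviceManagementManagedDevices.PrivilegedOperations.All",
        "DeviceManagementManagedDevices.ReadWrite.All",
        "DeviceManagementServiceConfig.Read.All",
        "GroupMember.Read.All",
    },
    "target": {
        "DeviceManagementManagedDevices.Read.All",
        "DeviceManagementServiceConfig.ReadWrite.All",
        "User.Read.All",
    },
}


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (audit use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(token, side):
    """Diff the token's `roles` claim against the documented set for `side`."""
    granted = set(jwt_claims(token).get("roles", []))
    expected = EXPECTED[side]
    return {"missing": sorted(expected - granted), "excess": sorted(granted - expected)}


def constructed_token(roles):
    """Build an unsigned sample token (constructed test data, not a credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), "sig"])

SAMPLE = constructed_token([
    "User.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementManagedDevices.ReadWrite.All",  # not in the Target list
])
print(audit_roles(SAMPLE, "target"))
```

An empty "excess" list means the registration carries no application permission beyond the documented set for that side; an empty "missing" list means every documented permission has been granted.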

Delegated Permissions

When creating a Migration, the user needs to sign in using an Azure Active Directory account so Exodus can verify that they are authorized to use Exodus in the Intune Tenant.

An Azure administrator must first authorize the user to use Exodus by assigning the Exodus Administrator app role to them.

The following Delegated Permissions are used by Exodus in order to sign the user in and verify their App role:

  • openid
  • profile