Intune APIs

Here is an exhaustive list of the Intune APIs used by Exodus.

Read-only requests

Get group

GET /groups/{groupId}

API documentation

  • Permission: Directory.Read.All
  • Used by: Source

This request is used to validate the EMM configuration when creating a Migration or updating the credentials.

List group transitive members

GET /groups/{groupId}/transitiveMembers

API documentation

  • Permission: Directory.Read.All
  • Used by: Source

This request is used to retrieve the list of the devices that are members of the Source Tenant group.

List managedDevices

GET /deviceManagement/managedDevices

API documentation

  • Permission: DeviceManagementManagedDevices.Read.All (already included in DeviceManagementManagedDevices.ReadWrite.All)
  • Used by: Source and Target

In the Source Tenant, this request is used to retrieve the information of an enrolled device. In the Target Tenant, it is used to search the device by its serial number or by its user. This request is also used to verify that the Azure administrator account has sufficient permissions when creating a Migration or updating the credentials.

Get managedDevice

GET /deviceManagement/managedDevices/{managedDeviceId}

API documentation

  • Permission: DeviceManagementManagedDevices.Read.All (already included in DeviceManagementManagedDevices.ReadWrite.All)
  • Used by: Source

This request is used to retrieve the status of a device in the Source Tenant.

List mobileApps

GET /deviceAppManagement/mobileApps

API documentation

  • Permission: DeviceManagementApps.Read.All
  • Used by: Source

This request is used to find the iOS Companion App in the Source Tenant.

List mobileAppInstallStatuses

GET /deviceAppManagement/mobileApps/{mobileAppId}/deviceStatuses

API documentation

  • Permission: DeviceManagementApps.Read.All
  • Used by: Source

This request is used to verify that the iOS Companion App is installed on the device in the Source Tenant.

List users

GET /users

API documentation

  • Permission: Directory.Read.All
  • Used by: Target

This request is used to search the user by email to verify that it exists in the Target Tenant.

Get a user

GET /users/{userPrincipalName}

API documentation

  • Permission: Directory.Read.All
  • Used by: Target

This request is used to search the user by UPN to verify that it exists in the Target Tenant.

List depOnboardingSettings

GET /deviceManagement/depOnboardingSettings

API documentation

  • Permission: DeviceManagementServiceConfig.Read.All (already included in DeviceManagementServiceConfig.ReadWrite.All)
  • Used by: Target

This request is used to retrieve the Apple Device Enrollment Program onboarding settings in the Target Tenant.

List importedAppleDeviceIdentities

GET /deviceManagement/depOnboardingSettings/{depOnboardingSettingId}/importedAppleDeviceIdentities

API documentation

  • Permission: DeviceManagementServiceConfig.Read.All (already included in DeviceManagementServiceConfig.ReadWrite.All)
  • Used by: Target

This request is used to retrieve the list of the iOS devices that are managed by Apple Device Enrollment Program in the Target Tenant.

Write actions

syncWithAppleDeviceEnrollmentProgram action

POST /deviceManagement/depOnboardingSettings/{depOnboardingSettingId}/syncWithAppleDeviceEnrollmentProgram

API documentation

  • Permission: DeviceManagementServiceConfig.ReadWrite.All
  • Used by: Target

This request is used to trigger a synchronization between the Apple Device Enrollment Program and the Target Tenant.

retire action

POST /deviceManagement/managedDevices/{managedDeviceId}/retire

API documentation

  • Permission: DeviceManagementManagedDevices.PrivilegedOperations.All
  • Used by: Source

This request is used to remove an enrolled device from the Source Tenant.

wipe action

POST /deviceManagement/managedDevices/{managedDeviceId}/wipe

API documentation

  • Permission: DeviceManagementManagedDevices.ReadWrite.All
  • Used by: Source

This request is used to wipe an enrolled device that is managed by Apple Device Enrollment Program in the Source Tenant.

bypassActivationLock action

POST /deviceManagement/managedDevices/{managedDeviceId}/bypassActivationLock

API documentation

  • Permission: DeviceManagementManagedDevices.PrivilegedOperations.All
  • Used by: Source

This request is used to disable the Activation Lock feature before wiping an enrolled device that is managed by Apple Device Enrollment Program in the Source Tenant.

Permissions

Exodus requests the following permissions:

  • offline_access
  • DeviceManagementApps.Read.All
  • DeviceManagementManagedDevices.PrivilegedOperations.All
  • DeviceManagementManagedDevices.ReadWrite.All
  • DeviceManagementServiceConfig.ReadWrite.All
  • Directory.Read.All
  • Group.Read.All
  • User.Read.All

Depending on the workflow, some of these permissions may not be needed. However, for simplicity, the list is not refined per workflow and the full set of permissions is always requested.

The permissions may be granted to the application using one of two methods:

Admin-delegated permissions

This is the recommended method.

The user signs in as a tenant administrator and delegates their permissions to the application.

User-delegated permissions

The user signs in as a non-administrator and delegates their permissions to the application.

This method has two caveats:

  • The permissions requested by Exodus require administrator consent before they can be delegated to the application. Granting administrator consent may be done either by signing in as an administrator and checking the Consent on behalf of your organisation checkbox while creating a migration in Exodus, or by using the adminconsent endpoint. Currently, the Exodus console does not assist the user in obtaining administrator consent.

  • Even with administrator consent, the application acts on behalf of the signed-in user, so the effective permissions may be insufficient. The signed-in user should have the Intune Administrator role; otherwise some operations may fail during the migration.
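Two points above benefit from a concrete check: the remark that the full permission set is requested even though a given workflow needs only part of it, and the caveat that a user-delegated token may carry fewer effective permissions than the migration needs, which otherwise only shows up as a failure mid-migration. The following Python script is an added example, not code from Exodus or from Microsoft: it transcribes the endpoint-to-permission table from this page, derives the least-privilege set per tenant role (using the "already included in" relationships the page states), and reads the `scp`/`roles` claims from an access token to report which of the page's calls a token cannot make. The token it inspects is a constructed, unsigned JWT-shaped string built for the offline demonstration; the payload is decoded without signature verification, so this is a pre-flight inspection of consented scopes, not a trust decision. Permissions not tied to an endpoint on this page (`offline_access`, `Group.Read.All`, `User.Read.All`) are deliberately left out of the table.

```python
import base64
import json

# Endpoint -> (permission named on this page, tenants whose credentials call it).
# Transcribed from the API list above; "Source"/"Target" follow the page's "Used by" entries.
API_PERMISSIONS = {
    "GET /groups/{groupId}": ("Directory.Read.All", {"Source"}),
    "GET /groups/{groupId}/transitiveMembers": ("Directory.Read.All", {"Source"}),
    "GET /deviceManagement/managedDevices": ("DeviceManagementManagedDevices.Read.All", {"Source", "Target"}),
    "GET /deviceManagement/managedDevices/{managedDeviceId}": ("DeviceManagementManagedDevices.Read.All", {"Source"}),
    "GET /deviceAppManagement/mobileApps": ("DeviceManagementApps.Read.All", {"Source"}),
    "GET /deviceAppManagement/mobileApps/{mobileAppId}/deviceStatuses": ("DeviceManagementApps.Read.All", {"Source"}),
    "GET /users": ("Directory.Read.All", {"Target"}),
    "GET /users/{userPrincipalName}": ("Directory.Read.All", {"Target"}),
    "GET /deviceManagement/depOnboardingSettings": ("DeviceManagementServiceConfig.Read.All", {"Target"}),
    "GET /deviceManagement/depOnboardingSettings/{depOnboardingSettingId}/importedAppleDeviceIdentities":
        ("DeviceManagementServiceConfig.Read.All", {"Target"}),
    "POST /deviceManagement/depOnboardingSettings/{depOnboardingSettingId}/syncWithAppleDeviceEnrollmentProgram":
        ("DeviceManagementServiceConfig.ReadWrite.All", {"Target"}),
    "POST /deviceManagement/managedDevices/{managedDeviceId}/retire":
        ("DeviceManagementManagedDevices.PrivilegedOperations.All", {"Source"}),
    "POST /deviceManagement/managedDevices/{managedDeviceId}/wipe":
        ("DeviceManagementManagedDevices.ReadWrite.All", {"Source"}),
    "POST /deviceManagement/managedDevices/{managedDeviceId}/bypassActivationLock":
        ("DeviceManagementManagedDevices.PrivilegedOperations.All", {"Source"}),
}

# "already included in" relationships stated on the page: a ReadWrite scope implies its Read scope.
IMPLIED = {
    "DeviceManagementManagedDevices.ReadWrite.All": {"DeviceManagementManagedDevices.Read.All"},
    "DeviceManagementServiceConfig.ReadWrite.All": {"DeviceManagementServiceConfig.Read.All"},
}


def expand(granted):
    """Return the granted scopes plus every scope they imply."""
    effective = set(granted)
    for scope in granted:
        effective |= IMPLIED.get(scope, set())
    return effective


def required_permissions(tenant):
    """Every permission the page lists for endpoints called with this tenant's credentials."""
    return {perm for perm, tenants in API_PERMISSIONS.values() if tenant in tenants}


def minimal_request_set(tenant):
    """Least-privilege consent request: required scopes minus those implied by a ReadWrite scope."""
    required = required_permissions(tenant)
    implied_by_others = set()
    for scope in required:
        implied_by_others |= IMPLIED.get(scope, set())
    return required - implied_by_others


def scopes_from_token(token):
    """Read the delegated 'scp' claim (and application 'roles') from a token payload.

    Only the base64url payload segment is decoded; the signature is NOT verified,
    so this is a local pre-flight look at consented scopes, never an authorization check.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    scopes = set(claims.get("scp", "").split())   # delegated scopes are space-separated
    scopes |= set(claims.get("roles", []))        # application permissions, if any
    return scopes


def blocked_calls(token, tenant):
    """Endpoints on the page that this token cannot call in the given tenant role."""
    effective = expand(scopes_from_token(token))
    return sorted(
        endpoint
        for endpoint, (perm, tenants) in API_PERMISSIONS.items()
        if tenant in tenants and perm not in effective
    )


def make_sample_token(scp):
    """Build a constructed, unsigned JWT-shaped string for offline demonstration only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'scp': scp})}.sig"


if __name__ == "__main__":
    # Constructed token consented with only two of the page's scopes.
    token = make_sample_token("Directory.Read.All DeviceManagementManagedDevices.ReadWrite.All")
    print("Source least-privilege set:", sorted(minimal_request_set("Source")))
    for call in blocked_calls(token, "Source"):
        print("would fail in Source tenant:", call)
```

Running the script against the constructed token shows that the read-only group and device calls succeed (the Read scope is implied by the ReadWrite scope), while both app-inventory calls and both privileged device actions (`retire`, `bypassActivationLock`) are blocked. The same inspection run before a migration starts turns the runtime "some operations may fail" caveat into a deterministic pre-check.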