Intune: APIs reference
Here is an exhaustive list of the APIs used by Exodus.
Read-only requests
Get group
GET /groups/{groupId}
- Permission:
GroupMember.Read.All
- Used by: Source
This request is used to validate the UEM configuration when creating a Migration or updating the credentials.
List group transitive members
GET /groups/{groupId}/transitiveMembers
- Permissions:
GroupMember.Read.All and Device.Read.All
- Used by: Source
This request is used to retrieve the list of the devices that are members of the Source Tenant group.
List managedDevices
GET /deviceManagement/managedDevices
- Permission:
DeviceManagementManagedDevices.Read.All
- Used by: Source and Target
In the Source Tenant, this request is used to retrieve the information of an enrolled device. In the Target Tenant, it is used to search the device by its serial number or by its user. This request is also used to validate the permissions when creating a Migration.
Get managedDevice
GET /deviceManagement/managedDevices/{managedDeviceId}
- Permission:
DeviceManagementManagedDevices.Read.All
- Used by: Source
This request is used to retrieve the status of a device in the Source Tenant.
List mobileApps
GET /deviceAppManagement/mobileApps
- Permission:
DeviceManagementApps.Read.All
- Used by: Source
This request is used to find the iOS Companion App in the Source Tenant.
List mobileAppInstallStatuses
GET /deviceAppManagement/mobileApps/{mobileAppId}/deviceStatuses
- Permission:
DeviceManagementApps.Read.All
- Used by: Source
This request is used to verify that the iOS Companion App is installed on the device in the Source Tenant.
List users
GET /users
- Permission:
User.Read.All
- Used by: Target
This request is used to search the user by email to verify that it exists in the Target Tenant.
Get a user
GET /users/{userPrincipalName}
- Permission:
User.Read.All
- Used by: Target
This request is used to search the user by UPN to verify that it exists in the Target Tenant.
Write actions
retire action
POST /deviceManagement/managedDevices/{managedDeviceId}/retire
- Permission:
DeviceManagementManagedDevices.PrivilegedOperations.All
- Used by: Source
This request is used to remove an enrolled device from the Source Tenant.
wipe action
POST /deviceManagement/managedDevices/{managedDeviceId}/wipe
- Permission:
DeviceManagementManagedDevices.ReadWrite.All
- Used by: Source
This request is used to wipe an enrolled device that is managed by Apple Device Enrollment Program in the Source Tenant.
bypassActivationLock action
POST /deviceManagement/managedDevices/{managedDeviceId}/bypassActivationLock
- Permission:
DeviceManagementManagedDevices.PrivilegedOperations.All
- Used by: Source
This request is used to disable the Activation Lock feature before wiping an enrolled device that is managed by Apple Device Enrollment Program in the Source Tenant.
importDeviceIdentityList action
POST /deviceManagement/importedDeviceIdentities/importDeviceIdentityList
- Permission:
DeviceManagementServiceConfig.ReadWrite.All
- Used by: Target
This request is used to mark Apple Supervised devices as Corporate devices before enrolling them in the Target Tenant.
Permissions
Application Permissions
The API permissions listed below need to be granted to Exodus as Application Permissions.
Exodus (Intune as Source)
Device.Read.All
DeviceManagementApps.Read.All
DeviceManagementManagedDevices.PrivilegedOperations.All
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementServiceConfig.Read.All
GroupMember.Read.All
Exodus (Intune as Target)
DeviceManagementManagedDevices.Read.All
DeviceManagementServiceConfig.ReadWrite.All
User.Read.All
Delegated Permissions
When creating a Migration, the user needs to sign in using an Azure Active Directory account so Exodus can verify that they are authorized to use Exodus in the Intune Tenant.
An Azure administrator must first authorize the user to use Exodus by assigning the Exodus Administrator app role to them.
The following Delegated Permissions are used by Exodus in order to sign the user in and verify their App role:
openid
profile