Intune: APIs reference

Here is an exhaustive list of the APIs used by Exodus.

Read-only requests

Get group

GET /groups/{groupId}

API documentation

  • Permission: GroupMember.Read.All
  • Used by: Source

This request is used to validate the UEM configuration when creating a Migration or updating the credentials.

List group transitive members

GET /groups/{groupId}/transitiveMembers

API documentation

  • Permissions: GroupMember.Read.All and Device.Read.All
  • Used by: Source

This request is used to retrieve the list of the devices that are members of the Source Tenant group.

List managedDevices

GET /deviceManagement/managedDevices

API documentation

  • Permission: DeviceManagementManagedDevices.Read.All
  • Used by: Source and Target

In the Source Tenant, this request is used to retrieve the information of an enrolled device. In the Target Tenant, it is used to search for the device by its serial number or by its user. This request is also used to validate the permissions when creating a Migration.

Get managedDevice

GET /deviceManagement/managedDevices/{managedDeviceId}

API documentation

  • Permission: DeviceManagementManagedDevices.Read.All
  • Used by: Source

This request is used to retrieve the status of a device in the Source Tenant.

List mobileApps

GET /deviceAppManagement/mobileApps

API documentation

  • Permission: DeviceManagementApps.Read.All
  • Used by: Source

This request is used to find the iOS Companion App in the Source Tenant.

List mobileAppInstallStatuses

GET /deviceAppManagement/mobileApps/{mobileAppId}/deviceStatuses

API documentation

  • Permission: DeviceManagementApps.Read.All
  • Used by: Source

This request is used to verify that the iOS Companion App is installed on the device in the Source Tenant.

List users

GET /users

API documentation

  • Permission: User.Read.All
  • Used by: Target

This request is used to search for the user by email to verify that it exists in the Target Tenant.

Get a user

GET /users/{userPrincipalName}

API documentation

  • Permission: User.Read.All
  • Used by: Target

This request is used to search for the user by UPN to verify that it exists in the Target Tenant.

Write actions

retire action

POST /deviceManagement/managedDevices/{managedDeviceId}/retire

API documentation

  • Permission: DeviceManagementManagedDevices.PrivilegedOperations.All
  • Used by: Source

This request is used to remove an enrolled device from the Source Tenant.

wipe action

POST /deviceManagement/managedDevices/{managedDeviceId}/wipe

API documentation

  • Permission: DeviceManagementManagedDevices.ReadWrite.All
  • Used by: Source

This request is used to wipe an enrolled device that is managed by the Apple Device Enrollment Program in the Source Tenant.

bypassActivationLock action

POST /deviceManagement/managedDevices/{managedDeviceId}/bypassActivationLock

API documentation

  • Permission: DeviceManagementManagedDevices.PrivilegedOperations.All
  • Used by: Source

This request is used to disable the Activation Lock feature before wiping an enrolled device that is managed by the Apple Device Enrollment Program in the Source Tenant.

importDeviceIdentityList action

POST /deviceManagement/importedDeviceIdentities/importDeviceIdentityList

API documentation

  • Permission: DeviceManagementServiceConfig.ReadWrite.All
  • Used by: Target

This request is used to mark Apple Supervised devices as Corporate devices before enrolling them in the Target Tenant.

Permissions

Application Permissions

The API permissions listed below need to be granted to Exodus as Application Permissions.

Exodus (Intune as Source)

  • Device.Read.All
  • DeviceManagementApps.Read.All
  • DeviceManagementManagedDevices.PrivilegedOperations.All
  • DeviceManagementManagedDevices.ReadWrite.All
  • DeviceManagementServiceConfig.Read.All
  • GroupMember.Read.All

Exodus (Intune as Target)

  • DeviceManagementManagedDevices.Read.All
  • DeviceManagementServiceConfig.ReadWrite.All
  • User.Read.All
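
The following is an added example, not part of Exodus or its documentation. It audits an app-only Microsoft Graph access token against the two lists above, reporting permissions that are missing and permissions granted beyond the documented set. It relies on application permissions appearing in the token's roles claim; the function names and the sample token are constructed for illustration, and the signature is not verified because the token is only inspected, not trusted.

```python
import base64
import json

# Application permissions copied from the two lists on this page.
DOCUMENTED = {
    "source": {
        "Device.Read.All",
        "DeviceManagementApps.Read.All",
        "DeviceManagementManagedDevices.PrivilegedOperations.All",
        "DeviceManagementManagedDevices.ReadWrite.All",
        "DeviceManagementServiceConfig.Read.All",
        "GroupMember.Read.All",
    },
    "target": {
        "DeviceManagementManagedDevices.Read.All",
        "DeviceManagementServiceConfig.ReadWrite.All",
        "User.Read.All",
    },
}


def token_claims(jwt: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (audit use only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(jwt: str, tenant_role: str) -> dict:
    """Compare the token's app roles with the documented 'source' or 'target' set."""
    claims = token_claims(jwt)
    if "scp" in claims:
        raise ValueError("delegated token (scp claim); an app-only token is expected")
    granted = set(claims.get("roles", []))
    expected = DOCUMENTED[tenant_role]
    return {"missing": sorted(expected - granted), "extra": sorted(granted - expected)}


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token for the demo (constructed, not a real token)."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"e30.{body}.sig"  # "e30" is base64url for an empty JSON header "{}"


if __name__ == "__main__":
    sample = constructed_token({"roles": ["User.Read.All", "Directory.ReadWrite.All"]})
    print(audit_roles(sample, "target"))
```

Any entry under "extra" is a grant beyond what this page documents and is a candidate for removal from the app registration.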

Delegated Permissions

When creating a Migration, the user needs to sign in using an Azure Active Directory account so Exodus can verify that they are authorized to use Exodus in the Intune Tenant.

An Azure administrator must first authorize the user to use Exodus by assigning the Exodus Administrator app role to them.

The following Delegated Permissions are used by Exodus in order to sign the user in and verify their App role:

  • openid
  • profile