Intune Graph API Automation

Automate Intune setup-script updates using Microsoft Graph in your own Azure tenant.

Use this guide if your IT team wants to automate Intune script deployment instead of updating scripts manually in the Intune portal.

1. Create Azure app registration

In your Azure tenant:

Go to Microsoft Entra ID → App registrations → New registration.
Create an app dedicated to Intune script automation.
Create a client secret and store it in your CI secret manager.

2. Required Graph permissions

Request application permissions for Microsoft Graph that allow device-management script read/write operations.

At minimum, your app should be able to:

read device management scripts
create/update device management scripts
read assignment state

After adding permissions, grant admin consent in your Azure tenant.

⚠

Tenant IDs are different

In automation commands and CI:

Azure tenant ID authenticates your Graph client.
thoth tenant ID belongs inside endpoint runtime config and governs policy scope.

3. Use `update-intune-script.py`

Your automation tool should support:

--platform macos|linux|windows|all
--dry-run
--create
optional sync trigger

Example:

python deploy/intune/update-intune-script.py \
  --tenant-id "$AZURE_TENANT_ID" \
  --client-id "$INTUNE_CLIENT_ID" \
  --client-secret "$INTUNE_CLIENT_SECRET" \
  --platform all \
  --dry-run

If you update existing scripts instead of creating new ones, also pass script IDs:

python deploy/intune/update-intune-script.py \
  --tenant-id "$AZURE_TENANT_ID" \
  --client-id "$INTUNE_CLIENT_ID" \
  --client-secret "$INTUNE_CLIENT_SECRET" \
  --platform all \
  --setup-script-id-macos "$INTUNE_SCRIPT_ID_MACOS" \
  --setup-script-id-linux "$INTUNE_SCRIPT_ID_LINUX" \
  --setup-script-id-windows "$INTUNE_SCRIPT_ID_WINDOWS"

4. GitHub Actions automation

For teams managing deployment scripts in GitHub:

Create repository secrets:
- INTUNE_TENANT_ID
- INTUNE_CLIENT_ID
- INTUNE_CLIENT_SECRET
- optional platform script IDs
Trigger workflow on changes under deploy/intune/.
Run per-platform deployment in parallel.
Publish job summary with success/failure per platform.

5. Failure handling guidance

Status	Meaning	Action
`401` / `403`	Auth or permission failure	Re-check app registration credentials and Graph permissions/admin consent
`404`	Script ID not found	Verify script IDs or rerun with `--create`
`409`	Update conflict	Retry after fetching latest script revision
`5xx`	Intune/Graph transient issue	Retry with backoff and inspect Graph response body in CI logs

6. Operational safeguards

Run --dry-run first in CI pull requests.
Use test Intune device groups before production assignment.
Keep script IDs and assignment scopes under change control.
Include Graph API error details in CI output for operator debugging.