On a recent project I needed to be able to lock and wipe devices. I used Microsoft Graph, Power Automate and HTTP requests to get this done. This post goes through the details.
This post should carry a big “Don’t try this at home (or work)” warning, as you wouldn’t want to wipe, for the wrong reasons, a device that someone is actually using.
In my case we are managing thousands of laptops for an organization that needs the laptops returned; as a last resort, the devices that aren’t returned will be wiped.
If you are new to the Graph API then please have a look at my series about the Graph API and the Power Platform.
I’m going to make use of the Managed Devices endpoints in this post. These endpoints can be used to do things to devices that are managed within Intune.
There are many operations possible on the managed devices endpoint:
https://graph.microsoft.com/v1.0/deviceManagement/managedDevices
On Microsoft Learn you can find the following overview of the operations.
So how do we use this in Power Automate?
In my examples I will skip the authentication part, but please do remember to set up the App Registration in Azure. This App Registration requires the DeviceManagementManagedDevices.PrivilegedOperations.All permission.
Now we can look at listing all devices using the GET method with the following endpoint:
https://graph.microsoft.com/v1.0/deviceManagement/managedDevices
However, if you have more than 1000 devices you will need to enable paging on this HTTP action, as a single call returns at most 1000 items.
In my case I’m after just one device that I want to lock, and I have the serialNumber of the device in question available to me. As shown below, I can query the devices using a simple filter query.
Now that I’ve got the device I can collect its id.
Although the above gives me the device details, I could also query the device directly using its id.
Once again it is all quite easy to configure.
Depending on whether you want to wipe a device or lock a device, I’ve created a switch. You will find that for the remote lock there is no need to supply any parameters in the body, but for a wipe you can control what is removed from the device and what isn’t.
Notice that if you call the wipe method without any body, all parameters are assumed to be false. So once again be very careful, as you might want to keep your Autopilot image to reuse the laptop at some point.
I’ve noticed that the remote lock often returns the following error. The wipe, however, is very effective.
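The steps above (filter by serialNumber, page through results, take the id, then POST remoteLock with no body or wipe with an explicit body) as an added Python example; this is not code from the post, which builds the same calls with Power Automate HTTP actions. `fake_fetch` and `INVENTORY` are a constructed stand-in for Graph so the example runs offline; `keepEnrollmentData` and `keepUserData` are the documented parameters of the managedDevice wipe action, but the defaults chosen for them here are this example's own choice. The lookup deliberately refuses to return an id when the serial number matches zero or more than one device, which is the check you want in front of anything irreversible.

```python
import json
from typing import Callable, Dict, Iterator, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"


def device_filter_url(serial_number: str) -> str:
    """URL for the 'one device by serialNumber' lookup.

    OData string literals are single-quoted and an embedded quote is escaped by
    doubling it; without that, a serial number pasted from a form or ticket could
    change the meaning of the filter.
    """
    literal = serial_number.replace("'", "''")
    return f"{GRAPH}?$filter=serialNumber eq '{literal}'"


def iter_devices(fetch: Callable[[str], dict], url: str = GRAPH) -> Iterator[dict]:
    """Yield every device, following @odata.nextLink until the last page.

    Graph returns at most 1000 managedDevices per page; this loop is what the
    pagination setting on the Power Automate HTTP action does for you.
    """
    next_url: Optional[str] = url
    while next_url:
        page = fetch(next_url)
        yield from page.get("value", [])
        next_url = page.get("@odata.nextLink")


def resolve_device_id(fetch: Callable[[str], dict], serial_number: str) -> str:
    """Return the Intune device id for a serial number, refusing 0 or 2+ matches.

    A lock or wipe cannot be undone from the flow, so an ambiguous lookup must stop
    instead of acting on whichever row happens to come back first.
    """
    matches = list(iter_devices(fetch, device_filter_url(serial_number)))
    if len(matches) != 1:
        raise LookupError(
            f"expected exactly one device for serial {serial_number!r}, found {len(matches)}"
        )
    return matches[0]["id"]


def wipe_body(keep_enrollment_data: bool = True, keep_user_data: bool = False) -> Dict[str, bool]:
    """Explicit wipe parameters for the request body.

    With no body Graph treats every option as false; writing them out makes the
    choice visible in the flow. keepEnrollmentData preserves the enrollment
    (Autopilot) data so the laptop can be re-provisioned later.
    The defaults here are this example's assumption, not Graph's behaviour.
    """
    return {"keepEnrollmentData": keep_enrollment_data, "keepUserData": keep_user_data}


def action_request(device_id: str, action: str, body: Optional[dict] = None) -> dict:
    """Describe the POST the HTTP action sends: remoteLock takes no body, wipe does."""
    return {
        "method": "POST",
        "url": f"{GRAPH}/{device_id}/{action}",
        "headers": {"Content-Type": "application/json"},
        "body": None if body is None else json.dumps(body),
    }


# ---- constructed stand-in for Graph so the example runs offline ----------------
INVENTORY: List[dict] = [  # constructed sample data, not real devices
    {"id": "11111111-1111-1111-1111-000000000001", "serialNumber": "SN-001"},
    {"id": "11111111-1111-1111-1111-000000000002", "serialNumber": "SN-002"},
    {"id": "11111111-1111-1111-1111-000000000003", "serialNumber": "SN-003"},
    {"id": "11111111-1111-1111-1111-000000000004", "serialNumber": "SN-002"},  # duplicate serial
]
PAGE_SIZE = 2  # real Graph pages hold 1000 items; kept small here to exercise paging


def fake_fetch(url: str) -> dict:
    """Answer GET requests the way Graph would: filtered lookup or paged listing."""
    marker = "$filter=serialNumber eq '"
    if marker in url:
        literal = url.split(marker, 1)[1].rsplit("'", 1)[0].replace("''", "'")
        return {"value": [d for d in INVENTORY if d["serialNumber"] == literal]}
    start = int(url.split("$skiptoken=", 1)[1]) if "$skiptoken=" in url else 0
    page: dict = {"value": INVENTORY[start:start + PAGE_SIZE]}
    if start + PAGE_SIZE < len(INVENTORY):
        page["@odata.nextLink"] = f"{GRAPH}?$skiptoken={start + PAGE_SIZE}"
    return page


if __name__ == "__main__":
    print(len(list(iter_devices(fake_fetch))), "devices across all pages")
    device_id = resolve_device_id(fake_fetch, "SN-001")
    print(action_request(device_id, "remoteLock"))
    print(action_request(device_id, "wipe", wipe_body()))
```

Swapping `fake_fetch` for a real authenticated GET is the only change needed to run this against Graph; the switch in the flow corresponds to the two `action_request` calls at the bottom.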
{
  "error": {
    "code": "BadRequest",
    "message": "{\r\n \"_version\": 3,\r\n \"Message\": \"An error has occurred – Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 – Activity ID: 6010c011-c21e-4724-b937-c87626fc1215 – Url: https://fef.amsub0202.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices('e83b9c69-f34c-404c-bc34-2af1dc84f645')/microsoft.management.services.api.remoteLock?api-version=5023-03-10\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}",
    "innerError": {
      "date": "2023-04-25T13:23:04",
      "request-id": " 6010c011-c21e-4724-b937-c87626fc1215",
      "client-request-id": " 6010c011-c21e-4724-b937-c87626fc1215"
    }
  }
}
The above error is quite annoying as it isn’t locking the device. If you come across this error and do find the cause of it, then please let me know. The wipe operation, however, is very effective!
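An added example, not part of the post, for pulling the support-relevant fields out of the error above. The outer `message` is a JSON document serialised into a string, and the backend URL inside it is the only place the device id and the action (remoteLock) are named, so a flow that just logs `error.message` as text loses them. `SAMPLE_ERROR` is constructed to mirror the response shown above, reusing its ids; `should_retry` is this example's own rule, based on the `RetryAfter` field in that response.

```python
import json
import re
from typing import Optional

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"


def summarize_graph_error(response: dict) -> dict:
    """Extract the fields worth logging or sending to support from a Graph error body."""
    err = response.get("error") or {}
    inner_error = err.get("innerError") or {}
    raw = err.get("message") or ""
    # The Intune backend nests a second JSON document inside the message string.
    try:
        detail = json.loads(raw)
        if not isinstance(detail, dict):
            detail = {"Message": raw}
    except json.JSONDecodeError:
        detail = {"Message": raw}  # plain-text message: nothing nested to unpack
    text = detail.get("Message") or ""

    def find(pattern: str) -> Optional[str]:
        match = re.search(pattern, text)
        return match.group(1) if match else None

    # .../managedDevices('<id>')/microsoft.management.services.api.<action>?api-version=...
    url_match = re.search(r"managedDevices\('([^']+)'\)/([\w.]+)", text)
    return {
        "code": err.get("code"),
        "date": inner_error.get("date"),
        # Graph pads these ids with a leading space; strip before storing or comparing.
        "request_id": (inner_error.get("request-id") or "").strip() or None,
        "operation_id": find(r"Operation ID \(for customer support\):\s*(" + GUID + ")"),
        "activity_id": find(r"Activity ID:\s*(" + GUID + ")"),
        "device_id": url_match.group(1) if url_match else None,
        "action": url_match.group(2).rsplit(".", 1)[-1] if url_match else None,
        "retry_after": detail.get("RetryAfter"),
    }


def should_retry(summary: dict) -> bool:
    """Retry only when the service gave a RetryAfter hint; a BadRequest without one won't fix itself."""
    return summary.get("retry_after") is not None


# Constructed sample mirroring the error response shown in the post.
SAMPLE_ERROR = {
    "error": {
        "code": "BadRequest",
        "message": json.dumps({
            "_version": 3,
            "Message": (
                "An error has occurred – Operation ID (for customer support): "
                "00000000-0000-0000-0000-000000000000 – Activity ID: "
                "6010c011-c21e-4724-b937-c87626fc1215 – Url: "
                "https://fef.amsub0202.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/"
                "deviceManagement/managedDevices('e83b9c69-f34c-404c-bc34-2af1dc84f645')/"
                "microsoft.management.services.api.remoteLock?api-version=5023-03-10"
            ),
            "CustomApiErrorPhrase": "",
            "RetryAfter": None,
            "ErrorSourceService": "",
            "HttpHeaders": "{}",
        }),
        "innerError": {
            "date": "2023-04-25T13:23:04",
            "request-id": " 6010c011-c21e-4724-b937-c87626fc1215",
            "client-request-id": " 6010c011-c21e-4724-b937-c87626fc1215",
        },
    }
}

if __name__ == "__main__":
    summary = summarize_graph_error(SAMPLE_ERROR)
    print(json.dumps(summary, indent=2))
    print("retry:", should_retry(summary))
```

Logging the summary (rather than the raw body) from a Scope action's failure branch gives you the Activity ID and device id per attempt, which is what a support case or an audit of remote-action failures needs.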
Lock and wipe devices using Microsoft Graph in Power Automate
Blog Syndicated with Pieter Veenstra’s Permission