An Azure Functions API for Microsoft Intune device management and Microsoft Defender for Endpoint security operations, designed for integration with Microsoft Copilot Studio for natural language IT management.
- Device Management: Query, filter, and analyze Intune-managed devices
- Compliance Monitoring: Organization-wide compliance summaries and policy status
- Application Management: Deploy Win32, LOB, WinGet, and Android apps to Intune
- Script Management: Create and assign PowerShell and shell scripts (Windows/macOS/Linux)
- Defender Integration: Access security data, vulnerabilities, and recommendations
- Azure AD Groups: Create, manage, and assign groups for deployments
- Comprehensive Analysis: Get full device security posture in a single call
- 36 AI-optimized tools ready for natural language queries
- OpenAPI/Swagger specification for easy import into Copilot Studio
- Knowledge base documents for enhanced AI responses
- Write operations for app assignments, script deployments, and group management
- Node.js 20.x LTS or later
- Azure Functions Core Tools v4
- Azure CLI (for deployment)
- Azure subscription with:
  - Azure AD App Registration with appropriate Microsoft Graph permissions
  - Microsoft Intune license
  - Microsoft Defender for Endpoint license (optional, for security features)
Your Azure AD App Registration needs the following Microsoft Graph API permissions. All of them are application permissions: they require admin consent, and they give the Function App tenant-wide rights that are not scoped to whichever user is talking to the Copilot agent, so anyone who can call this API effectively holds these rights.

| Permission | Type | Description |
|---|---|---|
| DeviceManagementManagedDevices.Read.All | Application | Read Intune devices |
| DeviceManagementManagedDevices.ReadWrite.All | Application | Manage Intune devices |
| DeviceManagementApps.ReadWrite.All | Application | Manage Intune apps |
| DeviceManagementConfiguration.ReadWrite.All | Application | Manage device configurations |
| Group.ReadWrite.All | Application | Manage Azure AD groups |
| User.Read.All | Application | Read user information |
For Defender for Endpoint features the following permissions are needed as well. Note that these are permissions of the Microsoft Defender for Endpoint API (the WindowsDefenderATP resource in the app registration's API permissions), not of Microsoft Graph, so they have to be added from that API and consented separately:

| Permission | Type | Description |
|---|---|---|
| Machine.Read.All | Application | Read Defender machines |
| Vulnerability.Read.All | Application | Read vulnerabilities |
| SecurityRecommendation.Read.All | Application | Read security recommendations |
```bash
git clone https://github.com/yourusername/intunemanagementapi.git
cd intunemanagementapi
npm install
```

Copy the example settings file and add your Azure credentials:

```bash
cp local.settings.example.json local.settings.json
```

Edit local.settings.json with your Azure AD app credentials:

```json
{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "FUNCTIONS_WORKER_RUNTIME": "node",
    "FUNCTIONS_EXTENSION_VERSION": "~4",
    "AZURE_CLIENT_ID": "<your-client-id>",
    "AZURE_CLIENT_SECRET": "<your-client-secret>",
    "AZURE_TENANT_ID": "<your-tenant-id>"
  }
}
```

Start the local host:

```bash
npm start
```

The API will be available at http://localhost:7071/api/
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/intune/devices | List all managed devices with filtering |
| GET | /api/intune/device | Get device by ID |
| GET | /api/intune/compliance | Get compliance summary and policies |
| GET | /api/intune/device-apps | Get apps installed on a device |
| GET | /api/intune/device-analysis | Full device security analysis (Intune + Defender) |
| POST | /api/intune/device/{deviceId}/action | Execute remote actions on device |
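The devices endpoint takes a `filter` and a `top` query parameter (the usage examples further down pass `filter=operatingSystem eq 'Windows'&top=25`). Because the API runs with application permissions, whatever it forwards to Microsoft Graph as `$filter` is executed tenant-wide, so a handler should accept only the OData subset it actually needs rather than relaying the raw string. The following is an added example, not code from the project, of such a validator: it admits `field eq|ne 'value'` clauses joined by `and`/`or`, checks field names against an allow list, caps `top`, and rejects anything else (functions, unquoted values, unknown fields, trailing garbage). The allowed field list, the 1000-row cap and the 512-character limit are assumptions chosen for the example.

```javascript
// Added example (not code from the project): validate the `filter` and `top`
// query parameters of the devices endpoint before forwarding them to
// Microsoft Graph as $filter / $top. The allowed fields, MAX_TOP and
// MAX_FILTER_LENGTH are assumptions for illustration, not project values.

const ALLOWED_FIELDS = new Set([
  'deviceName', 'operatingSystem', 'osVersion', 'complianceState',
  'managementAgent', 'userPrincipalName', 'manufacturer', 'model',
]);
const MAX_TOP = 1000;
const DEFAULT_TOP = 25;
const MAX_FILTER_LENGTH = 512;

// One clause: identifier, eq|ne, single-quoted string in which a literal
// quote is written as '' (OData escaping). The sticky flag forces the match
// to start exactly at lastIndex, so nothing can be skipped over.
const CLAUSE_RE = /([A-Za-z][A-Za-z0-9]*)\s+(eq|ne)\s+'((?:[^']|'')*)'/y;
const CONNECTIVE_RE = /\s+(and|or)\s+/y;

function parseTop(raw) {
  if (raw === undefined || raw === null || String(raw).trim() === '') return DEFAULT_TOP;
  if (!/^\d{1,4}$/.test(String(raw).trim())) {
    throw new Error('top must be a positive integer');
  }
  const n = Number(raw);
  if (n < 1 || n > MAX_TOP) throw new Error(`top must be between 1 and ${MAX_TOP}`);
  return n;
}

// Returns a normalised $filter string, or null when no filter was supplied.
// Anything outside the grammar is rejected rather than passed through.
function parseFilter(raw) {
  if (raw === undefined || raw === null || raw.trim() === '') return null;
  const text = raw.trim();
  if (text.length > MAX_FILTER_LENGTH) throw new Error('filter too long');
  const parts = [];
  let pos = 0;
  for (;;) {
    CLAUSE_RE.lastIndex = pos;
    const clause = CLAUSE_RE.exec(text);
    if (!clause) throw new Error(`invalid filter clause at offset ${pos}`);
    const [, field, op, value] = clause;
    if (!ALLOWED_FIELDS.has(field)) throw new Error(`field not allowed in filter: ${field}`);
    parts.push(`${field} ${op} '${value}'`);
    pos = CLAUSE_RE.lastIndex;
    if (pos === text.length) break;
    CONNECTIVE_RE.lastIndex = pos;
    const conn = CONNECTIVE_RE.exec(text);
    if (!conn) throw new Error(`expected 'and' or 'or' at offset ${pos}`);
    parts.push(conn[1]);
    pos = CONNECTIVE_RE.lastIndex;
  }
  return parts.join(' ');
}

// Builds the Graph request path relative to https://graph.microsoft.com/v1.0.
// Throws on invalid input so the handler can answer 400 instead of calling Graph.
function buildDevicesQuery(params) {
  const filter = parseFilter(params.filter);
  const top = parseTop(params.top);
  let path = `/deviceManagement/managedDevices?$top=${top}`;
  if (filter) path += `&$filter=${encodeURIComponent(filter)}`;
  return path;
}
```

A handler would call `buildDevicesQuery(request.query)` inside a try/catch and return 400 with the error message when it throws; a request such as `filter=deviceName eq 'x' or 1 eq 1` or `filter=startswith(deviceName,'LAP')` never reaches Graph.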
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/intune/apps | List all managed applications |
| GET | /api/intune/app/{appId} | Get application details |
| GET | /api/intune/app/{appId}/assignments | Get app assignments |
| GET | /api/intune/app-assignments | Get assignments by app name |
| DELETE | /api/intune/app/{appId} | Delete application |
| POST | /api/intune/winget-apps | Deploy WinGet app |
| POST | /api/intune/win32-apps | Deploy Win32 app |
| POST | /api/intune/lob-apps | Deploy LOB app (MSI/APPX) |
| POST | /api/intune/windows-apps | Unified Windows app deployment |
| POST | /api/intune/android/lob-apps | Deploy Android LOB app |
| POST | /api/intune/android/store-apps | Deploy Android Store app |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/intune/scripts | List PowerShell scripts |
| GET | /api/intune/scripts/{scriptId} | Get script details with content |
| POST | /api/intune/scripts | Create PowerShell script |
| PATCH | /api/intune/script-updates/{scriptId} | Update existing script |
| GET | /api/intune/scripts/{scriptId}/assignments | Get script assignments |
| GET | /api/intune/script-assignments/{scriptId} | Assign script to groups |
| GET | /api/intune/shell-scripts | List shell scripts (macOS/Linux) |
| POST | /api/intune/shell-scripts | Create shell script |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/defender/machines | List Defender machines |
| GET | /api/defender/software | Get machine software inventory |
| GET | /api/defender/vulnerabilities | Get machine vulnerabilities |
| GET | /api/defender/recommendations | Get security recommendations |
| GET | /api/defender/vulnerabilities-report | Get vulnerability report |
| GET | /api/defender/machines-by-software | Find machines with specific software |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/azuread/groups | List Azure AD groups |
| POST | /api/azuread/groups | Create security group |
| GET | /api/azuread/groups/{groupId}/members | List group members |
| POST | /api/azuread/groups/{groupId}/members | Add member to group |
| GET | /api/azuread/object | Resolve object by ID |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/windows/app-search | Search WinGet repository |
| GET | /api/windows/winget-package/{packageId} | Get WinGet package details |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/health | Health check endpoint |
| GET | /api/swagger.json | OpenAPI specification |
| GET | /api/openapi.json | OpenAPI specification (alias) |
```powershell
# List up to 25 Windows devices
Invoke-RestMethod -Uri "http://localhost:7071/api/intune/devices?filter=operatingSystem eq 'Windows'&top=25" -Method GET

# Full security analysis of a device, looked up by device name
Invoke-RestMethod -Uri "http://localhost:7071/api/intune/device/analysis?identifier=LAPTOP-001&identifierType=deviceName" -Method GET

# Deploy a WinGet app to Intune
$body = @{
    packageIdentifier = "Mozilla.Firefox"
    displayName = "Mozilla Firefox"
    description = "Web browser"
} | ConvertTo-Json
Invoke-RestMethod -Uri "http://localhost:7071/api/intune/winget-apps" -Method POST -Body $body -ContentType "application/json"
```

```bash
# Create resource group
az group create --name rg-intune-api --location eastus

# Create function app
az functionapp create \
  --resource-group rg-intune-api \
  --consumption-plan-location eastus \
  --runtime node \
  --runtime-version 20 \
  --functions-version 4 \
  --name your-function-app-name \
  --storage-account yourstorageaccount

# Deploy
func azure functionapp publish your-function-app-name
```

After deployment, configure the following application settings in the Azure Portal or via the CLI:

```bash
az functionapp config appsettings set \
  --name your-function-app-name \
  --resource-group rg-intune-api \
  --settings \
    AZURE_CLIENT_ID="<your-client-id>" \
    AZURE_CLIENT_SECRET="<your-client-secret>" \
    AZURE_TENANT_ID="<your-tenant-id>"
```

Recommended: Use Azure Key Vault references instead of storing secrets directly in app settings. A Key Vault reference is an app setting whose value has the form @Microsoft.KeyVault(SecretUri=https://<vault-name>.vault.azure.net/secrets/<secret-name>/); the Function App resolves it at startup through its managed identity, which therefore needs permission to read secrets from that vault. The client secret then never appears in the app settings, the deployment scripts, or the CLI history.
```
intune-ai-scout/
├── src/
│   ├── app.js                        # Main entry point
│   ├── functions/                    # Azure Function handlers
│   │   ├── intune/                   # Intune endpoints (11 files)
│   │   │   ├── devices.js            # Device management & analysis
│   │   │   ├── applications.js       # App management & assignments
│   │   │   ├── scripts.js            # PowerShell script management
│   │   │   ├── shellScripts.js       # Shell script management
│   │   │   ├── scriptAssignment.js   # Script assignments
│   │   │   ├── scriptUpdate.js       # Script updates
│   │   │   ├── wingetApps.js         # WinGet app deployment
│   │   │   ├── win32Apps.js          # Win32 app deployment
│   │   │   ├── lobApps.js            # LOB app deployment
│   │   │   ├── windowsApps.js        # Unified Windows deployment
│   │   │   └── androidApps.js        # Android app deployment
│   │   ├── defender/                 # Defender endpoints
│   │   │   └── machines.js           # Machines, software, vulnerabilities
│   │   ├── azuread/                  # Azure AD endpoints
│   │   │   └── groups.js             # Group management
│   │   ├── windows/                  # Windows utilities
│   │   │   └── appSearch.js          # WinGet search
│   │   └── system/                   # System endpoints
│   │       └── swagger.js            # OpenAPI specification
│   ├── services/                     # Business logic
│   │   ├── graphService.js           # Microsoft Graph client
│   │   ├── defenderService.js        # Defender API client
│   │   ├── deploymentService.js      # App deployment logic
│   │   └── serviceHelpers.js         # Shared helpers
│   └── utils/                        # Utilities
│       ├── errorResponseBuilder.js   # Standardized errors
│       ├── logger.js                 # Structured logging
│       ├── queryParamExtractor.js    # Parameter handling
│       └── requestContext.js         # Request context
├── Copilot/                          # Copilot Studio configuration
│   ├── AGENT-DESCRIPTION.md          # Agent instructions & tool guide
│   ├── README.md                     # Copilot setup guide
│   └── knowledge/                    # AI knowledge base
│       ├── APP-ASSIGNMENT-GUIDE.md
│       ├── AZURE-AD-GROUP-PATTERNS.md
│       ├── COMMON-VULNERABILITIES-GUIDE.md
│       ├── DEVICE-TROUBLESHOOTING-GUIDE.md
│       ├── INTUNE-SCRIPT-TEMPLATES.md
│       ├── SOFTWARE-VENDOR-MAPPINGS.md
│       └── WINDOWS-APP-DEPLOYMENT-GUIDE.md
├── intune-api.swagger.json           # OpenAPI specification
├── host.json                         # Function host config
├── package.json                      # Dependencies
├── local.settings.example.json       # Settings template
└── SAFE-LOCAL-SETUP.md               # Local setup guide
```
This API is designed to work with Microsoft Copilot Studio as an AI-powered IT management assistant.
- Navigate to your Copilot Studio agent
- Go to Connectors → Add Connector → Import from OpenAPI
- Upload the intune-api.swagger.json file or point to /api/swagger.json
- Upload the knowledge documents from the Copilot/knowledge/ folder
The Copilot/AGENT-DESCRIPTION.md file contains:
- Agent description (909 chars) - Agent overview for Copilot Studio
- Response formatting (492 chars) - Output formatting rules
- Instructions (5,941 chars) - Tool selection and execution rules
- Tool orchestration guide - When to use each of the 36 tools
The Copilot/knowledge/ folder contains curated documents to enhance AI responses:
- App assignment best practices
- Azure AD group patterns and naming conventions
- Vulnerability severity guides
- Device troubleshooting workflows
- PowerShell script templates
- Software vendor mappings
- Never commit local.settings.json - it contains secrets
- Use Managed Identity in production when possible
- Store secrets in Azure Key Vault with Key Vault references
- Enable Function-level authentication (authLevel: 'function'); bear in mind that a function key is a single static shared secret, so store it only in the Copilot Studio connector, rotate it, and prefer an identity-based front door (App Service authentication or API Management) where one is available
- Review and limit API permissions to minimum required
- Write operations (app assignments, script deployments, remote device actions, deletions) require careful review: the API runs with application permissions, so anything that reaches a write endpoint, including the Copilot agent acting on a user's prompt, changes tenant-wide state with the Function App's full rights
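The last two points are worth turning into code in the handlers themselves: a function key only proves that the caller holds the key, it says nothing about who asked for a wipe or a deletion. The following is an added example, not code from the project, of a gate that a handler could run before touching Graph. It assumes that App Service authentication (Easy Auth) is enabled in front of the Function App, which places the authenticated caller's name in the X-MS-CLIENT-PRINCIPAL-NAME request header; that handlers see a request as a plain object with `method`, `url` and lower-cased `headers`; and it invents two conventions for illustration: an allow list of callers permitted to write, and an X-Confirm-Target header that must repeat the {deviceId} or {appId} from the path before a remote action or deletion is executed. Every decision is returned together with an audit record so that writes made through the agent are traceable to a person.

```javascript
// Added example (not code from the project): authorization gate for the
// state-changing routes of this API. Assumptions: Easy Auth supplies
// X-MS-CLIENT-PRINCIPAL-NAME; requests are plain objects with method, url and
// lower-cased headers; the writer allow list and the X-Confirm-Target header
// are conventions invented for this example.

const WRITE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Routes whose effect is hard to undo. The capture group is the resource the
// caller must name explicitly in X-Confirm-Target.
const DESTRUCTIVE_ROUTES = [
  { method: 'POST', pattern: /^\/api\/intune\/device\/([^/]+)\/action$/ },
  { method: 'DELETE', pattern: /^\/api\/intune\/app\/([^/]+)$/ },
];

function destructiveTarget(method, path) {
  for (const route of DESTRUCTIVE_ROUTES) {
    const m = route.method === method ? route.pattern.exec(path) : null;
    if (m) return decodeURIComponent(m[1]);
  }
  return null;
}

// Returns { allow, status, reason, audit }. `allowedWriters` is a Set of
// lower-cased user principal names permitted to perform write operations.
function authorize(req, allowedWriters) {
  const method = req.method.toUpperCase();
  const path = new URL(req.url, 'http://localhost').pathname;
  const headers = req.headers || {};
  const caller = headers['x-ms-client-principal-name'] || null;
  const target = destructiveTarget(method, path);
  const kind = !WRITE_METHODS.has(method) ? 'read' : (target ? 'destructive' : 'write');
  const audit = { time: new Date().toISOString(), caller, method, path, kind, target };

  if (kind === 'read') return { allow: true, status: 200, reason: 'read', audit };
  if (!caller) {
    return { allow: false, status: 401, reason: 'write operations require an authenticated caller', audit };
  }
  if (!allowedWriters.has(caller.toLowerCase())) {
    return { allow: false, status: 403, reason: `${caller} may not perform ${kind} operations`, audit };
  }
  if (kind === 'destructive' && headers['x-confirm-target'] !== target) {
    return {
      allow: false,
      status: 428,
      reason: `destructive operation on ${target} requires header X-Confirm-Target: ${target}`,
      audit,
    };
  }
  return { allow: true, status: 200, reason: 'authorized', audit };
}
```

The confirmation header is deliberately redundant with the path: a tool call assembled by the agent has to state the target twice, which catches the case where a prompt talks it into acting on a different device than the one the user named. The audit record should go to the structured logger on every call, allowed or not, since the denials are the interesting ones.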
| Category | Tools |
|---|---|
| Device Management (4) | GetIntuneDevices, GetIntuneDeviceById, GetDeviceAnalysis, IntuneRemoteAction |
| Compliance (1) | GetIntuneCompliance |
| Applications (10) | GetIntuneManagedApps, GetIntuneAppById, GetIntuneDeviceApps, GetIntuneAppAssignments, AssignIntuneApp, DeleteIntuneApp, DeployWindowsApp, AddWingetAppToIntune, CreateAndroidLOBApp, AddAndroidStoreApp |
| Scripts (7) | GetIntuneScripts, GetIntuneScriptById, CreateIntuneScript, UpdateScript, GetIntuneScriptAssignments, AssignScript, CreateIntuneShellScript |
| Windows (2) | SearchWindowsApps, GetWingetPackageDetails |
| Defender (6) | GetDefenderMachines, GetDefenderMachineSoftware, GetDefenderMachineVulnerabilities, GetDefenderRecommendations, GetDefenderMachineVulnerabilitiesReport, GetDefenderMachinesBySoftware |
| Azure AD (5) | GetAzureADGroups, GetAzureADGroupMembers, CreateAzureADGroup, AddAzureADGroupMember, GetAzureADObject |
| System (1) | HealthCheck |
- Fork the repository
- Create a feature branch (git checkout -b feature/amazing-feature)
- Commit your changes (git commit -m 'Add amazing feature')
- Push to the branch (git push origin feature/amazing-feature)
- Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
- Microsoft Graph API
- Microsoft Intune
- Microsoft Defender for Endpoint
- Azure Functions
- Microsoft Copilot Studio
Version: 1.0.0
Last Updated: January 2026
API Version: 3.0
Intune AI Scout is an independent, community-driven project. It is not affiliated with, endorsed by, or supported by Microsoft Corporation.
This project uses the Microsoft Graph API in accordance with Microsoft's API terms of service.
