Intune Commander provides typed service interfaces for all major Microsoft Graph Intune endpoints. Services are instantiated post-authentication with a GraphServiceClient.
Service Creation Pattern
All Graph services follow the same constructor pattern:
var graphClient = await factory.CreateClientAsync(profile);

// Create services manually (not in DI)
var configService = new ConfigurationProfileService(graphClient);
var complianceService = new CompliancePolicyService(graphClient);
var appService = new ApplicationService(graphClient);
Graph services are NOT registered in dependency injection. Create them after successful authentication.
See architecture overview at MainWindowViewModel.ConnectAsync for the complete service initialization pattern.
Configuration Profiles
IConfigurationProfileService
Manages device configuration profiles (device restrictions, email, Wi-Fi, VPN, etc.).
public interface IConfigurationProfileService
{
    Task<List<DeviceConfiguration>> ListDeviceConfigurationsAsync(
        CancellationToken cancellationToken = default);

    Task<DeviceConfiguration?> GetDeviceConfigurationAsync(
        string id,
        CancellationToken cancellationToken = default);

    Task<DeviceConfiguration> CreateDeviceConfigurationAsync(
        DeviceConfiguration config,
        CancellationToken cancellationToken = default);

    Task<DeviceConfiguration> UpdateDeviceConfigurationAsync(
        DeviceConfiguration config,
        CancellationToken cancellationToken = default);

    Task DeleteDeviceConfigurationAsync(
        string id,
        CancellationToken cancellationToken = default);

    Task<List<DeviceConfigurationAssignment>> GetAssignmentsAsync(
        string configId,
        CancellationToken cancellationToken = default);
}
ListDeviceConfigurationsAsync
Returns Task<List<DeviceConfiguration>>: All device configurations in the tenant. Polymorphic types include Windows10GeneralConfiguration, IosGeneralDeviceConfiguration, AndroidGeneralDeviceConfiguration, etc.
Example:
var configs = await configService.ListDeviceConfigurationsAsync(ct);
foreach (var config in configs)
{
    Console.WriteLine($"{config.DisplayName} ({config.OdataType})");

    // Type-specific properties
    if (config is Windows10GeneralConfiguration win10)
    {
        Console.WriteLine($"  Password required: {win10.PasswordRequired}");
    }
}
GetAssignmentsAsync
Returns Task<List<DeviceConfigurationAssignment>>: Assignment list with target groups and filter IDs
Example:
var assignments = await configService.GetAssignmentsAsync(configId, ct);
foreach (var assignment in assignments)
{
    if (assignment.Target is GroupAssignmentTarget groupTarget)
    {
        Console.WriteLine($"Assigned to group: {groupTarget.GroupId}");
    }
}
See IConfigurationProfileService.cs:6 for the complete interface.
Compliance Policies
ICompliancePolicyService
Manages device compliance policies.
public interface ICompliancePolicyService
{
    Task<List<DeviceCompliancePolicy>> ListCompliancePoliciesAsync(
        CancellationToken cancellationToken = default);

    Task<DeviceCompliancePolicy?> GetCompliancePolicyAsync(
        string id,
        CancellationToken cancellationToken = default);

    Task<DeviceCompliancePolicy> CreateCompliancePolicyAsync(
        DeviceCompliancePolicy policy,
        CancellationToken cancellationToken = default);

    Task<DeviceCompliancePolicy> UpdateCompliancePolicyAsync(
        DeviceCompliancePolicy policy,
        CancellationToken cancellationToken = default);

    Task DeleteCompliancePolicyAsync(
        string id,
        CancellationToken cancellationToken = default);

    Task<List<DeviceCompliancePolicyAssignment>> GetAssignmentsAsync(
        string policyId,
        CancellationToken cancellationToken = default);

    Task AssignPolicyAsync(
        string policyId,
        List<DeviceCompliancePolicyAssignment> assignments,
        CancellationToken cancellationToken = default);
}
CreateCompliancePolicyAsync
policy (DeviceCompliancePolicy, required): Compliance policy to create. Use derived types like Windows10CompliancePolicy, IosCompliancePolicy, etc.
Returns Task<DeviceCompliancePolicy>: Created policy with assigned ID
Example:
var policy = new Windows10CompliancePolicy
{
    DisplayName = "Windows 10 Baseline",
    Description = "Requires BitLocker and minimum OS version",
    PasswordRequired = true,
    PasswordMinimumLength = 8,
    OsMinimumVersion = "10.0.19041",
    BitLockerEnabled = true
};

var created = await complianceService.CreateCompliancePolicyAsync(policy, ct);
Console.WriteLine($"Created policy with ID: {created.Id}");
AssignPolicyAsync
assignments (List<DeviceCompliancePolicyAssignment>, required): Assignment targets (replaces existing assignments)
Example:
var assignments = new List<DeviceCompliancePolicyAssignment>
{
    new()
    {
        Target = new GroupAssignmentTarget
        {
            GroupId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        }
    }
};

await complianceService.AssignPolicyAsync(policyId, assignments, ct);
See ICompliancePolicyService.cs:6 for the complete interface.
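Because AssignPolicyAsync replaces the existing assignment set, sending only the new group silently removes the policy from every other target. The helper below is an added example, not Intune Commander code: it merges the new group into the current assignments before sending. `ComplianceAssignmentHelper` and `AddGroupWithoutDroppingAsync` are hypothetical names, and the `Microsoft.Graph.Beta.Models` namespace is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Graph.Beta.Models; // assumption: beta SDK models, as used by the types above

// Hypothetical helper, not part of Intune Commander.
public static class ComplianceAssignmentHelper
{
    // Adds one group target while keeping every existing assignment.
    // Returns false when the group is already targeted and nothing is sent.
    public static async Task<bool> AddGroupWithoutDroppingAsync(
        ICompliancePolicyService complianceService,
        string policyId,
        string groupId,
        CancellationToken ct = default)
    {
        var existing = await complianceService.GetAssignmentsAsync(policyId, ct);

        // ExclusionGroupAssignmentTarget derives from GroupAssignmentTarget, so this
        // also catches a group that is currently excluded from the policy.
        bool alreadyTargeted = existing.Any(a =>
            a.Target is GroupAssignmentTarget g &&
            string.Equals(g.GroupId, groupId, StringComparison.OrdinalIgnoreCase));
        if (alreadyTargeted) return false;

        // Re-send the current targets plus the new one, because the call replaces the set.
        var merged = existing
            .Select(a => new DeviceCompliancePolicyAssignment { Target = a.Target })
            .ToList();
        merged.Add(new DeviceCompliancePolicyAssignment
        {
            Target = new GroupAssignmentTarget { GroupId = groupId }
        });
        await complianceService.AssignPolicyAsync(policyId, merged, ct);

        // Read back and fail loudly if the stored set is smaller than what was sent.
        var after = await complianceService.GetAssignmentsAsync(policyId, ct);
        if (after.Count < merged.Count)
        {
            throw new InvalidOperationException(
                $"Policy {policyId}: expected {merged.Count} assignments, found {after.Count}.");
        }
        return true;
    }
}
```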
Applications
IApplicationService
Manages mobile applications (Win32, iOS, Android apps).
public interface IApplicationService
{
    Task<List<MobileApp>> ListApplicationsAsync(
        CancellationToken cancellationToken = default);

    Task<MobileApp?> GetApplicationAsync(
        string id,
        CancellationToken cancellationToken = default);

    Task<List<MobileAppAssignment>> GetAssignmentsAsync(
        string appId,
        CancellationToken cancellationToken = default);
}
Application creation is not exposed via this service due to the complexity of app upload workflows (content versioning, encryption, chunked upload to Azure Storage).
Example:
var apps = await appService.ListApplicationsAsync(ct);
foreach (var app in apps)
{
    Console.WriteLine($"{app.DisplayName} ({app.OdataType})");

    if (app is Win32LobApp win32)
    {
        Console.WriteLine($"  Install command: {win32.InstallCommandLine}");
    }
}
See IApplicationService.cs:6 for the complete interface.
Settings Catalog
ISettingsCatalogService
Manages Settings Catalog policies (modern replacement for administrative templates).
public interface ISettingsCatalogService
{
    Task<List<DeviceManagementConfigurationPolicy>> ListSettingsCatalogPoliciesAsync(
        CancellationToken cancellationToken = default);

    Task<DeviceManagementConfigurationPolicy?> GetSettingsCatalogPolicyAsync(
        string id,
        CancellationToken cancellationToken = default);

    Task<List<DeviceManagementConfigurationPolicyAssignment>> GetAssignmentsAsync(
        string policyId,
        CancellationToken cancellationToken = default);

    Task<List<DeviceManagementConfigurationSetting>> GetPolicySettingsAsync(
        string policyId,
        CancellationToken cancellationToken = default);

    Task<DeviceManagementConfigurationPolicy> CreateSettingsCatalogPolicyAsync(
        DeviceManagementConfigurationPolicy policy,
        CancellationToken cancellationToken = default);

    Task AssignSettingsCatalogPolicyAsync(
        string policyId,
        List<DeviceManagementConfigurationPolicyAssignment> assignments,
        CancellationToken cancellationToken = default);
}
GetPolicySettingsAsync
Retrieve expanded settings for a catalog policy.
Settings catalog policy ID
Returns Task<List<DeviceManagementConfigurationSetting>>: Full settings tree with definitions and values
Example:
var policy = await catalogService.GetSettingsCatalogPolicyAsync(policyId, ct);
var settings = await catalogService.GetPolicySettingsAsync(policyId, ct);

// GetSettingsCatalogPolicyAsync returns null when the policy is not found
Console.WriteLine($"Policy: {policy?.Name}");
Console.WriteLine($"Settings count: {settings.Count}");

foreach (var setting in settings)
{
    // The definition ID is carried on the setting instance
    Console.WriteLine($"  {setting.SettingInstance?.SettingDefinitionId}");
}
See ISettingsCatalogService.cs:6 for the complete interface.
Endpoint Security
IEndpointSecurityService
Manages endpoint security intents (antivirus, firewall, disk encryption, etc.).
public interface IEndpointSecurityService
{
    Task<List<DeviceManagementIntent>> ListEndpointSecurityIntentsAsync(
        CancellationToken cancellationToken = default);

    Task<DeviceManagementIntent?> GetEndpointSecurityIntentAsync(
        string id,
        CancellationToken cancellationToken = default);

    Task<DeviceManagementIntent> CreateEndpointSecurityIntentAsync(
        DeviceManagementIntent intent,
        CancellationToken cancellationToken = default);

    Task<DeviceManagementIntent> UpdateEndpointSecurityIntentAsync(
        DeviceManagementIntent intent,
        CancellationToken cancellationToken = default);

    Task DeleteEndpointSecurityIntentAsync(
        string id,
        CancellationToken cancellationToken = default);

    Task<List<DeviceManagementIntentAssignment>> GetAssignmentsAsync(
        string intentId,
        CancellationToken cancellationToken = default);

    Task AssignIntentAsync(
        string intentId,
        List<DeviceManagementIntentAssignment> assignments,
        CancellationToken cancellationToken = default);
}
Example:
var intents = await endpointSecurityService.ListEndpointSecurityIntentsAsync(ct);
var antivirusIntents = intents.Where(i =>
    i.TemplateId?.Contains("antivirus", StringComparison.OrdinalIgnoreCase) == true);

foreach (var intent in antivirusIntents)
{
    Console.WriteLine($"Antivirus policy: {intent.DisplayName}");
}
See IEndpointSecurityService.cs:6 for the complete interface.
Scripts
IDeviceManagementScriptService
Manages PowerShell scripts for Windows devices.
public interface IDeviceManagementScriptService
{
    Task<List<DeviceManagementScript>> ListDeviceManagementScriptsAsync(
        CancellationToken cancellationToken = default);

    Task<DeviceManagementScript?> GetDeviceManagementScriptAsync(
        string id,
        CancellationToken cancellationToken = default);

    Task<DeviceManagementScript> CreateDeviceManagementScriptAsync(
        DeviceManagementScript script,
        CancellationToken cancellationToken = default);

    Task<DeviceManagementScript> UpdateDeviceManagementScriptAsync(
        DeviceManagementScript script,
        CancellationToken cancellationToken = default);

    Task DeleteDeviceManagementScriptAsync(
        string id,
        CancellationToken cancellationToken = default);

    Task<List<DeviceManagementScriptAssignment>> GetAssignmentsAsync(
        string scriptId,
        CancellationToken cancellationToken = default);

    Task AssignScriptAsync(
        string scriptId,
        List<DeviceManagementScriptAssignment> assignments,
        CancellationToken cancellationToken = default);
}
Example:
var scriptContent = await File.ReadAllBytesAsync("install-app.ps1", ct);

var script = new DeviceManagementScript
{
    DisplayName = "Install Custom App",
    Description = "Deploys custom LOB application",
    ScriptContent = scriptContent,
    RunAsAccount = RunAsAccountType.System,
    EnforceSignatureCheck = false,
    RunAs32Bit = false
};

var created = await scriptService.CreateDeviceManagementScriptAsync(script, ct);
See IDeviceManagementScriptService.cs:6 for the complete interface.
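The creation example above combines RunAsAccount = System with EnforceSignatureCheck = false, so unsigned script content runs in the SYSTEM context on assigned devices. The audit below is an added example, not Intune Commander code: it inventories scripts in that state and hashes their content for comparison against reviewed copies. `ScriptAudit`, `RiskyScript` and `FindUnsignedSystemScriptsAsync` are hypothetical names; it assumes the `Microsoft.Graph.Beta.Models` namespace and that the list call may omit ScriptContent, so each flagged script is re-read by ID.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Graph.Beta.Models; // assumption: beta SDK models, as used by the types above

// Hypothetical types, not part of Intune Commander.
public sealed record RiskyScript(string Id, string? DisplayName, string? Sha256, int AssignmentCount);

public static class ScriptAudit
{
    // Returns scripts that run as SYSTEM without signature enforcement,
    // most widely assigned first.
    public static async Task<List<RiskyScript>> FindUnsignedSystemScriptsAsync(
        IDeviceManagementScriptService scriptService,
        CancellationToken ct = default)
    {
        var findings = new List<RiskyScript>();

        foreach (var summary in await scriptService.ListDeviceManagementScriptsAsync(ct))
        {
            if (summary.Id is null) continue;

            // A null EnforceSignatureCheck is treated as "not enforced".
            bool runsAsSystem = summary.RunAsAccount == RunAsAccountType.System;
            bool signatureEnforced = summary.EnforceSignatureCheck == true;
            if (!runsAsSystem || signatureEnforced) continue;

            // Assumption: list responses may not include ScriptContent, so fetch by ID.
            var full = await scriptService.GetDeviceManagementScriptAsync(summary.Id, ct);
            byte[]? content = full?.ScriptContent;
            string? sha256 = content is { Length: > 0 }
                ? Convert.ToHexString(SHA256.HashData(content))
                : null; // script deleted meanwhile, or content not returned

            var assignments = await scriptService.GetAssignmentsAsync(summary.Id, ct);
            findings.Add(new RiskyScript(summary.Id, summary.DisplayName, sha256, assignments.Count));
        }

        return findings.OrderByDescending(f => f.AssignmentCount).ToList();
    }
}
```

A finding with a null hash still counts: it means the content could not be read for review, not that the script is empty.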
IDeviceShellScriptService
Manages shell scripts for macOS devices (same pattern as PowerShell scripts).
See IDeviceShellScriptService.cs for details.
IDeviceHealthScriptService
Manages proactive remediation scripts (detect + remediate pattern).
Example:
var detectScript = await File.ReadAllBytesAsync("detect.ps1", ct);
var remediateScript = await File.ReadAllBytesAsync("remediate.ps1", ct);

var healthScript = new DeviceHealthScript
{
    DisplayName = "Check Disk Space",
    Description = "Alerts if disk space below 10GB",
    DetectionScriptContent = detectScript,
    RemediationScriptContent = remediateScript,
    RunAsAccount = RunAsAccountType.System,
    EnforceSignatureCheck = false,
    RunAs32Bit = false
};

var created = await healthScriptService.CreateDeviceHealthScriptAsync(healthScript, ct);
IComplianceScriptService
Manages custom compliance scripts (JSON output evaluated against rules).
See IComplianceScriptService.cs for details.
Windows Update Management
IFeatureUpdateProfileService
Manages Windows 10/11 feature update rings.
var profile = new WindowsFeatureUpdateProfile
{
    DisplayName = "Windows 11 23H2 Deployment",
    Description = "Deploy Windows 11 23H2 to pilot group",
    FeatureUpdateVersion = "Windows 11, version 23H2",
    RolloutSettings = new WindowsUpdateRolloutSettings
    {
        OfferStartDateTimeInUtc = DateTime.UtcNow.AddDays(7),
        OfferIntervalInDays = 1
    }
};

var created = await featureUpdateService.CreateFeatureUpdateProfileAsync(profile, ct);
IQualityUpdateProfileService
Manages Windows quality update rings (monthly patches).
IDriverUpdateProfileService
Manages Windows driver update profiles.
See respective interface files for complete method signatures.
Conditional Access
IConditionalAccessPolicyService
Read-only access to Conditional Access policies.
public interface IConditionalAccessPolicyService
{
    Task<List<ConditionalAccessPolicy>> ListPoliciesAsync(
        CancellationToken cancellationToken = default);

    Task<ConditionalAccessPolicy?> GetPolicyAsync(
        string id,
        CancellationToken cancellationToken = default);
}
Conditional Access write operations are intentionally excluded to prevent accidental lockout scenarios.
Example:
var policies = await conditionalAccessService.ListPoliciesAsync(ct);
var mfaPolicies = policies.Where(p =>
    p.GrantControls?.BuiltInControls?.Contains(ConditionalAccessGrantControl.Mfa) == true);

foreach (var policy in mfaPolicies)
{
    Console.WriteLine($"MFA policy: {policy.DisplayName} (State: {policy.State})");
}
See IConditionalAccessPolicyService.cs:6 for the complete interface.
Groups and Assignments
IGroupService
Enhanced group management with assignment lookup.
public interface IGroupService
{
    Task<List<Group>> ListDynamicGroupsAsync(
        CancellationToken cancellationToken = default);

    Task<List<Group>> ListAssignedGroupsAsync(
        CancellationToken cancellationToken = default);

    Task<GroupMemberCounts> GetMemberCountsAsync(
        string groupId,
        CancellationToken cancellationToken = default);

    Task<List<GroupMemberInfo>> ListGroupMembersAsync(
        string groupId,
        CancellationToken cancellationToken = default);

    Task<List<Group>> SearchGroupsAsync(
        string query,
        CancellationToken cancellationToken = default);

    Task<List<GroupAssignedObject>> GetGroupAssignmentsAsync(
        string groupId,
        IConfigurationProfileService configService,
        ICompliancePolicyService complianceService,
        IApplicationService appService,
        Action<string>? progressCallback = null,
        CancellationToken cancellationToken = default);
}
GetGroupAssignmentsAsync
Finds all Intune objects assigned to a specific group.
configService (IConfigurationProfileService, required): Configuration profile service instance
complianceService (ICompliancePolicyService, required): Compliance policy service instance
appService (IApplicationService, required): Application service instance
Optional callback for progress updates
Returns Task<List<GroupAssignedObject>>: All Intune objects (configs, policies, apps) assigned to the group
Example:
var assignments = await groupService.GetGroupAssignmentsAsync(
    groupId,
    configService,
    complianceService,
    appService,
    progressCallback: msg => Console.WriteLine(msg),
    ct);

Console.WriteLine($"Found {assignments.Count} assigned objects");
foreach (var obj in assignments)
{
    Console.WriteLine($"  {obj.ObjectType}: {obj.DisplayName}");
}
See IGroupService.cs:6 for the complete interface.
Common Patterns
All List* methods handle pagination automatically using Graph SDK’s PageIterator.
Polymorphic Types
Graph models use OData type discriminators. Always check runtime types:
var configs = await configService.ListDeviceConfigurationsAsync(ct);

foreach (var config in configs)
{
    switch (config)
    {
        case Windows10GeneralConfiguration win10:
            // Handle Windows 10 specific properties
            break;
        case IosGeneralDeviceConfiguration ios:
            // Handle iOS specific properties
            break;
        default:
            // Handle base or unknown types
            break;
    }
}
Error Handling
Graph SDK throws ServiceException for HTTP errors:
try
{
    await configService.DeleteDeviceConfigurationAsync(id, ct);
}
catch (ServiceException ex) when (ex.StatusCode == 404)
{
    Console.WriteLine("Configuration not found (may already be deleted)");
}
catch (ServiceException ex) when (ex.StatusCode == 403)
{
    Console.WriteLine("Insufficient permissions to delete configuration");
}
Next Steps
Cache Service: Cache Graph responses to reduce API calls
Export Service: Export configurations to JSON for backup/migration