Intune Commander Core is a .NET 10 class library that provides a comprehensive API for managing Microsoft Intune configurations across multiple cloud environments. The Core library uses the Microsoft Graph Beta SDK and follows a service-oriented architecture.

Architecture

Service Lifecycle

Intune Commander uses a hybrid dependency injection model:

Registered in DI (Singleton)
  • IAuthenticationProvider - Handles credential creation
  • IntuneGraphClientFactory - Creates authenticated Graph clients
  • ProfileService - Manages tenant profiles
  • ICacheService - LiteDB-backed caching layer
  • IProfileEncryptionService - DataProtection-based encryption
Created Post-Authentication

Graph API services are NOT registered in DI. After successful authentication, the application creates them directly:
var graphClient = await factory.CreateClientAsync(profile);

// Services created manually after authentication
var configService = new ConfigurationProfileService(graphClient);
var complianceService = new CompliancePolicyService(graphClient);
var appService = new ApplicationService(graphClient);

Service Registration

All Core services are registered via the extension method:
services.AddIntuneCommanderCore();
This configures:
  • DataProtection with file-based key storage at %LocalAppData%/Intune.Commander/keys
  • Legacy key migration from IntuneManager paths
  • Singleton authentication and factory services
  • Transient export service
See ServiceCollectionExtensions.cs:10 for the complete registration.
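
The DataProtection setup described above, as an added example that is not Intune Commander's own registration code: a file-backed key ring, purpose-isolated protectors, and rejection of wrong-purpose or modified payloads. The application name, purpose strings, temp key directory and sample payload are assumptions made for the demo.

```csharp
// Requires the Microsoft.AspNetCore.DataProtection and
// Microsoft.Extensions.DependencyInjection packages.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

// Constructed demo location; the page's real key ring lives under
// %LocalAppData%/Intune.Commander/keys.
var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-demo-keys"));

var services = new ServiceCollection();
var builder = services.AddDataProtection()
    .SetApplicationName("DataProtectionDemo")      // hypothetical name
    .PersistKeysToFileSystem(keyDir);

// A file-backed key ring is plain XML unless key encryption is configured.
// DPAPI ties the ring to the current Windows user account.
if (OperatingSystem.IsWindows())
    builder.ProtectKeysWithDpapi();

using var sp = services.BuildServiceProvider();
var provider = sp.GetRequiredService<IDataProtectionProvider>();

// Purpose strings (hypothetical) isolate payloads that share one key ring.
var profiles = provider.CreateProtector("Demo.TenantProfiles.v1");
var cache = provider.CreateProtector("Demo.Cache.v1");

// Constructed sample payload standing in for a stored tenant profile.
byte[] secret = Encoding.UTF8.GetBytes("{\"tenantId\":\"00000000-0000-0000-0000-000000000000\"}");
byte[] blob = profiles.Protect(secret);

byte[] tampered = (byte[])blob.Clone();
tampered[^1] ^= 0x01;                               // flip one bit of the payload

Console.WriteLine($"round trip ok:        {secret.AsSpan().SequenceEqual(profiles.Unprotect(blob))}");
Console.WriteLine($"wrong purpose denied: {Rejects(cache, blob)}");
Console.WriteLine($"tampering detected:   {Rejects(profiles, tampered)}");

// Unprotect throws CryptographicException for any payload it cannot authenticate.
static bool Rejects(IDataProtector protector, byte[] payload)
{
    try { protector.Unprotect(payload); return false; }
    catch (CryptographicException) { return true; }
}
```

On non-Windows hosts this example leaves the key ring unencrypted on disk, so the key directory's file permissions are the only protection for the keys.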

Multi-Cloud Support

Intune Commander supports four Microsoft cloud environments:
| Environment | Graph Endpoint | Authority Host |
|---|---|---|
| Commercial | https://graph.microsoft.com/beta | Azure Public Cloud |
| GCC | https://graph.microsoft.com/beta | Azure Public Cloud |
| GCC-High | https://graph.microsoft.us/beta | Azure Government |
| DoD | https://dod-graph.microsoft.us/beta | Azure Government |
The correct endpoints are automatically selected based on the TenantProfile.Cloud property. See CloudEndpoints.cs:7 for endpoint resolution logic.

Graph API Service Pattern

All Graph services follow a consistent interface pattern:
public interface IXxxService
{
    // List all resources
    Task<List<T>> ListAsync(CancellationToken cancellationToken = default);
    
    // Get single resource by ID
    Task<T?> GetAsync(string id, CancellationToken cancellationToken = default);
    
    // Create new resource
    Task<T> CreateAsync(T resource, CancellationToken cancellationToken = default);
    
    // Update existing resource
    Task<T> UpdateAsync(T resource, CancellationToken cancellationToken = default);
    
    // Delete resource
    Task DeleteAsync(string id, CancellationToken cancellationToken = default);
    
    // Get assignments (where applicable)
    Task<List<TAssignment>> GetAssignmentsAsync(string id, CancellationToken cancellationToken = default);
    
    // Assign resource (where applicable)
    Task AssignAsync(string id, List<TAssignment> assignments, CancellationToken cancellationToken = default);
}
Services are thin wrappers around Microsoft Graph Beta SDK types (DeviceConfiguration, DeviceCompliancePolicy, etc.) with no custom model layer.

Key Services

Configuration Management

  • IConfigurationProfileService - Device configuration profiles
  • ICompliancePolicyService - Compliance policies
  • ISettingsCatalogService - Settings catalog policies
  • IEndpointSecurityService - Endpoint security intents
  • IAdministrativeTemplateService - ADMX-backed administrative templates

Application Management

  • IApplicationService - Mobile applications
  • IAppProtectionPolicyService - App protection policies
  • IManagedAppConfigurationService - Managed app configurations

Scripts and Remediation

  • IDeviceManagementScriptService - PowerShell scripts (Windows)
  • IDeviceShellScriptService - Shell scripts (macOS)
  • IDeviceHealthScriptService - Proactive remediation scripts
  • IComplianceScriptService - Custom compliance scripts

Windows Update Management

  • IFeatureUpdateProfileService - Windows feature updates
  • IQualityUpdateProfileService - Windows quality updates
  • IDriverUpdateProfileService - Windows driver updates

Enrollment and Provisioning

  • IEnrollmentConfigurationService - Enrollment restrictions and ESP
  • IAutopilotService - Windows Autopilot profiles
  • IAppleDepService - Apple DEP tokens

Identity and Access

  • IConditionalAccessPolicyService - Conditional Access policies
  • IAuthenticationStrengthService - Authentication strength policies
  • IAuthenticationContextService - Authentication contexts
  • INamedLocationService - Named locations
  • ITermsOfUseService - Terms of Use agreements

Organization

  • IGroupService - Azure AD groups with assignment lookup
  • IUserService - User management
  • IScopeTagService - Role-based access scope tags
  • IRoleDefinitionService - Custom RBAC role definitions

Data Management

  • IExportService - Export configurations to JSON
  • IImportService - Import configurations with ID remapping
  • ICacheService - Encrypted LiteDB cache with TTL

Error Handling

Services throw Graph SDK exceptions directly:
  • ServiceException - Graph API errors with status codes
  • UnauthorizedException - 401 authentication failures
  • ForbiddenException - 403 permission errors
Callers should handle exceptions appropriately:
try
{
    var policies = await complianceService.ListCompliancePoliciesAsync(ct);
}
catch (ServiceException ex) when (ex.StatusCode == 403)
{
    // Handle permission denied
}

Next Steps

Authentication

Credential types, Graph client factory, multi-cloud auth

Graph Services

Device configs, compliance, apps, scripts with method signatures

Cache Service

LiteDB storage, encryption, TTL, polymorphic deserialization

Export Service

JSON export, import with ID remapping, migration tables
