I often face the challenge that field supporters without any Intune admin roles need to add/upload Autopilot hashes to Intune. This can be a time-consuming and error-prone process.

In this article, I will show you how to build a logic app that can be used to upload hardware hashes to Autopilot without admin rights. This logic app can be used to automate the process of adding devices to Autopilot.


Prerequisites

Before you begin, you will need the following:

Build the Solution yourself

Create a SharePoint list

Create a SharePoint list that contains the hardware hashes of the devices that you want to add to Autopilot. The list should have at least two columns:

  • Serialnumber
  • Hardware Hash

To create it, navigate to the SharePoint site where you want to create the list. There, under Site Content, click New and then click List.

SharePoint, add new list

Now define the name of the list. I chose "Autopilot Hash Upload".

SharePoint, new list name Autopilot Hash Upload

Once in the list, I add a new column called Hardware Hash.
Because a single line of text can only hold 255 characters and a hardware hash is much longer, you must use the Multiple Lines of Text field type.

SharePoint List, add Multiple lines of text field

For a better user experience you can rename the Title column to Serialnumber.
My list in the end looks like this:

SharePoint List for Autopilot Hash Upload

Create a Logic App

Create a Logic App in the Azure portal by searching for Logic App and clicking Add.

Create new Logic App

Because the hosting option is consumption based, you only pay per run, so for this workload it will cost you almost nothing.

Select Consumption Logic App plan

The next step is to define which subscription and resource group the Logic application should be in, and the name of the application itself:

Set Logic App Basics in Azure

After clicking Review + create you will be redirected to the Logic App.

Activation and permissions for the Managed Identity

To use Managed Identity, you must enable it under Identity in the Logic application. Set the status to On and save the change.

Enable Managed Identity for Logic App

Now we have the Logic App and the Managed Identity and need to assign the necessary permissions to access Intune/Autopilot.

Unfortunately, the Azure portal doesn't offer a UI for this step, but no worries! PowerShell comes to the rescue and lets us configure permissions quickly.

Ensure you have the Microsoft Graph PowerShell module installed. Run the following command in your PowerShell window:

Install-Module Microsoft.Graph -Scope CurrentUser

The following script grants the Logic App's managed identity the ability to upload the device information to Intune. You can modify it to assign additional permissions if needed.
The script will prompt you for the name of the Managed Identity, which is the same as the name of your Logic App.

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Application.Read.All","AppRoleAssignment.ReadWrite.All","RoleManagement.ReadWrite.Directory"

# You will be prompted for the name of your Managed Identity (same as the Logic App name)
$MdId_Name = Read-Host "Name of your Managed Identity"
$MdId_ID = (Get-MgServicePrincipal -Filter "displayName eq '$MdId_Name'").Id
if ($null -eq $MdId_ID) { throw "No service principal found with display name '$MdId_Name'" }

# Service principal of Microsoft Graph (well-known AppId) that exposes the app roles
$graphApp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

# The only Graph application permission needed to import Autopilot identities
$graphScopes = @(
  "DeviceManagementServiceConfig.ReadWrite.All"
)

ForEach($scope in $graphScopes){
  # Resolve the permission name to the app role object on the Graph service principal
  $appRole = $graphApp.AppRoles | Where-Object {$_.Value -eq $scope}

  if ($null -eq $appRole) { Write-Warning "Unable to find App Role for scope $scope"; continue; }

  # Check whether the permission is already assigned to the managed identity
  $assignedAppRole = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MdId_ID | Where-Object { $_.AppRoleId -eq $appRole.Id -and $_.ResourceDisplayName -eq "Microsoft Graph" }

  if ($null -eq $assignedAppRole) {
    # Grant the app role to the managed identity
    New-MgServicePrincipalAppRoleAssignment -PrincipalId $MdId_ID -ServicePrincipalId $MdId_ID -ResourceId $graphApp.Id -AppRoleId $appRole.Id
  }else{
    Write-Host "Scope $scope already assigned"
  }
}
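As an added check that is not part of the article's script, the following function lists the app roles actually granted to the managed identity and flags anything beyond the single role the Logic App needs, so the identity stays least-privilege. It assumes Connect-MgGraph has already run with Application.Read.All; the identity name at the bottom is a placeholder.

```powershell
# Added example: audit the app roles granted to the Logic App's managed identity.
# Assumes an existing Connect-MgGraph session with Application.Read.All.
function Test-ManagedIdentityAppRoles {
    param(
        [Parameter(Mandatory)] [string] $ManagedIdentityName,
        [string[]] $ExpectedRoles = @("DeviceManagementServiceConfig.ReadWrite.All")
    )
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$ManagedIdentityName'"
    if ($null -eq $sp) { throw "Managed identity '$ManagedIdentityName' not found" }

    # Each assignment only carries the AppRoleId; resolve it to the role name
    # (Value) on the resource service principal it was granted against.
    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
    $granted = foreach ($a in $assignments) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
        [pscustomobject]@{ Resource = $resource.DisplayName; Role = $role.Value }
    }

    # Anything not in the expected list is excess privilege worth removing
    $unexpected = @($granted | Where-Object { $_.Role -notin $ExpectedRoles })
    $missing    = @($ExpectedRoles | Where-Object { $_ -notin @($granted.Role) })

    [pscustomobject]@{
        Identity   = $ManagedIdentityName
        Granted    = $granted
        Missing    = $missing
        Unexpected = $unexpected
    }
}

# Placeholder name: replace with the name of your Logic App
Test-ManagedIdentityAppRoles -ManagedIdentityName "<your-logic-app-name>"
```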

Add a trigger

Add a trigger to your Logic App. You can use the SharePoint trigger "When an item is created or modified".

To do so navigate to the Logic app designer and click "Add a trigger":

Add Trigger to Logic App

In here search for SharePoint and choose the "When an item is created or modified" trigger:

Select SharePoint trigger for list items

You will need to connect the connector to an account that has permissions to the list. Unfortunately, we cannot use a managed identity for this trigger. So make sure you have a well-protected service account.

Connect SharePoint to Logic App

Add an action

Add an action to your Logic App to upload the Autopilot hash from the SharePoint list. For this I use an HTTP action.

In the Logic App Designer, below the trigger, click the plus sign and add an action. Look for HTTP and select it:

Configure the HTTP action (Hash Upload)

Configure the HTTP action as follows:

Method: POST
URI: https://graph.microsoft.com/beta/deviceManagement/importedWindowsAutopilotDeviceIdentities
Body:
{
"serialNumber": "",
"hardwareIdentifier": ""
}
(fill the two values with the dynamic content of the Serialnumber and Hardware Hash columns from the trigger)
Authentication Type: Managed Identity / System Assigned
Audience: https://graph.microsoft.com
Logic App HTTP Post configuration for Autopilot Hash Upload
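To make visible what the HTTP action does and how the result can be checked, here is an added PowerShell example that is not part of the article: it validates the hash before sending it, issues the same POST against the importedWindowsAutopilotDeviceIdentities endpoint, and polls the import state that Intune reports. It assumes Connect-MgGraph has run with DeviceManagementServiceConfig.ReadWrite.All; the serial number and hash at the bottom are constructed sample values.

```powershell
# Added example: upload one hardware hash and wait for Intune's import result.
# Assumes an existing Connect-MgGraph session with DeviceManagementServiceConfig.ReadWrite.All.
function Import-AutopilotHash {
    param(
        [Parameter(Mandatory)] [string] $SerialNumber,
        [Parameter(Mandatory)] [string] $HardwareHash,
        [int] $TimeoutSeconds = 300
    )
    # The hash is a base64 blob; a truncated or mangled paste fails to decode,
    # so reject it here instead of letting the import silently end in an error.
    $hash = $HardwareHash -replace '\s', ''
    try { [void][Convert]::FromBase64String($hash) }
    catch { throw "Hardware hash for '$SerialNumber' is not valid base64" }

    $uri  = 'https://graph.microsoft.com/beta/deviceManagement/importedWindowsAutopilotDeviceIdentities'
    $body = @{ serialNumber = $SerialNumber; hardwareIdentifier = $hash }
    $import = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body -ContentType 'application/json'

    # The import is asynchronous: re-read the returned object until the
    # state leaves unknown/pending (ends in complete, partial or error).
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 15
        $import = Invoke-MgGraphRequest -Method GET -Uri "$uri/$($import.id)"
        $status = $import.state.deviceImportStatus
    } while ($status -in @('unknown', 'pending') -and (Get-Date) -lt $deadline)

    [pscustomobject]@{
        SerialNumber = $SerialNumber
        ImportId     = $import.id
        Status       = $status
        ErrorName    = $import.state.deviceErrorName   # populated when the import failed
        ErrorCode    = $import.state.deviceErrorCode
    }
}

# Constructed sample values for illustration only; not a real device
Import-AutopilotHash -SerialNumber 'SAMPLE-SN-0001' -HardwareHash ([Convert]::ToBase64String([byte[]](1..64)))
```

The returned Status and ErrorName fields are what a notification step in the Logic App would branch on.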

Finally: Test your Logic App

Test your Logic App by adding a new item to your SharePoint list. The Logic App should upload the hardware hash to Autopilot which takes around 1-5 minutes.

Additional tips & improvements

  • You can use the Send email action to send an email notification when a device has been successfully added to Autopilot (or not).
  • This is a very simple logic app; you could add error handling including notifications.
  • You can add a state column to even remove hashes when they are no longer needed.

I hope this article has been helpful. If you have any questions, please feel free to leave a comment below.