Background

Welcome to another week of learning!

This week we focus on WinGet, Azure Logic Apps, Microsoft Graph, and some Intune tricks.

This is the second post in this series, and we continue with the same format as before.

I hope there is something that you can take away from this week!

Use WinGet with the Import switch

I found a tool called Winstall that helps you select apps and download a preconfigured JSON.

This is excellent as it supports searching and multi-select, significantly simplifying the process!

You need to select at least five applications to use the site, but you will almost certainly need more than five apps anyway!

A cool feature is that you can choose to download a script in bat or ps1 format instead if you don’t want to use a JSON with the import switch.

Thank you for this solution!

winstall – GUI for Windows Package Manager

mehedi hassan. (builtbymeh.com)
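
A downloaded import file decides what gets installed, so it is worth reviewing before it reaches winget. The following is an added example, not code from Winstall or from this post's original text; the JSON is constructed sample data, and the approved package list, the trusted source names and the Test-WingetImportFile function are assumptions made for illustration.

```powershell
# Added example: review a winget import file before installing from it.
# $importJson is constructed sample data; $approved and $trustedSources are assumptions.
$importJson = @'
{
  "$schema": "https://aka.ms/winget-packages.schema.2.0.json",
  "Sources": [
    {
      "SourceDetails": { "Name": "winget", "Type": "Microsoft.PreIndexed.Package",
                         "Identifier": "Microsoft.Winget.Source_8wekyb3d8bbwe",
                         "Argument": "https://cdn.winget.microsoft.com/cache" },
      "Packages": [
        { "PackageIdentifier": "7zip.7zip" },
        { "PackageIdentifier": "Mozilla.Firefox" },
        { "PackageIdentifier": "Example.UnknownTool" }
      ]
    }
  ]
}
'@
$approved       = @('7zip.7zip', 'Mozilla.Firefox', 'Notepad++.Notepad++')
$trustedSources = @('winget', 'msstore')
$path           = Join-Path $env:TEMP 'winstall-apps.json'
Set-Content -Path $path -Value $importJson -Encoding ascii   # stands in for the download

function Test-WingetImportFile {
    # Emits one row per package, marking whether its source and ID are both approved
    param([string]$Json, [string[]]$ApprovedIds, [string[]]$TrustedSources)
    $doc = $Json | ConvertFrom-Json
    foreach ($source in $doc.Sources) {
        $sourceOk = $TrustedSources -contains $source.SourceDetails.Name
        foreach ($pkg in $source.Packages) {
            [pscustomobject]@{
                Source   = $source.SourceDetails.Name
                Package  = $pkg.PackageIdentifier
                Approved = $sourceOk -and ($ApprovedIds -contains $pkg.PackageIdentifier)
            }
        }
    }
}

$report   = Test-WingetImportFile -Json (Get-Content -Raw $path) -ApprovedIds $approved -TrustedSources $trustedSources
$rejected = @($report | Where-Object { -not $_.Approved })
$report | Format-Table -AutoSize
if ($rejected.Count -eq 0) {
    winget import --import-file $path --accept-package-agreements --accept-source-agreements
} else {
    Write-Warning "Not importing. Unapproved: $($rejected.Package -join ', ')"
}
```

With the sample data the import is skipped, because Example.UnknownTool is not on the approved list.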

Getting current Time and Date in a Logic App

This is useful whenever you use a flow and need to use the current date.

For example, you want to put a timestamp into a property, or you are using the Create Blob action and want to put it in a folder matching the current date.

formatDateTime(utcNow(), 'yyyy-MM-dd')

How to get current date in logic app | How to format date time in Logic App (tech-findings.com)

How to handle Null when expecting string in Logic App

You can modify your JSON schema by including “null” in the expected type. Put this into brackets and you should be good to go!

I had an object that I wanted to export as a JSON file, but sometimes the required property doesn’t have a value.

By modifying the Parse JSON step you can specify that you allow empty values. It sure helped me out!

"type": ["string","null"]

How to get Intune PowerShell Scripts and Proactive Remediation Scripts from Microsoft Graph

By using MS Graph, you can get the remediation and PowerShell scripts that you use in Intune.

You need to use the correct URI to get them and then use their ID to get the actual script content.

After getting the IDs using deviceManagementScripts, you can use it with deviceHealthScripts to get the actual script.

This is how you do it in a Logic App.

Logic App with HTTP Get request

Substitute the Id variable with your information.

Microsoft Graph Explorer
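
The same two-step lookup (list to get the IDs, then get by ID for the content) can be done from PowerShell when you want to review what is deployed to your devices. This is an added example, not part of the original post; it assumes you already hold a Graph access token for an identity that may read Intune configuration, the function names are hypothetical, and the sample object is constructed.

```powershell
# Added example. $sample is constructed data shaped like the Graph beta response for
# GET /deviceManagement/deviceManagementScripts/{id}; it does not come from a real tenant.
function ConvertFrom-IntuneScriptContent {
    param([string]$Base64)
    if ([string]::IsNullOrEmpty($Base64)) { return '' }   # e.g. a remediation with no fix script
    $text = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64))
    $text.TrimStart([char]0xFEFF)                          # drop a BOM if the uploaded file had one
}

function Get-IntuneScriptSource {
    # $AccessToken is assumed to be a valid Graph token; acquiring it is out of scope here
    param([Parameter(Mandatory)][string]$AccessToken)
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $base    = 'https://graph.microsoft.com/beta/deviceManagement'
    foreach ($kind in 'deviceManagementScripts', 'deviceHealthScripts') {
        # Step 1: the list call gives the IDs
        $list = Invoke-RestMethod -Uri "$base/$kind" -Headers $headers
        foreach ($item in $list.value) {
            # Step 2: fetch each script by ID to get the base64-encoded content
            $full = Invoke-RestMethod -Uri "$base/$kind/$($item.id)" -Headers $headers
            [pscustomobject]@{
                Kind        = $kind
                Name        = $full.displayName
                Script      = ConvertFrom-IntuneScriptContent $full.scriptContent
                Detection   = ConvertFrom-IntuneScriptContent $full.detectionScriptContent
                Remediation = ConvertFrom-IntuneScriptContent $full.remediationScriptContent
            }
        }
    }
}

# Offline check of the decoding step with the constructed sample
$source = "Set-TimeZone -Id 'W. Europe Standard Time'"
$sample = [pscustomobject]@{
    id            = '00000000-0000-0000-0000-000000000001'
    displayName   = 'Set time zone (constructed)'
    scriptContent = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($source))
}
ConvertFrom-IntuneScriptContent $sample.scriptContent
```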

How to assign permissions to Managed Identities for Microsoft Graph

I recently had the opportunity to create my first Logic App that uses Microsoft Graph API to read and write data.

This gave me the chance to properly work with Managed Identities, and to discover why they are such a blessing to work with.

Managed Identities are a key part of some Azure services such as Logic Apps and Automation Accounts. They can access resources using permissions, without the need for credentials. You can’t even access any credentials, which totally eliminates the need for password management.

It is all done by the app!

This is an example of PowerShell code that you can use to grant your service principal (Logic App in this scenario) the permissions it needs on Microsoft Graph. In my example, I grant DeviceManagementConfiguration.Read.All, to give the app permissions to read from Microsoft Intune.

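# Requires the AzureAD module and an active Connect-AzureAD session
# Well-known application ID of Microsoft Graph
$MSGraphAppId = "00000003-0000-0000-c000-000000000000"
$DisplayNameOfLogicApp = "<name of logic app>"
$PermissionName = "DeviceManagementConfiguration.Read.All"
# Service principal of the Logic App's managed identity
$MI = (Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfLogicApp'")
# Service principal of Microsoft Graph in this tenant
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MSGraphAppId'"
# Pick the application (not delegated) app role that matches the permission name
$AppRole = $GraphServicePrincipal.AppRoles |
    Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }
# Assign the role to the managed identity ($MI is both the object and the principal)
New-AzureADServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
    -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id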

There are also similar ways to do this if you want to grant permissions to users or groups instead. Just substitute Service in New-AzureADServiceAppRoleAssignment with User or Group and change the $MI variable to contain the user or group instead.

Grant Graph API Permission to Managed Identity Object – Microsoft Community Hub

Managed identities for Azure resources – Microsoft Entra | Microsoft Learn

How to publish Office templates in a tenant

I had a need recently to find a way to distribute Office document templates to a customer. The environment is cloud-only using Microsoft 365 licenses, which means no fileservers and no Active Directory and GPOs.

After doing some digging I found a pretty nice solution that allowed me to share the templates and have them show up in the Office apps.

Using the PowerShell code below, you can create a folder in SharePoint and publish it in your organization. There is no need to configure any additional settings on the clients or in the Office apps, as this configuration follows the tenant and the user login.

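# Tenant name, i.e. the part before .sharepoint.com
$domain = "<domainname>"
# Connect to the SharePoint Online admin endpoint
Connect-SPOService -Url "https://$domain-admin.sharepoint.com"
# Show the "Everyone except external users" claim in the people picker
Set-SPOTenant -ShowEveryoneExceptExternalUsersClaim $True
# Register the library as the organization's Office template library
Add-SPOOrgAssetsLibrary -LibraryUrl "https://$domain.sharepoint.com/Templates" -OrgAssetType OfficeTemplateLibrary -CdnType Private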

The next time you start Word to create a new document, you will notice your Company name and that you can find all the published templates there.

A benefit of this is that you can control access to the source folder in SharePoint, giving edit access only to the marketing department or other people who should add and update templates.

Add-SPOOrgAssetsLibrary (Microsoft.Online.SharePoint.PowerShell) | Microsoft Learn

Summary

This week we learned new things concerning WinGet, Graph API, and Logic Apps!

  • How we can use the Import switch with WinGet to import a JSON file to install multiple applications.
  • How we can use a variable for getting the current date in a Logic App and Power Automate.
  • Sometimes a value can be required in the JSON schema. This can be changed to accept null values.
  • How we can use MS Graph API to get Proactive Remediation scripts from Intune.
  • How to assign MS Graph permissions to Managed Identities.
  • How to centrally publish Office templates to all users in your tenant.

Resources

winstall – GUI for Windows Package Manager

mehedi hassan. (builtbymeh.com)

How to get current date in logic app | How to format date time in Logic App (tech-findings.com)

Microsoft Graph Explorer

Grant Graph API Permission to Managed Identity Object – Microsoft Community Hub

Managed identities for Azure resources – Microsoft Entra | Microsoft Learn

Add-SPOOrgAssetsLibrary (Microsoft.Online.SharePoint.PowerShell) | Microsoft Learn
