Automatically Renew Android Enrollment Tokens Using Power Automate

Intune can be a helpful platform to manage devices; it is not, however, helpful in managing enrollment tokens. I came across an article that explained most of this process beautifully, but I still wanted an end-to-end solution. Once the token gets renewed, to come full circle, we need to send the Enrollment QR Code off to recipients and store it for short-term posterity. We will cover the basics in Power Automate, but otherwise you can get a very good overview here. Let’s get automating!

If you are just starting, you’ll need to set up a few things to get going. Head over to the article above to get set up with a Service Principal and some other goodies. Our points of interest will take place on the Power Automate side, and all inside a cloud flow. Set up the trigger, and construct the parts of the API.

Basic Setup

Once we are all set up, we will set a condition to check for expiration, and then do the work that needs to be done on each profile. I follow everything step by step up until I get to HTTP – query extended tokens. For this I changed the URI from

https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles/@{items('Apply_to_each')?['id']}

to

https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles/@{items('Apply_to_each')?['id']}?$select=tokenValue,tokenCreationDateTime,tokenExpirationDateTime,qrCodeImage

Why the change? Because I want the QR code. Even though the URI posted has a field for QR Image or Code, you will find the return is null. That being said, pop over to Intune and get the device token display.

Token from Enrollment

Now with that page selected open up Google Developer tools (F12) and highlight Network like so:

Developer Tools

We can also see in Preview the actual payload we need. Copy that bad boy, pass go, and collect Status 200. Parse, convert from base64 to binary, send to SharePoint for repo, and email it out to your desktop team if need be.

Token retrieval

Lastly, notice the To field is set from the description. This property is a part of the enrollment profile. Depending on the group needing the profile, we plop their emails or a group email into the description, delimited if need be.

Profile Description
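
The checks around those steps, sketched in Python as an added example (not the author's flow or Microsoft's code): the expiration condition, the base64-to-binary conversion, and splitting the description into recipients. It assumes `qrCodeImage` comes back as an object with a `type` and a base64 `value` holding a PNG, a `;` or `,` delimiter in the description, and a hypothetical `example.com` allow-list, since the QR code enrolls devices and the description is editable free text.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED_DOMAIN = "example.com"    # assumption: only mail domain allowed to receive the QR code
RENEW_WINDOW = timedelta(days=7)  # assumption: renew when expiry is this close

def parse_graph_time(value):
    """Parse a Graph UTC timestamp, ignoring any fractional seconds."""
    stamp = value.split(".")[0].rstrip("Z")
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def needs_renewal(profile, now):
    """The expiration condition: True once the token is inside the renewal window."""
    return parse_graph_time(profile["tokenExpirationDateTime"]) - now <= RENEW_WINDOW

def qr_png_bytes(profile):
    """Base64-to-binary step, refusing a null image or anything that is not a PNG."""
    image = profile.get("qrCodeImage") or {}
    if not image.get("value"):
        raise ValueError("qrCodeImage is null: was it named in $select?")
    data = base64.b64decode(image["value"], validate=True)
    if not data.startswith(PNG_MAGIC):
        raise ValueError("decoded qrCodeImage is not a PNG")
    return data

def recipients(profile):
    """Split the description into addresses; keep only those in ALLOWED_DOMAIN."""
    parts = re.split(r"[;,]", profile.get("description") or "")
    found = [a.strip().lower() for a in parts if a.strip()]
    pattern = r"[a-z0-9._%+-]+@" + re.escape(ALLOWED_DOMAIN)
    allowed = [a for a in found if re.fullmatch(pattern, a)]
    return allowed, [a for a in found if a not in allowed]

# Constructed sample shaped like the $select response; values are not from a real tenant.
SAMPLE_PROFILE = {
    "description": "desktop-team@example.com; someone@outside.test",
    "tokenValue": "CONSTRUCTED-TOKEN",
    "tokenCreationDateTime": "2024-12-01T00:00:00Z",
    "tokenExpirationDateTime": "2025-03-01T00:00:00.0000000Z",
    "qrCodeImage": {"type": "image/png",
                    "value": base64.b64encode(PNG_MAGIC + b"constructed").decode()},
}

if __name__ == "__main__":
    now = datetime(2025, 2, 25, tzinfo=timezone.utc)
    print("renew:", needs_renewal(SAMPLE_PROFILE, now))
    print("png bytes:", len(qr_png_bytes(SAMPLE_PROFILE)))
    print("send to / rejected:", recipients(SAMPLE_PROFILE))
```

In a flow, the rejected list is what you would route to an administrator instead of the To field.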

There you have it. We now have an end-to-end solution for renewing the token and providing the rig info to the customer.

Michael Heath
