
Automatically Renew Android Enrollment Tokens Using Power Automate


Intune can be a helpful platform to manage devices; it's not, however, helpful in managing enrollment tokens. I came across an article that explained most of this process beautifully, but I still wanted an end-to-end solution. Once the token gets renewed, to come full circle, we need to send the Enrollment QR Code off to recipients and store it for short-term posterity. We will cover the basics in Power Automate, but otherwise you can get a very good overview here. Let's get automating!

If you are just starting, you'll need to set up a few things to get going. Head over to the article above to get set up with a Service Principal and some other goodies. Our points of interest will take place on the Power Automate side, and all inside a cloud flow. Set up the Trigger, and construct the parts of the API.

Basic Setup

Once we are all set up, we will set a condition to check for expiration, and then do the work that needs to be done on each profile. I follow everything step by step up until I get to HTTP – query extended tokens. For this I changed the URI from

https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles/@{items('Apply_to_each')?['id']}

to

https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles/@{items('Apply_to_each')?['id']}?$select=tokenValue,tokenCreationDateTime,tokenExpirationDateTime,qrCodeImage

Why the change? Because I want the QR code. Even though the response from the original URI has a field for the QR image or code, you will find it comes back null. That being said, pop over to Intune and bring up the device token display.

Token from Enrollment

Now, with that page selected, open up Google Developer Tools (F12) and select Network like so:

Developer Tools

We can also see in Preview the actual payload we need. Copy that bad boy, pass go, and collect Status 200. Parse, convert from base64 to binary, send to SharePoint for repo, and email it out to your desktop team if need be.

Token retrieval

Lastly, notice the To field is set from the description. This property is a part of the enrollment profile. Depending on the group needing the profile, we plop their emails or a group email into the description, delimited if need be.

Profile Description
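The post-renewal handling described above, as an added Python example (not the author's flow): it checks the expiry window, decodes `qrCodeImage`, and, because the QR code carries the enrollment token, keeps only description addresses in an allowed domain. The sample response, the 7-day window, the `;` delimiter, the `example.com` domain and the PNG check are assumptions.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED_DOMAIN = "example.com"  # assumption: your tenant's mail domain

# Constructed sample of the $select response; not real tenant data.
SAMPLE = {
    "tokenExpirationDateTime": "2025-06-30T12:00:00.0000000Z",
    "description": "desktop-team@example.com; someone@outside.test",
    "qrCodeImage": {"type": "image/png",
                    "value": base64.b64encode(PNG_MAGIC + b"constructed").decode()},
}
SAMPLE_NOW = datetime(2025, 6, 25, tzinfo=timezone.utc)

def parse_graph_time(value):
    # Graph timestamps are ISO 8601 UTC; drop any fractional seconds.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def needs_renewal(profile, now, window_days=7):
    # window_days is an assumed threshold; use whatever your condition uses.
    return parse_graph_time(profile["tokenExpirationDateTime"]) - now <= timedelta(days=window_days)

def decode_qr(profile):
    qr = profile.get("qrCodeImage")
    if not qr or not qr.get("value"):
        raise ValueError("qrCodeImage is null; request it by name in $select")
    data = base64.b64decode(qr["value"], validate=True)
    if not data.startswith(PNG_MAGIC):  # assumption: the image is a PNG
        raise ValueError("decoded qrCodeImage is not a PNG")
    return data

def recipients(profile, delimiter=";"):
    # Keep only addresses in the allowed domain; the description is free text.
    pattern = r"[a-z0-9._%+-]+@" + re.escape(ALLOWED_DOMAIN)
    candidates = (a.strip().lower() for a in (profile.get("description") or "").split(delimiter))
    return [a for a in candidates if re.fullmatch(pattern, a)]

if __name__ == "__main__":
    if needs_renewal(SAMPLE, SAMPLE_NOW):
        print(len(decode_qr(SAMPLE)), "byte QR image for", recipients(SAMPLE))
```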

There you have it. We now have an end-to-end solution for renewing the token and providing the rig info to the customer.

“Keep close to Nature’s heart… and break clear away, once in a while, and climb a mountain or spend a week in the woods. Wash your spirit clean.”

-John Muir

Michael Heath

Michael Heath is an enablement specialist with over 15 years of experience. His background in Education, Behavioral Neuroscience, Game Theory, and IT has afforded him a unique perspective and ability to provide creative transformative solutions for the modern workplace. From napkin ideation to law, Michael utilizes human-centered techniques to solve problems in a creative and innovative way. His design thinking methodologies have resulted in millions of hours saved by strategizing big wins around usage and adoption of the Microsoft Power Platform. In his spare time, Michael loves experiencing new places, cultures, and foods with his family. He also enjoys lacing up a pair of hiking boots and exploring the great outdoors.
