This short blog is about a question I received on LinkedIn. The question was about Graph Explorer and why it wasn’t returning the configured OMA-URI values. It only showed some nice ****.


I will divide this blog into multiple parts

  1. Replicating the Problem
  2. What’s Happening?
  3. Fixing the Problem

If we need to fix the problem, we need to experience the problem ourselves. To start replicating the problem, I opened Graph Explorer first.

Graph Explorer is an excellent tool when you are starting with creating Graph API requests. So the tool can be used when you need to check some settings.

Let’s take a look at what settings are returned when we run this query.

https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/99b324ca-937e-4494-ac54-b06d889b04e8

As shown above, the value has some nice **** instead of the real values. So what’s happening?

When taking another good look at the screenshot above, you could also have noticed another funny setting: “IsEncrypted”: True

I guess it’s obvious what “isencrypted” means when it’s configured to 1. If not… the official documentation says the value field is encrypted.

So, Microsoft has suddenly switched the default value of isencrypted to 1 last month? I guess I missed that announcement?

But okay, no problem… Encryption is always a good thing. How are we going to decrypt it? When looking at the outcome of the query, we also noticed the “Secretreferencevalueid” in it.

Okay… So we can use this “id/key” to decrypt the oma settings value. But luckily there is no official documentation to tell us how?


Looking back at the wonderful history of GitHub commits, I noticed the “isencrypted” and the needed “secretreferencevalueid” appeared in the commit from 14 April.


Okay, but how are we going to get back the URI we need? Fiddler to the rescue! When we need some more information about what happens when we are configuring Intune, we need to use Fiddler. If you want to know how it works, please visit this blog.

So what does the URI look like?

I guess we have everything we need now, let’s create a PowerShell script to get back the values ourselves.

Here is the PowerShell script with everything we discussed in this blog. Please test it out yourself, but don’t forget to change the device configuration ID to your own.

```powershell
# Get-MsalToken comes from the MSAL.PS module
$authResult = Get-MsalToken -ClientId 'd1ddf0e4-d672-4dae-b554-9d5bdfd93547' -Scopes 'https://graph.microsoft.com/.default'
$headers1b = @{
    'Content-Type'  = 'application/json'
    'Authorization' = "Bearer " + $authResult.AccessToken
    'ExpiresOn'     = $authResult.ExpiresOn
}

$deviceconfigid = "99b324ca-937e-4494-ac54-b06d889b04e8"

# Get the device configuration
$url = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$deviceconfigid"
$deviceconfiguration = Invoke-RestMethod -Uri $url -Headers $headers1b -Method Get

# A profile can hold several OMA settings, each with its own secretReferenceValueId,
# so look them up one at a time instead of interpolating the whole array into one URL
foreach ($omasetting in $deviceconfiguration.omaSettings) {
    # Get the secret id needed to decrypt the data
    $secretid = $omasetting.secretReferenceValueId
    if (-not $secretid) { continue }   # nothing to look up for this setting

    # Pass the secret id to getOmaSettingPlainTextValue to get the plain-text value
    $Value = Invoke-RestMethod -Headers $headers1b -Method Get -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$deviceconfigid/getOmaSettingPlainTextValue(secretReferenceValueId='$($secretid)')"
    $Value | Format-List
}
```
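
The same lookup can be turned into an inventory of which OMA settings Graph masks and which request returns each plain-text value. This is an added example, not part of the original script; the function name Get-OmaSettingInventory and the sample JSON (IDs, names, OMA-URIs, secret id) are constructed for illustration.

```powershell
# Constructed sample of a deviceConfigurations list response (not tenant data)
$sampleJson = @'
{ "value": [
  { "id": "00000000-0000-0000-0000-000000000001", "displayName": "Custom - Example A",
    "omaSettings": [
      { "omaUri": "./Vendor/MSFT/Example/One", "isEncrypted": true,
        "secretReferenceValueId": "example-secret-id-1", "value": "****" },
      { "omaUri": "./Vendor/MSFT/Example/Two", "isEncrypted": false,
        "secretReferenceValueId": null, "value": "1" } ] },
  { "id": "00000000-0000-0000-0000-000000000002", "displayName": "Restrictions - Example B" }
] }
'@

# Hypothetical helper: one row per OMA setting, with the lookup URI for masked ones
function Get-OmaSettingInventory {
    param([Parameter(Mandatory)] [object[]] $Configurations)
    $base = 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations'
    foreach ($config in $Configurations) {
        # Profiles without an omaSettings property yield no rows
        foreach ($setting in $config.omaSettings) {
            $lookup = $null
            if ($setting.isEncrypted -and $setting.secretReferenceValueId) {
                # Same request shape as the script above, one per encrypted setting
                $lookup = "$base/$($config.id)/getOmaSettingPlainTextValue(secretReferenceValueId='$($setting.secretReferenceValueId)')"
            }
            [pscustomobject]@{
                Profile      = $config.displayName
                OmaUri       = $setting.omaUri
                IsEncrypted  = [bool]$setting.isEncrypted
                PlainTextUri = $lookup
            }
        }
    }
}

$report = Get-OmaSettingInventory -Configurations (($sampleJson | ConvertFrom-Json).value)
$report | Format-List
# Settings whose value Graph masks and that need the extra lookup
$report | Where-Object IsEncrypted | Select-Object Profile, OmaUri
```

Against a tenant, pass the `value` array from a GET on the deviceConfigurations collection (using the same `$headers1b`) instead of the sample.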

When I need to choose between spending my free evening watching some series or helping someone with a question I didn’t have the answer to (at that time)?


I guess you all know what my choice was.
