I recently had a requirement to enable Lost Mode on a mobile Intune device as part of the user leaving process. So I checked whether the MS Graph API supports this, and yes, it does.
NOTE: at the time of writing this post, this request is only available on the beta endpoint.
To learn more from Microsoft GRAPH API, see my Blog Series:
Part 1 – Authentication and Azure App – Use Microsoft Graph API with PowerShell – Part 1 » TechGuy
Part 2 – Oauth2.0 – Use Microsoft Graph API with PowerShell – Part 2 » TechGuy
Part 3 – First PowerShell Script to get a Teams List and Walkthrough – Use Microsoft Graph API with PowerShell – Part 3 » TechGuy
Part 4 – this one – Use Microsoft Graph API with PowerShell – Part 4 » TechGuy
API Reference and Permissions
The official documentation is here:
Azure App Registration Rights:
- Application: DeviceManagementManagedDevices.PrivilegedOperations.All
The PowerShell Script to enable Device Lost Mode using MS GRAPH API on Intune
This is the script for enabling Lost Mode on an Intune device using PowerShell with the MS Graph API. Make sure you check the GitHub repo for the newest version.
We get all managed devices for a user, check whether the operating system is iOS, and then enable Lost Mode on each of them.
# App registration details (placeholders). In production, load the secret from a secret store
# (e.g. Azure Key Vault or a SecretManagement vault) instead of keeping it in the script.
$clientID = "yourClientID"
$clientSecret = "yourSecret"
$tenantID = "yourTenantID"
# Configure device properties: the user whose devices should be put into Lost Mode
$UPN = "michael.seidl@au2mator.com"
# Connect to Graph API using the client credentials flow
$tokenBody = @{
    Grant_Type    = "client_credentials"
    Scope         = "https://graph.microsoft.com/.default"
    Client_Id     = $clientID
    Client_Secret = $clientSecret
}
$tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantID/oauth2/v2.0/token" -Method POST -Body $tokenBody
$headers = @{
    "Authorization" = "Bearer $($tokenResponse.access_token)"
    "Content-type"  = "application/json"
}
# Get the user object (we need its id for the managedDevices relationship)
$URLGetUser = "https://graph.microsoft.com/v1.0/users/$UPN"
$User = Invoke-RestMethod -Method GET -Uri $URLGetUser -Headers $headers
# Get the managed devices of that user
$UriGetDevices = "https://graph.microsoft.com/v1.0/users/$($User.id)/managedDevices"
$Devices = (Invoke-RestMethod -Method GET -Uri $UriGetDevices -Headers $headers).value
if (@($Devices).count -gt 0) {
    foreach ($D in $Devices) {
        # Lost Mode is only available for iOS devices
        if ($D.operatingSystem -eq "iOS") {
            # enableLostMode is a beta action at the time of writing
            $URL = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($D.id)/enableLostMode"
            # Message, phone number and footer are shown on the locked device screen
            $BodyJson = @"
{
    "message": "Please Contact your IT",
    "phoneNumber": "+43 1111 11111",
    "footer": "Company IT"
}
"@
            Invoke-RestMethod -Uri $URL -Method POST -Headers $headers -Body $BodyJson
        }
    }
}
# To turn Lost Mode off again, call disableLostMode on the same device (no body needed):
#$URL = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($D.id)/disableLostMode"
#Invoke-RestMethod -Uri $URL -Method POST -Headers $headers
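A more defensive variant of the same flow, added here as an example and not part of the original post or the GitHub repo: it pages through the user's managedDevices via @odata.nextLink, skips devices that are not supervised iOS/iPadOS (Lost Mode is only honoured on supervised Apple devices), and returns one status object per device so a leaver workflow can log what was actually done. It assumes the $headers and $UPN variables from the script above; the function names, the placeholder phone number, and the use of the isSupervised property on managedDevice are assumptions of this example.

```powershell
# Example code added to the post; assumes $headers (bearer token) and $UPN from the script above.
function Get-UserManagedDevices {
    param([Parameter(Mandatory)][hashtable]$Headers, [Parameter(Mandatory)][string]$UPN)
    # Only request the fields we need; follow nextLink in case the user has more than one page of devices
    $uri = "https://graph.microsoft.com/v1.0/users/$UPN/managedDevices?`$select=id,deviceName,operatingSystem,isSupervised"
    $devices = @()
    while ($uri) {
        $page = Invoke-RestMethod -Method GET -Uri $uri -Headers $Headers
        $devices += $page.value
        $uri = $page.'@odata.nextLink'
    }
    return $devices
}

function Enable-LostModeForUser {
    param(
        [Parameter(Mandatory)][hashtable]$Headers,
        [Parameter(Mandatory)][string]$UPN,
        [string]$Message = "Please contact your IT department",
        [string]$PhoneNumber = "+00 000 000000",   # placeholder, replace with the real helpdesk number
        [string]$Footer = "Company IT"
    )
    $body = @{ message = $Message; phoneNumber = $PhoneNumber; footer = $Footer } | ConvertTo-Json
    $results = foreach ($d in (Get-UserManagedDevices -Headers $Headers -UPN $UPN)) {
        # Lost Mode only works on supervised iOS/iPadOS devices; report and skip everything else
        if ($d.operatingSystem -notin @('iOS', 'iPadOS') -or -not $d.isSupervised) {
            [pscustomobject]@{ Device = $d.deviceName; Id = $d.id; Status = 'Skipped (not supervised iOS)' }
            continue
        }
        # enableLostMode is a beta action at the time of writing
        $uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($d.id)/enableLostMode"
        try {
            Invoke-RestMethod -Method POST -Uri $uri -Headers $Headers -Body $body | Out-Null
            [pscustomobject]@{ Device = $d.deviceName; Id = $d.id; Status = 'Lost Mode requested' }
        }
        catch {
            # Keep going for the remaining devices; the failure is recorded in the result set
            [pscustomobject]@{ Device = $d.deviceName; Id = $d.id; Status = "Failed: $($_.Exception.Message)" }
        }
    }
    return $results
}

# Usage: run against the leaving user and keep the output as an audit record of the offboarding step
Enable-LostModeForUser -Headers $headers -UPN $UPN | Format-Table -AutoSize
```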
The result: the mobile device is in Lost Mode.
GitHub Repo
Here you can find the GitHub Repo: Seidlm/Microsoft-Graph-API-Examples (github.com)
Michael Seidl aka Techguy
au2mate everything