Create Web Link with PowerShell in Intune

Web Link is a simple way to publish URL shortcuts in Intune. It allows the administrator to control which URL shortcuts appear on a user’s mobile device, either without user consent or as an optional application. Creating one manually is fairly simple; you can look at Microsoft’s documentation. Recently I had a need to automate this process using the Graph API. In the end it wasn’t difficult, but I haven’t found any ready-made article about it. Hence, I would like to describe here – step by step – the way to create a Web Link with PowerShell in Intune.

Connect to Intune with Graph API

If you have already used the MS Graph API with PowerShell, skip to the next chapter; there will be nothing new here. But if this is your first time connecting this way, continue reading. First of all, you need an App Registration in your tenant with the proper access rights. In the Azure AD console go to ‘App Registrations’ and click ‘New Registration’. Provide a name. The ‘Redirect URL’ won’t be used, so you can skip it.

I used a client secret for authentication; you can select other methods if you like. When you have the new secret created in the ‘Certificates & secrets’ section, go to ‘API permissions’. Here you can grant access to manage Web Apps in Intune. What you need is ‘DeviceManagementApps.ReadWrite.All’ of the ‘Application’ type. Remember to grant admin consent for this permission.

Once it’s ready, you need to get the access token. In PowerShell run:

$tenantID           = "[YOUR TENANT ID]"                          # directory (tenant) ID; used in the token URL below
$AppRegistrationID  = "[YOUR APP REGISTRATION ID]"
$Secret             = "[YOUR APP REGISTRATION SECRET]"

$TokenGrantType     = "client_credentials"
$TokenScope         = "https://graph.microsoft.com/.default"      # Token scope for Intune queries in Graph
$TokenURL           = "https://login.microsoftonline.com/$tenantID/oauth2/v2.0/token"

$tokenBody  = @{
        Grant_Type    = $TokenGrantType
        Scope         = $TokenScope
        Client_Id     = $AppRegistrationID
        Client_Secret = $Secret
    }
$tokenResponse = Invoke-RestMethod -Uri $TokenURL -Method POST -Body $tokenBody
$Token         = $tokenResponse.access_token

$Headers = @{
        Authorization    = "Bearer $Token"
        Accept           = "application/json"
    }

The $Headers variable will be used in every call to the API; this is how the calls are authenticated. Continue reading to see how to do it.
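Before spending the token on Intune calls, it is worth checking that admin consent actually took effect: an app-only token carries the granted permissions in its roles claim, and a missing role only shows up later as a 403. The snippet below is an added example, not code from the original post; it assumes the $Token variable from the block above and reads the claims without verifying the signature (the token came straight from the token endpoint over TLS, and Graph validates it on every call).

```powershell
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWS token" }
    # The payload is Base64Url encoded: restore the standard alphabet and the padding.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return ($json | ConvertFrom-Json)
}

function Test-GraphAppRole {
    param(
        [Parameter(Mandatory)][string]$Jwt,
        [string]$RequiredRole = 'DeviceManagementApps.ReadWrite.All'
    )
    # Claims only, no signature check: this is a sanity check on a token we just received,
    # not an authorization decision.
    $claims = Get-JwtPayload -Jwt $Jwt
    $roles  = @($claims.roles)
    $expiry = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    # Microsoft Graph appears as its URL or as its well-known application ID.
    $graphAudiences = @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')
    if ($claims.aud -notin $graphAudiences) {
        Write-Warning "Token audience is '$($claims.aud)', not Microsoft Graph"
    }
    if ($roles -notcontains $RequiredRole) {
        Write-Warning "Token lacks '$RequiredRole'. Granted roles: $($roles -join ', '). Check admin consent on the app registration."
        return $false
    }
    Write-Host "Token carries '$RequiredRole'; expires $expiry"
    return $true
}

if (-not (Test-GraphAppRole -Jwt $Token)) { throw "Stopping: the app registration cannot manage Intune apps" }
```

If the roles claim lists more than the one permission you need, that is the moment to trim the app registration back to least privilege.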

Add new Web App

Once the connection is established, it’s time to create the Web Link with PowerShell in Intune. You can look at Microsoft’s API documentation (I really encourage you to read it carefully; you can learn a lot). The way to use it in PowerShell is:

    $body = @{
        "@odata.type"     = "#microsoft.graph.webApp"
        displayName       = "[WEB APP NAME]"
        description       = "[DESCRIPTION]"
        publisher         = "[PUBLISHER]"
        appUrl            = "[URL OF YOUR APP]"
        useManagedBrowser = $false  # depends on your choice

        # you can add an icon if you like
        largeIcon = @{
            "@odata.type"   = "microsoft.graph.mimeContent"
            type            = "image/jpeg"
            value           = "[BASE64 REPRESENTATION OF THE ICON]"
        }
    } | ConvertTo-Json -Depth 10   # -Depth keeps the nested largeIcon object intact

    $Request = @{
        Method           = "Post"
        Uri              = "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps"
        Headers          = $Headers
        Body             = $body
        ContentType      = "application/json"
    }

    $id = (Invoke-RestMethod @Request).id  # we will use the id later to create an assignment

As simple as that, the new web link app is created. The only thing left is to assign it to users.

Assign your web link to users

To achieve this, you first need to define the assignment and then send it with a request:

    $assignment = @{
        "@odata.type"       = "#microsoft.graph.mobileAppAssignment"
        intent              = "required"
        target              = @{
            "@odata.type"                               = "#microsoft.graph.groupAssignmentTarget"
            deviceAndAppManagementAssignmentFilterType  = "none"
            groupId                                     = "[THE AZURE AD ID OF THE GROUP OF USERS YOU WANT TO ASSIGN THE APP]"
        }
    } | ConvertTo-Json -Depth 10

    $request = @{
        Method           = "Post"
        Uri              = "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$id/assignments"
        Headers          = $Headers
        Body             = $assignment
        ContentType      = "application/json"
    } 

    Invoke-RestMethod @request

Uninstall

In the same manner you can also assign an uninstallation request to users or remove the web link completely from Intune. Be careful when doing it: if you remove the web link in Intune before it’s actually uninstalled from a device, it will be stuck on that device. The only way to fix it I found was to re-deploy the device to Intune… So, talking about the uninstallation assignment, you first need to find the app:

$foundApps  = Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps" -Headers $Headers
$targetApps = $foundApps.value | ? {$_.displayName -like "[INTUNE WEB LINK NAME]"}

The next step is to find all assignments for this app; if there is an installation assignment, it needs to be deleted so it does not interfere with the uninstallation.

foreach ($app in $targetApps) {
    $request = @{
        Method           = "Get"
        Uri              = "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$($app.id)/assignments"
        Headers          = $Headers
        ContentType      = "application/json"
    }

    $assignments = Invoke-RestMethod @request

    foreach ($assignment in $assignments.value) {
        # remove the installation assignment so it does not conflict with the uninstall
        if ($assignment.intent -eq "required") {
            $u = "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$($app.id)/assignments/$($assignment.id)"
            Invoke-RestMethod -Uri $u -Headers $Headers -Method Delete
        }
    }
}

Finally, add the uninstallation assignment for the group you need (the groupId must be the GUID of the group from Azure AD).

# loop over the apps found above; otherwise $app would only hold the last app from the previous loop
foreach ($app in $targetApps) {
    $body = @{
        "@odata.type"   = "#microsoft.graph.mobileAppAssignment"
        intent          = "uninstall"
        target          = @{
            "@odata.type"                               = "#microsoft.graph.groupAssignmentTarget"
            deviceAndAppManagementAssignmentFilterType  = "none"
            groupId                                     = "[THE ASSIGNMENT GROUP ID FROM AAD]"
        }
    } | ConvertTo-Json -Depth 10

    $request = @{
        Method           = "Post"
        Uri              = "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$($app.id)/assignments"
        Headers          = $Headers
        Body             = $body
        ContentType      = "application/json"
    }

    Invoke-RestMethod @request
}
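Because deleting assignments from the wrong app is exactly what leaves a link stuck on devices, the lookup deserves more care than a -like match on the first page of results. The following is an added example (not code from the original post) that pages through the whole mobileApps collection via @odata.nextLink, matches only webApp objects by exact name, refuses to continue unless exactly one app is found, and dry-runs the assignment cleanup before anything is deleted. It goes slightly beyond the post by treating any non-uninstall intent (required or available) as an install assignment. It assumes $Headers from the connection block; the display name is a placeholder.

```powershell
# Added example: safe lookup and dry-run cleanup for an Intune web link.
function Get-IntuneWebLink {
    param(
        [Parameter(Mandatory)][hashtable]$Headers,
        [Parameter(Mandatory)][string]$DisplayName
    )
    $uri   = "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps"
    $found = @()
    while ($uri) {
        $page = Invoke-RestMethod -Uri $uri -Headers $Headers -Method Get
        # Keep only webApp objects whose name matches exactly; the type check
        # excludes LOB or store apps that happen to carry the same name.
        $found += @($page.value | Where-Object {
            $_.'@odata.type' -eq '#microsoft.graph.webApp' -and $_.displayName -eq $DisplayName
        })
        $uri = $page.'@odata.nextLink'   # absent ($null) on the last page, which ends the loop
    }
    return $found
}

function Remove-InstallAssignment {
    param(
        [Parameter(Mandatory)][hashtable]$Headers,
        [Parameter(Mandatory)][string]$AppId,
        [switch]$Apply
    )
    $base = "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$AppId/assignments"
    $assignments = (Invoke-RestMethod -Uri $base -Headers $Headers -Method Get).value
    # Any intent other than uninstall (required or available) is an install assignment.
    foreach ($a in @($assignments | Where-Object { $_.intent -ne 'uninstall' })) {
        $what = "assignment $($a.id) (intent=$($a.intent), target=$($a.target.'@odata.type'))"
        if ($Apply) {
            Invoke-RestMethod -Uri "$base/$($a.id)" -Headers $Headers -Method Delete
            Write-Host "Deleted $what"
        } else {
            Write-Host "Would delete $what (re-run with -Apply to delete)"
        }
    }
}

# Refuse to act unless the name resolves to exactly one web link.
$links = @(Get-IntuneWebLink -Headers $Headers -DisplayName "[INTUNE WEB LINK NAME]")
if ($links.Count -ne 1) { throw "Expected exactly one web link, found $($links.Count)" }
Remove-InstallAssignment -Headers $Headers -AppId $links[0].id   # dry run; add -Apply to delete
```

Only after the dry run lists the assignments you expect should the uninstall assignment from the block above be posted, and the app itself should stay in Intune until the devices report the uninstall.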
Wiktor Mrówczyński
