weave
module · Endpoints & MDM

Microsoft Intune

Comprehensive Microsoft Intune control plane — managed devices, configuration / compliance / app-protection policies, apps (iOS / Android / Win32 / macOS), enrollment profiles, assignment filters, scripts (PowerShell / shell / macOS), and Windows / macOS update policies.

Namespace: weave intune
Env: AZURE_TENANT_ID
Commands: 29
State kinds: 10
Category: Endpoints & MDM
API docs: 1

Setup

Configure credentials via environment variables. We recommend sourcing them through 1Password or your secrets manager rather than committing them to the shell rc.

Official API reference

weave commands for this module are checked against the vendor's published API.

Variable              Status    Description
AZURE_TENANT_ID       required  Required for authentication.
AZURE_CLIENT_ID       required  Required for authentication.
AZURE_CLIENT_SECRET   required  Required for authentication.
AZURE_AD_ENDPOINT     optional  Override AAD token endpoint (e.g. login.microsoftonline.us for GCC High).
GRAPH_BASE_URL        optional  Override Graph base URL (e.g. graph.microsoft.us for GCC High).

Sanity-check the wiring:

weave secrets check
weave intune --help
weave doctor   # reports AZURE_TENANT_ID status

Capabilities

What this module can do, by entity and verb. A check mark means a working CLI surface; · means not (yet) wired.

Entity  find  list  show  do  snapshot  diff  apply
app···
app-assignments·····
app-protection-policies·····
app-protection-policy······
compliance-policies····
compliance-policy····
configuration-profile·
device····
device-action······
device-compliance·····
device-compliance-status······
enrollment-profile····
enrollment-progress·······
filter···
managed-device····
script····
update-policies·····
update-policy······

Commands

Every registered CLI command, grouped by verb. Each example uses placeholder arguments — substitute real values for your environment.

find (4)

find app

read

Find a managed app by displayName, bundleId, or id.

weave intune find app <identifier>

find compliance-policy

read

Find a compliance policy by displayName or id.

weave intune find compliance-policy <identifier>

find configuration-profile

read

Find a device-configuration profile by displayName or id.

weave intune find configuration-profile <identifier>

find device

read

Find a managed device by serial, name, or device id.

weave intune find device <identifier>

list (11)

list app-protection-policies

read

List iOS / Android / Windows app-protection policies.

weave intune list app-protection-policies <arg>

list apps

read

List managed apps (iOS / Android / Win32 / macOS).

weave intune list apps <arg>

list compliance-policies

read

List compliance policies.

weave intune list compliance-policies <arg>

list configuration-profiles

read

List device-configuration profiles.

weave intune list configuration-profiles <arg>

list device-actions

read

Per-device action history (operational verb unique to weave).

weave intune list device-actions <arg>

list device-compliance-status

read

List per-device compliance state (read-only).

weave intune list device-compliance-status <arg>

list enrollment-profiles

read

List Apple DEP / Windows Autopilot / Android enrollment profiles.

weave intune list enrollment-profiles <arg>

list filters

read

List assignment filters.

weave intune list filters <arg>

list managed-devices

read

List managed devices (optionally by OS).

weave intune list managed-devices <arg>

list scripts

read

List PowerShell / shell / macOS scripts.

weave intune list scripts <arg>

list update-policies

read

List Windows + macOS update / feature update policies.

weave intune list update-policies <arg>

show (4)

show app

read

Full record for a managed app id.

weave intune show app <app-id>

show compliance-policy

read

Full record for a compliance policy id.

weave intune show compliance-policy <policy-id>

show configuration-profile

read

Full record for a device-configuration profile id.

weave intune show configuration-profile <profile-id>

show device

read

Full record for a managed device id.

weave intune show device <device-id>

do (9)

do assign-app

write

POST an app's assignments array (replaces current assignments).

weave intune do assign-app <app-id>

do delete-device

write

Delete a managed device record from Intune (does not wipe).

weave intune do delete-device <device-id>

do locate

write

Locate a supervised iOS / macOS device.

weave intune do locate <device-id>

do reset-passcode

write

Clear the passcode on a supervised iOS / macOS device.

weave intune do reset-passcode <device-id>

do restart

write

Reboot a managed device.

weave intune do restart <device-id>

do retire

write

Retire a device (remove company data only).

weave intune do retire <device-id>

do sync

write

Force a check-in.

weave intune do sync <device-id>

do unassign-app

write

POST an app's assignments array as empty (clears assignments).

weave intune do unassign-app <app-id>

do wipe

write

Issue a full wipe (irreversible).

weave intune do wipe <device-id>

watch (1)

watch enrollment-progress

write

Watch a user's managed devices for a fresh enrollment.

weave intune watch enrollment-progress <arg>

snapshot / diff / apply are generated automatically from the State Kinds declared on this module — see the State kinds section below for per-kind details. Workflow: snapshot → edit YAML → diff → apply --yes (or confirm interactively; apply --dry-run previews the same diff).

State kinds

Resources this module can snapshot and diff; apply where the kind supports live writes (see Round-trip per kind). Always run diff before apply; use --yes in automation after review. Files live under .weave-state/intune/.

configuration-profiles

snapshot diff apply

Scope: All Intune device-configuration profiles (full apply via Graph PATCH/POST/DELETE; handles all platforms via @odata.type discriminator).
Round-trip: Full round-trip — snapshot, diff, apply.

State file skeleton

module: intune
kind: configuration-profiles
items:
  - # <fields specific to this kind — see snapshot output>

compliance-policies

snapshot diff apply

Scope: Device compliance policies (full apply via Graph; iOS/Android/Windows/macOS).
Round-trip: Full round-trip — snapshot, diff, apply.

State file skeleton

module: intune
kind: compliance-policies
items:
  - # <fields specific to this kind — see snapshot output>

filters

snapshot diff apply

Scope: Assignment filters (full apply via Graph).
Round-trip: Full round-trip — snapshot, diff, apply.

State file skeleton

module: intune
kind: filters
items:
  - # <fields specific to this kind — see snapshot output>

managed-devices

snapshot diff apply

Scope: Managed device inventory (key fields keyed by device id; complianceState excluded from diff).
Round-trip: Snapshot + diff (apply not wired).

State file skeleton

module: intune
kind: managed-devices
items:
  - # <fields specific to this kind — see snapshot output>

app-protection-policies

snapshot diff apply

Scope: iOS/Android/Windows app-protection (MAM) policies (snapshot + diff).
Round-trip: Snapshot + diff (apply not wired).

State file skeleton

module: intune
kind: app-protection-policies
items:
  - # <fields specific to this kind — see snapshot output>

app-assignments

snapshot diff apply

Scope: Per-app assignment list (target + intent) for audit (snapshot + diff).
Round-trip: Snapshot + diff (apply not wired).

State file skeleton

module: intune
kind: app-assignments
items:
  - # <fields specific to this kind — see snapshot output>

enrollment-profiles

snapshot diff apply

Scope: Apple DEP / Windows Autopilot / Android KME enrollment profiles (snapshot + diff).
Round-trip: Snapshot + diff (apply not wired).

State file skeleton

module: intune
kind: enrollment-profiles
items:
  - # <fields specific to this kind — see snapshot output>

scripts

snapshot diff apply

Scope: PowerShell / shell / macOS scripts (snapshot + diff; script content kept opaque).
Round-trip: Snapshot + diff (apply not wired).

State file skeleton

module: intune
kind: scripts
items:
  - # <fields specific to this kind — see snapshot output>

update-policies

snapshot diff apply

Scope: Windows + macOS feature/quality/driver update policies (snapshot + diff).
Round-trip: Snapshot + diff (apply not wired).

State file skeleton

module: intune
kind: update-policies
items:
  - # <fields specific to this kind — see snapshot output>

device-compliance

snapshot diff apply

Scope: Per-device compliance state for audit (snapshot + diff; never written).
Round-trip: Snapshot + diff (apply not wired).

State file skeleton

module: intune
kind: device-compliance
items:
  - # <fields specific to this kind — see snapshot output>

Workflows

End-to-end recipes from operators who already run this module in production. Copy, adapt, and put under change-control.

Daily fleet audit (drift detection)

Snapshot devices + compliance + configuration profiles, commit, diff tomorrow.

weave intune snapshot managed-devices
weave intune snapshot device-compliance
weave intune snapshot configuration-profiles
git add .weave-state/intune && git commit -m "intune inventory $(date +%F)"   # double quotes so the date expands
# … next day, in CI …
weave intune diff managed-devices       # surface fleet churn
weave intune diff device-compliance     # spot non-compliant drift
weave intune diff configuration-profiles # any unexpected profile edits?
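To make the drift check concrete, here is an added example (not weave's own code) that models what the managed-devices kind says `diff` does: two constructed snapshots in the state-file shape (module / kind / items) are compared keyed by device id, and complianceState, which Intune computes itself, is left out of the field set so that a compliance flip alone does not register as drift. The per-kind exclusion table, the device ids and the field names are assumptions for the example.

```python
"""Offline model of the drift check behind `weave intune diff managed-devices`.

Added example, not weave's own code. Two constructed managed-devices snapshots
in the state-file shape (module / kind / items) are diffed keyed by device id,
with complianceState excluded from the comparison as the managed-devices kind
describes. Device ids and names are made-up placeholders.
"""

# Fields Intune computes from policy + telemetry; a change there is not
# configuration drift, so it is excluded from the diff field set (assumed table).
EXCLUDED_FIELDS = {
    "managed-devices": {"complianceState"},
}

# Constructed "yesterday" snapshot, same shape as the managed-devices state file.
YESTERDAY = {
    "module": "intune",
    "kind": "managed-devices",
    "items": [
        {"id": "dev-0001", "deviceName": "LAPTOP-A", "operatingSystem": "Windows",
         "managementAgent": "mdm", "complianceState": "compliant"},
        {"id": "dev-0002", "deviceName": "IPHONE-B", "operatingSystem": "iOS",
         "managementAgent": "mdm", "complianceState": "compliant"},
    ],
}

# Constructed "today" snapshot: dev-0001 only flipped its computed complianceState,
# dev-0002 disappeared from the tenant, dev-0003 is a fresh enrollment.
TODAY = {
    "module": "intune",
    "kind": "managed-devices",
    "items": [
        {"id": "dev-0001", "deviceName": "LAPTOP-A", "operatingSystem": "Windows",
         "managementAgent": "mdm", "complianceState": "noncompliant"},
        {"id": "dev-0003", "deviceName": "MBP-C", "operatingSystem": "macOS",
         "managementAgent": "mdm", "complianceState": "compliant"},
    ],
}


def index_items(snapshot, key="id"):
    """Map each item by its key; duplicate keys make a diff ambiguous, so refuse them."""
    by_key = {}
    for item in snapshot["items"]:
        if item[key] in by_key:
            raise ValueError(f"duplicate {key} {item[key]!r} in {snapshot['kind']} snapshot")
        by_key[item[key]] = item
    return by_key


def diff_snapshots(before, after):
    """Return added ids, removed ids and per-id field changes, ignoring excluded fields."""
    if before["kind"] != after["kind"]:
        raise ValueError("refusing to diff snapshots of different kinds")
    excluded = EXCLUDED_FIELDS.get(before["kind"], set())
    old, new = index_items(before), index_items(after)
    result = {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": {},
    }
    for key in sorted(old.keys() & new.keys()):
        fields = (old[key].keys() | new[key].keys()) - excluded
        delta = {
            f: (old[key].get(f), new[key].get(f))
            for f in sorted(fields)
            if old[key].get(f) != new[key].get(f)
        }
        if delta:
            result["changed"][key] = delta
    return result


def has_drift(diff):
    """True when the diff is worth failing a CI audit on."""
    return bool(diff["added"] or diff["removed"] or diff["changed"])


if __name__ == "__main__":
    d = diff_snapshots(YESTERDAY, TODAY)
    print("added:  ", d["added"])
    print("removed:", d["removed"])
    print("changed:", d["changed"])
    print("drift:  ", has_drift(d))
```

Run as-is it reports dev-0003 added and dev-0002 removed, with no field changes, because the only change on dev-0001 is the excluded complianceState; a CI job would fail on `has_drift` being true and leave the compliance flip to the separate device-compliance diff.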

Quarantine a lost laptop

Confirm the device, retire it (removes company data), then wipe if not recovered.

weave intune find device <device-id>
weave intune list device-actions --device <device-id>
weave intune do retire <device-id> --yes
weave intune watch enrollment-progress --user user@corp.com --timeout 300
# if not recovered:
weave intune do wipe <device-id> --yes

Roll out a configuration profile

Snapshot, edit YAML in PR, diff, apply via Graph PATCH.

weave intune snapshot configuration-profiles
$EDITOR .weave-state/intune/<tenant>/configuration-profiles.yaml
weave intune diff configuration-profiles
weave intune apply configuration-profiles --yes

Assign an app to a security group

Idempotent assignment — POST replaces the entire array, so include every group you want.

weave intune find app 'Microsoft Edge'
weave intune do assign-app <app-id> --group <aad-group-id> --intent required --yes
weave intune snapshot app-assignments   # capture for audit / PR review
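Because the assign POST replaces the whole array, the safe pattern is to compose the full list from what is already assigned plus the groups you want. The following is an added example (not weave's own code) of that merge using the Graph `mobileAppAssignments` / `groupAssignmentTarget` body shape; the current assignments, app id and group ids are constructed placeholders.

```python
"""Composing the full assignments array that an app `assign` POST carries.

Added example, not weave's own code. Graph's app `assign` action replaces the
whole assignments array, so the helper merges the groups you want into what is
already assigned rather than sending only the new one. The body shape
(mobileAppAssignments / groupAssignmentTarget) follows the public Graph API;
group ids and the current assignments are constructed placeholders.
"""
import json

ASSIGNMENT_TYPE = "#microsoft.graph.mobileAppAssignment"
GROUP_TARGET = "#microsoft.graph.groupAssignmentTarget"
# Intents Intune accepts for a mobile app assignment.
VALID_INTENTS = {"required", "available", "uninstall", "availableWithoutEnrollment"}

# Constructed: what a `list`/`snapshot app-assignments` would show for the app today.
CURRENT_ASSIGNMENTS = [
    {
        "@odata.type": ASSIGNMENT_TYPE,
        "intent": "required",
        "target": {"@odata.type": GROUP_TARGET,
                   "groupId": "00000000-0000-0000-0000-00000000aaaa"},
    },
]


def group_assignment(group_id, intent):
    """One assignment entry targeting an Entra group."""
    if intent not in VALID_INTENTS:
        raise ValueError(f"unknown intent {intent!r}")
    return {
        "@odata.type": ASSIGNMENT_TYPE,
        "intent": intent,
        "target": {"@odata.type": GROUP_TARGET, "groupId": group_id},
    }


def merge_assignments(current, desired):
    """Return the complete array to POST.

    Existing group entries are kept, each desired (group_id, intent) pair is
    upserted by groupId, and non-group targets (all-users / all-devices) pass
    through untouched. Sorting by groupId keeps repeated runs byte-identical.
    """
    by_group = {}
    passthrough = []
    for entry in current:
        group_id = entry.get("target", {}).get("groupId")
        if group_id:
            by_group[group_id] = entry
        else:
            passthrough.append(entry)
    for group_id, intent in desired:
        by_group[group_id] = group_assignment(group_id, intent)
    return passthrough + [by_group[g] for g in sorted(by_group)]


def assign_body(current, desired):
    """Request body for POST .../mobileApps/{app-id}/assign."""
    return {"mobileAppAssignments": merge_assignments(current, desired)}


def unassign_body():
    """The body an unassign sends: an empty array clears every assignment."""
    return {"mobileAppAssignments": []}


if __name__ == "__main__":
    body = assign_body(CURRENT_ASSIGNMENTS,
                       [("00000000-0000-0000-0000-00000000bbbb", "available")])
    print(json.dumps(body, indent=2))
```

Running the merge twice with the same inputs yields the same body, which is what makes the assignment idempotent; changing a group's intent replaces its entry instead of adding a duplicate.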

Onboard a new hire (Autopilot watch)

Watch managed devices for a fresh enrollment under one UPN.

weave intune watch enrollment-progress --user new.hire@corp.com --timeout 1800
weave intune find device <device-id>   # once it appears
weave intune do sync <device-id> --yes  # force a check-in

Terraform parity

For each Terraform resource in the canonical provider, here's the equivalent live-API verb in weave. Use this as a migration cheat-sheet, not a 1:1 contract — weave deliberately stays in the live-state lane, not the desired-state lane.

Terraform resource → weave equivalent

(microsoft/microsoft365 + microsoft/intune partial coverage)
  → weave ships the operator-facing 80% of Intune as discoverable verbs
  The community Terraform ecosystem for Intune is fragmented; the entries below cross-walk against the shape of those resources where possible.

azuread_application_permission_scope (app registration)
  → Set AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET on the same Graph app reg as Entra
  Reuse the Entra Graph client — same auth seam

intune_device_configuration_*
  → weave intune list/find/show configuration-profile + snapshot/apply configuration-profiles (full round-trip)
  Handles all platforms (Windows, iOS, macOS, Android) via the @odata.type discriminator

intune_device_compliance_policy_*
  → weave intune list/find/show compliance-policy + snapshot/apply compliance-policies (full round-trip)

intune_assignment_filter
  → weave intune list filters + snapshot/apply filters (full round-trip)

intune_managed_device
  → weave intune list/find managed-devices + show device + snapshot managed-devices
  snapshot+diff for audit; complianceState is excluded from the diff field set since Intune computes it

intune_app_protection_policy_* (iOS / Android / Windows)
  → weave intune list app-protection-policies + snapshot app-protection-policies
  snapshot+diff — MAM policy schemas vary per platform

intune_managed_app_assignment / intune_mobile_app
  → weave intune list/find/show app + do assign-app / unassign-app + snapshot app-assignments
  Assignment writes via `do assign-app` are idempotent (POST replaces the array)

intune_enrollment_profile_*
  → weave intune list enrollment-profiles + snapshot enrollment-profiles
  snapshot+diff; profile authoring varies by platform

intune_device_management_script / intune_device_shell_script
  → weave intune list scripts + snapshot scripts
  snapshot+diff; script content kept opaque (binary uploads aren't safe to round-trip via YAML)

intune_windows_feature_update_profile / intune_macos_software_update
  → weave intune list update-policies + snapshot update-policies
  snapshot+diff for audit

(per-device compliance audit)
  → weave intune snapshot device-compliance
  Read-only audit kind — compliance is computed by Intune from policies + telemetry, never written

(per-device action history)
  → weave intune list device-actions --device <id>
  Operational verb unique to weave — surfaces issued + completed device commands

(enrollment progress watch)
  → weave intune watch enrollment-progress --user <upn>
  Operational verb unique to weave — useful right after Autopilot / company-portal sign-in

(MDM commands — Wipe, Retire, Sync, Restart, Locate, ResetPasscode, DeleteDevice)
  → weave intune do wipe / retire / sync / restart / locate / reset-passcode / delete-device
  Device-destructive verbs (wipe, retire, restart, reset-passcode, delete-device) refuse to run without --yes.

Windows Autopilot device-import (CSV)
  → (intentionally skipped)
  CSV-driven import has a weird API contract; out of scope for round-trip.

macOS Setup Assistant skip-screens
  → (intentionally skipped)
  Deeply nested per-platform schema — planned for a later iteration.

Apple MDM Push token / certificate renewal
  → (intentionally skipped)
  One-shot human-driven flow with browser-based Apple Business Manager hand-off.

Troubleshooting & source

Missing credentials

Run weave doctor — it reports which env vars (including AZURE_TENANT_ID) are set and which are blank.

Unexpected behaviour from a state apply

Re-run weave intune diff <kind> to confirm the controller's current state, then re-snapshot before the next apply. The driver always re-snapshots before diffing.