Automatically renew Android enrollment tokens using Power Automate

This month’s post is a continuation of automation with Intune data using Power Automate and Graph. When managing Android devices utilizing Device Owner enrollment (i.e. Android Enterprise) there are options for enrollment, NFC, QR Code, and Zero Touch. Each enrollment option requires an enrollment token as well and those are displayed in the Microsoft Endpoint Manager (MEM) admin center. With Android Device Owner dedicated (i.e. kiosk) enrollments, MEM Intune provides the option to create enrollment profiles where each has their own enrollment token. Organizations may choose to create multiple profiles for various reasons, however enrollment profiles may be utilized to automatically to add devices to Azure AD dynamic groups. This makes management of devices and targeting policy/apps seamless.

One point of feedback I’ve received is about the token lifetime of 90 days for Device Owner dedicated enrollment profiles. When an enrollment token expires no new devices may be enrolled until the token lifetime is extended (existing enrolled devices are not impacted). Token extensions may be completed in the MEM admin center or through PowerShell. However, why not automate the process? This is exactly what I do in this month’s post.

Let’s get started

Requirements

  • Microsoft Endpoint Manager Intune
  • Microsoft Power Automate (aka Microsoft Flow)
  • Azure Active Directory

Description of the process

The process of renewing token when they near their expiration is as follows:

  1. Introduce a recurrence trigger where the Flow processes every day.
  2. Set a timeframe to look for when tokens are about to expire.
  3. Make a graph call through HTTP.
  4. Parse the JSON that comes from the output of the Graph call.
  5. Look for any tokens that expire within 10 days.
  6. If successful, extend the token for another 90 days.
  7. Make another Graph call and parse JSON to get the tokens that were extended.
  8. Send a notification of which tokens were extended to Teams.

Here is the entire Flow we’ll walk through:

Power Automate

Log into Power Automate, i.e. flow.microsoft.com and create a new Flow.

Scheduled run

Insert a Recurrence trigger and modify to run every day at a specific time.

Add to time

We need to set a timeframe for when the token is set to expire. I chose 10 days, and later on we’ll use this value to look and see if tokens are set to expire within 10 days.

Register an app with Azure AD

To make Graph calls we need to register an app in Azure AD and grant it the following delegated permissions: DeviceManagementConfiguration.ReadWrite.All

We can pull all the information to build the query from: https://docs.microsoft.com/en-us/graph/api/intune-androidforwork-androiddeviceownerenrollmentprofile-createtoken?view=graph-rest-beta

POST https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles/{androidDeviceOwnerEnrollmentProfileId}/createToken

Content-type: application/json

Content-length: 35

{

“tokenValidityInSeconds”: 7776000

}

This API is under /beta and may change, please make note of this.

Add a Redirect URI, I pull this from the connector I created in a previous post:


Create a client secret to utilize in authentication:

Grant proper API permissions:


Use Graph to query for all Android enrollment tokens

Add an HTTP action and configure as shown in the image below. This is a GET method.

Refer to the Azure AD app registration completed in the previous step to fill in Client ID and Secret.

Add a Parse JSON action so we can utilize the values that come back in the GET method.

Choose the “Body” of the HTML action and for the Schema, make a Graph call using Graph Explorer by doing the following:

Add a Condition action (this will turn into a Apply to each automatically)

In the first field add tokenExpirationDateTime (this will trigger the Apply to each action) > is less than or equal to > in the second field add “Add to time” output from the action created in the beginning of this post:

Add an “And” in the condition and in the first field add tokenExpirationDateTime > is greater than or equal to > and in the second field choose utcNow() from Expression.

What the condition is doing is checking to see if the date of the token expiration falls within 10 days, if not do nothing, if yes, we extend the token with actions under “If yes” which I cover next.

Extending the Android enrollment token

The fist step if the condition is true is to update the tokens that expire within 10 days. I created a custom connector as this is a POST method and I found the best method is to create a connector with variables that are exposed in the connector I can add in.

To create a connector, in Power Automate expand Data and select Custom connectors and select new create from blank. I import from Postman and if you’re interested in how to do that, please refer my previous post on the topic.

Security tab

Use the same Client ID and secret from the Azure AD app registration step completed earlier. For the Resource URL, type in https://graph.microsoft.com (the redirect URL will auto generate once Update connector is selected, the URL should match what’s in the Azure AD app registration):

Definition tab

Add a “New action” and add some details as shown in the image below, the Operation ID is something you’ll make up:

For the Request, select import from sample, select POST, add in the URL below, and add in the JSON in the body and select Import:

https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles/{ID}/createToken

We now have the parameters needed for the POST method (which will extend the token for x number of day, e.g. 90 days):

Select Update connector and test the connector by creating a new connection and filling in the blank fields with static data. ID will be the ID of a token.

Back in the Flow, add an action and select custom and choose the new connector. ID will be the ID from the JSON output and tokenValidityInSeconds is self-explanatory, 7776000 which translates to 90 days.

Next we want to validate the tokens that were extended by calling Graph. We do this by adding two actions, an HTTP action and a Parse JSON action.

The HTTP action is identical to the one we created earlier, however append it by adding the ID of the token from the dynamic content list. Use the same process for Parse JSON as we did in the previous step as well. This step will only pull the tokens that were extended.

Lastly I’d like to know when enrollment tokens were extended so I send messages to Teams.

The reason why we query for the tokens that were extended in the step above is because we need to utilize that output to populate the Teams messages.

I have a couple tokens I set to expire in 5 days (in fact you can set any expiration date within 90 days directly from the MEM admin center if needed. It’s good for testing as well.):

I ran the Flow and here are the results posted to Teams, however you can send to email, SMS, SharePoint, etc. if you prefer, just look for the diffrent templates in Power Automate:

And in the Intune console:

One last item

If you’d rather view and extend Tokens by hand in the UI, you can do so by selecting Filter then Inactive which shows all expired and active tokens.

That’s it, utilizing Power Automate and Microsoft Graph we have automated extending Android enrollment token expiration dates and posted the results to Teams.

Author: Courtenay Bernier

Courtenay is a technology professional with expertise in aligning traditional software and cloud services to strategic business initiatives. He has over 20 years of experience in the technology field as well as industry experience working with distribution centers, call centers, manufacturing, retail, restaurant, software development, engineering, and consulting. I am a Principal PM on the Microsoft Endpoint Management Engineering Team, all posts, opinions, statements are my own.

2 thoughts on “Automatically renew Android enrollment tokens using Power Automate”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.