Android QR Code Device Enrollment Portal step-by-step


When you don’t want to grant Intune permissions to the service desk because they only need to scan a QR code to enroll Android dedicated devices, building a portal isn’t a bad idea. I have been playing around with the roles and permissions within Intune and haven’t found a way to give the service desk permission to only read the Android tokens. So, as mentioned, the solution has to be built. It is possible to build such a portal with the help of MS Graph, Power Automate and Power Apps.

This portal, or PowerApp, shows the QR code that is needed for enrolling Android devices. The advantage is that there is no need to grant the service desk any permissions in Intune.

Because this is my first time building something with Power Automate and Power Apps, I thought I’d make a step-by-step guide.

What does the end result look like? When all components are built it should look like this:

The first thing that needs to be done is to create an app registration in Azure AD; this is what gives access to the information in Intune. To get that information into the portal, a Power Automate flow retrieves the results and passes them to the PowerApp.

Step 1. Create an App Registration

The first thing to do is create an app registration.

  1. Log in to Azure AD via https://portal.azure.com
  2. Once you’re in Azure AD, select App registrations in the left menu.
  3. To create a new registration, click + New registration
  4. Provide a Name, fill the Redirect URI with https://login.microsoftonline.com/common/oauth2/nativeclient and click Register

Now that the new registration has been done, there are just a few more configuration steps.

  1. Select Certificates & secrets in the left menu to create a secret.
  2. Click + New client secret, provide a Description and select when the secret needs to be renewed (or not).
  3. Click Add to save the secret.

Copy the secret and store it in a safe location, because this is the only time you will be able to view the secret!

  1. Select API permissions in the left menu
  2. Click + Add a permission and select Microsoft Graph
  3. Select Application permissions
  4. Look under DeviceManagementConfiguration and select both options
  5. Click Add permissions to add those permissions to the app registration
  6. The next step is to grant consent for the permissions
  7. Select Grant admin consent... and click Yes

A few values from the app registration are needed in the Power Automate flow:

  1. app secret
  2. application (client) id
  3. tenant id

The app secret is the one that was created, the other two can be found by selecting Overview in the left menu of the app that was created.

Step 2. Create a Power Automate Flow

  1. Log in to https://flow.microsoft.com
  2. Select + Create in the left menu
  3. Select Instant flow below Start from blank
  4. Provide a Flow name, select PowerApps and click Create
  5. Click + New step
  6. Search for Current time and select Current time
  7. Click + New step
  8. Search for http, select HTTP and then select HTTP
  9. Fill out the required fields, using the following URI:

https://graph.microsoft.com/beta/DeviceManagement/androidDeviceOwnerEnrollmentProfiles?$filter=tokenExpirationDateTime gt @{body('Current_time')}&$select=displayName,enrollmentMode,enrolledDeviceCount,qrCodeContent,qrCodeImage&$OrderBy=displayName

  10. Select Show advanced options to configure Azure AD authentication
  11. Select Active Directory OAuth from the drop-down menu (do not select one of the other menu items, because then you’re not able to save: the flow checker thinks you still need to fill the required fields when another item is selected). Make sure you fill in https://graph.microsoft.com as Audience! Then fill the other required fields with the values from the app registration created earlier.
  12. Click + New step
  13. Search for json and select Parse JSON
  14. Use Body (the output of the HTTP action) as Content
  15. To get the correct Schema, click Generate from sample. This brings up an empty field, which will be filled in a moment.

Log in to the Graph Explorer and run this query:

https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles?$filter=tokenExpirationDateTime%20gt%202020-11-11T15:52:33.99Z%20and%20enrollmentMode%20eq%20%27corporateOwnedDedicatedDevice%27&$select=displayName,enrollmentMode,enrolledDeviceCount,qrCodeImage&$OrderBy=displayName

  16. Paste the result into the sample JSON payload and click Done
  17. Click + New step
  18. Search for response and select Response
  19. Select Show advanced options, fill Body with value and click Generate from sample
  20. Copy and paste the following JSON schema (an array of objects):

{
  "type": "array",
  "items": {
    "type": "object",
    "properties": {
      "displayName": {
        "type": "string"
      },
      "enrollmentMode": {
        "type": "string"
      },
      "enrolledDeviceCount": {
        "type": "integer"
      },
      "qrCodeImage": {
        "type": "object",
        "properties": {
          "type": {
            "type": "string"
          },
          "value": {
            "type": "string"
          }
        }
      }
    }
  }
}

  21. Click Done
  22. Now that the flow is created, click Save

Step 3. Create a PowerApp

  1. Sign in to https://make.powerapps.com
  2. Select + Create in the left side menu
  3. Select Canvas app from blank
  4. Provide an App name and click Create. This brings up the environment to build the app.
  5. Drag 5 Text blocks, a dropdown list, a button and an image onto your work environment.
  6. Rename the individual pieces as in the picture
  7. Select Android Kiosk Device Enrollment in the tree view and, in the menu on the right side, select the Advanced tab.
  8. Select Action from the top menu
  9. Select Power Automate and select GetAndroidEnrollmentTokens to connect the Power Automate flow to the PowerApp
  10. Paste the code below under ACTION in the OnVisible box
ClearCollect(AndroidTokenCollection,{displayName:""});Collect(AndroidTokenCollection,'GetAndroidEnrollmentTokens'.Run());Set(JSONVariable, JSON(AndroidTokenCollection,JSONFormat.IncludeBinaryData))
  11. Select Token list dropdown in the tree view, add AndroidTokenCollection to Items under DATA
  12. Select Refresh Token list button in the tree view, add the code below to OnSelect under ACTION
ClearCollect(AndroidTokenCollection,{displayName:""});Collect(AndroidTokenCollection,'GetAndroidEnrollmentTokens'.Run());Set(JSONVariable, JSON(AndroidTokenCollection,JSONFormat.IncludeBinaryData))
  13. Select Enrollment Mode value in the tree view, add the code below to Text under DATA
'Token list dropdown'.SelectedText.enrollmentMode
  14. Select Current Enrollment value in the tree view, add the code below to Text under DATA
'Token list dropdown'.SelectedText.enrolledDeviceCount
  15. Select QR Code in the tree view, add the code below to Image under DATA
Concatenate("data:image/jpeg;base64,",'Token list dropdown'.SelectedText.qrCodeImage.value)

To test the PowerApp, hold Alt on the keyboard and click the Refresh Token list button!
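As an added example (not part of the original post), the Python below mirrors what the flow in Step 2 does and what the PowerApp in Step 3 displays: it builds the filtered Graph query, reduces the response to the array schema of the Response action (dropping expired entries), and assembles the image data URI from the MIME type Graph returns instead of a fixed image/jpeg. The sample response, timestamps and image bytes are constructed; no tenant is contacted.

```python
import base64
from datetime import datetime, timezone
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles"
MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n", "image/jpeg": b"\xff\xd8\xff"}  # leading bytes per MIME type
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)  # stands in for the flow's Current time action

def parse_graph_time(ts):
    # Graph returns UTC timestamps with or without fractional seconds; accept both.
    return datetime.strptime(ts.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def profiles_url(now):
    # Same query the HTTP action sends: unexpired tokens of dedicated devices only.
    # tokenExpirationDateTime is added to $select so the caller can re-check expiry itself.
    flt = (f"tokenExpirationDateTime gt {now.strftime('%Y-%m-%dT%H:%M:%SZ')} "
           "and enrollmentMode eq 'corporateOwnedDedicatedDevice'")
    sel = "displayName,enrollmentMode,enrolledDeviceCount,tokenExpirationDateTime,qrCodeImage"
    return f"{GRAPH}?$filter={quote(flt, safe=':,')}&$select={sel}&$orderby=displayName"

def portal_rows(graph_json, now):
    # Reduce the Graph payload to the array schema the Response action hands to the PowerApp;
    # entries that are already expired or lack a usable qrCodeImage are dropped.
    rows = []
    for item in graph_json.get("value", []):
        img = item.get("qrCodeImage") or {}
        if parse_graph_time(item["tokenExpirationDateTime"]) <= now:
            continue
        if not (isinstance(img.get("type"), str) and isinstance(img.get("value"), str)):
            continue
        rows.append({"displayName": item["displayName"], "enrollmentMode": item["enrollmentMode"],
                     "enrolledDeviceCount": int(item["enrolledDeviceCount"]),
                     "qrCodeImage": {"type": img["type"], "value": img["value"]}})
    return rows

def qr_data_uri(row):
    # Image property for the PowerApp: use the MIME type Graph returned rather than a fixed
    # "image/jpeg", and refuse a payload whose bytes do not match that type.
    img = row["qrCodeImage"]
    raw = base64.b64decode(img["value"], validate=True)
    magic = MAGIC.get(img["type"])
    if magic is None or not raw.startswith(magic):
        raise ValueError(f"qrCodeImage is not a {img['type']}")
    return f"data:{img['type']};base64,{img['value']}"

# Constructed sample response (no real tenant or token); a PNG header stands in for the QR image.
FAKE_PNG = base64.b64encode(MAGIC["image/png"] + b"\x00" * 16).decode()
SAMPLE = {"value": [
    {"displayName": "Kiosk - Lobby", "enrollmentMode": "corporateOwnedDedicatedDevice",
     "enrolledDeviceCount": 12, "tokenExpirationDateTime": "2031-01-01T00:00:00Z",
     "qrCodeImage": {"type": "image/png", "value": FAKE_PNG}},
    {"displayName": "Kiosk - Expired", "enrollmentMode": "corporateOwnedDedicatedDevice",
     "enrolledDeviceCount": 3, "tokenExpirationDateTime": "2020-11-11T15:52:33.99Z",
     "qrCodeImage": {"type": "image/png", "value": FAKE_PNG}}]}
```

Running `portal_rows(SAMPLE, NOW)` keeps only the unexpired profile, and `qr_data_uri` on that row yields the `data:image/png;base64,...` string the Image control needs.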
