Refresh Android Enrollment Tokens step-by-step


In my previous blog I created a step-by-step guide for enrolling dedicated Android devices via a Power App, so that you don’t have to give the servicedesk permissions in Intune. But what happens if the enrollment token expires? There is no standard way of knowing that a token has expired other than looking in Intune or setting a reminder in Outlook. It’s also possible to script the token refresh with PowerShell.

But the refresh of the token can also be automated, so I decided to create another step-by-step guide on how to accomplish this.

For this guide we need to create a Power Automate flow to take care of the refresh process. Besides Power Automate, we also need Microsoft Intune and Azure Active Directory (Azure AD).

The first thing that needs to be done is to create an application registration in Azure AD. This can be skipped if there is already an application that you can use; in that case, be sure to check that the correct API permissions are in place. Next, a custom connector needs to be built to update the token(s), and the last part is to build the actual flow.

Create an App Registration

The first thing that needs to be done is to create an app registration.

  1. Log in to Azure AD via https://portal.azure.com
  2. In Azure AD, select App registrations in the left menu.
  3. To create a new registration, click + New registration
  4. Provide a Name, fill the Redirect URI with https://login.microsoftonline.com/common/oauth2/nativeclient and click Register

Now that the new registration has been done, there are just a few more configuration steps.

  1. Select Certificates & secrets in the left menu to create a secret.
  2. Click + New client secret, provide a Description and select when the secret expires (or whether it expires at all)
  3. Click Add to save the secret.

Copy the secret and store it in a safe location, because this is the only time that you’re able to view the secret!

  1. Select API permissions in the left menu
  2. Click + Add a permission and select Microsoft Graph
  3. Select Application permissions
  4. Look under DeviceManagementConfiguration and select both options
  5. Click Add permissions to add those permissions to the app registration
  6. The next step is to grant consent for the permissions
  7. Select Grant admin consent... and click Yes

A few pieces that are needed within the Power Automate Flow are:

  1. app secret
  2. application (client) id
  3. tenant id

The app secret is the one that was just created; the other two can be found by selecting Overview in the left menu of the app registration.

Create a custom connector in Power Automate

There are two ways in which you can create a custom connector: via the Power Automate interface or by using Postman. My experience with creating a custom connector via the Power Automate interface wasn’t that great. Testing failed over and over again, while the same query was successful when executed in the Graph Explorer. Both step-by-step methods are described so you can decide which one you want to use. 🙂

Custom connector via Power Automate

  1. Log in to https://flow.microsoft.com
  2. To create a custom connector, expand Data in the left menu and select Custom connectors
  3. Select + New custom connector > Create from blank
  4. Give the connector a Name, e.g. UpdateAndroidTokens
  5. Under General information, upload an icon
  6. Host will be graph.microsoft.com
  7. Select Security at the bottom
  8. Select OAuth 2.0
  9. Select Azure Active Directory as Identity Provider, use the Client ID and secret from the app registration and type https://graph.microsoft.com as Resource URL
  10. Select Create connector to save the connector
  11. A redirect URL has been created that we need in the app registration. Copy the redirect URL, go to the app registration and select the Redirect URIs link to add the new redirect URL
  12. Add the URI and click Save
  13. Go back to the flow and click Update connector
  14. Select Definition to go to the next page
  15. Add a New Action and fill in the fields under General, e.g. Update Android Tokens
  16. Select + Import from sample under Request
  17. Select POST
  18. Add https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles/{ID}/createToken in the URL field
  19. In the Body field type:

  {
    "tokenValidityInSeconds": 7776000
  }

  20. Select Import and select Test
  21. Under Connections select + New connection; if all goes well you will be authenticated.
  22. An ID needs to be provided, which is the id of the enrollment profile from the JSON output
  23. The tokenValidityInSeconds field will be filled with 7776000, which is 90 days
  24. Select Test operation to check if the connector works
  25. Now it’s time to add the custom connector to the flow.
  26. Select Update connector to save the connector

Custom connector via Postman

Download Postman from https://www.postman.com/downloads/ if you don’t have it yet. First we need to get a token for the API calls that need to be performed.

  1. Open Postman and create a New Collection
  2. Provide a Name for the collection, then select the Authorization tab
  3. Select OAuth 2.0 as type and click Get New Access Token
  4. Provide the following information:
  • Token name: Provide a logical name.
  • Callback URL: This is the redirect URI which will be used to connect to the application in Azure AD. The URI that’s going to be used is https://app.getpostman.com/oauth2/callback. Make sure that this URI has been added to the application!

The next URLs can be found in the application that was created earlier: go to Azure AD > App registrations > App (created earlier). In the overview click Endpoints; this will show all the endpoints you can use.

  • Auth URL: OAuth 2.0 authorization endpoint (v2)
  • Access Token URL: OAuth 2.0 token endpoint (v2)
  • Client ID: This is the Application (client) ID, which can be found in the Overview of the registered app.
  • Scope: The permissions that determine which resources you will be able to access from your Postman calls using this token. Use https://graph.microsoft.com/DeviceManagementConfiguration.ReadWrite.All
  5. Click Request Token; this will pop up a login window. Authenticate and the token will be available.
  6. Click Use Token to save the token
  7. Click Create to create the collection.

Now that the token is available within the collection, it’s possible to create multiple queries within the same collection. For the custom connector we only need one request. The first thing is to get the id of the enrollment profile; for this a new request needs to be created.

  1. Type in the Enter request URL field: https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles
  2. Click Save
  3. Provide a Request name, e.g. Get androidDeviceOwnerEnrollmentProfiles
  4. Select at the bottom the collection that was just created and click Save
  5. Run the request by clicking Send
  6. The Body will show the result; the result contains the id

Now it’s time to create the request that is needed to import to the custom connector.

  1. Create a new request by clicking the plus sign
  2. Under the Untitled Request field select POST
  3. Type in the Enter request URL field: https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles/<id>/createToken (copy the id from the previous request)
  4. Save the request to the collection as we did before
  5. Select the Body tab, select raw, select JSON as type and type: { "tokenValidityInSeconds": 7776000 }
  6. Click Send to see if the response is OK.

If the response is OK, then it’s time to export the collection with only the last query.

  1. Delete the query that was used to get the id, or create a new collection and drag the query to it
  2. Right-click on the collection name and click Export
  3. Select export to Collection v1 (deprecated); this is the only way to import it into the custom connector

A JSON file will be downloaded to your computer. Now it’s time to import this file into the custom connector.

  1. Log in to https://flow.microsoft.com
  2. To create a custom connector, expand Data in the left menu and select Custom connectors
  3. Select + New custom connector > Import a Postman collection
  4. Provide a Connector name, e.g. UpdateAndroidTokens
  5. Click Import, import the JSON file that was exported with Postman and click Continue
  6. Under General information, upload an icon
  7. Select Security at the bottom
  8. Select OAuth 2.0
  9. Select Azure Active Directory as Identity Provider, use the Client ID and secret from the app registration and type https://graph.microsoft.com as Resource URL
  10. Select Create connector to save the connector
  11. Add a New Action and fill in the fields under General, e.g. Update Android Tokens.
  12. There is already a request, which has been created via Postman; select Test
  13. Under Connections select + New connection; if all goes well you will be authenticated.
  14. The tokenValidityInSeconds field will be filled with 7776000, which is 90 days
  15. Select Test operation to check if the connector works
  16. Select Update connector to save the custom connector

Creating the Power Automate Flow

  1. Log in to https://flow.microsoft.com
  2. Create a new scheduled flow
  3. Provide a Name, e.g. AndroidTokenRefresh, and set the schedule to run every day at a certain time
  4. Click Create
  5. Click + New step and add the action Add to time
  6. Select Base time; a flyout menu will show with two tabs, Dynamic content and Expression. Select Expression, type utcNow() and click OK
  7. Set Interval to 10 and Time unit to Day
  8. Select + New step and add an HTTP action
  9. Select GET as Method
  10. The URI will be https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles
  11. Select Show advanced options to configure Azure AD authentication
  12. Select Active Directory OAuth from the drop-down menu (do not select one of the other menu items, because then you’re not able to save: the flow checker thinks that you need to fill the required fields when selecting another menu item). Make sure that you fill out https://graph.microsoft.com as Audience! Now fill the other required fields with the correct values from the app registration we created earlier.
  13. Click + New step
  14. Search for json and select Parse JSON
  15. Use Body from the Dynamic content tab as Content
  16. To set a schema, the first thing is to make a Graph call. This can be accomplished by signing into the Graph Explorer and running GET https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles/
  17. Choose a profile and append its id to the query
  18. Copy the JSON output
  19. Go back to the flow, select Generate from sample, paste the JSON output and select Done
  20. Select + New step and add a Condition
  21. In the first field add tokenExpirationDateTime (this will wrap the condition in an Apply to each action), select is less than or equal to as the condition and add Calculated time in the second field
  22. Select + Add and add a new row
  23. In the first field add tokenExpirationDateTime (this will wrap the condition in an Apply to each action), select is greater than or equal to as the condition and add utcNow() from the Expression tab in the second field

If the condition is true (If yes), then it’s time to update the token that will expire within 10 days. The custom connector that has been built is needed to update the token.

  1. Select Add an action and select the Custom tab to see the custom connectors; click the connector twice to add it.
  2. Type 7776000 in the tokenValidityInSeconds field.
  3. Select Add an action to add an HTTP action
  4. Select GET as Method
  5. Type https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles/ in the URI, followed by id from Parse JSON
  6. Select Show advanced options to configure Azure AD authentication
  7. Select Active Directory OAuth from the drop-down menu (do not select one of the other menu items, because then you’re not able to save: the flow checker thinks that you need to fill the required fields when selecting another menu item). Make sure that you fill out https://graph.microsoft.com as Audience! Now fill the other required fields with the correct values from the app registration we created earlier.
  8. Click + Add an action
  9. Search for json and select Parse JSON
  10. Use Body from the Dynamic content tab as Content
  11. To set a schema, the first thing is to make a Graph call. This can be accomplished by signing into the Graph Explorer and running GET https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles/
  12. Choose a profile and append its id to the query
  13. Copy the JSON output
  14. Go back to the flow, select Generate from sample, paste the JSON output and select Done
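The same logic the flow above implements (GET the enrollment profiles, renew every token that expires within 10 days but has not expired yet, POST createToken with 7776000 seconds, then read the profile back), as an added PowerShell script that is not part of the original post. It assumes the app-only registration from the first section; the tenant id and client id are placeholders and the secret is read from an environment variable.

```powershell
# Added example, not from the original post: scripted equivalent of the Power Automate flow.
# Assumes an app registration with Application permission DeviceManagementConfiguration.ReadWrite.All
# and admin consent granted. Placeholder values below must be replaced with your own.
$TenantId        = '<tenant-id>'                  # app registration > Overview
$ClientId        = '<application-client-id>'      # app registration > Overview
$ClientSecret    = $env:ANDROID_TOKEN_APP_SECRET  # keep the secret out of the script file
$RenewWithinDays = 10                             # same window as the "Add to time" step
$ValiditySeconds = 7776000                        # 90 days, same body as the custom connector

# 1. App-only (client credentials) access token for Microsoft Graph
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Same GET as the first HTTP action in the flow
$base     = 'https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles'
$profiles = (Invoke-RestMethod -Method Get -Uri $base -Headers $headers).value

# 3. Same condition as the flow: expires on or before now + 10 days, but not yet expired
$now      = (Get-Date).ToUniversalTime()
$deadline = $now.AddDays($RenewWithinDays)
foreach ($profile in $profiles) {
    $expires = ([datetime]$profile.tokenExpirationDateTime).ToUniversalTime()
    if ($expires -le $deadline -and $expires -ge $now) {
        Write-Host "Renewing token for '$($profile.displayName)' (expires $expires)"
        # 4. Same POST the custom connector makes
        Invoke-RestMethod -Method Post -Uri "$base/$($profile.id)/createToken" -Headers $headers `
            -ContentType 'application/json' `
            -Body (@{ tokenValidityInSeconds = $ValiditySeconds } | ConvertTo-Json) | Out-Null
        # 5. Read the profile back to confirm the new expiry (the flow's second GET + Parse JSON)
        $updated = Invoke-RestMethod -Method Get -Uri "$base/$($profile.id)" -Headers $headers
        Write-Host "  new expiry: $($updated.tokenExpirationDateTime)"
    }
}
```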

The next action is a choice: you can send a message through Teams or send an email.

Add a message to Teams

  1. Click Add an action, search for Post a message and add it to the flow
  2. Select Sign in to connect to Microsoft Teams
  3. Select the team in which the message needs to be posted
  4. Select the proper channel
  5. Create a message
  6. Save the flow and test

Send a mail

  1. Click Add an action, search for mail and add it to the flow
  2. Provide a valid mail address in To
  3. Create a Subject and Body
  4. Save the flow and test
