Share via

Intune – Unable to reliably validate application installation status via Microsoft Graph APIs

Swahela Mulla 100 Reputation points
2026-03-30T13:14:31.58+00:00

Hi Everyone,

I am working on application deployment and validation using Microsoft Intune, and I am trying to implement an automated validation step to confirm whether applications are successfully installed.

My primary requirement

  • Verify application installation status
  • Confirm per‑device installation status
  • Validate installation for specific Intune‑managed devices
  • Use Graph APIs as part of an automation workflow

APIs tested so far

1️⃣ App installation status per device (NOT working / not usable)

I initially tried using the documented API:

GET https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/{mobileAppId}/deviceStatuses

Issue:

  • This API is not working for us
  • It either returns no data or behaves as if it is not a valid / usable endpoint
  • It does not return reliable installation status
  • Hence, we cannot use this API for validation in automation

At this point, deviceStatuses is not usable as a primary source of truth in our environment.

2️⃣ Detected Apps (secondary confirmation only)

We are also using the Detected Apps API:

GET /deviceManagement/managedDevices/{deviceId}/detectedApps

This does work, however:

  • It only confirms app presence
  • It does not confirm Intune assignment or installation intent
  • We are using it strictly as a secondary confirmation, not a primary validation method

3️⃣ Intune internal API observed via browser inspection

We also tested the API that appears to be used internally by the Intune portal:

GET https://graph.microsoft.com/beta/users/{user-id}/mobileAppIntentAndStates/{device-id}

Observations:

  • The API returns data
  • However, installState frequently shows unknown
  • The Intune portal shows a different and final status (Installed / Failed / Pending)
  • This makes the API unreliable for automation
  • It appears to be troubleshooting‑oriented, not intended for reporting or validation

Questions I am looking for guidance on

  1. Is deviceStatuses known to be unreliable, tenant‑dependent, or effectively unsupported?
  2. What is the recommended API to retrieve actual app installation status per device?
  3. Are there any v1.0 APIs available for:
    • Device‑level app installation status?
      • User‑level app installation validation?
      1. What is Microsoft’s recommended best practice to validate Intune‑installed applications via automation?
      2. Is there official documentation that clearly explains:
        • Which API should be used for reporting vs troubleshooting
          • Expected delays or data inconsistencies between Graph APIs and the Intune portal

Goal

The goal is to build a reliable and supported automation‑based validation mechanism to confirm that Intune‑deployed applications are successfully installed on target devices.

Any official guidance, confirmation of known limitations, or alternative approaches would be very helpful.

Thanks in advance for your support.

Microsoft Security | Intune | Application management
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Prathista Ilango 1,065 Reputation points Microsoft Employee
    2026-03-31T13:09:33.27+00:00

    Hello Swahela Mulla,

    I believe the following graph API should work (tested it recently),
    https://graph.microsoft.com/beta/deviceManagement/reports/microsoft.graph.retrieveDeviceAppInstallationStatusReport It should be a POST request not GET. And request body should contain the application ID in filter. Make sure you have atleast DeviceManagementApps.Read.All permission.

    Something like thisUser's image
    Hope this helps!

    If you found the information above helpful, please Click Yes. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.

    0 comments
  2. Q&A Assist
    2026-03-30T13:15:14.99+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    deviceStatuses and related beta endpoints are not documented as reliable reporting surfaces for Intune app installation and should not be treated as the primary source of truth for automation. The supported and documented approach for app‑install status is to use Intune’s reporting surfaces (including those exposed via Microsoft Graph reports) and, when needed, the per‑app install status resources.

    Based on the available documentation, the following options are supported:

    1. Use Intune reports exposed via Graph for per‑device app install status

    The Intune reporting layer exposes a DeviceInstallStatusByApp report over Graph. This report is specifically designed to return app installation state per device and per app and is the supported reporting surface for automation.

    The DeviceInstallStatusByApp report returns, among others, the following properties:

    • ApplicationId
    • DeviceId
    • DeviceName
    • AppInstallState
    • AppInstallStateDetails
    • InstallState
    • InstallStateDetail
    • ErrorCode
    • HexErrorCode
    • LastModifiedDateTime
    • Platform
    • UserId
    • UserName
    • UserPrincipalName

    The report can be filtered by:

    • ApplicationId (required)
    • AppInstallState
    • HexErrorCode

    This report is intended for exactly the scenario described: validating app installation per device and per app in an automated way. It is part of the Intune reporting framework and is the recommended primary source of truth for automation instead of deviceStatuses.

    1. Use mobileAppInstallStatus for per‑app, per‑device status (beta)

    For scenarios where per‑app, per‑device status is needed directly from the app object, the mobileAppInstallStatus resource can be queried via:

    GET /deviceAppManagement/mobileApps/{mobileAppId}/deviceStatuses/{mobileAppInstallStatusId}
GET /deviceAppManagement/mobileApps/{mobileAppId}/userStatuses/{userAppInstallStatusId}/deviceStatuses/{mobileAppInstallStatusId}

    This is a beta Intune Graph API and requires DeviceManagementApps.Read.All or DeviceManagementApps.ReadWrite.All. It returns a mobileAppInstallStatus object that represents the install status of the app on a device. Because it is beta, it is supported but subject to change and should be used with awareness that it is not the long‑term reporting surface; the reporting APIs (such as DeviceInstallStatusByApp) are preferred for stable automation.

    1. Use the Intune Troubleshoot portal for interactive validation and error details

    For operational troubleshooting (not automation), the Intune admin center provides the Troubleshoot pane:

    1. Go to Troubleshoot + support in the Intune admin center.
    2. Select the user, then the device.
    3. Open Managed Apps to see per‑device, per‑app lifecycle information (created, modified, targeted, delivered) and installation issues.
    4. Selecting an app with a failure shows detailed error information.

    This surface is explicitly described as troubleshooting‑oriented and is not the recommended programmatic reporting interface, which aligns with the behavior observed where some Graph troubleshooting endpoints return unknown or transient states.

    1. Error codes and reliability considerations

    For automation that validates success vs failure, the Intune app installation error reference and the app installation error reporting table are the authoritative sources for interpreting error codes and states. For example, the app installation error reporting table documents error codes like 0x87D5501C0x87D5507D, whether they are retried automatically, and guidance on what they mean.

    When using DeviceInstallStatusByApp or mobileAppInstallStatus:

    • Use AppInstallState / InstallState and HexErrorCode / ErrorCode to determine success vs failure.
    • Expect that status is updated after the Intune Management Extension / agent completes install and reporting; there can be a delay between device completion and portal/report update.
    1. Recommended best practice for automation

    Given the documented surfaces, a supported pattern for automation is:

    1. Use Intune assignment to deploy the app.
    2. Poll the Intune reporting API (DeviceInstallStatusByApp) filtered by ApplicationId (and optionally AppInstallState) to retrieve per‑device install status.
    3. Interpret AppInstallState / InstallState and HexErrorCode according to the documented error reference and app installation error reporting table.
    4. Optionally, for deeper per‑device/per‑app diagnostics, query mobileAppInstallStatus (beta) or use the Troubleshoot portal interactively.
    5. Use detectedApps only as a secondary confirmation of app presence, not as the primary Intune deployment status signal.
    6. Reporting vs troubleshooting APIs and expected differences
    • Reporting / validation (automation)
      • Use Intune reporting APIs such as DeviceInstallStatusByApp exposed via Graph.
      • These are designed for aggregated and per‑device reporting and are the recommended source of truth for automation.
    • Troubleshooting
      • Use the Intune admin center Troubleshoot pane and related troubleshooting APIs for interactive investigation.
      • These may expose transient or intermediate states (such as unknown) and are not positioned as the primary reporting interface.

    The documentation explicitly distinguishes between the troubleshooting portal (for help desk and interactive use) and the reporting APIs (for programmatic reporting and export). For automation, rely on the reporting APIs rather than the troubleshooting‑oriented endpoints.

    References:

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.