Forum Discussion
Use PowerShell to retrieve all assigned Intune policies and applications per Azure AD group!
==>>A special thanks to Timmy Andersson for the PowerShell script!!<<==
Dear Microsoft Intune Friends,
In Microsoft Intune, it is possible to work with configuration profiles, among other things. OK, this is nothing new. But which Azure Active Directory groups have been assigned to the configuration profiles? I am confronted with this question again and again.
This is where PowerShell comes into play. Let's explore this together.
I used the PowerShell ISE for this configuration, but you are also very welcome to use Visual Studio Code, just as you wish. Please start with the following steps to begin the deployment (lines starting with # are comments):
The first two lines have nothing to do with the configuration; they only clear the console pane (the blue part of the ISE) to make some space below.
Set-Location C:\Temp
Clear-Host
#Install the module
Install-Module -Name Microsoft.Graph.Intune -AllowClobber -Verbose -Force
#Connect and change the schema to beta (the assignment properties used below are only exposed there)
Connect-MSGraph -ForceInteractive
Update-MSGraphEnvironment -SchemaVersion beta
Connect-MSGraph
#Which group do you want to check?
$groupName = "AutoPilot Geräte"
$Group = Get-AADGroup -Filter "displayname eq '$groupName'"
####Config Start####
Write-Host "Azure Active Directory Group: $($Group.displayName)" -ForegroundColor Green
#Apps
#Get-MSGraphAllPages follows the @odata.nextLink; without it only the first page of results is examined
$AllAssignedApps = Get-IntuneMobileApp -Filter "isAssigned eq true" -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Get-MSGraphAllPages | Where-Object {$_.assignments -match $Group.id}
Write-Host "Number of Apps found: $(@($AllAssignedApps).Count)" -ForegroundColor Cyan
Foreach ($Config in $AllAssignedApps) {
    Write-Host $Config.displayName -ForegroundColor Yellow
}
#Device Compliance
$AllDeviceCompliance = Get-IntuneDeviceCompliancePolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Get-MSGraphAllPages | Where-Object {$_.assignments -match $Group.id}
Write-Host "Number of Device Compliance policies found: $(@($AllDeviceCompliance).Count)" -ForegroundColor Cyan
Foreach ($Config in $AllDeviceCompliance) {
    Write-Host $Config.displayName -ForegroundColor Yellow
}
#Device Configuration
$AllDeviceConfig = Get-IntuneDeviceConfigurationPolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Get-MSGraphAllPages | Where-Object {$_.assignments -match $Group.id}
Write-Host "Number of Device Configurations found: $(@($AllDeviceConfig).Count)" -ForegroundColor Cyan
Foreach ($Config in $AllDeviceConfig) {
    Write-Host $Config.displayName -ForegroundColor Yellow
}
#Device Configuration PowerShell Scripts
$Resource = "deviceManagement/deviceManagementScripts"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=groupAssignments"
$DMS = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
#The request expands groupAssignments, so that is the property to filter on (filtering on 'assignments' here never matches)
$AllDeviceConfigScripts = $DMS.value | Where-Object {$_.groupAssignments -match $Group.id}
Write-Host "Number of Device Configuration PowerShell Scripts found: $(@($AllDeviceConfigScripts).Count)" -ForegroundColor Cyan
Foreach ($Config in $AllDeviceConfigScripts) {
    Write-Host $Config.displayName -ForegroundColor Yellow
}
#Administrative templates
$Resource = "deviceManagement/groupPolicyConfigurations"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=Assignments"
$ADMT = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
$AllADMT = $ADMT.value | Where-Object {$_.assignments -match $Group.id}
Write-Host "Number of Device Administrative Templates found: $(@($AllADMT).Count)" -ForegroundColor Cyan
Foreach ($Config in $AllADMT) {
    Write-Host $Config.displayName -ForegroundColor Yellow
}
####Config End####
Now let's check all the groups from Azure Active Directory.
$Groups = Get-AADGroup | Get-MSGraphAllPages
####Config Start####
Foreach ($Group in $Groups) {
    Write-Host "Azure Active Directory Group Name: $($Group.displayName)" -ForegroundColor Green
    #Apps (Get-MSGraphAllPages follows the @odata.nextLink so results beyond the first page are included)
    $AllAssignedApps = Get-IntuneMobileApp -Filter "isAssigned eq true" -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Get-MSGraphAllPages | Where-Object {$_.assignments -match $Group.id}
    Write-Host "Number of Apps found: $(@($AllAssignedApps).Count)" -ForegroundColor Cyan
    Foreach ($Config in $AllAssignedApps) {
        Write-Host $Config.displayName -ForegroundColor Yellow
    }
    #Device Compliance
    $AllDeviceCompliance = Get-IntuneDeviceCompliancePolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Get-MSGraphAllPages | Where-Object {$_.assignments -match $Group.id}
    Write-Host "Number of Device Compliance policies found: $(@($AllDeviceCompliance).Count)" -ForegroundColor Cyan
    Foreach ($Config in $AllDeviceCompliance) {
        Write-Host $Config.displayName -ForegroundColor Yellow
    }
    #Device Configuration
    $AllDeviceConfig = Get-IntuneDeviceConfigurationPolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Get-MSGraphAllPages | Where-Object {$_.assignments -match $Group.id}
    Write-Host "Number of Device Configurations found: $(@($AllDeviceConfig).Count)" -ForegroundColor Cyan
    Foreach ($Config in $AllDeviceConfig) {
        Write-Host $Config.displayName -ForegroundColor Yellow
    }
    #Device Configuration PowerShell Scripts
    $Resource = "deviceManagement/deviceManagementScripts"
    $graphApiVersion = "Beta"
    $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=groupAssignments"
    $DMS = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
    #The request expands groupAssignments, so filter on that property ('assignments' is not returned here)
    $AllDeviceConfigScripts = $DMS.value | Where-Object {$_.groupAssignments -match $Group.id}
    Write-Host "Number of Device Configuration PowerShell Scripts found: $(@($AllDeviceConfigScripts).Count)" -ForegroundColor Cyan
    Foreach ($Config in $AllDeviceConfigScripts) {
        Write-Host $Config.displayName -ForegroundColor Yellow
    }
    #Administrative templates
    $Resource = "deviceManagement/groupPolicyConfigurations"
    $graphApiVersion = "Beta"
    $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=Assignments"
    $ADMT = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
    $AllADMT = $ADMT.value | Where-Object {$_.assignments -match $Group.id}
    Write-Host "Number of Device Administrative Templates found: $(@($AllADMT).Count)" -ForegroundColor Cyan
    Foreach ($Config in $AllADMT) {
        Write-Host $Config.displayName -ForegroundColor Yellow
    }
}
####Config End####
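One thing the -match filter above cannot tell you: the group's id also appears in an assignment whose target is an exclusion, so a group that is excluded from a policy is listed exactly like a group the policy is assigned to, and the implicit "All devices" / "All users" targets never show up at all. The block below is an added example, not part of this post or of Timmy Andersson's script. It classifies each assignment by its target type (included, excluded, or one of the implicit targets), uses Get-MSGraphAllPages so results are not cut off at the first page, and writes a CSV in the spirit of the fork Manuel_Nieto mentions in the comments. It assumes the Microsoft.Graph.Intune module is installed and Connect-MSGraph has been run with the beta schema as above, and that the SDK returns each assignment's target with its @odata.type and groupId as properties. The function name Get-GroupAssignmentKind, the variable names, the constructed sample object and the GUIDs in it are my own.

```powershell
# Added example: classify Intune assignments per group by target type instead of
# a regex match on the whole assignment object. Not part of the original post.
# Assumes: Microsoft.Graph.Intune module, Connect-MSGraph already done (beta schema).

function Get-GroupAssignmentKind {
    # Returns Included, Excluded, Implicit or NotAssigned for one policy/app and one group.
    param(
        [Parameter(Mandatory)] $Policy,           # object with an 'assignments' property
        [Parameter(Mandatory)] [string] $GroupId  # Azure AD group object id
    )
    $kinds = foreach ($a in @($Policy.assignments)) {
        $target = $a.target
        switch ($target.'@odata.type') {
            '#microsoft.graph.groupAssignmentTarget' {
                if ($target.groupId -eq $GroupId) { 'Included' }
            }
            '#microsoft.graph.exclusionGroupAssignmentTarget' {
                if ($target.groupId -eq $GroupId) { 'Excluded' }
            }
            '#microsoft.graph.allDevicesAssignmentTarget'       { 'Implicit' }
            '#microsoft.graph.allLicensedUsersAssignmentTarget' { 'Implicit' }
        }
    }
    if ($kinds -contains 'Excluded') { return 'Excluded' }   # an exclusion wins over everything else
    if ($kinds -contains 'Included') { return 'Included' }
    if ($kinds -contains 'Implicit') { return 'Implicit' }
    return 'NotAssigned'
}

# Constructed sample (hypothetical GUIDs, no tenant needed): one app that is assigned
# to group 1111... and excluded for group 2222... The -match approach reports both as assigned.
$sampleApp = [pscustomobject]@{
    displayName = 'Sample App (constructed)'
    assignments = @(
        [pscustomobject]@{ target = [pscustomobject]@{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget';          groupId = '11111111-1111-1111-1111-111111111111' } }
        [pscustomobject]@{ target = [pscustomobject]@{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'; groupId = '22222222-2222-2222-2222-222222222222' } }
    )
}
Get-GroupAssignmentKind -Policy $sampleApp -GroupId '11111111-1111-1111-1111-111111111111'
Get-GroupAssignmentKind -Policy $sampleApp -GroupId '22222222-2222-2222-2222-222222222222'

# Live part: the same cmdlets as the post, every result classified and exported to CSV.
$groupName = "AutoPilot Geräte"   # change to the group you want to check
$Group = Get-AADGroup -Filter "displayname eq '$groupName'"

$policies = @()
$policies += Get-IntuneMobileApp -Filter "isAssigned eq true" -Expand assignments | Get-MSGraphAllPages |
    ForEach-Object { [pscustomobject]@{ Type = 'App'; Policy = $_ } }
$policies += Get-IntuneDeviceCompliancePolicy -Expand assignments | Get-MSGraphAllPages |
    ForEach-Object { [pscustomobject]@{ Type = 'Compliance'; Policy = $_ } }
$policies += Get-IntuneDeviceConfigurationPolicy -Expand assignments | Get-MSGraphAllPages |
    ForEach-Object { [pscustomobject]@{ Type = 'DeviceConfiguration'; Policy = $_ } }

$report = foreach ($p in $policies) {
    $kind = Get-GroupAssignmentKind -Policy $p.Policy -GroupId $Group.id
    if ($kind -ne 'NotAssigned') {
        [pscustomobject]@{
            Group        = $Group.displayName
            Type         = $p.Type
            DisplayName  = $p.Policy.displayName
            Assignment   = $kind          # Included / Excluded / Implicit
            LastModified = $p.Policy.lastModifiedDateTime
        }
    }
}
$report | Sort-Object Type, DisplayName | Format-Table -AutoSize
# File name uses the group id, because a display name may contain characters not allowed in paths
$report | Export-Csv -Path "C:\Temp\IntuneAssignments_$($Group.id).csv" -NoTypeInformation -Encoding UTF8
```

The two sample calls return Included and Excluded respectively, which is the distinction the -match filter loses. Rows marked Implicit tell you the policy reaches the group's members through an "All devices" or "All users" target rather than a direct group assignment; if you only want direct assignments, filter them out before the export.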
I hope this article was useful. Thank you for taking the time to read the article.
Best regards, Tom Wechsler
P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler
- Keith_Eves (Copper Contributor)
Hi Tom
I have the MS Graph PowerShell module installed on my PC.
When I try to connect to MS Graph I'm prompted 'Need admin approval'.
Is this just Application Administrator approval or is it full Azure AD Administrator approval? I'm already an Intune administrator and am trying to find standard information (such as groups a device is assigned to or applications assigned to a group), but this is proving at least very awkward or downright impossible in the Intune console (Microsoft Endpoint Manager Admin Centre).
- Cameron Cox (Microsoft)
Keith_Eves To use Graph for Intune within your tenant, your GA must give consent to using Graph. The simplest method to do this is to have someone with GA rights run the script below. This is a one-time thing.
powershell-intune-samples/AdminConsent at master · microsoftgraph/powershell-intune-samples · GitHub
- SidSB (Copper Contributor)
Nice script Tom.
You helped me a lot.
I developed a C# app to retrieve information about assignments using MS Graph.
Maybe you could check it out too 😉
https://github.com/sibranda/GetIntuneAssignments
- Wim_Groffils (Brass Contributor)
That sounds and looks pretty nice, but security-wise how can I know it's 100% safe to use?
- SidSB (Copper Contributor)
Wim_Groffils Thanks for your question.
I created the app using the best practices and guidance from the Microsoft docs.
But you're right to be concerned about security.
I explain in the doc how to create the Azure app and give it just read permission, because the app only queries the data.
- JabinB (Copper Contributor)
The AzureAD module has been deprecated. Have you updated it to work with the new MgGraph commands?
- SidSB (Copper Contributor)
Hello JabinB
Thanks for asking.
I don't use PowerShell commands in this app; everything is queried from MS Graph using GET requests 🙂
By the way, I published a new version and now you can use a Client Secret if you want.
Just keep in mind to create an Azure app with READ-only permissions 😉
- matthlock25 (Copper Contributor)
TomWechsler Has the mobileApps functionality changed? I don't get the assignments back when I try it. I've even tried the Graph command directly in Graph Explorer and I don't get them.
- MaximeFR (Copper Contributor)
Try to verify whether you're using v1.0 instead of beta.
- D0wniel (Copper Contributor)
Hi, can CAs and/or enrollment device platform restrictions be added to the results?
- Arnaud_Bigot (Copper Contributor)
Hello, do you think the script will be updated to support the Settings Catalog?
- MaxMorsia (Brass Contributor)
That's really useful! I don't know how many times I have wished to have this information easily. Something similar should be implemented in Intune, though.
- Manuel_Nieto (Copper Contributor)
I started out with Timmy Andersson's script, but modified it to get the info into a CSV.
https://github.com/jmanuelng/MEM_AssignedGroups
- Wim_Groffils (Brass Contributor)
Wow, that's ridiculous! Great job!!
I'm still struggling a bit to make the CSV kinder to the human eye; after a "text to columns" it's already much better.
And indeed https://doitpsway.com/get-all-intune-policies-assigned-to-the-specified-account-using-powershell looks promising too!
Keep it up!
- svikscius (Copper Contributor)
Hello Tom,
The script is working, but I can see only a few configuration profiles that have been assigned to that group. For example, the script is showing me only 2 configuration profiles, but there are more than 10. Maybe you know why that is?
Thank you