Use PowerShell to retrieve all assigned Intune policies and applications per Azure AD group!


 

A special thanks to Timmy Andersson for the PowerShell script!

 

Dear Microsoft Intune Friends,

 

In Microsoft Intune you work with configuration profiles, compliance policies and apps, among other things. That is nothing new. But which Azure Active Directory groups have those profiles been assigned to, and what exactly is assigned to a given group? I am confronted with this question again and again.

 


 

This is where PowerShell comes into play. Let's explore this together.

 

I used the PowerShell ISE for this; Visual Studio Code works just as well, whichever you prefer. Start with the following steps (lines beginning with # are comments):

 

The first two lines have nothing to do with the configuration itself; they only set the working directory and clear the console pane (the blue area) of the ISE.

 

Set-Location C:\Temp
Clear-Host

 

#Install the module from the PowerShell Gallery (in Windows PowerShell this needs an
#elevated session unless you add -Scope CurrentUser)
Install-Module -Name Microsoft.Graph.Intune -AllowClobber -Verbose -Force

 

#Connect, switch the module to the beta schema (the Intune endpoints used below are
#beta-only) and connect again so the new schema takes effect
Connect-MSGraph -ForceInteractive
Update-MSGraphEnvironment -SchemaVersion beta
Connect-MSGraph

#Which group do you want to check? (display name; the object id is resolved below)
$groupName = "AutoPilot Geräte"

$Group = Get-AADGroup -Filter "displayname eq '$GroupName'"
#Display names are not unique, so make sure the lookup resolved to exactly one group
if ($null -eq $Group -or @($Group).Count -ne 1) { throw "Expected exactly one group named '$GroupName', found $(@($Group).Count)" }

####Config Start####

Write-host "Azure Active Directory Group: $($Group.displayName)" -ForegroundColor Green

#Apps: only apps with at least one assignment; -Expand pulls the assignment targets in.
#Every Get-Intune* cmdlet returns a single page, so pipe through Get-MSGraphAllPages
#or anything beyond the first page is silently missed.
#-match works because an assignment id has the form <objectId>_<groupId>; note that it
#also matches assignments in which the group is an exclusion target.
$AllAssignedApps = Get-IntuneMobileApp -Filter "isAssigned eq true" -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Get-MSGraphAllPages | Where-Object {$_.assignments -match $Group.id}
Write-Host "Number of Apps found: $($AllAssignedApps.DisplayName.Count)" -ForegroundColor Cyan
Foreach ($Config in $AllAssignedApps) {
    Write-Host $Config.displayName -ForegroundColor Yellow
}

#Device Compliance
$AllDeviceCompliance = Get-IntuneDeviceCompliancePolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Get-MSGraphAllPages | Where-Object {$_.assignments -match $Group.id}
Write-Host "Number of Device Compliance policies found: $($AllDeviceCompliance.DisplayName.Count)" -ForegroundColor Cyan
Foreach ($Config in $AllDeviceCompliance) {
    Write-Host $Config.displayName -ForegroundColor Yellow
}

#Device Configuration
$AllDeviceConfig = Get-IntuneDeviceConfigurationPolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Get-MSGraphAllPages | Where-Object {$_.assignments -match $Group.id}
Write-Host "Number of Device Configurations found: $($AllDeviceConfig.DisplayName.Count)" -ForegroundColor Cyan
Foreach ($Config in $AllDeviceConfig) {
    Write-Host $Config.displayName -ForegroundColor Yellow
}

#Device Configuration PowerShell Scripts: the module has no cmdlet for these, so call the
#beta endpoint directly. The expanded property is groupAssignments, not assignments;
#filtering on $_.assignments never matches and always reports 0 scripts.
$Resource = "deviceManagement/deviceManagementScripts"
$graphApiVersion = "beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=groupAssignments"
$AllDeviceConfigScripts = Invoke-MSGraphRequest -HttpMethod GET -Url $uri | Get-MSGraphAllPages | Where-Object {$_.groupAssignments -match $Group.id}
Write-Host "Number of Device Configuration PowerShell Scripts found: $($AllDeviceConfigScripts.DisplayName.Count)" -ForegroundColor Cyan
Foreach ($Config in $AllDeviceConfigScripts) {
    Write-Host $Config.displayName -ForegroundColor Yellow
}

#Administrative templates (same pattern: beta endpoint, expanded assignments)
$Resource = "deviceManagement/groupPolicyConfigurations"
$graphApiVersion = "beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=assignments"
$AllADMT = Invoke-MSGraphRequest -HttpMethod GET -Url $uri | Get-MSGraphAllPages | Where-Object {$_.assignments -match $Group.id}
Write-Host "Number of Device Administrative Templates found: $($AllADMT.DisplayName.Count)" -ForegroundColor Cyan
Foreach ($Config in $AllADMT) {
    Write-Host $Config.displayName -ForegroundColor Yellow
}

####Config End####
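The -match test in the script treats every assignment whose serialized form contains the group id as an assignment to that group. Two things go wrong with that: a profile from which the group is explicitly excluded shows up as if it were assigned, and profiles targeted at "All users" or "All devices" (which do apply to the group's members without naming the group) never show up at all. For an audit of what a group actually receives, that is the wrong answer in both directions. The function below is an added example, not part of the original post or Timmy Andersson's script; it inspects the target type of each assignment instead. It runs offline on constructed sample objects shaped like the expanded assignments collection Graph returns. The function name Get-AssignmentRelation, the helper New-Target, the policy names and the GUIDs are all made up for the illustration.

```powershell
# Added example, not from the original post: classify how one Intune policy/app
# relates to a given Azure AD group by looking at each assignment's target type,
# instead of regex-matching the group id against the serialized assignment object.
# Runs offline: the policies below are constructed sample objects shaped like the
# expanded 'assignments' collection Graph returns; names and GUIDs are made up.

function Get-AssignmentRelation {
    # Returns 'Excluded', 'Included', 'AllUsers', 'AllDevices' (or a comma-joined
    # combination of the last two), or $null when the policy does not touch the group.
    param(
        [object[]] $Assignments,                     # expanded 'assignments' of one policy/app
        [Parameter(Mandatory)] [string] $GroupId     # Azure AD object id of the group
    )
    $found = [System.Collections.Generic.List[string]]::new()
    foreach ($a in $Assignments) {
        $t = $a.target
        switch ($t.'@odata.type') {
            '#microsoft.graph.groupAssignmentTarget'            { if ($t.groupId -eq $GroupId) { $found.Add('Included') } }
            '#microsoft.graph.exclusionGroupAssignmentTarget'   { if ($t.groupId -eq $GroupId) { $found.Add('Excluded') } }
            '#microsoft.graph.allLicensedUsersAssignmentTarget' { $found.Add('AllUsers') }
            '#microsoft.graph.allDevicesAssignmentTarget'       { $found.Add('AllDevices') }
        }
    }
    # An explicit exclusion of the group wins over any inclusion or built-in "all" target
    if ($found -contains 'Excluded') { return 'Excluded' }
    if ($found -contains 'Included') { return 'Included' }
    if ($found.Count -gt 0) { return (($found | Select-Object -Unique) -join ',') }
    return $null
}

# Constructed sample data (not from a real tenant)
$groupId = '11111111-1111-1111-1111-111111111111'
$otherId = '22222222-2222-2222-2222-222222222222'
function New-Target([string] $Type, [string] $Group) {
    # Builds a target object the way Graph serializes it: an @odata.type plus,
    # for group targets, the groupId
    $t = [pscustomobject]@{ '@odata.type' = "#microsoft.graph.$Type" }
    if ($Group) { $t | Add-Member -NotePropertyName groupId -NotePropertyValue $Group }
    return $t
}
$samplePolicies = @(
    [pscustomobject]@{ displayName = 'BitLocker baseline'; assignments = @(
        [pscustomobject]@{ id = "p1_$groupId"; target = New-Target groupAssignmentTarget $groupId }) }
    [pscustomobject]@{ displayName = 'Kiosk profile'; assignments = @(
        [pscustomobject]@{ id = "p2_$otherId"; target = New-Target groupAssignmentTarget $otherId },
        [pscustomobject]@{ id = "p2_$groupId"; target = New-Target exclusionGroupAssignmentTarget $groupId }) }
    [pscustomobject]@{ displayName = 'Defender AV settings'; assignments = @(
        [pscustomobject]@{ id = 'p3_all-devices'; target = New-Target allDevicesAssignmentTarget }) }
    [pscustomobject]@{ displayName = 'Unrelated VPN profile'; assignments = @() }
)

foreach ($p in $samplePolicies) {
    # The -match test from the script above: true whenever the group GUID appears anywhere
    # in the serialized assignment (here: in the id), so the exclusion is a false positive
    # and the All-devices policy is a false negative
    $regexHit = [bool]($p.assignments -match $groupId)
    $relation = Get-AssignmentRelation -Assignments $p.assignments -GroupId $groupId
    if (-not $relation) { $relation = '(none)' }
    '{0,-22} regex match: {1,-5}  actual relation: {2}' -f $p.displayName, $regexHit, $relation
}
# To run it against a tenant, replace $samplePolicies with e.g.
#   Get-IntuneDeviceConfigurationPolicy -Expand assignments | Get-MSGraphAllPages
```

Running it prints four lines: the BitLocker baseline is matched by both methods (Included), the kiosk profile is a regex hit but is actually Excluded for the group, the Defender policy is missed by the regex but applies through AllDevices, and the VPN profile is matched by neither. The "exclusion wins" rule mirrors how Intune resolves conflicting include and exclude targets for the same group.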

 


 

Now let's check all the groups from Azure Active Directory.

 

#All groups, across every page (Get-AADGroup on its own returns only the first page)
$Groups = Get-AADGroup | Get-MSGraphAllPages

####Config Start####

#Fetch each policy set once, up front, instead of once per group: re-running these
#Graph calls for every group is slow in a large tenant and runs into Graph throttling.
$AllAssignedApps = Get-IntuneMobileApp -Filter "isAssigned eq true" -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Get-MSGraphAllPages
$AllDeviceCompliance = Get-IntuneDeviceCompliancePolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Get-MSGraphAllPages
$AllDeviceConfig = Get-IntuneDeviceConfigurationPolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Get-MSGraphAllPages
#No cmdlets for these two: call the beta endpoints directly. Scripts expand
#groupAssignments (not assignments); administrative templates expand assignments.
$AllDeviceConfigScripts = Invoke-MSGraphRequest -HttpMethod GET -Url "https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts?`$expand=groupAssignments" | Get-MSGraphAllPages
$AllADMT = Invoke-MSGraphRequest -HttpMethod GET -Url "https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations?`$expand=assignments" | Get-MSGraphAllPages

Foreach ($Group in $Groups) {
    Write-Host "Azure Active Directory Group Name: $($Group.displayName)" -ForegroundColor Green

    #-match works because an assignment id has the form <objectId>_<groupId>; note that
    #it also matches assignments in which the group is an exclusion target.

    #Apps
    $GroupApps = $AllAssignedApps | Where-Object {$_.assignments -match $Group.id}
    Write-Host "Number of Apps found: $($GroupApps.DisplayName.Count)" -ForegroundColor Cyan
    Foreach ($Config in $GroupApps) {
        Write-Host $Config.displayName -ForegroundColor Yellow
    }

    #Device Compliance
    $GroupCompliance = $AllDeviceCompliance | Where-Object {$_.assignments -match $Group.id}
    Write-Host "Number of Device Compliance policies found: $($GroupCompliance.DisplayName.Count)" -ForegroundColor Cyan
    Foreach ($Config in $GroupCompliance) {
        Write-Host $Config.displayName -ForegroundColor Yellow
    }

    #Device Configuration
    $GroupConfig = $AllDeviceConfig | Where-Object {$_.assignments -match $Group.id}
    Write-Host "Number of Device Configurations found: $($GroupConfig.DisplayName.Count)" -ForegroundColor Cyan
    Foreach ($Config in $GroupConfig) {
        Write-Host $Config.displayName -ForegroundColor Yellow
    }

    #Device Configuration PowerShell Scripts
    $GroupScripts = $AllDeviceConfigScripts | Where-Object {$_.groupAssignments -match $Group.id}
    Write-Host "Number of Device Configuration PowerShell Scripts found: $($GroupScripts.DisplayName.Count)" -ForegroundColor Cyan
    Foreach ($Config in $GroupScripts) {
        Write-Host $Config.displayName -ForegroundColor Yellow
    }

    #Administrative templates
    $GroupADMT = $AllADMT | Where-Object {$_.assignments -match $Group.id}
    Write-Host "Number of Device Administrative Templates found: $($GroupADMT.DisplayName.Count)" -ForegroundColor Cyan
    Foreach ($Config in $GroupADMT) {
        Write-Host $Config.displayName -ForegroundColor Yellow
    }

}

####Config End####

 


 

I hope this article was useful. Thank you for taking the time to read the article.


Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler
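Several of the replies below ask about the "Need admin approval" prompt and about moving off the older AzureAD and Microsoft.Graph.Intune modules. The script below is an added example, not code from the original post, that builds the same per-group report on the Microsoft.Graph PowerShell SDK: it connects with delegated read-only scopes only (so the session, or a stolen token from it, cannot change any policy), follows every @odata.nextLink page, and matches on target.groupId rather than on the serialized assignment. It assumes the Microsoft.Graph.Authentication module is installed; the function names Get-GraphCollection and Get-GroupAssignmentReport, the two constructed pages used for the offline check, and the group name are illustrative.

```powershell
# Added example, not from the original post: the same per-group report on the
# Microsoft.Graph PowerShell SDK (assumes Microsoft.Graph.Authentication is installed).
# Read-only delegated scopes, full paging, and a target.groupId check.

function Get-GraphCollection {
    # Yields every item of a Graph collection, following @odata.nextLink to the end.
    # -Invoker takes a URI and returns the parsed page, so the paging logic can be
    # exercised offline with constructed pages (see the bottom of this example).
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [scriptblock] $Invoker = { param($u) Invoke-MgGraphRequest -Method GET -Uri $u -OutputType PSObject }
    )
    $next = $Uri
    while ($next) {
        $page = & $Invoker $next
        foreach ($item in $page.value) { $item }
        $next = $page.'@odata.nextLink'
    }
}

function Get-GroupAssignmentReport {
    # One row per (policy, assignment) pair whose target is the given group, with the
    # intent (apps only) and whether the group is an exclusion target.
    param(
        [Parameter(Mandatory)] [string] $GroupId,
        [scriptblock] $Invoker = { param($u) Invoke-MgGraphRequest -Method GET -Uri $u -OutputType PSObject }
    )
    $dm = 'https://graph.microsoft.com/beta/deviceManagement'
    $sources = [ordered]@{
        'App'                     = 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps?$filter=isAssigned eq true&$expand=assignments'
        'Compliance policy'       = "$dm/deviceCompliancePolicies?`$expand=assignments"
        'Configuration profile'   = "$dm/deviceConfigurations?`$expand=assignments"
        'Settings catalog'        = "$dm/configurationPolicies?`$expand=assignments"
        'PowerShell script'       = "$dm/deviceManagementScripts?`$expand=assignments"
        'Administrative template' = "$dm/groupPolicyConfigurations?`$expand=assignments"
    }
    foreach ($kind in $sources.Keys) {
        foreach ($item in Get-GraphCollection -Uri $sources[$kind] -Invoker $Invoker) {
            # settings catalog policies carry 'name' instead of 'displayName'
            $name = if ($item.displayName) { $item.displayName } else { $item.name }
            foreach ($a in $item.assignments) {
                if ($a.target.groupId -ne $GroupId) { continue }   # also skips All users / All devices targets
                [pscustomobject]@{
                    Type     = $kind
                    Name     = $name
                    Intent   = $a.intent   # required / available / uninstall (apps only)
                    Excluded = ($a.target.'@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget')
                    Id       = $item.id
                }
            }
        }
    }
}

# Interactive use (tenant required). Read-only scopes only; an administrator consents once per tenant.
# Connect-MgGraph -Scopes 'Group.Read.All','DeviceManagementApps.Read.All','DeviceManagementConfiguration.Read.All'
# $g = Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri "https://graph.microsoft.com/v1.0/groups?`$filter=displayName eq 'AutoPilot Geräte'"
# Get-GroupAssignmentReport -GroupId $g.value[0].id | Format-Table Type, Name, Intent, Excluded

# Offline check of the paging logic with two constructed pages (no tenant needed)
$fakePages = @{
    'page1' = [pscustomobject]@{ value = @([pscustomobject]@{ id = 'a' }); '@odata.nextLink' = 'page2' }
    'page2' = [pscustomobject]@{ value = @([pscustomobject]@{ id = 'b' }) }
}
$ids = Get-GraphCollection -Uri 'page1' -Invoker { param($u) $fakePages[$u] } | ForEach-Object id
"Paged ids: $($ids -join ', ')"
```

The injected -Invoker is what makes the paging testable without a tenant: the offline check at the end walks page1 to page2 and yields both ids. The three scopes are the least that cover groups, apps and every policy type listed; none of them grants write access, which is the property to insist on for a reporting script that will be run (and its token cached) on admin workstations.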

17 Replies

@TomWechsler 

Hi Tom

 

I have the MS Graph PowerShell module installed on my PC.


When I try to connect to MS Graph I'm prompted 'Need admin approval'

Is this just Application Administrator approval or is it full Azure AD Administrator approval.

I'm already an Intune administrator and am trying to find standard information (such as groups a device is assigned to or applications assigned to a group), but this is proving at least very awkward or downright impossible in the Intune console (Microsoft Endpoint Manager Admin Centre).

@TomWechsler Has the mobileapps functionality changed as I don't get the assignments back when I try it.  I've even tried the Graph command directly in Graph explorer and I don't get them.

Hi, can CAs and/or enrollment device platform restrictions be added into the results?

Hello, do you think the script will be updated to support Settings Catalog ?
Nice Script Tom.
You helped me a lot.
I developed a C# App to retrieve information about Assignments using MSGraph.
Maybe you could check out too ;)
https://github.com/sibranda/GetIntuneAssignments

@SidSB 

That sounds and looks pretty nice, but security-wise how can I know it is 100% safe to use?

@Wim_Groffils 

 

An Attacker would have to sniff out your Tenant ID, App ID and crack your secret before being able to use it to simply read the data it has access to.  It cannot make changes to your environment.

AzureAD module has been deprecated. Have you updated to work with the new MgGraph commands?

@Wim_Groffils Thanks for your question.

 

I created the app using the best practices and orientation from the Microsoft docs.

But you are right to be concerned about security.

I explain in the doc to create the Azure App and give it just read permissions, because the app only queries the data.

 

Hello JabinB,
Thanks for asking.

I don't use PowerShell commands in this app; everything is queried from MS Graph using Get and query commands :)

By the way, I published a new version and now you can use a Client Secret if you want.
Just keep in mind to create an Azure App with READ-only permissions ;)
That's really useful! I don't know how many times I hoped to have this information easily. Something similar should be implemented in Intune, though.

@MaxMorsia If they'd finish adding the old aad and msgraph commands to the new graph commands, we could just write a good script.  I don't get how they are ok deprecating stuff before full transfer.

I started out with Timmy Andersson's script, but modified it to get the info into a CSV.

https://github.com/jmanuelng/MEM_AssignedGroups
Wow, that's ridiculous! Great Job!!
I'm still struggling a bit to make the CSV kinder to the human eye; after a "text to column" it's already much better.
And indeed https://doitpsway.com/get-all-intune-policies-assigned-to-the-specified-account-using-powershell looks promising too!

Keep it up!

@TomWechsler 

 

Hello Tom,

The script is working, but I can only see a few of the configuration profiles that have been assigned to that group. For example, the script shows me only 2 configuration profiles, but there are more than 10. Maybe you know why that is?

Thank you

@Keith_Eves To use Graph for Intune within your tenant, your GA must give consent to using Graph. The simplest method to do this is to have someone with GA rights run the script below. This is a one-time thing.
powershell-intune-samples/AdminConsent at master · microsoftgraph/powershell-intune-samples · GitHub

Try to verify if you're using v1.0 instead of beta.