cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Tech Accelerator: Microsoft Intune Suite
Apr 11 2023 08:00 AM - Apr 12 2023 11:00 AM (PDT)
Find out more

Use PowerShell to retrieve all assigned Intune policies and applications per Azure AD group!

TomWechsler
MVP

‎Feb 26 2022 10:37 PM - edited ‎Feb 27 2022 08:55 PM

‎Feb 26 2022 10:37 PM - edited ‎Feb 27 2022 08:55 PM

Use PowerShell to retrieve all assigned Intune policies and applications per Azure AD group!

 

==>>A special thanks to Timmy Andersson for the PowerShell script!!<<==

 

Dear Microsoft Intune Friends,

 

In Microsoft Intune, it is possible to work with configuration profiles, among other things. OK, this is nothing new. But which Azure Active Directory groups have been assigned to the configuration profiles? I am confronted with this question again and again.

 

_Intune_1.JPG_Intune_2.JPG

 

This is where PowerShell comes into play. Let's explore this together.

 

I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio  Code, just as you wish. Please start with the following steps to begin the deployment (the Hashtags are comments):

 

The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE.

 

Set-Location C:\Temp
Clear-Host

 

#Install the module
Install-Module -Name Microsoft.Graph.Intune -AllowClobber -Verbose -Force

 

#Connect and change the scheme
Connect-MSGraph -ForceInteractive
Update-MSGraphEnvironment -SchemaVersion beta
Connect-MSGraph

#Which group do you want to check?
$groupName = "AutoPilot Geräte"

 

$Group = Get-AADGroup -Filter "displayname eq '$GroupName'"

####Config Start####

Write-host "Azure Active Directory Group: $($Group.displayName)" -ForegroundColor Green

#Apps
$AllAssignedApps = Get-IntuneMobileApp -Filter "isAssigned eq true" -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Apps found: $($AllAssignedApps.DisplayName.Count)" -ForegroundColor cyan
Foreach ($Config in $AllAssignedApps) {

Write-host $Config.displayName -ForegroundColor Yellow

}

#Device Compliance
$AllDeviceCompliance = Get-IntuneDeviceCompliancePolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Device Compliance policies found: $($AllDeviceCompliance.DisplayName.Count)" -ForegroundColor cyan
Foreach ($Config in $AllDeviceCompliance) {

Write-host $Config.displayName -ForegroundColor Yellow

}

#Device Configuration
$AllDeviceConfig = Get-IntuneDeviceConfigurationPolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Device Configurations found: $($AllDeviceConfig.DisplayName.Count)" -ForegroundColor cyan
Foreach ($Config in $AllDeviceConfig) {

Write-host $Config.displayName -ForegroundColor Yellow

}

#Device Configuration Powershell Scripts
$Resource = "deviceManagement/deviceManagementScripts"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=groupAssignments"
$DMS = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
$AllDeviceConfigScripts = $DMS.value | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Device Configurations Powershell Scripts found: $($AllDeviceConfigScripts.DisplayName.Count)" -ForegroundColor cyan

Foreach ($Config in $AllDeviceConfigScripts) {

Write-host $Config.displayName -ForegroundColor Yellow

}

#Administrative templates
$Resource = "deviceManagement/groupPolicyConfigurations"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=Assignments"
$ADMT = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
$AllADMT = $ADMT.value | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Device Administrative Templates found: $($AllADMT.DisplayName.Count)" -ForegroundColor cyan
Foreach ($Config in $AllADMT) {

Write-host $Config.displayName -ForegroundColor Yellow

 

}

####Config End####

 

_Intune_1.JPG

 

Now let's check all the groups from Azure Active Directory.

 

$Groups = Get-AADGroup | Get-MSGraphAllPages

####Config Start ####


Foreach ($Group in $Groups) {
Write-host "Azure Active Directory Group Name: $($Group.displayName)" -ForegroundColor Green

#Apps
$AllAssignedApps = Get-IntuneMobileApp -Filter "isAssigned eq true" -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Apps found: $($AllAssignedApps.DisplayName.Count)" -ForegroundColor cyan
Foreach ($Config in $AllAssignedApps) {

Write-host $Config.displayName -ForegroundColor Yellow

}

#Device Compliance
$AllDeviceCompliance = Get-IntuneDeviceCompliancePolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Device Compliance policies found: $($AllDeviceCompliance.DisplayName.Count)" -ForegroundColor cyan
Foreach ($Config in $AllDeviceCompliance) {

Write-host $Config.displayName -ForegroundColor Yellow

}

#Device Configuration
$AllDeviceConfig = Get-IntuneDeviceConfigurationPolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Device Configurations found: $($AllDeviceConfig.DisplayName.Count)" -ForegroundColor cyan
Foreach ($Config in $AllDeviceConfig) {

Write-host $Config.displayName -ForegroundColor Yellow

}

#Device Configuration Powershell Scripts
$Resource = "deviceManagement/deviceManagementScripts"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=groupAssignments"
$DMS = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
$AllDeviceConfigScripts = $DMS.value | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Device Configurations Powershell Scripts found: $($AllDeviceConfigScripts.DisplayName.Count)" -ForegroundColor cyan

Foreach ($Config in $AllDeviceConfigScripts) {

Write-host $Config.displayName -ForegroundColor Yellow

}

#Administrative templates
$Resource = "deviceManagement/groupPolicyConfigurations"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=Assignments"
$ADMT = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
$AllADMT = $ADMT.value | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Device Administrative Templates found: $($AllADMT.DisplayName.Count)" -ForegroundColor cyan
Foreach ($Config in $AllADMT) {

Write-host $Config.displayName -ForegroundColor Yellow

}

}

####Config End####

 

_Intune.JPG

 

I hope this article was useful. Thank you for taking the time to read the article.


Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

32.8K Views
9 Likes
14 Replies
Reply
14 Replies
Keith_Eves

‎Apr 11 2022 03:27 AM

‎Apr 11 2022 03:27 AM

Re: Use PowerShell to retrieve all assigned Intune policies and applications per Azure AD group!

@TomWechsler 

Hi Tom

 

I have the MD graph powershell module installed on my PC.


When I try to connect to MS Graph I'm prompted 'Need admin approval'

Is this just Application Administrator approval or is it full Azure AD Administrator approval.

I'm already an Intune administrator and am trying find standard information (such as groups a device is assigned to  or applications assigned to a group), but this is proving at least very awkward or downright impossible in the Intune console (Microsoft Endpoint Manager Admin Centre

1 Like
Reply
matthlock25

‎Apr 28 2022 01:13 PM

‎Apr 28 2022 01:13 PM

Re: Use PowerShell to retrieve all assigned Intune policies and applications per Azure AD group!

@TomWechsler Has the mobileapps functionality changed as I don't get the assignments back when I try it.  I've even tried the Graph command directly in Graph explorer and I don't get them.

0 Likes
Reply
D0wniel

‎Jul 11 2022 03:01 PM - edited ‎Jul 11 2022 04:02 PM

‎Jul 11 2022 03:01 PM - edited ‎Jul 11 2022 04:02 PM

Re: Use PowerShell to retrieve all assigned Intune policies and applications per Azure AD group!

hi , can CAs and/or Enrollment device platform restrictions be added into the results?

0 Likes
Reply
Arnaud_Bigot

‎Oct 03 2022 12:05 AM

‎Oct 03 2022 12:05 AM

Re: Use PowerShell to retrieve all assigned Intune policies and applications per Azure AD group!

Hello, do you think the script will be updated to support Settings Catalog ?
0 Likes
Reply
SidSB

‎Oct 20 2022 04:53 AM

‎Oct 20 2022 04:53 AM

Re: Use PowerShell to retrieve all assigned Intune policies and applications per Azure AD group!

Nice Script Tom.
You helped me a lot.
I developed a C# App to retrieve information about Assignments using MSGraph.
Maybe you could check out too ;)
https://github.com/sibranda/GetIntuneAssignments
1 Like
Reply
Wim_Groffils

‎Nov 08 2022 03:13 AM

‎Nov 08 2022 03:13 AM

Re: Use PowerShell to retrieve all assigned Intune policies and applications per Azure AD group!

@SidSB 

That sound and looks pretty nice, but security wise how can know it 100% safe to use? 

0 Likes
Reply
JabinB

‎Nov 16 2022 10:19 AM

‎Nov 16 2022 10:19 AM

Re: Use PowerShell to retrieve all assigned Intune policies and applications per Azure AD group!

@Wim_Groffils 

 

An Attacker would have to sniff out your Tenant ID, App ID and crack your secret before being able to use it to simply read the data it has access to.  It cannot make changes to your environment.

0 Likes
Reply
JabinB

‎Nov 16 2022 10:21 AM

‎Nov 16 2022 10:21 AM

Re: Use PowerShell to retrieve all assigned Intune policies and applications per Azure AD group!

AzureAD module has been deprecated. Have you updated to work with the new MgGraph commands?
0 Likes
Reply
SidSB

‎Nov 16 2022 11:51 AM

‎Nov 16 2022 11:51 AM

Re: Use PowerShell to retrieve all assigned Intune policies and applications per Azure AD group!

@Wim_Groffils Thanks for your question.

 

I create the app using the best practices and orientation from Microsoft docs.

But you right to concern about security.

I explain in the doc to create and give just read permission to Azure App because the app just queries the data.

 

1 Like
Reply
SidSB

‎Nov 16 2022 11:52 AM

‎Nov 16 2022 11:52 AM

Re: Use PowerShell to retrieve all assigned Intune policies and applications per Azure AD group!

Hello JabinB
Thanks for ask.

I don't use PowerShell commands in this App, everything is query from MsGraph using Get and queries commands :)

By the way. I published a new version and now you can use Client Secret if you want.
Just keep in mind to create an Azure App with READ Only permissions ;)
1 Like
Reply
MaxMorsia

‎Nov 16 2022 10:28 PM

‎Nov 16 2022 10:28 PM

Re: Use PowerShell to retrieve all assigned Intune policies and applications per Azure AD group!

That's really useful! I don't know how many times I hoped to have this information easily. Something similar should be implemented in Intune, though.
0 Likes
Reply
JabinB

‎Nov 17 2022 09:58 AM

‎Nov 17 2022 09:58 AM

Re: Use PowerShell to retrieve all assigned Intune policies and applications per Azure AD group!

@MaxMorsia If they'd finish adding the old aad and msgraph commands to the new graph commands, we could just write a good script.  I don't get how they are ok deprecating stuff before full transfer.

0 Likes
Reply
Manuel_Nieto

‎Dec 21 2022 11:40 AM

‎Dec 21 2022 11:40 AM

Re: Use PowerShell to retrieve all assigned Intune policies and applications per Azure AD group!

I started out withTimmy Andersson's script, but modified it to get the info to a CSV.

https://github.com/jmanuelng/MEM_AssignedGroups
0 Likes
Reply
Wim_Groffils

‎Dec 22 2022 03:14 AM

‎Dec 22 2022 03:14 AM

Re: Use PowerShell to retrieve all assigned Intune policies and applications per Azure AD group!

Wow, that's ridiculous! Great Job!!
I'm still a bit struggling to make the CSV more kind to the human eye, after a "text to column" it's already much better.
And indeed https://doitpsway.com/get-all-intune-policies-assigned-to-the-specified-account-using-powershell looks promising too!

Keep it up!
1 Like
Reply