Tech Community Live: Endpoint Manager edition
Jul 21 2022, 08:00 AM - 12:00 PM (PDT)

Use PowerShell to retrieve all assigned Intune policies and applications per Azure AD group!

%3CLINGO-SUB%20id%3D%22lingo-sub-3217498%22%20slang%3D%22en-US%22%3EUse%20PowerShell%20to%20retrieve%20all%20assigned%20Intune%20policies%20and%20applications%20per%20Azure%20AD%20group!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3217498%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3D%3D%26gt%3B%26gt%3BA%20special%20thanks%20to%20Timmy%20Andersson%20for%20the%20PowerShell%20script!!%26lt%3B%26lt%3B%3D%3D%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDear%20Microsoft%20Intune%20Friends%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20Microsoft%20Intune%2C%20it%20is%20possible%20to%20work%20with%20configuration%20profiles%2C%20among%20other%20things.%20OK%2C%20this%20is%20nothing%20new.%20But%20which%20Azure%20Active%20Directory%20groups%20have%20been%20assigned%20to%20the%20configuration%20profiles%3F%20I%20am%20confronted%20with%20this%20question%20again%20and%20again.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22_Intune_1.JPG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F351469iB49939F446AC202A%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22_Intune_1.JPG%22%20alt%3D%22_Intune_1.JPG%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22_Intune_2.JPG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F351470iD60CB9A988C707B8%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22_Intune_2.JPG%22%20alt%3D%22_Intune_2.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20is%20where%20PowerShell%20comes%20into%20play.%20Let's%20explore%20this%20together.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20used%20the%20PowerShell%20ISE%20for%20this%20configuration.%20But%20you%20are%20also%20very%20welcome%20to%20use%20Visual%20Studio%26nbsp%3B%20Code%2C%20just%20as%20you%20wish.%20Please%20start%20with%20the%20following%20steps%20to%20begin%20the%20deployment%20(the%20Hashtags%20are%20comments)%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20first%20two%20lines%20have%20nothing%20to%20do%20with%20the%20configuration%2C%20but%20make%20some%20space%20below%20in%20the%20blue%20part%20of%20the%20ISE.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESet-Location%20C%3A%5CTemp%3CBR%20%2F%3EClear-Host%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%23Install%20the%20module%3CBR%20%2F%3EInstall-Module%20-Name%20Microsoft.Graph.Intune%20-AllowClobber%20-Verbose%20-Force%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%23Connect%20and%20change%20the%20scheme%20%3CBR%20%2F%3EConnect-MSGraph%20-ForceInteractive%3CBR%20%2F%3EUpdate-MSGraphEnvironment%20-SchemaVersion%20beta%3CBR%20%2F%3EConnect-MSGraph%3CBR%20%2F%3E%3CBR%20%2F%3E%23Which%20group%20do%20you%20want%20to%20check%3F%3CBR%20%2F%3E%24groupName%20%3D%20%22AutoPilot%20Ger%C3%A4te%22%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%24Group%20%3D%20Get-AADGroup%20-Filter%20%22displayname%20eq%20'%24GroupName'%22%3CBR%20%2F%3E%3CBR%20%2F%3E%23%23%23%23Config%20Start%23%23%23%23%3CBR%20%2F%3E%3CBR%20%2F%3EWrite-host%20%22Azure%20Active%20Directory%20Group%3A%20%24(%24Group.displayName)%22%20-ForegroundColor%20Green%3CBR%20%2F%3E%3CBR%20%2F%3E%23Apps%3CBR%20%2F%3E%24AllAssignedApps%20%3D%20Get-IntuneMobileApp%20-Filter%20%22isAssigned%20eq%20true%22%20-Select%20id%2C%20displayName%2C%20lastModifiedDateTime%2C%20assignments%20-Expand%20assignments%20%7C%20Where-Object%20%7B%24_.assignments%20-match%20%24Group.id%7D%3CBR%20%2F%3EWrite-host%20%22Number%20of%20Apps%20found%3A%20%24(%24AllAssignedApps.DisplayName.Count)%22%20-ForegroundColor%20cyan%3CBR%20%2F%3EForeach%20(%24Config%20in%20%24AllAssignedApps)%20%7B%3CBR%20%2F%3E%3CBR%20%2F%3EWrite-host%20%24Config.displayName%20-ForegroundColor%20Yellow%3CBR%20%2F%3E%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%3CBR%20%2F%3E%23Device%20Compliance%3CBR%20%2F%3E%24AllDeviceCompliance%20%3D%20Get-IntuneDeviceCompliancePolicy%20-Select%20id%2C%20displayName%2C%20lastModifiedDateTime%2C%20assignments%20-Expand%20assignments%20%7C%20Where-Object%20%7B%24_.assignments%20-match%20%24Group.id%7D%3CBR%20%2F%3EWrite-host%20%22Number%20of%20Device%20Compliance%20policies%20found%3A%20%24(%24AllDeviceCompliance.DisplayName.Count)%22%20-ForegroundColor%20cyan%3CBR%20%2F%3EForeach%20(%24Config%20in%20%24AllDeviceCompliance)%20%7B%3CBR%20%2F%3E%3CBR%20%2F%3EWrite-host%20%24Config.displayName%20-ForegroundColor%20Yellow%3CBR%20%2F%3E%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%3CBR%20%2F%3E%23Device%20Configuration%3CBR%20%2F%3E%24AllDeviceConfig%20%3D%20Get-IntuneDeviceConfigurationPolicy%20-Select%20id%2C%20displayName%2C%20lastModifiedDateTime%2C%20assignments%20-Expand%20assignments%20%7C%20Where-Object%20%7B%24_.assignments%20-match%20%24Group.id%7D%3CBR%20%2F%3EWrite-host%20%22Number%20of%20Device%20Configurations%20found%3A%20%24(%24AllDeviceConfig.DisplayName.Count)%22%20-ForegroundColor%20cyan%3CBR%20%2F%3EForeach%20(%24Config%20in%20%24AllDeviceConfig)%20%7B%3CBR%20%2F%3E%3CBR%20%2F%3EWrite-host%20%24Config.displayName%20-ForegroundColor%20Yellow%3CBR%20%2F%3E%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%3CBR%20%2F%3E%23Device%20Configuration%20Powershell%20Scripts%20%3CBR%20%2F%3E%24Resource%20%3D%20%22deviceManagement%2FdeviceManagementScripts%22%3CBR%20%2F%3E%24graphApiVersion%20%3D%20%22Beta%22%3CBR%20%2F%3E%24uri%20%3D%20%22%3CA%20href%3D%22https%3A%2F%2Fgraph.microsoft.com%2F%24graphApiVersion%2F%24(%24Resource%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgraph.microsoft.com%2F%24graphApiVersion%2F%24(%24Resource%3C%2FA%3E)%3F%60%24expand%3DgroupAssignments%22%3CBR%20%2F%3E%24DMS%20%3D%20Invoke-MSGraphRequest%20-HttpMethod%20GET%20-Url%20%24uri%3CBR%20%2F%3E%24AllDeviceConfigScripts%20%3D%20%24DMS.value%20%7C%20Where-Object%20%7B%24_.assignments%20-match%20%24Group.id%7D%3CBR%20%2F%3EWrite-host%20%22Number%20of%20Device%20Configurations%20Powershell%20Scripts%20found%3A%20%24(%24AllDeviceConfigScripts.DisplayName.Count)%22%20-ForegroundColor%20cyan%3CBR%20%2F%3E%3CBR%20%2F%3EForeach%20(%24Config%20in%20%24AllDeviceConfigScripts)%20%7B%3CBR%20%2F%3E%3CBR%20%2F%3EWrite-host%20%24Config.displayName%20-ForegroundColor%20Yellow%3CBR%20%2F%3E%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%3CBR%20%2F%3E%23Administrative%20templates%3CBR%20%2F%3E%24Resource%20%3D%20%22deviceManagement%2FgroupPolicyConfigurations%22%3CBR%20%2F%3E%24graphApiVersion%20%3D%20%22Beta%22%3CBR%20%2F%3E%24uri%20%3D%20%22%3CA%20href%3D%22https%3A%2F%2Fgraph.microsoft.com%2F%24graphApiVersion%2F%24(%24Resource%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgraph.microsoft.com%2F%24graphApiVersion%2F%24(%24Resource%3C%2FA%3E)%3F%60%24expand%3DAssignments%22%3CBR%20%2F%3E%24ADMT%20%3D%20Invoke-MSGraphRequest%20-HttpMethod%20GET%20-Url%20%24uri%3CBR%20%2F%3E%24AllADMT%20%3D%20%24ADMT.value%20%7C%20Where-Object%20%7B%24_.assignments%20-match%20%24Group.id%7D%3CBR%20%2F%3EWrite-host%20%22Number%20of%20Device%20Administrative%20Templates%20found%3A%20%24(%24AllADMT.DisplayName.Count)%22%20-ForegroundColor%20cyan%3CBR%20%2F%3EForeach%20(%24Config%20in%20%24AllADMT)%20%7B%3CBR%20%2F%3E%3CBR%20%2F%3EWrite-host%20%24Config.displayName%20-ForegroundColor%20Yellow%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%7D%3C%2FP%3E%0A%3CP%3E%23%23%23%23Config%20End%23%23%23%23%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22_Intune_1.JPG%22%20style%3D%22width%3A%20660px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F351513iAD0D5E02A3F11384%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22_Intune_1.JPG%22%20alt%3D%22_Intune_1.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENow%20let's%20check%20all%20the%20groups%20from%20Azure%20Active%20Directory.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%24Groups%20%3D%20Get-AADGroup%20%7C%20Get-MSGraphAllPages%3CBR%20%2F%3E%3CBR%20%2F%3E%23%23%23%23Config%20Start%20%23%23%23%23%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EForeach%20(%24Group%20in%20%24Groups)%20%7B%3CBR%20%2F%3EWrite-host%20%22Azure%20Active%20Directory%20Group%20Name%3A%20%24(%24Group.displayName)%22%20-ForegroundColor%20Green%3CBR%20%2F%3E%3CBR%20%2F%3E%23Apps%3CBR%20%2F%3E%24AllAssignedApps%20%3D%20Get-IntuneMobileApp%20-Filter%20%22isAssigned%20eq%20true%22%20-Select%20id%2C%20displayName%2C%20lastModifiedDateTime%2C%20assignments%20-Expand%20assignments%20%7C%20Where-Object%20%7B%24_.assignments%20-match%20%24Group.id%7D%3CBR%20%2F%3EWrite-host%20%22Number%20of%20Apps%20found%3A%20%24(%24AllAssignedApps.DisplayName.Count)%22%20-ForegroundColor%20cyan%3CBR%20%2F%3EForeach%20(%24Config%20in%20%24AllAssignedApps)%20%7B%3CBR%20%2F%3E%3CBR%20%2F%3EWrite-host%20%24Config.displayName%20-ForegroundColor%20Yellow%3CBR%20%2F%3E%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%3CBR%20%2F%3E%23Device%20Compliance%3CBR%20%2F%3E%24AllDeviceCompliance%20%3D%20Get-IntuneDeviceCompliancePolicy%20-Select%20id%2C%20displayName%2C%20lastModifiedDateTime%2C%20assignments%20-Expand%20assignments%20%7C%20Where-Object%20%7B%24_.assignments%20-match%20%24Group.id%7D%3CBR%20%2F%3EWrite-host%20%22Number%20of%20Device%20Compliance%20policies%20found%3A%20%24(%24AllDeviceCompliance.DisplayName.Count)%22%20-ForegroundColor%20cyan%3CBR%20%2F%3EForeach%20(%24Config%20in%20%24AllDeviceCompliance)%20%7B%3CBR%20%2F%3E%3CBR%20%2F%3EWrite-host%20%24Config.displayName%20-ForegroundColor%20Yellow%3CBR%20%2F%3E%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%3CBR%20%2F%3E%23Device%20Configuration%3CBR%20%2F%3E%24AllDeviceConfig%20%3D%20Get-IntuneDeviceConfigurationPolicy%20-Select%20id%2C%20displayName%2C%20lastModifiedDateTime%2C%20assignments%20-Expand%20assignments%20%7C%20Where-Object%20%7B%24_.assignments%20-match%20%24Group.id%7D%3CBR%20%2F%3EWrite-host%20%22Number%20of%20Device%20Configurations%20found%3A%20%24(%24AllDeviceConfig.DisplayName.Count)%22%20-ForegroundColor%20cyan%3CBR%20%2F%3EForeach%20(%24Config%20in%20%24AllDeviceConfig)%20%7B%3CBR%20%2F%3E%3CBR%20%2F%3EWrite-host%20%24Config.displayName%20-ForegroundColor%20Yellow%3CBR%20%2F%3E%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%3CBR%20%2F%3E%23Device%20Configuration%20Powershell%20Scripts%20%3CBR%20%2F%3E%24Resource%20%3D%20%22deviceManagement%2FdeviceManagementScripts%22%3CBR%20%2F%3E%24graphApiVersion%20%3D%20%22Beta%22%3CBR%20%2F%3E%24uri%20%3D%20%22%3CA%20href%3D%22https%3A%2F%2Fgraph.microsoft.com%2F%24graphApiVersion%2F%24(%24Resource%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgraph.microsoft.com%2F%24graphApiVersion%2F%24(%24Resource%3C%2FA%3E)%3F%60%24expand%3DgroupAssignments%22%3CBR%20%2F%3E%24DMS%20%3D%20Invoke-MSGraphRequest%20-HttpMethod%20GET%20-Url%20%24uri%3CBR%20%2F%3E%24AllDeviceConfigScripts%20%3D%20%24DMS.value%20%7C%20Where-Object%20%7B%24_.assignments%20-match%20%24Group.id%7D%3CBR%20%2F%3EWrite-host%20%22Number%20of%20Device%20Configurations%20Powershell%20Scripts%20found%3A%20%24(%24AllDeviceConfigScripts.DisplayName.Count)%22%20-ForegroundColor%20cyan%3CBR%20%2F%3E%3CBR%20%2F%3EForeach%20(%24Config%20in%20%24AllDeviceConfigScripts)%20%7B%3CBR%20%2F%3E%3CBR%20%2F%3EWrite-host%20%24Config.displayName%20-ForegroundColor%20Yellow%3CBR%20%2F%3E%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%3CBR%20%2F%3E%23Administrative%20templates%3CBR%20%2F%3E%24Resource%20%3D%20%22deviceManagement%2FgroupPolicyConfigurations%22%3CBR%20%2F%3E%24graphApiVersion%20%3D%20%22Beta%22%3CBR%20%2F%3E%24uri%20%3D%20%22%3CA%20href%3D%22https%3A%2F%2Fgraph.microsoft.com%2F%24graphApiVersion%2F%24(%24Resource%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgraph.microsoft.com%2F%24graphApiVersion%2F%24(%24Resource%3C%2FA%3E)%3F%60%24expand%3DAssignments%22%3CBR%20%2F%3E%24ADMT%20%3D%20Invoke-MSGraphRequest%20-HttpMethod%20GET%20-Url%20%24uri%3CBR%20%2F%3E%24AllADMT%20%3D%20%24ADMT.value%20%7C%20Where-Object%20%7B%24_.assignments%20-match%20%24Group.id%7D%3CBR%20%2F%3EWrite-host%20%22Number%20of%20Device%20Administrative%20Templates%20found%3A%20%24(%24AllADMT.DisplayName.Count)%22%20-ForegroundColor%20cyan%3CBR%20%2F%3EForeach%20(%24Config%20in%20%24AllADMT)%20%7B%3CBR%20%2F%3E%3CBR%20%2F%3EWrite-host%20%24Config.displayName%20-ForegroundColor%20Yellow%3CBR%20%2F%3E%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%3CBR%20%2F%3E%7D%3C%2FP%3E%0A%3CP%3E%23%23%23%23Config%20End%23%23%23%23%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22_Intune.JPG%22%20style%3D%22width%3A%20758px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F351514iE6D5AA670E6E773F%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22_Intune.JPG%22%20alt%3D%22_Intune.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20hope%20this%20article%20was%20useful.%20Thank%20you%20for%20taking%20the%20time%20to%20read%20the%20article.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EBest%20regards%2C%20Tom%20Wechsler%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EP.S.%20All%20scripts%20(%23PowerShell%2C%20Azure%20CLI%2C%20%23Terraform%2C%20%23ARM)%20that%20I%20use%20can%20be%20found%20on%20github!%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Ftomwechsler%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Ftomwechsler%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3217498%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EGraph%20API%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3281738%22%20slang%3D%22en-US%22%3ERe%3A%20Use%20PowerShell%20to%20retrieve%20all%20assigned%20Intune%20policies%20and%20applications%20per%20Azure%20AD%20group!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3281738%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F593067%22%20target%3D%22_blank%22%3E%40TomWechsler%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%20Tom%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20the%20MD%20graph%20powershell%20module%20installed%20on%20my%20PC.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EWhen%20I%20try%20to%20connect%20to%20MS%20Graph%20I'm%20prompted%20'Need%20admin%20approval'%3CBR%20%2F%3E%3CBR%20%2F%3EIs%20this%20just%20Application%20Administrator%20approval%20or%20is%20it%20full%20Azure%20AD%20Administrator%20approval.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EI'm%20already%20an%20Intune%20administrator%20and%20am%20trying%20find%20standard%20information%20(such%20as%20groups%20a%20device%20is%20assigned%20to%26nbsp%3B%20or%20applications%20assigned%20to%20a%20group)%2C%20but%20this%20is%20proving%20at%20least%20very%20awkward%20or%20downright%20impossible%20in%20the%20Intune%20console%20(Microsoft%20Endpoint%20Manager%20Admin%20Centre%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3298167%22%20slang%3D%22en-US%22%3ERe%3A%20Use%20PowerShell%20to%20retrieve%20all%20assigned%20Intune%20policies%20and%20applications%20per%20Azure%20AD%20group!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3298167%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F593067%22%20target%3D%22_blank%22%3E%40TomWechsler%3C%2FA%3E%26nbsp%3BHas%20the%20mobileapps%20functionality%20changed%20as%20I%20don't%20get%20the%20assignments%20back%20when%20I%20try%20it.%26nbsp%3B%20I've%20even%20tried%20the%20Graph%20command%20directly%20in%20Graph%20explorer%20and%20I%20don't%20get%20them.%3C%2FP%3E%3C%2FLINGO-BODY%3E
MVP

 

==>>A special thanks to Timmy Andersson for the PowerShell script!!<<==

 

Dear Microsoft Intune Friends,

 

In Microsoft Intune, it is possible to work with configuration profiles, among other things. OK, this is nothing new. But which Azure Active Directory groups have been assigned to the configuration profiles? I am confronted with this question again and again.

 

_Intune_1.JPG_Intune_2.JPG

 

This is where PowerShell comes into play. Let's explore this together.

 

I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio  Code, just as you wish. Please start with the following steps to begin the deployment (the Hashtags are comments):

 

The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE.

 

Set-Location C:\Temp
Clear-Host

 

#Install the module
Install-Module -Name Microsoft.Graph.Intune -AllowClobber -Verbose -Force

 

#Connect and change the scheme
Connect-MSGraph -ForceInteractive
Update-MSGraphEnvironment -SchemaVersion beta
Connect-MSGraph

#Which group do you want to check?
$groupName = "AutoPilot Geräte"

 

$Group = Get-AADGroup -Filter "displayname eq '$GroupName'"

####Config Start####

Write-host "Azure Active Directory Group: $($Group.displayName)" -ForegroundColor Green

#Apps
$AllAssignedApps = Get-IntuneMobileApp -Filter "isAssigned eq true" -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Apps found: $($AllAssignedApps.DisplayName.Count)" -ForegroundColor cyan
Foreach ($Config in $AllAssignedApps) {

Write-host $Config.displayName -ForegroundColor Yellow

}

#Device Compliance
$AllDeviceCompliance = Get-IntuneDeviceCompliancePolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Device Compliance policies found: $($AllDeviceCompliance.DisplayName.Count)" -ForegroundColor cyan
Foreach ($Config in $AllDeviceCompliance) {

Write-host $Config.displayName -ForegroundColor Yellow

}

#Device Configuration
$AllDeviceConfig = Get-IntuneDeviceConfigurationPolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Device Configurations found: $($AllDeviceConfig.DisplayName.Count)" -ForegroundColor cyan
Foreach ($Config in $AllDeviceConfig) {

Write-host $Config.displayName -ForegroundColor Yellow

}

#Device Configuration Powershell Scripts
$Resource = "deviceManagement/deviceManagementScripts"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=groupAssignments"
$DMS = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
$AllDeviceConfigScripts = $DMS.value | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Device Configurations Powershell Scripts found: $($AllDeviceConfigScripts.DisplayName.Count)" -ForegroundColor cyan

Foreach ($Config in $AllDeviceConfigScripts) {

Write-host $Config.displayName -ForegroundColor Yellow

}

#Administrative templates
$Resource = "deviceManagement/groupPolicyConfigurations"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=Assignments"
$ADMT = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
$AllADMT = $ADMT.value | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Device Administrative Templates found: $($AllADMT.DisplayName.Count)" -ForegroundColor cyan
Foreach ($Config in $AllADMT) {

Write-host $Config.displayName -ForegroundColor Yellow

 

}

####Config End####

 

_Intune_1.JPG

 

Now let's check all the groups from Azure Active Directory.

 

$Groups = Get-AADGroup | Get-MSGraphAllPages

####Config Start ####


Foreach ($Group in $Groups) {
Write-host "Azure Active Directory Group Name: $($Group.displayName)" -ForegroundColor Green

#Apps
$AllAssignedApps = Get-IntuneMobileApp -Filter "isAssigned eq true" -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Apps found: $($AllAssignedApps.DisplayName.Count)" -ForegroundColor cyan
Foreach ($Config in $AllAssignedApps) {

Write-host $Config.displayName -ForegroundColor Yellow

}

#Device Compliance
$AllDeviceCompliance = Get-IntuneDeviceCompliancePolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Device Compliance policies found: $($AllDeviceCompliance.DisplayName.Count)" -ForegroundColor cyan
Foreach ($Config in $AllDeviceCompliance) {

Write-host $Config.displayName -ForegroundColor Yellow

}

#Device Configuration
$AllDeviceConfig = Get-IntuneDeviceConfigurationPolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Device Configurations found: $($AllDeviceConfig.DisplayName.Count)" -ForegroundColor cyan
Foreach ($Config in $AllDeviceConfig) {

Write-host $Config.displayName -ForegroundColor Yellow

}

#Device Configuration Powershell Scripts
$Resource = "deviceManagement/deviceManagementScripts"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=groupAssignments"
$DMS = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
$AllDeviceConfigScripts = $DMS.value | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Device Configurations Powershell Scripts found: $($AllDeviceConfigScripts.DisplayName.Count)" -ForegroundColor cyan

Foreach ($Config in $AllDeviceConfigScripts) {

Write-host $Config.displayName -ForegroundColor Yellow

}

#Administrative templates
$Resource = "deviceManagement/groupPolicyConfigurations"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=Assignments"
$ADMT = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
$AllADMT = $ADMT.value | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Device Administrative Templates found: $($AllADMT.DisplayName.Count)" -ForegroundColor cyan
Foreach ($Config in $AllADMT) {

Write-host $Config.displayName -ForegroundColor Yellow

}

}

####Config End####

 

_Intune.JPG

 

I hope this article was useful. Thank you for taking the time to read the article.


Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

2 Replies

@TomWechsler 

Hi Tom

 

I have the MD graph powershell module installed on my PC.


When I try to connect to MS Graph I'm prompted 'Need admin approval'

Is this just Application Administrator approval or is it full Azure AD Administrator approval.

I'm already an Intune administrator and am trying find standard information (such as groups a device is assigned to  or applications assigned to a group), but this is proving at least very awkward or downright impossible in the Intune console (Microsoft Endpoint Manager Admin Centre

@TomWechsler Has the mobileapps functionality changed as I don't get the assignments back when I try it.  I've even tried the Graph command directly in Graph explorer and I don't get them.