IntuneManagement
Copy, export, import, delete, document and compare policies and profiles in Intune and Azure with PowerShell script and WPF UI. Import ADMX files and registry settings with ADMX ingestion. View and edit PowerShell script.
IntuneManagement with PowerShell and WPF UI
These PowerShell scripts use the Microsoft Authentication Library (MSAL), Microsoft Graph APIs and Azure Management APIs to manage objects in Intune and Azure. The scripts have a simple WPF UI and support operations like Export, Import, Copy, Download, Compare etc.
This makes it easy to back up or clone a complete Intune environment. The scripts can export and import objects including assignments and support import/export between tenants. The scripts create a migration table during export and use it when importing assignments in other environments. Missing groups are created in the target environment during import. Group information like name, description and type is imported based on the exported group, e.g. dynamic groups are supported. There is one json file for each group in the export folder.
The script also supports dependencies, e.g. an App Protection policy depends on an App, Policy Sets depend on Compliance Policies, objects have Scope Tags etc. Dependency support requires exported json files and that the dependency objects are imported in the environment. The script uses the exported json files to get the Ids and names of the exported objects and updates the Ids before importing an object from a json file. The Bulk Import form shows the import order of the objects. The objects with the lowest order number are imported first.
<p align="center"> <img src="https://raw.githubusercontent.com/Micke-K/IntuneManagement/master/IntuneManagement.PNG" height="80%" width="80%"/> </p>

This PowerShell application is based on the foundation modules CloudAPIPowerShellManagement and Core. These modules manage UI, settings, logging etc. The functionality of the application is located in the extension modules. This makes it easy to add/remove features, views etc. Additional features will be added...
Security note: Since the scripts are not signed, a warning might be displayed when running them and files might be blocked. The script will unblock all files. This is to avoid issues where it fails to load the MSAL library etc. If there are any security concerns, the PowerShell code can be reviewed and the DLL files can be downloaded manually from Microsoft repositories, see links below. The DLL files CAN be removed, but MSAL is a prerequisite for authentication. The script will try to find the DLL in the Az or MSAL.PS module if it is not found in the script root directory. DLL files are included to reduce dependencies.
Starting the App
Before starting the app:
- The CMD files need to be unblocked before the app can be started. The app can be started without it, but Windows will prompt with a security warning.
- The script will unblock all other files.
Before logging on:
- The app will use the Intune PowerShell Azure Enterprise Application by default and only use the permissions granted to that application. Disable Use Default Permissions in Settings to request additional permissions. This will cause a consent prompt if one or more permissions are missing for the app. Note: If the app has not been approved for the organization, a consent prompt will be displayed.
- Enable Get Tenant List in Settings if accessing multiple environments with the same account, e.g. a guest account in other tenants. This might cause a consent prompt.
Start the script by running Start.cmd, Start-WithJson.cmd, Start-WithConsole.cmd or Start-IntuneManagement.ps1. Start-WithConsole.cmd will leave the command prompt window open so you can see the log while running the app.
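The security note above says the script unblocks every file it ships with. The following pre-flight check is an added example, not part of the IntuneManagement project: it lists which files in the extracted folder carry the Mark-of-the-Web (the `Zone.Identifier` stream that makes Windows block them), shows the Authenticode signature of the bundled DLLs so the MSAL library can be checked for a Microsoft signature before PowerShell loads it, and unblocks only the `.cmd` launchers. The `$ScriptRoot` path is an assumed extraction location.

```powershell
# Added example (not part of the IntuneManagement project): pre-flight check before letting
# the tool unblock everything. $ScriptRoot is an assumed extraction path.
param(
    [string]$ScriptRoot = "C:\Tools\IntuneManagement"   # assumed: where the repo was extracted
)

function Get-BlockedFile {
    param([string]$Path)
    # A downloaded/blocked file carries an NTFS alternate data stream named Zone.Identifier.
    Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue }
}

function Get-DllSignatureReport {
    param([string]$Path)
    # Report the Authenticode status and signer of every DLL so an unsigned or
    # unexpected-signer library stands out before it is loaded into the PowerShell process.
    Get-ChildItem -Path $Path -Recurse -Filter *.dll -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.Name
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        }
    }
}

$blocked = @(Get-BlockedFile -Path $ScriptRoot)
Write-Host "Files carrying Mark-of-the-Web: $($blocked.Count)"
$blocked | Select-Object -ExpandProperty FullName

Write-Host "`nDLL signatures:"
Get-DllSignatureReport -Path $ScriptRoot | Format-Table -AutoSize

# Unblock only the launchers (Start.cmd etc.); the app unblocks the rest once you decide to run it.
# -WhatIf only shows what would be unblocked; remove it to clear the mark from the .cmd files.
Get-ChildItem -Path $ScriptRoot -Filter *.cmd -File | Unblock-File -WhatIf
```

Run it from the folder above the extracted repo before the first start; a DLL whose `Status` is not `Valid` or whose `Signer` is not a Microsoft subject is the one to replace with a copy downloaded from the Microsoft repositories the note refers to.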
Silent Batch Job (Beta)
The script can be executed without the UI. This is to support DevOps environments.
Silent batch job is supported by the following features:
- Export
- Import
- Documentation
- Compare
The Silent Batch Job feature requires an Azure App to be configured with a secret or a certificate. The app must also be delegated with the required permissions to Graph objects used by the tool.
The silent feature uses an exported json file with settings for the specified operation. This file can be generated in the Bulk Export/Import forms. Required settings for the silent job are configured in the form and then exported to a file. The path to the file is then passed on the command line. The file can be used for multiple environments if the Add company name to the path option is selected. Note that this requires the app to have at least read permission on the Organizations API.
The following variables can be used in the path and filename:
- %Date% - This will be translated to yyyy-MM-dd format (e.g. 2020-02-27)
- %DateTime% - This will be translated to yyyyMMdd-HHmm format (e.g. 20200227-1750)
- %Organization% - Name of the tenant
- Any environment variable
The tool will by default generate the files BulkExport.json and BulkImport.json. These files can be merged into one file, but that must be done manually. These files can also be edited manually. Each setting represents a control in the UI form. When the script is triggered silently, it will create the form in the background, populate it with the values from the file and then trigger the bulk function.
Note: The Silent Batch feature uses settings configured in the UI. If this is triggered in a DevOps environment, it is recommended to generate a settings JSON file with the desired settings and then use that in the DevOps environment.
The app authentication can either be passed on the command line or stored in the settings. Tenant Settings are required for multiple environments.
Command line example:

```powershell
Start-IntuneManagement.ps1 -Silent -TenantId "<TenantID>" -SilentBatchFile <PathToFile> [-AppId <AppId>] [-Secret <Secret> | -Certificate <CertThumb>]
Start-IntuneManagement.ps1 -Silent -SilentBatchFile "C:\Temp\BatchImport.json" -TenantId "00000000-0000-0000-0000-000000000000" -AppId "00000000-0000-0000-0000-000000000001" -Secret "KJ76P~B9###9-.8I####-_MySecret"
```

Setting example (app authentication stored in the settings, so only the tenant and batch file are passed):

```powershell
Start-IntuneManagement.ps1 -Silent -SilentBatchFile "C:\Temp\BatchImport.json" -TenantId "00000000-0000-0000-0000-000000000000"
```
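The command line examples above pass the client secret as a literal argument, which leaves it in the process command line, shell history and any pipeline log. The wrapper below is an added example, not part of the IntuneManagement project: it uses the `-Certificate <CertThumb>` option the README documents instead, looking the thumbprint up in the current user's certificate store at run time. The certificate subject, the extraction path and the batch file location are assumed values; the tenant and app Ids are placeholders.

```powershell
# Added example (not part of the IntuneManagement project): run the silent batch job with
# certificate authentication so no client secret appears on the command line. The README's
# own parameters are used (-Silent, -TenantId, -SilentBatchFile, -AppId, -Certificate).
param(
    [string]$ScriptRoot      = "C:\Tools\IntuneManagement",             # assumed extraction path
    [string]$TenantId        = "00000000-0000-0000-0000-000000000000",  # placeholder
    [string]$AppId           = "00000000-0000-0000-0000-000000000001",  # placeholder
    [string]$CertSubject     = "CN=IntuneManagement-Batch",             # assumed certificate subject
    [string]$SilentBatchFile = "C:\Temp\BulkExport.json"                # assumed: generated from the Bulk Export form
)

function Get-BatchCertThumbprint {
    param([string]$Subject)
    # Find the app certificate in the user's store by subject. Only certificates that still
    # hold a private key and have not expired qualify; the newest one wins after a rollover.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No valid certificate with a private key found for subject '$Subject'" }
    return $cert.Thumbprint
}

if (-not (Test-Path -Path $SilentBatchFile)) { throw "Batch settings file not found: $SilentBatchFile" }
$thumbprint = Get-BatchCertThumbprint -Subject $CertSubject

# Only the thumbprint reaches the command line; the private key never leaves the certificate store.
& (Join-Path -Path $ScriptRoot -ChildPath 'Start-IntuneManagement.ps1') `
    -Silent `
    -TenantId $TenantId `
    -SilentBatchFile $SilentBatchFile `
    -AppId $AppId `
    -Certificate $thumbprint
```

If a secret has to be used instead, pass it as `-Secret $env:INTUNE_APP_SECRET` (the variable name is an assumption) with the value injected by the pipeline's secret store, rather than writing the literal into the script or the job definition.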
Documentation
This script has an extension that can document profiles and policies in Intune. The output uses the same language strings as the Intune portal.
See Documentation for more information.
Import
The script can import the exported json files in multiple ways:
- Always import: The script will try to import the file. It will not check if the object exists. This is the default behavior.
- Skip if object exists: The script will look for an existing object with the same name and type. It will not import the file if an existing object is detected.
- Replace (Preview): If an existing object is detected, the script will
  - Import the file without assignments
  - Copy assignments from the existing object
  - Run PostReplace commands - Priority will be set for Enrollment Restrictions etc.
  - Update PolicySets object(s) to use the newly imported object (detected by policySet assignments)
  - Delete the original object
- Update (Preview): This will update the existing object.
The update APIs do not support all the properties that the import APIs do, and object types behave differently during update, e.g. settings for Endpoint Security objects will not be cleared. There is no API for removing settings, only for adding them. If a setting does not exist in the import file, the existing setting will be set to Not Configured. Settings Catalog replaces the whole settings property during update.
This has been tested with all supported object types except Import Scripts (Shell), Android OEM Config and Apple Enrollment Types.
Each application type works differently. Update functionality has been tested on Win32, Windows MSI LoB, iOS Store, Microsoft Store and Microsoft 365 (Windows and MacOS).
WARNING: Use Replace with caution! Replace will delete the existing object after a new object is imported and the assignments are copied, but it could cause issues in the environment if something in the process goes wrong. Replacing single objects can break references e.g. replacing an Application can break AutoPilot profiles, App Protection and App Configuration policies. Verify the process in a test environment before using this!
Recommendation: Backup all policies before running Replace/Update.
The Replace/Update feature can be used in a scenario where all profiles/policies are managed in a separate reference environment (Dev/Test) and then implemented in one or more destination environments. The existing objects will then be reset to have the same settings as the reference environment.
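The warning and recommendation above boil down to: never run a Replace/Update import without a fresh backup, because a failed replace deletes nothing recoverable from the portal. The script below is an added example, not part of the IntuneManagement project: it runs the silent export job first, refuses to continue unless that export actually produced json files newer than the run start, and only then runs the Replace/Update import. It assumes `BulkExport.json` and `BulkImport.json` were generated from the Bulk Export/Import forms, that the export form's output folder is `$BackupRoot` (that path is configured inside the json, not on the command line), and that app authentication is stored in the tool's settings as in the README's "Setting example". The tenant Id and paths are placeholders.

```powershell
# Added example (not part of the IntuneManagement project): back up before Replace/Update
# and abort the import when the backup is empty. Paths and Ids are placeholders/assumptions.
param(
    [string]$ScriptRoot = "C:\Tools\IntuneManagement",             # assumed extraction path
    [string]$TenantId   = "00000000-0000-0000-0000-000000000000",  # placeholder
    [string]$ExportFile = "C:\Temp\BulkExport.json",               # assumed: generated from the Bulk Export form
    [string]$ImportFile = "C:\Temp\BulkImport.json",               # assumed: generated with Replace/Update selected
    [string]$BackupRoot = "C:\IntuneBackup"                        # assumed: must match the path configured in BulkExport.json
)

$tool = Join-Path -Path $ScriptRoot -ChildPath 'Start-IntuneManagement.ps1'

function Invoke-SilentJob {
    param([string]$BatchFile)
    # App credentials are stored in the tool's settings ("Setting example"), so only the
    # tenant and the batch settings file are passed on the command line.
    if (-not (Test-Path -Path $BatchFile)) { throw "Batch settings file not found: $BatchFile" }
    & $tool -Silent -TenantId $TenantId -SilentBatchFile $BatchFile
}

function Test-BackupComplete {
    param([string]$Root, [datetime]$NotBefore)
    # A usable backup is a set of json files written after this run started, in the
    # per-object-type folders the export creates. Zero such files means the export did
    # nothing (wrong path, missing permission, auth failure) and the Replace must not run.
    $files = @(Get-ChildItem -Path $Root -Recurse -Filter *.json -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $NotBefore })
    return ($files.Count -gt 0)
}

$started = Get-Date
Write-Host "Running backup export ($ExportFile) at $started"
Invoke-SilentJob -BatchFile $ExportFile

if (-not (Test-BackupComplete -Root $BackupRoot -NotBefore $started)) {
    throw "Backup export produced no json files under $BackupRoot since $started; aborting Replace/Update import"
}

Write-Host "Backup verified under $BackupRoot; running Replace/Update import ($ImportFile)"
Invoke-SilentJob -BatchFile $ImportFile
```

Keep `$BackupRoot` on a path that uses the `%DateTime%` variable in the export settings so each run lands in its own folder; the freshness check then also guards against pointing at a stale backup from an earlier day.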
Comparison
This script has an extension that can compare objects in Intune with exported json files. It will display a data grid with the values and highlight changed values in red.
Objects can be compared based on property values or documented values.
The property value method is a quick way to compare objects but it will only show the names and values of the native Intune object. This is not a good comparison method for Settings objects since they have all the settings in one property.
The documentation method is a bit slower but will show the values as they are stated in the Intune portal. This is the recommended way to compare objects, but note that it is only supported on object types that support documentation.
Bulk compare is supported. This can be performed in two ways:
- Intune Objects with Exported Files - This will read each exported file and compare it with the existing object.
The result file will be stored in the exported folder structure. Either in the Object Type folder or the parent folder depe
