SkillAgentSearch skills...

IntuneHydrationKit

Quick way to import starter configs into Intune

GenerateConvertImprove

Install / Use

/learn @jorgeasaurus/IntuneHydrationKit
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

<div align="center"> <p> <a href="https://twitter.com/jorge2990"><img src="https://img.shields.io/badge/Follow-@Jorgeasaurus-1DA1F2?style=flat&logo=x&logoColor=white" alt="Twitter Follow"/></a> <a href="https://www.linkedin.com/in/jorgeasaurus/"><img src="https://img.shields.io/badge/LinkedIn-Connect-0A66C2?style=flat&logo=linkedin" alt="LinkedIn"/></a> </p> </div>

Intune Hydration Kit

<p align="center"> <img src="media/IHTLogoClearLight.png" alt="Intune Hydration Kit Logo" width="500"> </p> <p align="center"> <strong>Automate your Microsoft Intune tenant configuration with best-practice defaults</strong> </p> <p align="center"> <a href="https://www.powershellgallery.com/packages/IntuneHydrationKit"><img src="https://img.shields.io/powershellgallery/v/IntuneHydrationKit?label=PSGallery&color=blue" alt="PowerShell Gallery Version"></a> <a href="https://www.powershellgallery.com/packages/IntuneHydrationKit"><img src="https://img.shields.io/powershellgallery/dt/IntuneHydrationKit?label=Downloads&color=green" alt="PowerShell Gallery Downloads"></a> <a href="https://github.com/jorgeasaurus/Intune-Hydration-Kit/blob/main/LICENSE"><img src="https://img.shields.io/github/license/jorgeasaurus/Intune-Hydration-Kit" alt="License"></a> </p> <p align="center"> <a href="#installation">Installation</a> • <a href="#quick-start">Quick Start</a> • <a href="#configuration">Configuration</a> • <a href="#safety-features">Safety Features</a> • <a href="#troubleshooting">Troubleshooting</a> </p>

Overview

The Intune Hydration Kit is a PowerShell module that bootstraps Microsoft Intune tenants with boilerplate configurations. It automatically downloads the latest OpenIntuneBaseline policies and imports them alongside compliance policies, dynamic groups, and more—turning hours of manual configuration into a single command.

Note: This kit uses a maintained fork of the original OpenIntuneBaseline repository. This ensures stability and prevents unplanned breaking changes from affecting your deployments.

Demo

<p align="center"> <img src="media/demo.gif" alt="Demo" width="900"> </p>

What Gets Created

| Category | Count | Description | |----------|-------|-------------| | Dynamic Groups | 50 | Device and user targeting groups (OS, manufacturer, Autopilot, ownership, VMs, license-based) | | Static Groups | 5 | Update ring groups (Pilot, UAT) and Autopilot device preparation group | | Device Filters | 24 | Platform, manufacturer, and VM-based filters (Windows, macOS, iOS, Android) | | Security Baselines | 91 | OpenIntuneBaseline policies (Windows, macOS, iOS, Android) | | Compliance Policies | 10 | Multi-platform compliance (Windows, macOS, iOS, Android, Linux) | | App Protection | 8 | MAM policies following Microsoft's App Protection Framework (Level 1-3 for iOS and Android) | | Mobile Apps | 17 | Microsoft Store apps (Company Portal, Teams, Slack, Spotify, etc.) | | Enrollment Profiles | 4 | Autopilot deployment profiles, Enrollment Status Page, and Autopilot device preparation | | Conditional Access | 21 | Starter pack policy templates (created disabled) |

Important Warnings

⚠️ READ BEFORE USE

This Tool Can Modify Your Production Environment

  • Creates objects in your Intune tenant (policies, groups, filters)
  • Can delete objects when run with delete mode enabled
  • Modifies Conditional Access policies (though always created disabled)

Recommendations

  1. Test in a non-production tenant first - Use a dev/test tenant before running against production
  2. Always preview changes first - Use -WhatIf in parameter or settings mode
  3. Review the configuration - Understand what will be imported before running
  4. Have a rollback plan - Know how to manually remove configurations if needed
  5. Backup existing configurations - Export current settings before running

Deletion Safety

When using delete mode (-Delete parameter or "delete": true in settings), the kit will only delete objects that it created:

  • Objects must have "Imported by Intune-Hydration-Kit" or "Imported by Intune Hydration Kit" in their description
  • Conditional Access policies must also be in disabled state to be deleted
  • Manually created objects with the same names will NOT be deleted

Features

  • Idempotent - Safe to run multiple times; skips existing configurations
  • Dry-Run Mode - Preview changes with PowerShell -WhatIf before applying
  • Safe Deletion - Only removes objects created by this kit
  • Multi-Platform - Supports Windows, macOS, iOS, Android, and Linux
  • OpenIntuneBaseline Integration - Automatically downloads latest community baselines
  • Detailed Logging - Full audit trail of all operations
  • Summary Reports - Markdown and JSON reports of all changes

Prerequisites

Required PowerShell Version

  • PowerShell 7.0 or later

Required Modules

Install-Module Microsoft.Graph.Authentication -Scope CurrentUser

Note: This module uses Invoke-MgGraphRequest for all Graph API calls, so only the Authentication module is required.

Required Permissions

The authenticated user/app needs these Microsoft Graph permissions:

  • DeviceManagementConfiguration.ReadWrite.All
  • DeviceManagementServiceConfig.ReadWrite.All
  • DeviceManagementManagedDevices.ReadWrite.All
  • DeviceManagementScripts.ReadWrite.All
  • DeviceManagementApps.ReadWrite.All
  • Group.ReadWrite.All
  • Policy.Read.All
  • Policy.ReadWrite.ConditionalAccess
  • Application.Read.All
  • Directory.ReadWrite.All
  • LicenseAssignment.Read.All
  • Organization.Read.All

Installation

Option A: PowerShell Gallery (Recommended)

Install directly from the PowerShell Gallery:

Install-Module -Name IntuneHydrationKit -Scope CurrentUser

To update to the latest version:

Update-Module -Name IntuneHydrationKit

Option B: Clone from GitHub

For development or to use the latest unreleased changes:

git clone https://github.com/jorgeasaurus/Intune-Hydration-Kit.git
cd Intune-Hydration-Kit
Import-Module ./IntuneHydrationKit.psd1

Quick Start

The kit supports two invocation methods: parameters (recommended) or settings file (for complex configurations).

Using the PSGallery Module

After installing from PSGallery, use the Invoke-IntuneHydration function directly:

# Preview all targets with interactive auth
Invoke-IntuneHydration -TenantId "your-tenant-id" `
    -Interactive `
    -Create `
    -All `
    -WhatIf

# Run specific targets only
Invoke-IntuneHydration -TenantId "your-tenant-id" `
    -Interactive `
    -Create `
    -ComplianceTemplates `
    -DynamicGroups `
    -DeviceFilters

# Filter by platform (Windows only)
Invoke-IntuneHydration -TenantId "your-tenant-id" `
    -Interactive `
    -Create `
    -All `
    -Platform Windows

# Filter by multiple platforms
Invoke-IntuneHydration -TenantId "your-tenant-id" `
    -Interactive `
    -Create `
    -All `
    -Platform Windows, macOS

# Use service principal authentication
$secret = ConvertTo-SecureString "your-secret" -AsPlainText -Force
Invoke-IntuneHydration -TenantId "your-tenant-id" `
    -ClientId "app-id" `
    -ClientSecret $secret `
    -Create `
    -All

# Use a settings file for complex configurations
Invoke-IntuneHydration -SettingsPath ./settings.json

# Preview with settings file
Invoke-IntuneHydration -SettingsPath ./settings.json -WhatIf

Using the Cloned Repository

If you cloned the repository, use the wrapper script:

# Preview all targets with interactive auth
./Invoke-IntuneHydration.ps1 -TenantId "your-tenant-id" `
    -Interactive `
    -Create `
    -All `
    -WhatIf

# Run specific targets only
./Invoke-IntuneHydration.ps1 -TenantId "your-tenant-id" `
    -Interactive `
    -Create `
    -ComplianceTemplates `
    -DynamicGroups `
    -DeviceFilters

# Filter by platform (Windows and macOS only)
./Invoke-IntuneHydration.ps1 -TenantId "your-tenant-id" `
    -Interactive `
    -Create `
    -All `
    -Platform Windows, macOS

# Use service principal authentication
$secret = ConvertTo-SecureString "your-secret" -AsPlainText -Force
./Invoke-IntuneHydration.ps1 -TenantId "your-tenant-id" `
    -ClientId "app-id" `
    -ClientSecret $secret `
    -Create `
    -All

Using a Settings File

For complex or repeated configurations, use a settings file:

1. Create Your Settings File

# If using cloned repo
Copy-Item settings.example.json settings.json

# If using PSGallery module, create your own settings.json

Edit settings.json with your tenant details:

{
    "tenant": {
        "tenantId": "your-tenant-id-here",
        "tenantName": "yourtenant.onmicrosoft.com"
    },
    "authentication": {
        "mode": "interactive"
    },
    "options": {
        "dryRun": false,
        "create": true,
        "delete": false,
        "force": false
    }
}

2. Preview Changes (Recommended First Step)

# PSGallery module
Invoke-IntuneHydration -SettingsPath ./settings.json -WhatIf

# Cloned repo
./Invoke-IntuneHydration.ps1 -SettingsPath ./settings.json -WhatIf

3. Run the Hydration

# PSGallery module
Invoke-IntuneHydration -SettingsPath ./settings.json

# Cloned repo
./Invoke-IntuneHydration.ps1 -SettingsPath ./settings.json

Configuration

Settings File Options

Tenant Configuratio

jorgeasaurus

View profile

View on GitHub
GitHub Stars119
CategoryDevelopment
Updated1d ago
Forks11
jorgeasaurus/IntuneHydrationKit

Languages

PowerShell

Security Score

100/100

Audited on Mar 26, 2026

No findings