IntuneAssignmentChecker
This script enables IT administrators to analyze and audit Intune assignments. It checks assignments for specific users, groups, or devices, displays all policies and their assignments, identifies unassigned policies and detects empty groups in assignments.
🔍 Intune Assignment Checker
<div align="center">
<p>
<a href="https://twitter.com/UgurKocDe"> <img src="https://img.shields.io/badge/Follow-@UgurKocDe-1DA1F2?style=flat&logo=x&logoColor=white" alt="Twitter Follow"/> </a>
<a href="https://www.linkedin.com/in/ugurkocde/"> <img src="https://img.shields.io/badge/LinkedIn-Connect-0A66C2?style=flat&logo=linkedin" alt="LinkedIn"/> </a>
<img src="https://img.shields.io/github/license/ugurkocde/IntuneAssignmentChecker?style=flat" alt="License"/>
</p>
<a href="https://www.powershellgallery.com/packages/IntuneAssignmentChecker"> <img src="https://img.shields.io/powershellgallery/v/IntuneAssignmentChecker?style=flat&label=PSGallery%20Version" alt="PowerShell Gallery Version"/> </a>
<a href="https://www.powershellgallery.com/packages/IntuneAssignmentChecker"> <img src="https://img.shields.io/powershellgallery/dt/IntuneAssignmentChecker?style=flat&label=PSGallery%20Downloads&color=brightgreen" alt="PowerShell Gallery Downloads"/> </a>
</div>

📑 Table of Contents
- 🚀 Quick Start
- ✨ Features
- 📋 Prerequisites
- 🔐 Authentication Options
- 📖 Usage
- 💬 Community
- 🤝 Contributing
- 📄 License
Quick Start
Important: All commands must be run in a PowerShell 7 session. The script will not work in PowerShell 5.1 or earlier versions.
Option 1: Install from PowerShell Gallery (Recommended)
```powershell
# Install from PowerShell Gallery
Install-PSResource IntuneAssignmentChecker

# Open a new PowerShell 7 session, then run the script with
IntuneAssignmentChecker
```
If you encounter any issues during installation, try reinstalling:
```powershell
Install-PSResource IntuneAssignmentChecker -Reinstall
```
To update to the latest version:
```powershell
Update-PSResource IntuneAssignmentChecker
```
Option 2: Manual Installation
```powershell
# Install the Microsoft Graph PowerShell SDK (only the Authentication module is needed)
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser

# Download the script from the repository and run it
.\IntuneAssignmentChecker.ps1
```
✨ Features
- 🔍 Check assignments for users, groups, and devices
- 📱 View all 'All User' and 'All Device' assignments
- 🔐 Support for certificate-based and client secret authentication
- 🔄 Built-in auto-update functionality
- 📊 Detailed reporting of Configuration Profiles, Compliance Policies, and Applications
- 📈 Interactive HTML reports with charts and filterable tables
🎥 Demo
<div align="center"> <a href="https://www.youtube.com/watch?v=uHBIGfa8mIM"> <img src="https://img.youtube.com/vi/uHBIGfa8mIM/maxresdefault.jpg" alt="IntuneAssignmentChecker" style="width:100%;"> </a> </div>

📋 Prerequisites
Required PowerShell Version
- PowerShell 7.0 or higher is required
- The script will not work with PowerShell 5.1 or earlier versions
- You can check your PowerShell version by running:
  ```powershell
  $PSVersionTable.PSVersion
  ```
- Download PowerShell 7 from: https://aka.ms/powershell-release?tag=stable
Required PowerShell Modules
- Microsoft Graph PowerShell SDK
- Specifically Microsoft.Graph.Authentication
Required Permissions
Your Entra ID application registration needs these permissions:

| Permission | Type | Description |
|------------|------|-------------|
| User.Read.All | Application | Read all users' full profiles |
| Group.Read.All | Application | Read all groups |
| Device.Read.All | Application | Read all devices |
| DeviceManagementApps.Read.All | Application | Read Microsoft Intune apps |
| DeviceManagementConfiguration.Read.All | Application | Read Microsoft Intune device configuration and policies |
| DeviceManagementManagedDevices.Read.All | Application | Read Microsoft Intune devices |
| DeviceManagementScripts.Read.All | Application | Read device management and health scripts |
| CloudPC.Read.All | Application | Read Windows 365 Cloud PC provisioning policies and settings |
| DeviceManagementRBAC.Read.All | Application | Read role scope tags for scope tag display and filtering |
🔐 Authentication Options
Option 1: Certificate-Based Authentication (Recommended for automation)
Follow these steps if you want to use certificate authentication with an app registration:
1. Create an Entra ID App Registration:
   - Navigate to Azure Portal > Entra ID > App Registrations
   - Click "New Registration"
   - Name your application (e.g., "IntuneAssignmentChecker")
   - Select "Accounts in this organizational directory only"
   - Click "Register"
2. Grant required Application permissions:
   - In your app registration, go to "API Permissions"
   - Click "Add a permission" > "Microsoft Graph"
   - Select "Application permissions"
   - Add all required permissions listed in Prerequisites
   - Click "Grant admin consent"
3. Create and configure certificate authentication:

   ```powershell
   # Create a self-signed certificate and keep the returned object,
   # so the export below does not depend on a subject-name lookup
   $cert = New-SelfSignedCertificate `
       -Subject "CN=IntuneAssignmentChecker" `
       -CertStoreLocation "cert:\CurrentUser\My" `
       -NotAfter (Get-Date).AddYears(2) `
       -KeySpec Signature `
       -KeyExportPolicy Exportable

   # Export only the public certificate (.cer, no private key) for upload to the app registration
   New-Item -ItemType Directory -Path "C:\temp" -Force | Out-Null
   Export-Certificate -Cert $cert -FilePath "C:\temp\IntuneAssignmentChecker.cer"

   # Note the thumbprint; the script needs it for $certThumbprint in step 5
   $cert.Thumbprint
   ```
4. Upload certificate to your app registration:
   - In Azure Portal, go to your app registration
   - Click "Certificates & secrets"
   - Select "Certificates"
   - Click "Upload certificate"
   - Upload the .cer file you exported (C:\temp\IntuneAssignmentChecker.cer)
5. Configure the script with your app details:

   ```powershell
   # Update these values in the script
   $appid          = '<YourAppIdHere>'    # Application (Client) ID
   $tenantid       = '<YourTenantIdHere>' # Directory (Tenant) ID
   $certThumbprint = '<YourThumbprint>'   # Certificate Thumbprint
   ```
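Once the certificate is uploaded, the app-only connection can be verified before the checker runs. The block below is an added example, not code from the IntuneAssignmentChecker project: it connects with the certificate from the steps above, warns when the certificate is close to expiry, and compares the permissions reported by `(Get-MgContext).Scopes` against the read-only set in the Prerequisites table, flagging both missing permissions (admin consent not yet granted) and permissions beyond what the script needs. The parameter values are placeholders, and the `-Environment` choice mirrors the Global / USGov / USGovDoD prompt the script itself offers.

```powershell
#Requires -Version 7.0
#Requires -Modules Microsoft.Graph.Authentication
# Added example: verify the certificate and the app's effective permissions (not part of the project).
param(
    [string]$AppId          = '<YourAppIdHere>',    # placeholder: Application (Client) ID
    [string]$TenantId       = '<YourTenantIdHere>', # placeholder: Directory (Tenant) ID
    [string]$CertThumbprint = '<YourThumbprint>',   # placeholder: thumbprint printed in step 3
    [ValidateSet('Global', 'USGov', 'USGovDoD')]
    [string]$Environment    = 'Global'
)

# The read-only application permissions listed in the Prerequisites table
$requiredPermissions = @(
    'User.Read.All', 'Group.Read.All', 'Device.Read.All',
    'DeviceManagementApps.Read.All', 'DeviceManagementConfiguration.Read.All',
    'DeviceManagementManagedDevices.Read.All', 'DeviceManagementScripts.Read.All',
    'CloudPC.Read.All', 'DeviceManagementRBAC.Read.All'
)

# 1. The certificate must exist in the user store and should not be about to expire
$cert = Get-Item -Path "Cert:\CurrentUser\My\$CertThumbprint" -ErrorAction Stop
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter); rotate it before it lapses."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; app-only sign-in will fail."
}

# 2. App-only sign-in: no interactive prompt, so this also works unattended
Connect-MgGraph -ClientId $AppId -TenantId $TenantId -CertificateThumbprint $CertThumbprint `
    -Environment $Environment -NoWelcome -ErrorAction Stop

# 3. Compare the granted permissions with the required set
$granted = @((Get-MgContext).Scopes)
$missing = @($requiredPermissions | Where-Object { $_ -notin $granted })
$extra   = @($granted | Where-Object { $_ -notin $requiredPermissions })

if ($missing.Count -gt 0) {
    Write-Warning "Missing permissions (grant admin consent first): $($missing -join ', ')"
}
if ($extra.Count -gt 0) {
    Write-Warning "Permissions beyond what the checker needs (least privilege): $($extra -join ', ')"
}
if ($extra | Where-Object { $_ -match 'ReadWrite' }) {
    Write-Warning "Write permissions are granted to an app that only needs to read; remove them."
}
if ($missing.Count -eq 0) {
    Write-Host "All $($requiredPermissions.Count) required permissions are present."
}
```

The "extra permissions" warning is the point worth keeping in a scheduled job: the app registration is the credential an attacker would reuse if the certificate leaked, so its permissions should stay exactly the read-only set the checker requires.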
Option 2: Client Secret Authentication
If you prefer a simpler setup than certificates but still need non-interactive authentication, you can use a client secret:
1. Create an Entra ID App Registration (same steps as Option 1, steps 1-2)
2. Create a client secret:
   - In Azure Portal, go to your app registration
   - Click "Certificates & secrets"
   - Select "Client secrets"
   - Click "New client secret"
   - Add a description and select an expiry period
   - Click "Add"
   - Copy the secret value immediately -- it will not be shown again
3. Run the script with the client secret:

   ```powershell
   .\IntuneAssignmentChecker.ps1 -AppId "your-app-id" -TenantId "your-tenant-id" -ClientSecret "your-client-secret"
   ```
Security Note: Never hard-code client secrets in scripts or commit them to source control. Use secure methods such as Azure Key Vault, environment variables, or secure parameter input to manage secrets.
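One way to follow the security note in practice, as an added example that is not part of the project: resolve the secret at run time from a SecretManagement vault entry or an environment variable set by the job runner, pass it to the script's `-ClientSecret` parameter, and clear it afterwards. The vault entry name `IntuneAssignmentChecker` and the `INTUNE_CHECKER_*` environment variables are assumed names for this example.

```powershell
#Requires -Version 7.0
# Added example: supply the client secret without hard-coding it (not part of the project).

function Get-CheckerClientSecret {
    # Prefer a Microsoft.PowerShell.SecretManagement vault when the module is available;
    # the entry name 'IntuneAssignmentChecker' is an assumption for this example
    if (Get-Command Get-Secret -ErrorAction SilentlyContinue) {
        $fromVault = Get-Secret -Name 'IntuneAssignmentChecker' -AsPlainText -ErrorAction SilentlyContinue
        if ($fromVault) { return $fromVault }
    }
    # Fall back to an environment variable injected by the CI/CD runner or scheduler
    if ($env:INTUNE_CHECKER_SECRET) { return $env:INTUNE_CHECKER_SECRET }
    throw 'No client secret found: store it in a SecretManagement vault or set INTUNE_CHECKER_SECRET.'
}

# App and tenant IDs are not secrets, but keeping them out of the script makes it tenant-agnostic
$appId    = $env:INTUNE_CHECKER_APPID
$tenantId = $env:INTUNE_CHECKER_TENANTID
if (-not $appId -or -not $tenantId) {
    throw 'Set INTUNE_CHECKER_APPID and INTUNE_CHECKER_TENANTID before running.'
}

$secret = Get-CheckerClientSecret
try {
    & .\IntuneAssignmentChecker.ps1 -AppId $appId -TenantId $tenantId -ClientSecret $secret
}
finally {
    # Do not leave the secret behind in the session for later commands or transcripts
    Remove-Variable -Name secret -ErrorAction SilentlyContinue
}
```

The secret still crosses the process boundary as a plain string because that is what the script's `-ClientSecret` parameter takes, so keep transcript logging and command-line auditing of this job in mind; what the wrapper prevents is the secret ever being written into the script file or the repository.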
Option 3: Interactive Authentication (Simpler setup)
If you prefer not to set up an app registration, you can use interactive authentication:
You can simply run the script without any changes. It will ask which Intune environment you want to connect to (Global, USGov, or USGovDoD) and whether you want to use interactive authentication; type "y" and press Enter.
This will prompt you to sign in with your credentials when running the script. The permissions will be based on your user account's roles and permissions in Entra ID.
Which Option Should I Choose?
- Choose Certificate Authentication if you:
  - Need to run the script unattended
  - Want the most secure non-interactive option
  - Need consistent permissions regardless of user
  - Are comfortable with certificate management
- Choose Client Secret Authentication if you:
  - Need to run the script unattended
  - Want a simpler setup than certificates
  - Are able to securely manage secret rotation before expiry
  - Prefer not to deal with certificate creation and installation
- Choose Interactive Authentication if you:
  - Want the simplest setup
  - Don't need automation
  - Are comfortable using your user credentials
  - Only need to run the script occasionally
Note: Keep your certificate and app credentials secure! Anyone with access to these can access your Intune environment with the configured permissions.
📋 Prerequisites (Automated Setup Available)
Good news! You can automate most prerequisites using the provided helper script.
✅ Automated Setup
You can use the provided PowerShell automation script Register-IntuneAssignmentCheckerApp.ps1 to automatically:
- Create the Entra ID App Registration
- Assign all required Microsoft Graph permissions
- Generate a self-signed certificate
- Upload the certificate to the app registration
- Export the certificate for use with the script
Run the automation script:
```powershell
# Download the script from the repository
# Make sure to run with sufficient permissions (Global Admin)
.\Register-IntuneAssignmentCheckerApp.ps1
```
Note: After the script completes, you still need to grant Admin Consent for the assigned API permissions in the Azure Portal: Entra ID → App registrations → Your App → API permissions → "Grant admin consent for ...".
📖 Usage
The script can be used in two ways:
- Interactive Mode: Menu-driven interface for manual exploration
- Command-Line Mode: Parameter-based execution for automation and scripting
🖥️ Command-Line Parameters
You can run the script with parameters to automate tasks without user interaction:
```powershell
# Check assignments for a specific user and export to CSV
.\IntuneAssignmentChecker.ps1 -CheckUser -U
```