Ignite is turning out to be boiling over with new technologies and ideas, and you can really feel the momentum building behind Intune.
For those of you that are struggling to customize Intune to suit your organization’s requirements, there is a collection of PowerShell scripts on GitHub maintained by David Falkus (@davefalkus) and others at Microsoft and the community that you need to start using. These scripts have become a great reference for using Graph API, which is the supported method for connecting to Microsoft 365 cloud services.
The scripts have also helped with day-to-day management. I often use them to back up and upload Intune settings, which cuts down the time it takes me to stand up new Intune tenants for testing or to quickly deploy a proof-of-concept environment.
The scripts have also been used to migrate settings from a test tenant to a production environment, giving you more separation between production and test environments. I’m seeing more and more customers set up development environments as they explore new capabilities of Microsoft 365, and it just makes sense to prevent production outages.
Despite the accolades they deserve, the scripts are lengthy and can be a challenge to work with, and that has pushed some of us to explore PowerShell modules that simplify the management of Intune.
A PowerShell module is a much more friendly way of consuming Graph API.
That leads me to the topic of this post: the Intune PowerShell SDK is live, and you can find it (for free) on GitHub here: Intune PowerShell SDK. There is one technical requirement: if you are using Windows, your environment needs to have .NET 4.7.1 installed. There is a separate release for cloud support, Cloud Shell, which will be the topic for another post.
Be warned that the .NET 4.7.1 install will likely require a reboot.
First download the release from https://github.com/Microsoft/Intune-PowerShell-SDK/releases and extract it.
Copy and paste the “net471” folder to your machine.
For simplicity’s sake, I’ve saved it to the root of my C:\ drive. Open a PowerShell prompt and go to the folder C:\net471.
Next, import the PowerShell module using the following command.
Import-Module ./Microsoft.Graph.Intune.psd1
Now let’s connect to your tenant using PowerShell.
Connect-MSGraph
For this example, the login prompt appears, but I want to connect to my test tenant so I’ll select: “Use another account”.
Enter the username for your tenant and click Next.
Enter your password and click Sign in.
This method supports multi-factor authentication, so answer the authenticator prompt to continue. You should then see output indicating the tenant you are connected to.
I’ll demonstrate the current list of cmdlets by using Get-Command to see what is available:
Get-Command -Module Microsoft.Graph.Intune
As you can see, the list is quite extensive: 1287 cmdlets, to be exact. Here I’ll show you how you can get a list of the device configuration profiles in your tenant with the following command.
Get-DeviceManagement_DeviceConfigurations
The policies are best exported in JSON format, but don’t be deceived: we need to do some formatting with PowerShell.
For now, I’ll select only one device configuration profile such as the AppLocker configuration profile by using the GUID in the ID field for the policy. The following command line will select only the AppLocker configuration profile.
Get-DeviceManagement_DeviceConfigurations -deviceConfigurationId d8ff0a99-5513-4bf2-b827-204a84ea0eb5
So we returned the policy, but to convert the output to proper JSON we need to pipe it to the ConvertTo-Json cmdlet as shown below.
Get-DeviceManagement_DeviceConfigurations -deviceConfigurationId d8ff0a99-5513-4bf2-b827-204a84ea0eb5 | ConvertTo-Json
If I want to pull this all together and back up the settings to a JSON file, I have to pipe it once more to a file by using the Out-File cmdlet as shown below.
Get-DeviceManagement_DeviceConfigurations -deviceConfigurationId d8ff0a99-5513-4bf2-b827-204a84ea0eb5 | ConvertTo-Json | Out-File .\AppLocker.JSON
The output is piped to the file so we can open the file with an editor such as Visual Studio Code to view the result.
FYI I also like extensions to help with JSON in Visual Studio Code such as the JSON Editor to add a better viewing experience with JSON documents.
This not only serves as a backup of my device configuration profile, but JSON files can easily be used to input the settings into another tenant. More on that for another day.
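To extend the single-profile backup above to every profile in the tenant, here is an added example (not from the original post or the SDK project). It assumes the module is imported, Connect-MSGraph has succeeded, and the profile list fits in one response; the IntuneBackup folder and manifest.csv names are hypothetical. It passes -Depth to ConvertTo-Json because the default depth of 2 flattens nested settings, and it records a SHA-256 hash per file so later changes to a backup can be detected.

```powershell
# Added example: back up every device configuration profile to its own JSON file.
# Assumes Import-Module and Connect-MSGraph have already been run in this session.

$backupDir = Join-Path (Get-Location) 'IntuneBackup'   # hypothetical output folder
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# @() forces an array even when the tenant has only one profile.
$configs = @(Get-DeviceManagement_DeviceConfigurations)

$manifest = foreach ($cfg in $configs) {
    if (-not $cfg.id) {
        Write-Warning 'Skipping an object without an id (not a profile?)'
        continue
    }

    # Name the file after the profile GUID: always a valid file name,
    # unlike displayName, which may contain characters such as ':' or '/'.
    $file = Join-Path $backupDir ("{0}.json" -f $cfg.id)

    # ConvertTo-Json defaults to -Depth 2; deeper settings would be
    # replaced by type names and the backup would be unusable.
    $cfg | ConvertTo-Json -Depth 20 | Out-File -FilePath $file -Encoding utf8

    # Round-trip check: the file must parse and still describe this profile.
    $check = Get-Content -Path $file -Raw | ConvertFrom-Json
    if ($check.id -ne $cfg.id) {
        Write-Warning "Backup of $($cfg.id) did not round-trip; inspect $file"
        continue
    }

    # One manifest row per profile: id, readable name, and file hash.
    [pscustomobject]@{
        Id          = $cfg.id
        DisplayName = $cfg.displayName
        File        = Split-Path $file -Leaf
        SHA256      = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    }
}

# The manifest lets you compare two backups and spot changed or missing profiles.
$manifest | Export-Csv -Path (Join-Path $backupDir 'manifest.csv') -NoTypeInformation
"Backed up $(@($manifest).Count) of $($configs.Count) profiles to $backupDir"
```

The exported JSON describes your tenant's security policy, so keep the backup folder under the same access control you apply to other configuration data.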
As you can see, the Intune PowerShell module opens up a world of functionality.
If you are using Intune as a customer, ISV or consultant, I strongly urge you to get to know these PowerShell cmdlets and try using them to master your Intune environment. I’ve shown you how to back up your existing policies, and I recommend that as a good starting place for newcomers.
Once you have the basic mechanics down, explore some of the additional functionality contained in the module. Expect more possibilities to automate common tasks and open up new scenarios in your organization with this method for using Graph API.