Export All Scope Tags of All Devices, Apps, Policies, and Scripts in Intune

I was working on a blog post about Intune RBAC and also created a couple of scripts and tools around that same topic, I wanted to share a script of mine to export all scope tags in Intune. This is a simple Powershell Script that will interact with the Graph API and export a CSV File that will contain all assigned scope tags to all Intune Objects including Devices, Apps and Policies.

You can find the script here:


How does this script work?

Let´s walk through the PowerShell script step by step:

Step 1: Authentication to Microsoft Graph: The first step is to authenticate to the Microsoft Graph API using OAuth 2.0. The script uses an App Registration to authenticate. Users need to fill in their App ID, Tenant ID, and Secret in the appropriate variables. This authentication step is crucial for ensuring secure access to Microsoft Graph resources.

Step 2: Function to Fetch Scope Tag Details: The script defines a function called Get-ScopeTagDetails. This function queries the Microsoft Graph API to retrieve details about role scope tags. Role scope tags are used for managing access control for various device management operations.

Step 3: Function to Fetch Devices and their Scope Tags: The Get-ManagedDevices function is used to fetch details about managed devices. It makes API calls to retrieve a list of managed devices and their associated role scope tags. The script handles pagination to ensure all devices are fetched.

Step 4: Function to Fetch Device Configuration Details: The Get-DeviceConfigDetails function retrieves information about device configurations. It takes a device configuration as input and fetches details, including the associated scope tags.

Step 5: Function to Fetch Device Compliance Policy Details: Similarly, the Get-DeviceCompliancePolicyDetails function fetches details about device compliance policies, including their associated scope tags.

Step 6: Function to Fetch Device Shell Script Details: The Get-DeviceShellScriptDetails function retrieves information about device shell scripts, including the scope tags associated with each script.

Step 7: Function to Fetch Configuration Policy Details: The Get-ConfigurationPolicyDetails function fetches details about configuration policies, including the scope tags and supported platforms.

Step 8: Function to Fetch Mobile App Details: The Get-MobileAppDetails function focuses on mobile apps. It retrieves details about mobile apps, including their scope tags, and handles pagination for a comprehensive list.

Step 9: Fetching and Processing Data: In this step, the script combines all the retrieved data into a single collection called $results. This collection contains information about managed devices, device configurations, compliance policies, shell scripts, configuration policies, and mobile apps. The script iterates through each item and formats it for output.

Final Output Options: The script offers various output options:

  • It can display the results in a list format using Format-List.
  • It can display the results in a grid view for interactive selection using Out-GridView.
  • It can export the results to a CSV file for further analysis or reporting.


PowerShell Version: The script requires PowerShell version 5.1 or higher to function correctly.

EntraID App Registration: To authenticate with the Microsoft Graph API, you need to create an Azure AD App Registration. This involves creating an application in the Azure portal, which will provide you with an App ID and Secret.

Appropriate Permissions: The App Registration used by the script should have the necessary permissions and scopes assigned to access the Microsoft Graph resources related to device management. The script specifies the required scopes:

  • DeviceManagementManagedDevices.Read.All,
  • DeviceManagementRBAC.Read.All,
  • DeviceManagementApps.Read.All, and
  • DeviceManagementConfiguration.Read.All.

Ensure that these permissions are granted to the App Registration.


I wrote this script to help myself with a nice overview of all Scope Tags that are currently assigned to all the Objects in Intune. I hope that this script will also help you.

Any questions or suggestions? Message me on Twitter @ugurkocde

3 thoughts on “Export All Scope Tags of All Devices, Apps, Policies, and Scripts in Intune”

  1. Hello,

    Thanks for you work, is rellay interested!
    Will be good to have the required permission required by the registered app.

    • Hello,

      the permissions are listed on line 37 in the PowerShell Script.

      -> DeviceManagementManagedDevices.Read.All,
      -> DeviceManagementRBAC.Read.All,
      -> DeviceManagementApps.Read.All,
      -> DeviceManagementConfiguration.Read.All

      This permissions are enough to read the scopes from all objects in Intune.

      Best regards

Comments are closed.