This blog post is about the following tool of mine: Intune Assignment Checker (ugurkoc.de)
The goal of this script is to get an overview of all assignments in Intune based on your search criteria.
Input (Identity):
- User(s)
- Group(s)
- Device(s)
Output (Assignments):
- Configuration Profile
- Compliance Policy
- Application
Demo
Background and Motivation
After releasing the tool, I want to provide some details and background information about the topic in this blog post.
Firstly, I am a big advocate for integrating such features into the product (in this case, Intune). Until these are available in Intune, I will continue to write scripts and automate them via Graph.
My motivation for creating this script was to have a straightforward way to view all assignments for an identity, whether it’s users or devices, in Intune at a glance. Of course, I can view the assignments through the portal, but only for one device at a time. Generally, I do not have insight into the assignments of a user or an entire Entra ID group in the Intune portal.
After automating the process for the user part via Graph, I expanded the script to support groups and devices. However, this was quite challenging because the responses from the Graph query sometimes changed, and I had to adjust the script to understand the response.
Following the release and announcements on Twitter and LinkedIn, I realized there was a significant demand in the community. Due to the feedback and issues on GitHub, I will expand the script and fix bugs. So feel free to visit the GitHub repository: https://github.com/ugurkocde/IntuneAssignmentChecker
Functionality
As mentioned above, the Graph API is the core component of this script. Essentially, the Graph API is the backend, and the Intune portal is the frontend. In short, the Graph API is the heart of it all. Depending on the permissions (Read, Write), we can do various tasks with Graph, even more than what the portal allows, including actions for which there are no colorful buttons 😁.
The Connect-MgGraph command facilitates authentication with the Graph API. I prefer using an App Registration for several reasons, including the ability to run the script independently of a single admin user and the potential to implement authentication via a certificate in the future.
Once authentication is successful, we can interact with Graph in different ways. Although Microsoft theoretically offers cmdlets, I primarily use Invoke-MgGraphRequest. I find it simpler because I don’t have to spend time looking up the names of individual endpoints; instead, I can check the network tab in the browser to see how the Intune portal makes queries in the background.
Simplified process:
- Get the Object ID of the user, group or device from Entra ID
- Check the members of the group / check the group memberships of the user or device
- Download all Intune Profiles and Apps
- Check Group IDs inside the Assignments of each Profile and App
- Output results
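As an added illustration of the five steps above (example code, not the tool's own), the following PowerShell resolves a user's transitive group memberships and matches them against the assignment targets of configuration profiles, compliance policies and apps, using read-only Graph permissions; the tenant, client and certificate values are placeholders.

```powershell
# Added example, not the Intune Assignment Checker code. Assumes an app registration
# holding only read permissions (e.g. DeviceManagementConfiguration.Read.All,
# DeviceManagementApps.Read.All, Group.Read.All); <...> values are placeholders.
Connect-MgGraph -TenantId '<tenant-id>' -ClientId '<client-id>' -CertificateThumbprint '<thumbprint>'

# Follow @odata.nextLink so paged results are not silently truncated
function Get-GraphCollection {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        if ($page.value) { $items += $page.value }
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

# Steps 1 and 2: resolve the user, then its transitive (nested) group memberships
function Get-UserGroupIds {
    param([string]$UserPrincipalName)
    $user   = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$UserPrincipalName"
    $groups = Get-GraphCollection "https://graph.microsoft.com/v1.0/users/$($user.id)/transitiveMemberOf/microsoft.graph.group?`$select=id"
    return @($groups.id)
}

# Steps 3 and 4: download each object type with its assignments and compare targets
# against the group IDs. Exclusion targets are reported as 'Excluded' because an
# excluded profile is not applied even if an include target also matches.
function Get-MatchingAssignments {
    param([string[]]$GroupIds)
    $uris = @{
        'Configuration Profile' = 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations?$expand=assignments'
        'Compliance Policy'     = 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies?$expand=assignments'
        'Application'           = 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps?$expand=assignments'
    }
    foreach ($type in $uris.Keys) {
        foreach ($item in (Get-GraphCollection $uris[$type])) {
            foreach ($a in $item.assignments) {
                $odata = $a.target.'@odata.type'
                $match = if ($odata -eq '#microsoft.graph.allLicensedUsersAssignmentTarget') { $true }
                         else { $GroupIds -contains $a.target.groupId }
                if (-not $match) { continue }
                $mode = if ($odata -eq '#microsoft.graph.exclusionGroupAssignmentTarget') { 'Excluded' } else { 'Included' }
                [pscustomobject]@{ Type = $type; Name = $item.displayName; Mode = $mode; Target = $odata }
            }
        }
    }
}

# Step 5: output the results (sample UPN is constructed)
Get-MatchingAssignments -GroupIds (Get-UserGroupIds 'user@contoso.example') | Format-Table -AutoSize
```

Device queries work the same way by replacing the `/users/{id}` lookup with `/devices/{id}` and treating `allDevicesAssignmentTarget` as a match instead of `allLicensedUsersAssignmentTarget`.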
Feel free to look at the code in the repository. I’ve tried to comment and clarify as much as possible within the code.
Conclusion
I hope the tool achieves its goal and helps you and the community to find the assignments more quickly. If you have any questions, you can reach me on X (@ugurkocde) or feel free to create an issue in the GitHub repository.