Get all assigned Intune policies and apps per Azure AD group

During MMS JAZZ Edition in New Orleans a couple of weeks ago, the amazing Sandy Zeng and I did a presentation on using the Intune PowerShell SDK, and in that demo-packed session we showed off a script that can find the policies and apps assigned to an AAD group.

https://mmsjazz.sched.com/event/Rmdh/intune-graph-api-ftw

More info about MMS:

https://mmsmoa.com/

A little bit of back story to this script. One of the most frustrating things we have come across when working with Intune and AAD is that there is no way to go to an AAD group and see which Intune assignments target that group. Instead you have to open each policy or app and check which groups it is assigned to, which can be a nightmare if you have a lot of different policies and apps assigned to multiple groups.

The sample script below has one section for all the applications that have been assigned, followed by sections for Device Compliance, Device Configuration, Device Configuration PowerShell scripts and Administrative templates.

One thing that might be confusing when looking through the script is that not all policy types share one common property name, even though they sit in the same blade and pane in the Intune portal.

For example, Device Configuration policies and Administrative templates are different object types, so when we use the Intune PowerShell SDK and Get-IntuneDeviceConfigurationPolicy we won't get any Administrative templates or PowerShell scripts. I haven't been able to find a specific cmdlet for those in the 1907 SDK version, which is why we need to use Invoke-MSGraphRequest to get those policies.

Note: you need to have the Intune PowerShell module (Microsoft.Graph.Intune) installed to use the script:
https://www.powershellgallery.com/packages/Microsoft.Graph.Intune/6.1907.1.0

Sample script

# Connect and change schema (the beta schema is needed for the assignment expansions below)
Connect-MSGraph -ForceInteractive
Update-MSGraphEnvironment -SchemaVersion beta
Connect-MSGraph

# Which AAD group do we want to check against
$GroupName = "All-Windows"

#$Groups = Get-AADGroup | Get-MSGraphAllPages
$Group = Get-AADGroup -Filter "displayName eq '$GroupName'"

#### Config Don't change

Write-Host "AAD Group Name: $($Group.displayName)" -ForegroundColor Green

# Apps: only apps that have at least one assignment, with the assignments expanded inline
$AllAssignedApps = Get-IntuneMobileApp -Filter "isAssigned eq true" -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
Write-Host "Number of Apps found: $($AllAssignedApps.DisplayName.Count)" -ForegroundColor Cyan
Foreach ($Config in $AllAssignedApps) {
    Write-Host $Config.displayName -ForegroundColor Yellow
}


# Device Compliance
$AllDeviceCompliance = Get-IntuneDeviceCompliancePolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
Write-Host "Number of Device Compliance policies found: $($AllDeviceCompliance.DisplayName.Count)" -ForegroundColor Cyan
Foreach ($Config in $AllDeviceCompliance) {
    Write-Host $Config.displayName -ForegroundColor Yellow
}


# Device Configuration (does not include Administrative templates or PowerShell scripts)
$AllDeviceConfig = Get-IntuneDeviceConfigurationPolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
Write-Host "Number of Device Configurations found: $($AllDeviceConfig.DisplayName.Count)" -ForegroundColor Cyan
Foreach ($Config in $AllDeviceConfig) {
    Write-Host $Config.displayName -ForegroundColor Yellow
}

# Device Configuration PowerShell Scripts: no SDK cmdlet in 1907, so call Graph directly
$Resource = "deviceManagement/deviceManagementScripts"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=groupAssignments"
$DMS = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
# Scripts expose their targets as groupAssignments (not assignments), matching the $expand above
$AllDeviceConfigScripts = $DMS.value | Where-Object {$_.groupAssignments -match $Group.id}
Write-Host "Number of Device Configuration PowerShell Scripts found: $($AllDeviceConfigScripts.DisplayName.Count)" -ForegroundColor Cyan

Foreach ($Config in $AllDeviceConfigScripts) {
    Write-Host $Config.displayName -ForegroundColor Yellow
}



# Administrative templates (group policy configurations), also only reachable via Graph
$Resource = "deviceManagement/groupPolicyConfigurations"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=Assignments"
$ADMT = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
$AllADMT = $ADMT.value | Where-Object {$_.assignments -match $Group.id}
Write-Host "Number of Device Administrative Templates found: $($AllADMT.DisplayName.Count)" -ForegroundColor Cyan
Foreach ($Config in $AllADMT) {
    Write-Host $Config.displayName -ForegroundColor Yellow
}



When the script runs, the result is written to the screen with Write-Host: which group it looked at, which kind of policy or app it found, and the name of each item.

Running the sample script on all AAD groups

If you instead want to run the script against all of your Azure AD groups, change the $Group variable to the full list of groups and wrap the checks in a foreach loop. If you have a lot of AAD groups it can take a while for the script to run.

# Connect and change schema
Connect-MSGraph -ForceInteractive
Update-MSGraphEnvironment -SchemaVersion beta
Connect-MSGraph

# All AAD groups; Get-MSGraphAllPages follows the paging links so large tenants are covered
$Groups = Get-AADGroup | Get-MSGraphAllPages

#### Config
Foreach ($Group in $Groups) {
    Write-Host "AAD Group Name: $($Group.displayName)" -ForegroundColor Green

    # Apps
    $AllAssignedApps = Get-IntuneMobileApp -Filter "isAssigned eq true" -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
    Write-Host "Number of Apps found: $($AllAssignedApps.DisplayName.Count)" -ForegroundColor Cyan
    Foreach ($Config in $AllAssignedApps) {
        Write-Host $Config.displayName -ForegroundColor Yellow
    }


    # Device Compliance
    $AllDeviceCompliance = Get-IntuneDeviceCompliancePolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
    Write-Host "Number of Device Compliance policies found: $($AllDeviceCompliance.DisplayName.Count)" -ForegroundColor Cyan
    Foreach ($Config in $AllDeviceCompliance) {
        Write-Host $Config.displayName -ForegroundColor Yellow
    }


    # Device Configuration
    $AllDeviceConfig = Get-IntuneDeviceConfigurationPolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
    Write-Host "Number of Device Configurations found: $($AllDeviceConfig.DisplayName.Count)" -ForegroundColor Cyan
    Foreach ($Config in $AllDeviceConfig) {
        Write-Host $Config.displayName -ForegroundColor Yellow
    }

    # Device Configuration PowerShell Scripts (no SDK cmdlet in 1907, so call Graph directly)
    $Resource = "deviceManagement/deviceManagementScripts"
    $graphApiVersion = "Beta"
    $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=groupAssignments"
    $DMS = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
    # Scripts expose their targets as groupAssignments (not assignments), matching the $expand above
    $AllDeviceConfigScripts = $DMS.value | Where-Object {$_.groupAssignments -match $Group.id}
    Write-Host "Number of Device Configuration PowerShell Scripts found: $($AllDeviceConfigScripts.DisplayName.Count)" -ForegroundColor Cyan

    Foreach ($Config in $AllDeviceConfigScripts) {
        Write-Host $Config.displayName -ForegroundColor Yellow
    }



    # Administrative templates
    $Resource = "deviceManagement/groupPolicyConfigurations"
    $graphApiVersion = "Beta"
    $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=Assignments"
    $ADMT = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
    $AllADMT = $ADMT.value | Where-Object {$_.assignments -match $Group.id}
    Write-Host "Number of Device Administrative Templates found: $($AllADMT.DisplayName.Count)" -ForegroundColor Cyan
    Foreach ($Config in $AllADMT) {
        Write-Host $Config.displayName -ForegroundColor Yellow
    }

}
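Both scripts call Graph once per policy type for every group and, because they match the group id with a regex, report an exclusion target as if the policy were assigned to the group. The added example below (mine, not the post's or the SDK's code) indexes policies that were already fetched with -Expand assignments once by target and keeps include and exclude targets apart; the policy objects and GUIDs are constructed, and the @odata.type strings are the Graph assignment target types.

```powershell
# Added example: index fetched policies by assignment target, once, and distinguish
# include from exclude targets. Objects are constructed here; in a tenant they would
# come from Get-IntuneMobileApp / Get-IntuneDeviceConfigurationPolicy (-Expand assignments)
# or Invoke-MSGraphRequest with ?$expand=assignments.

function Get-AssignmentIndex {
    param(
        [Parameter(Mandatory)] [string]   $Kind,     # label for the report, e.g. "App"
        [Parameter(Mandatory)] [object[]] $Policies  # objects with displayName + assignments
    )
    $index = @{}   # groupId (or 'AllDevices' / 'AllUsers') -> list of entries
    foreach ($p in $Policies) {
        foreach ($a in $p.assignments) {
            $t = $a.target
            $type = $t.'@odata.type'
            # An exclusion target removes the group from scope; it is not an assignment
            $mode = if ($type -eq '#microsoft.graph.exclusionGroupAssignmentTarget') { 'Exclude' } else { 'Include' }
            $key = switch ($type) {
                '#microsoft.graph.allDevicesAssignmentTarget'       { 'AllDevices' }
                '#microsoft.graph.allLicensedUsersAssignmentTarget' { 'AllUsers' }
                default                                             { $t.groupId }
            }
            if (-not $key) { continue }   # unknown target type, skip it
            if (-not $index.ContainsKey($key)) { $index[$key] = [System.Collections.Generic.List[object]]::new() }
            $index[$key].Add([pscustomobject]@{ Kind = $Kind; Name = $p.displayName; Mode = $mode })
        }
    }
    return $index
}

function Show-GroupAssignments {
    param([Parameter(Mandatory)] [hashtable] $Index, [Parameter(Mandatory)] [object] $Group)
    $entries = @($Index[$Group.id])
    Write-Host "AAD Group Name: $($Group.displayName) ($($entries.Count) targets)" -ForegroundColor Green
    foreach ($e in $entries | Sort-Object Kind, Name) {
        $color = if ($e.Mode -eq 'Exclude') { 'Red' } else { 'Yellow' }
        Write-Host ("  [{0}] {1}: {2}" -f $e.Mode, $e.Kind, $e.Name) -ForegroundColor $color
    }
}

# Constructed sample data standing in for Graph output (the GUID is a placeholder)
$grp  = [pscustomobject]@{ id = '11111111-1111-1111-1111-111111111111'; displayName = 'All-Windows' }
$apps = @(
    [pscustomobject]@{ displayName = 'Company Portal'; assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $grp.id } }) },
    [pscustomobject]@{ displayName = 'Legacy VPN'; assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'; groupId = $grp.id } }) },
    [pscustomobject]@{ displayName = 'Defender'; assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }) }
)
$index = Get-AssignmentIndex -Kind 'App' -Policies $apps
Show-GroupAssignments -Index $index -Group $grp   # Company Portal as Include, Legacy VPN as Exclude
```

Policies under the 'AllDevices' and 'AllUsers' keys apply to the group's members too, so an audit of one group should also print those two buckets.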

That's it for this time; leave any comments below and don't forget to follow me on Twitter @Timmyitdotcom

You can also find me blogging over at http://blog.ctglobalservices.com/

35 comments

  1. Exactly what I needed after inheriting an existing Intune deployment that 3 other IT providers have been administering over the past 3 years… Thanks!

  2. When I run Get-IntuneMobileApp I don't get the "assignments" property. Any ideas why?
    Thanks!

    1. Change line 17. It's backwards: you need to -expand the property before selecting it.

      $AllAssignedApps = Get-IntuneMobileApp -Expand assignments | Select id, displayName, lastModifiedDateTime, assignments | Where-Object {$_.assignments -match $Group.id}

  3. Please correct me if I’m wrong, but to my understanding “Get-AADGroup” is not a real command. What you should be using is Get-AzureADGroup ?

  4. Great resource and learning aid to GraphAPI for Intune.

    There is however an error in the # Device Configuration Powershell Scripts section in both scripts.

    $AllDeviceConfigScripts = $DMS.value | Where-Object {$_.assignments -match $Group.id}

    should be

    $AllDeviceConfigScripts = $DMS.value | Where-Object {$_.groupAssignments -match $Group.id}

  5. You say “If you have a lot of AAD groups it can take a while for the script to run.” You can speed this up significantly by running:

    $AllAssignedApps = Get-IntuneMobileApp -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments
    $AllDeviceCompliance = Get-IntuneDeviceCompliancePolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments
    $AllDeviceConfig = Get-IntuneDeviceConfigurationPolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments

    ..outside of the main loop, and:

    $AssignedApps = $AllAssignedApps | Where-Object {$_.assignments -match $Group.id}
    $DeviceCompliance = $AllDeviceCompliance | Where-Object {$_.assignments -match $Group.id}
    $DeviceConfig = $AllDeviceConfig | Where-Object {$_.assignments -match $Group.id}

    ..inside it.

  6. Echoing the previous comment made for gathering assigned PowerShell scripts.

    $AllDeviceConfigScripts = $DMS.value | Where-Object {$_.assignments -match $Group.id}

    should be

    $AllDeviceConfigScripts = $DMS.value | Where-Object {$_.groupAssignments -match $Group.id}

    you can verify by looking at $DMS.Value … there’s no “assignments” property.

  7. Great script, but it doesn't list the "settings catalog" profile type deployed.

    1. +1 Can you please update the script to search settings catalog as well?

  8. Here is what I added to the script get the settings catalogs:

    # Settings Catalogs
    $Resource = "deviceManagement/configurationPolicies"
    $graphApiVersion = "Beta"
    $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=Assignments"
    $SC = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
    $AllSC = $SC.value | Where-Object {$_.assignments -match $Group.id}
    Write-host "Number of Device Settings Catalogs found: $($AllSC.Name.Count)" -ForegroundColor cyan

    Foreach ($Config in $AllSC) {

    Write-host $Config.Name -ForegroundColor Yellow

    }

  9. Thank you! This is great as is and an awesome jumping off point to customize and learn!

  10. I would like to try this script. Does anyone have a version that combines the improvements from chaozkreator and the section for Settings Catalogue at GitHub or another location? Unfortunately I cannot access the script at the location chaozkreator provided.

    Thank you all for your help!

    1. # Fixed scripts
      # Added group members
      # Added Settings Catalogs

      # Connect and change schema
      Connect-MSGraph -ForceInteractive
      Update-MSGraphEnvironment -SchemaVersion beta
      Connect-MSGraph

      # All Intune groups in AAD
      $Groups = Get-AADGroup | Get-MSGraphAllPages | Where {($_.displayName -like "NL-*" -or $_.displayName -like "*Intune*")}

      #### Config
      Foreach ($Group in $Groups) {
      Write-host "AAD Group Name: $($Group.displayName)" -ForegroundColor Green

      # Members
      $AllAssignedUsers = (Get-AADGroupMember -groupId $Group.id) | Select-Object -Property displayName
      Write-host " Number of Users found: $($AllAssignedUsers.DisplayName.Count)" -ForegroundColor cyan
      Foreach ($User in $AllAssignedUsers) {

      Write-host " ", $User.DisplayName -ForegroundColor Gray

      }

      # Apps
      $AllAssignedApps = Get-IntuneMobileApp -Filter "isAssigned eq true" -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
      Write-host " Number of Apps found: $($AllAssignedApps.DisplayName.Count)" -ForegroundColor cyan
      Foreach ($Config in $AllAssignedApps) {

      Write-host " ", $Config.displayName -ForegroundColor Yellow

      }

      # Device Compliance
      $AllDeviceCompliance = Get-IntuneDeviceCompliancePolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
      Write-host " Number of Device Compliance policies found: $($AllDeviceCompliance.DisplayName.Count)" -ForegroundColor cyan
      Foreach ($Config in $AllDeviceCompliance) {

      Write-host " ", $Config.displayName -ForegroundColor Yellow

      }

      # Device Configuration
      $AllDeviceConfig = Get-IntuneDeviceConfigurationPolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
      Write-host " Number of Device Configurations found: $($AllDeviceConfig.DisplayName.Count)" -ForegroundColor cyan
      Foreach ($Config in $AllDeviceConfig) {

      Write-host " ", $Config.displayName -ForegroundColor Yellow

      }

      # Device Configuration Powershell Scripts
      $Resource = "deviceManagement/deviceManagementScripts"
      $graphApiVersion = "Beta"
      $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=groupAssignments"
      $DMS = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
      $AllDeviceConfigScripts = $DMS.value | Where-Object {$_.groupAssignments -match $Group.id}
      Write-host " Number of Device Configurations Powershell Scripts found: $($AllDeviceConfigScripts.DisplayName.Count)" -ForegroundColor cyan

      Foreach ($Config in $AllDeviceConfigScripts) {

      Write-host " ", $Config.displayName -ForegroundColor Yellow

      }

      # Settings Catalogs
      $Resource = "deviceManagement/configurationPolicies"
      $graphApiVersion = "Beta"
      $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=Assignments"
      $SC = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
      $AllSC = $SC.value | Where-Object {$_.assignments -match $Group.id}
      Write-host " Number of Device Settings Catalogs found: $($AllSC.Name.Count)" -ForegroundColor cyan

      Foreach ($Config in $AllSC) {

      Write-host " ", $Config.Name -ForegroundColor Yellow

      }

      # Administrative templates
      $Resource = "deviceManagement/groupPolicyConfigurations"
      $graphApiVersion = "Beta"
      $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=Assignments"
      $ADMT = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
      $AllADMT = $ADMT.value | Where-Object {$_.assignments -match $Group.id}
      Write-host " Number of Device Administrative Templates found: $($AllADMT.DisplayName.Count)" -ForegroundColor cyan
      Foreach ($Config in $AllADMT) {

      Write-host " ", $Config.displayName -ForegroundColor Yellow

      }

      }

  11. Hi, great tool! Thanks

    Sharing my modification

    ##################### select groups by containing text

    # All Intune groups in AAD
    $Groups = Get-AADGroup | Get-MSGraphAllPages | Where {($_.displayName -like "NL-*" -or $_.displayName -like "*Intune*")}

    ###################### new section listing members of the group

    # members
    $AllAssignedUsers = (Get-AADGroupMember -groupId $Group.id) | Select-Object -Property displayName
    Write-host " Number of Users found: $($AllAssignedUsers.DisplayName.Count)" -ForegroundColor cyan
    Foreach ($User in $AllAssignedUsers)
    {
    Write-host " ", $User.DisplayName -ForegroundColor Gray
    }

    ############################################################################

  12. You guys are the best.
    Had a call with MS re this yesterday and they had nothing!!
    Thank the Lord for community

  13. Trying to use this (looks helpful) but I am unsure how to make it work. I placed the code into a .ps1 file and tried to execute it, but even after allowing the script to run it still fails and does not even attempt to prompt me to connect to the online services. I am using MFA.

  14. For some reason I don’t see the powershell scripts. Result show 0 but I have some assigned to the group?

  15. Love it….. is there a way to do the following I tried to decipher the PS code but was unsuccessful.
    1. Get any security policies: Antivirus, Firewall, Encryption etc.
    2. Instead of scanning a security Group scan a device by name?

  16. hey guys. how about displaying the Proactive Remediation scripts? do you have any idea how to do it?

  17. Your original script is fantastic. Thank you!!
    Our environment has thousands of AAD groups so it’s a lot to weed through. I’ve used some of the tweaks that others have made to improve the script in the following ways:
    1. Faster as it only does a single API query run for all groups and uses a for-each to process the data from the array.
    2. Added Settings Catalogs to the script
    3. My own addition of a conditional for outputting data from each group, as I'm not interested in knowing if a group has 0 assigned policies and apps. Literally thousands! 🙂

    https://pastebin.com/Taz6KFtk

    1. ^ This way I only get AAD groups which have Intune policies, apps etc
