Update to Filters in Intune 2302

About 2 weeks ago Microsoft deployed service release 2302 for Intune, and with it came a great UI update for Filters, which has been a happy surprise. Filters were first released 2 years ago and have since received a few updates along the way. If you haven’t used Filters before, check out my first post on Filters from 2021 here:

Associated Assignments tab

The new addition to Associated Assignments tab in Intune service release 2302

Link to Microsoft release notes:
https://learn.microsoft.com/en-us/mem/intune/fundamentals/whats-new#a-new-associated-assignments-tab-for-your-filters

In the Associated Assignments tab we can now see the name of the resource the filter has been applied to, what group it has been assigned to, and what the Filter mode is. If we click on the name of the policy we are redirected to that policy, which is perfect because we don’t have to navigate through the UI to find it. (I only wish it worked the same way in the reverse direction, which as of today it does not.)

Improvements that can be made

With the new update to Filters we have an easier way of seeing how a specific filter is being used and which groups and policies it has been assigned to. However, we still need to click through every filter to get an overview of all of them, and this can be a struggle if we have a lot of filters. What we can do instead is use PowerShell and the Graph API to get a quick overview of all our filters.

Below is an example script that can be used for inspiration to create your own script.

PowerShell and Graph API

I’m using the Microsoft.Graph.Intune PowerShell module for this script, simply because I find it easy to use. There are other ways of doing the same thing with PowerShell that I might cover in the future.

The script is also available on Github https://github.com/timmyit/Intune/blob/master/Get-FilterAssignmentOverview

Note: You need to have the Intune PowerShell module installed to use the script.
https://www.powershellgallery.com/packages/Microsoft.Graph.Intune/6.1907.1.0


# Connect and change schema
Connect-MSGraph -ForceInteractive
Update-MSGraphEnvironment -SchemaVersion beta

# Build the URL for the assignment filters endpoint (beta)
$Resource = "deviceManagement/assignmentFilters"
$graphApiVersion = "beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"

# IDs of the two built-in assignment targets, which are not real AAD groups
$AllUsersId   = "acacacac-9df4-4c7d-9d50-4ef0226f57a9"
$AllDevicesId = "adadadad-808e-44e2-905a-0b7873a8a531"

# Get all filters
$Response = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
$Filters = $Response.value

Foreach ($Filter in $Filters) {

    # Get the assignments (payloads) that use this filter
    $Payloads = Invoke-MSGraphRequest -HttpMethod GET -Url "$uri/$($Filter.id)/payloads"

    Write-Host "Name: $($Filter.displayName)"
    Write-Host "Platform: $($Filter.platform)"
    Write-Host "Assignments: $($Payloads.value.Count)"

    if ($null -ne $Payloads) {
        Foreach ($Payload in $Payloads.value) {

            # The built-in targets cannot be looked up with Get-AADGroup,
            # so print a fixed label for them instead
            if ($Payload.groupId -eq $AllUsersId) {
                Write-Host "AssignmentGroup: All Users (Built-in Group)"
            }
            elseif ($Payload.groupId -eq $AllDevicesId) {
                Write-Host "AssignmentGroup: All Devices (Built-in Group)"
            }
            else {
                # Regular group: resolve the display name from the group ID
                $AADGroup = Get-AADGroup -groupId $Payload.groupId -ErrorAction SilentlyContinue
                Write-Host "AssignmentGroup: $($AADGroup.displayName)"
            }

            # Filter mode for this assignment (include or exclude)
            Write-Host "    Types: $($Payload.assignmentFilterType)"
        }
    }
    Write-Host "---------------"
}

The output you get from running the script looks like this:

It starts with the name of the filter and the platform the filter is used for, followed by how many assignments the filter currently has, the group it has been assigned to, and whether it’s an Include or Exclude.

I also need to mention that in the script I had to add some logic around the 2 built-in groups that a policy or app can be assigned to. These are “All Users” and “All Devices”, which are groups but not really, and are treated a bit differently. So to avoid getting an error message when trying to get the AD group information in the script, I had to work around that.

So when the script runs, if the assignment is to either “All Users” or “All Devices” you will see it mentioned as (Built-in Group).

That’s it for this time. Don’t forget to follow me on Twitter @timmyitdotcom
