This post has been lying around in the draft drawer for some time now, and I thought it’s about time to get it published; hopefully it will help someone out there in the ether. This will also be the last post of 2024, but there are more in the pipeline for early 2025, so stay tuned.
I was asked a while back to help figure out what types of applications were assigned to different Entra ID groups. We turn to PowerShell and Microsoft Graph when trying to solve this, since there is no native way within Intune or Entra ID to do this. I’ve done some work around this in the past that can be found here:
The difference this time was that the need was only to see which applications were assigned as “required”, or, if an application had multiple assignments, to show it when at least 1 assignment is “required”.
This means that an application won’t be returned by the script if it is only assigned as “available”, or if it has multiple assignments that are all “available”.
This table will hopefully make it a bit clearer.
| Assigned as “Available” | Assigned as “Required” | Returned by the script |
|---|---|---|
| | X | Yes |
| X | | No |
| X | X | Yes |
The script

The script is also available over at GitHub: https://github.com/timmyit/Intune/blob/master/Get-IntuneRequiredAppAssignments
```powershell
# Install and load the Microsoft Graph modules used by the script
Install-Module -Name Microsoft.Graph.DeviceManagement -Force -AllowClobber
Install-Module -Name Microsoft.Graph.Groups -Force -AllowClobber
Import-Module -Name Microsoft.Graph.Groups
Import-Module -Name Microsoft.Graph.DeviceManagement

# The script only reads apps and groups, so read-only scopes are enough
Connect-MgGraph -Scopes Group.Read.All, DeviceManagementApps.Read.All

# Applications
$Resource = "deviceAppManagement/mobileApps"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$filter=(isAssigned eq true)&`$expand=Assignments"

# Follow @odata.nextLink so apps beyond the first page are not missed
$AllApps = @()
do {
    $Response = Invoke-MgGraphRequest -Method GET -Uri $uri
    $AllApps += $Response.value
    $uri = $Response.'@odata.nextLink'
} while ($uri)

# Keep only apps with at least one "required" assignment
$Apps = @($AllApps | Where-Object { $_.assignments.intent -like "required" })

Write-Host "Start Script output -----------------" -ForegroundColor Cyan
foreach ($App in $Apps) {
    Write-Host "$($App.DisplayName)" -ForegroundColor Yellow

    # Built-in virtual groups are matched on the start of the assignment id
    $AllUsers = $App.assignments | Where-Object { $_.id -like "acacacac-9df4-4c7d-9d50-4ef0226f57a9*" }
    if ($AllUsers) {
        Write-Host "Assigned as $($AllUsers.intent) ---- EntraID Group: All Users (Built-in Group)"
    }
    $AllDevices = $App.assignments | Where-Object { $_.id -like "adadadad-808e-44e2-905a-0b7873a8a531*" }
    if ($AllDevices) {
        Write-Host "Assigned as $($AllDevices.intent) ---- EntraID Group: All Devices (Built-in Group)"
    }

    # Regular Entra ID groups, listed even when a built-in group is also assigned
    $EIDGroupId = $App.assignments.target.groupId | Where-Object { $_ }
    foreach ($group in $EIDGroupId) {
        $EIdGroup = Get-MgGroup -Filter "Id eq '$group'" -ErrorAction Continue
        # Report the intent of this group's own assignment, not of all assignments
        $AssignIntent = $App.assignments | Where-Object { $_.id -like "$group*" }
        Write-Host "Assigned as $($AssignIntent.intent) ---- EntraID Group: $($EIdGroup.displayName)"
    }
}
Write-Host "End Script output -----------------" -ForegroundColor Cyan
Write-Host "Total apps: $($Apps.Count)" -ForegroundColor Cyan
```
Script output

The script loops through all applications in Intune and only displays apps that have
As shown in the picture above, here we have a Win32 app called “AddRemove-UserFromLocalUserGroup”. This application has 5 different assignments: 4 of them are “required” (at least 1 needs to be “required” for the app to show up) and 1 is “available”.

The script in its current form retrieves all applications under the mobileApp resource type in Microsoft Graph:
https://learn.microsoft.com/en-us/graph/api/resources/intune-apps-mobileapp?view=graph-rest-1.0
If you want to, for example, only get Windows apps like Win32 apps, you can add a filter by changing the following line:
```powershell
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$filter=(isAssigned eq true)&`$expand=Assignments"
```
Replace with:
```powershell
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$filter=(isof('microsoft.graph.win32LobApp')) and (isAssigned eq true)&`$expand=Assignments"
```
Another thing worth mentioning about the output is the 2 virtual groups that Microsoft has created, which you see when trying to assign apps or configurations within Intune. These 2 groups are:
All Devices
All Users


These two virtual groups have their own unique group ID like any other Entra ID security group; however, the thing with these groups is that their IDs are the same in every tenant.
| Group Name | Group Id |
|---|---|
| All Users | acacacac-9df4-4c7d-9d50-4ef0226f57a9_1_0 |
| All Devices | adadadad-808e-44e2-905a-0b7873a8a531_1_0 |
Side note: I mentioned these groups in a post back in 2023 here:
https://timmyit.com/2023/03/06/update-to-filters-in-intune-2302/
However, since then it looks like Microsoft has added something in Graph to the end of these group IDs:
_1_0
When the script finds a required assignment to either of those groups, the output names it as “All Users (Built-in Group)” or “All Devices (Built-in Group)”.
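
The reporting logic above, as an added example (not the author's script or code from the GitHub repository): it flattens apps into one row per assignment, compares the built-in group IDs on the part before the first underscore so that the `_1_0` suffix does not matter, and runs offline on constructed sample data. `ConvertTo-AssignmentRow`, `$GroupNames`, the sample apps, the sample group IDs and the `_0_0` suffix are assumptions made up for illustration.

```powershell
# Built-in group ids from the table above (the part before the "_1_0" suffix)
$BuiltInGroups = @{
    'acacacac-9df4-4c7d-9d50-4ef0226f57a9' = 'All Users (Built-in Group)'
    'adadadad-808e-44e2-905a-0b7873a8a531' = 'All Devices (Built-in Group)'
}

function ConvertTo-AssignmentRow {
    param(
        [Parameter(Mandatory)] [object[]] $Apps,  # apps with expanded assignments
        [hashtable] $GroupNames = @{}             # hypothetical cache: group id -> name
    )
    foreach ($App in $Apps) {
        # Same rule as the script: at least one "required" assignment, else skip
        if (@($App.assignments | ForEach-Object { $_.intent }) -notcontains 'required') { continue }
        foreach ($Assignment in $App.assignments) {
            # Match on the part before the first "_" so a suffix like "_1_0" is ignored
            $Prefix  = ([string]$Assignment.id -split '_')[0]
            $GroupId = $Assignment.target.groupId
            if ($BuiltInGroups.ContainsKey($Prefix)) { $Name = $BuiltInGroups[$Prefix] }
            elseif ($GroupId -and $GroupNames.ContainsKey($GroupId)) { $Name = $GroupNames[$GroupId] }
            else { $Name = "<unresolved: $GroupId>" }  # e.g. a group that no longer exists
            [pscustomobject]@{
                App     = $App.displayName
                Intent  = $Assignment.intent
                Group   = $Name
                BuiltIn = $BuiltInGroups.ContainsKey($Prefix)
            }
        }
    }
}

# Constructed sample data in the shape of the Graph response (not real tenant data)
$SampleApps = @(
    @{ displayName = 'Sample VPN client'; assignments = @(
        @{ id = 'acacacac-9df4-4c7d-9d50-4ef0226f57a9_1_0'; intent = 'required'; target = @{} }
        @{ id = '11111111-1111-1111-1111-111111111111_0_0'; intent = 'available'
           target = @{ groupId = '11111111-1111-1111-1111-111111111111' } }
    ) }
    @{ displayName = 'Sample PDF reader'; assignments = @(
        @{ id = '22222222-2222-2222-2222-222222222222_0_0'; intent = 'available'
           target = @{ groupId = '22222222-2222-2222-2222-222222222222' } }
    ) }
)
$SampleNames = @{ '11111111-1111-1111-1111-111111111111' = 'Sample pilot group' }

$Rows = ConvertTo-AssignmentRow -Apps $SampleApps -GroupNames $SampleNames
$Rows | Format-Table -AutoSize
# Required assignments that reach every user or device in the tenant
$Rows | Where-Object { $_.BuiltIn -and $_.Intent -eq 'required' } | Format-Table -AutoSize
```

Against a live tenant, the `-Apps` input would be the app objects returned by the Graph request and `-GroupNames` a lookup table built from `Get-MgGroup` results.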

That’s it for this time. Don’t forget to follow me on X (Twitter) @timmyitdotcom, BlueSky @timmyit.com, or connect with me on LinkedIn.
Amazing, this helped us out greatly. Thank you very much!!