Have you asked yourself “I wonder what’s assigned to this group”? Well, if you’re here, you probably already answered that question with a ‘yes’. This is the first part of a series on group-centric documentation or GCD. Let me take you on my journey to write my biggest public project yet. In fact so big I had to split it up!
Why group-centric documentation?
Currently, when you assign anything in Intune, you have to select an Entra group, and sometimes “All Devices” and/or “All Users” are also available. You can find out the assignments to a user by looking at the ‘Troubleshooting + Support’ page. This is a very user-centric approach, and it’s usually sufficient, especially if the endpoints you manage are not too complex or diverse. Another scenario might be that you’re building out your tenant, and over time you learn more about how you want to structure things. Or maybe you want to analyze your Intune setup for reasons I can’t even think of! The answer to all of this is a way to see assignments to a group. Hence the name ‘group-centric documentation’. Turns out it’s not as easy as it sounds.
Group-centric documentation, what’s inside?
We’re yet again working with PowerShell but this time with
a dash a heap of Microsoft Graph! It’s not a secret I love PowerShell – especially due to its availability on many different platforms, without requiring too many additional resources. In fact, I’m just using the Microsoft Graph PowerShell SDK 1. Fair warning though I might have used the occasional PowerShell 7 function, when uploading the script 5.1 worked just fine. Neither of those are great at storing and handling data – potentially lots of it. Considering, that a tenant might have thousands of groups and objects to assign I’d have to use some kind of database. My answer to this in the end was JSON!
So, what do I get if I use this solution?
First and foremost you’ll get one/multiple JSON file that contains all groups, that have assignments to them. Groups that have no assignments to them are not added to the final outcome. The same is true for the other way, if an assignable object (think application or policy) isn’t assigned to a group it’s not in the results. With releasing part one aka Version 1.0 of GCD aka F.O.C.U.S. (Fast Operations Could Use Speed) has the following features:
- Will gather the following assignments (some edge cases are missing, see next chapter)
- Configuration Policies (all types)
- Compliance Policies (all types)
- Scripts and Remediations
- Update Policies, including feature update policies and the more recent driver policies
- App protection policies
- App configuration policies
- Output in JSON in one or multiple files (per group)
The longest journey – What’s next?
This project was a bit of a stretch for me at first, as I hadn’t really delved into Graph that much before. After discovering batching for my purposes and countless hours of tweaking the script, while discovering fun things that are not quite documented, I decided to make a cut. Here’s what v2 will include. Hopefully, Co-Pilot hasn’t superseded this project by then. (At least this solution will stay free 🙂 )
- Object-Types that I can’t easily test might be added
- embeddedSIMActivationCodePools (aka eSIM-Profiles)
- iosLobAppProvisioningConfigurations (aka iOS AppProvisioning)
- wdacSupplementalPolicies (aka S-Mode Policies for Windows in S-Mode)
- managedEBooks (aka iOS EBooks)
- More Granular selection for the type of assignments
- A simple GUI(?)
- Further optimization of the script
- Proper error handling and logging
- Group-Member count – I wanted to get this in but it was just too slow (yet)
- As always: The WinAdmins community! 2
- Dave Falkus for “IntuneFilter_Get.ps1” – This greatly helped me understand more about how to connect filters with other graph objects. 3