
Export & Import Intune policies and configuration using Graph API

Intune or Microsoft Endpoint Manager is the tool for Mobile Device Management (MDM) or Mobile Application Management (MAM). Device management was mostly focused on devices like iOS and Android, while Windows 10 was most likely managed using System Center Configuration Manager (SCCM). Windows 10 has been perfectly manageable in an MDM scenario for years using Microsoft Intune. I’ve created some default policies in my developer tenant which I’ll be exporting and importing using the Graph API. My focus at the moment is Windows 10, but I’ll be adding iOS, Android and macOS policies later. Some iOS, Android and macOS policies will also be downloaded automatically. This script can be customized to suit your needs: it can also be used as a backup solution for your policies and configuration, or just to verify whether the policies are the same as they were one month ago.

Intune policies

Besides some general configuration I’ve created the following policies:

  • Deployment profiles
  • Compliance policy
  • Security baselines
  • Update rings
  • App protection policy
  • Configuration policies

The following settings are still a work in progress:

  • Enrollment profiles
  • Apps
  • Branding
  • Other config

Graph API

I will be using the Graph API for exporting and importing Intune policies and configuration.

Permissions

We will be reading and writing, so we need to add application permissions to call the APIs in Azure Active Directory.

Add the below API permissions. (Note that these permissions can do harm in the wrong hands. Create conditional access policies to limit the attack surface.)

  • DeviceManagementApps.ReadWrite.All
  • DeviceManagementConfiguration.ReadWrite.All
  • DeviceManagementServiceConfig.ReadWrite.All


Note the following information, as we will need it for the script:

  • Client ID
  • Client Secret
  • Tenant ID
  • Output location

Export Intune policies

The script has been uploaded to O365ExportImport/ExportAndImport/Intune at main · CloudSecuritea/O365ExportImport · GitHub where it can be downloaded, changed and used. Run the following command to start the export:

export-intune.ps1, and provide the script with the required parameters (Client ID, Client Secret, Tenant ID and output location).


The JSON files will be created in the specified output location.


Import Intune policies

We have just exported the Intune policies. The JSON files will now be used to import this configuration. Note that the script creates new policies rather than updating existing ones, so you will need to delete old policies if present. Assignments are currently not configured by the script and will need to be set afterwards.


The script has been uploaded to O365ExportImport/ExportAndImport/Intune at main · CloudSecuritea/O365ExportImport · GitHub where it can be downloaded, changed and used. Run the following command to start the import:

import-intune.ps1, and provide the script with the required parameters (Client ID, Client Secret, Tenant ID and the location of the exported JSON files).
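To show what the export and import steps above do under the hood, here is an added example script that is not the CloudSecuritea script from the repository. It assumes an app registration holding the three application permissions listed in the Permissions section and takes the Client ID, Client Secret, Tenant ID and output location as parameters; the parameter names, folder layout and the choice of Graph collections are my own assumptions. It exports device configuration profiles and compliance policies to JSON, and imports device configuration profiles back by creating new policies, stripping the service-generated properties that Graph would reject on POST.

```powershell
# Added example (not the CloudSecuritea export/import script). Parameter names,
# folder names and the collections below are assumptions for illustration.
param(
    [Parameter(Mandatory)][string]$TenantId,
    [Parameter(Mandatory)][string]$ClientId,
    [Parameter(Mandatory)][string]$ClientSecret,
    [Parameter(Mandatory)][ValidateSet('Export', 'Import')][string]$Mode,
    [string]$Path = '.\IntuneExport'
)

$Graph = 'https://graph.microsoft.com/beta'

# Client-credentials flow: the app registration's permissions, not a user's, are used,
# which is why the three ReadWrite.All application permissions are required.
function Get-GraphToken {
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    $tokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    (Invoke-RestMethod -Method Post -Uri $tokenUri -Body $body).access_token
}

# Follows @odata.nextLink so large tenants are exported completely, not only the first page.
function Get-GraphCollection {
    param([string]$Uri, [hashtable]$Headers)
    $items = @()
    while ($Uri) {
        $page = Invoke-RestMethod -Method Get -Uri $Uri -Headers $Headers
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

# Folder name -> Graph path. Only deviceConfigurations is re-imported below: compliance
# policies additionally require scheduledActionsForRule when they are created.
$Collections = @{
    'DeviceConfigurations' = 'deviceManagement/deviceConfigurations'
    'CompliancePolicies'   = 'deviceManagement/deviceCompliancePolicies'
}

# Service-generated, read-only properties that must not be sent back on POST.
# '@odata.type' is kept on purpose: Graph needs it to know which policy type to create.
$ReadOnly = @('id', 'createdDateTime', 'lastModifiedDateTime', 'version', 'supportsScopeTags')

$headers = @{ Authorization = "Bearer $(Get-GraphToken)" }

switch ($Mode) {
    'Export' {
        foreach ($name in $Collections.Keys) {
            $dir = Join-Path $Path $name
            New-Item -ItemType Directory -Path $dir -Force | Out-Null
            $uri = "$Graph/$($Collections[$name])"
            foreach ($item in Get-GraphCollection -Uri $uri -Headers $headers) {
                # File name from displayName; replace characters NTFS does not allow.
                $safe = ($item.displayName -replace '[\\/:*?"<>|]', '_')
                $file = Join-Path $dir "$safe.json"
                $item | ConvertTo-Json -Depth 20 | Set-Content -Path $file -Encoding UTF8
                Write-Host "Exported $name/$safe"
            }
        }
    }
    'Import' {
        $dir = Join-Path $Path 'DeviceConfigurations'
        foreach ($file in Get-ChildItem -Path $dir -Filter '*.json') {
            $obj = Get-Content -Path $file.FullName -Raw | ConvertFrom-Json
            foreach ($p in $ReadOnly) {
                if ($obj.PSObject.Properties[$p]) { $obj.PSObject.Properties.Remove($p) }
            }
            $body = $obj | ConvertTo-Json -Depth 20
            # POST always creates a new policy; it never updates one with the same name,
            # so delete the old policy first or you end up with duplicates.
            $new = Invoke-RestMethod -Method Post -Uri "$Graph/deviceManagement/deviceConfigurations" `
                -Headers $headers -ContentType 'application/json' -Body $body
            Write-Host "Imported '$($new.displayName)' as $($new.id); assignments must be set separately"
        }
    }
}
```

Run it as `.\intune-backup.ps1 -Mode Export -TenantId <tenant> -ClientId <app id> -ClientSecret <secret> -Path C:\IntuneExport` and later with `-Mode Import` pointing at the same folder. Because the exported files carry the full policy body, diffing two export folders taken a month apart (for example with `Compare-Object` over the file contents) is enough to spot configuration drift, which is the verification use case mentioned at the top of the post.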



Things to do

  • Add more configuration items
  • Automatically delete and assign
