Let’s discuss how to bulk export Intune settings and configuration profiles using sample PowerShell scripts. This post will help you export Microsoft Intune device settings, configuration profiles, policies, etc., present in the Intune tenant using PowerShell scripts and Microsoft Graph API. These settings are the core configurations for device management from the Intune tenant.
As we know, Intune Settings and Configurations can be exported directly from the Intune portal. But in this post, you will learn how to export all settings or configurations in bulk at once. Using different Intune Sample PowerShell scripts, we can export the desired types of configurations from the Intune tenant.
You may have exported Intune settings, policies, and profiles as JSON or ADMX files manually, one by one, from the Intune portal. Today, we will learn how to leverage the Microsoft Graph API and PowerShell scripts to export all required configurations from the Intune tenant simultaneously.
This can be helpful when replicating settings and configuration from one Intune tenant to another, backing up the tenant settings/profiles, or sharing the configuration settings.
Before You Get Started
Before you begin, ensure you have configured a Microsoft Entra app registration for Microsoft Graph identity and authentication, because we will use this app registration to authenticate to the tenant and export the desired settings and profiles.
- Best Guide To Configure App Registration In Microsoft Entra
- Import Export Settings Catalog Policy from Intune
- Download Intune Configuration Spreadsheet Excel List of Policies Configurations
- Backup Your Intune Settings Using Script|MEM
Let’s look at the Pre-requirements you need to consider.
Pre Requirements For Exporting Intune Configurations |
---|
Microsoft Entra App registration is needed for authentication and identity. |
Microsoft sample PowerShell scripts from GitHub Repository |
Update Sample scripts with MSAL authentication method and Entra App ID. |
PowerShell v5.0 is required to use these Graph API Intune PowerShell samples. |
Install the AzureAD PowerShell module by running ‘Install-Module AzureAD‘ from elevated PowerShell. |
An Entra account with Intune administrator permissions |
Requires a Global Administrator of the Tenant to accept the application’s permissions to run these scripts for the first time only. |
Using Microsoft Graph API Sample Scripts to Export Intune settings
Microsoft Graph is a RESTful API that allows access to Microsoft Cloud services. MS Graph can be used to build applications, analyze data, fetch data from external sources into Microsoft Graph, and manage user and device identity, compliance, access, and security. Vincent Biret has this great GitHub repository which contains Microsoft Graph API Intune PowerShell sample scripts. Thanks Vincent for the scripts..!
Note! Some of these MS PowerShell script samples retrieve information from your Intune tenant, and a few can create, update, or delete data for your tenant. Understand the impact of the sample script before running it; testing should be done in a non-production or test tenant account.
Let’s understand how we can use these sample PowerShell scripts with Graph API to export Intune configurations.
- Download the required scripts from GitHub repository.
- Extract the files to a local folder (e.g. C:\IntuneGraphSamples)
- Open PowerShell x64 as administrator.
- Browse to the directory (e.g. cd C:\IntuneGraphSamples)
- Update the downloaded PowerShell script with required authentication method as described in next section.
We can use any sample script per the requirement; we must update the script with our Entra registered application ID and tenant ID.
Update Sample PowerShell Script to Make It Working With Intune Tenant
Due to an update in the authentication method in the Graph SDK PowerShell module, Microsoft Intune PowerShell application ID-based authentication is no longer used. Hence, we will have to update the sample scripts with our Microsoft Entra ID registered application ID and change the Authentication method to make the script work. This authentication method has yet to be updated in the Sample scripts on GitHub.
This is a screenshot of the Sample PowerShell script SettingCatalog_export.ps1, downloaded from GitHub before any changes.
Let’s Update the Sample script using the PowerShell code below for MSAL authentication so that it can work with our App registration.
Remove the “Authentication” part of the sample script downloaded from GitHub. This part goes from line 12 to line 151 in the downloaded script. Delete the code until “Function Get-SettingsCatalogPolicy” and place the code below as a new authentication function at the top of the script.
Replace ***** in $clientid and $tenantid with your Entra Application ID (client ID) and tenant ID (Object ID)
#######################
function Get-AuthToken {
    # Make sure the MSAL.PS module is available; install it for the current user if not.
    Write-Host "Checking for MSAL module..."
    $MsalModule = Get-Module -Name "MSAL.PS" -ListAvailable
    if ($null -eq $MsalModule) {
        Write-Host "MSAL.PS PowerShell module not found, installing..."
        Install-Module -Name "MSAL.PS" -Scope CurrentUser -Force -AllowClobber
    }

    # Entra app registration details: replace the asterisks with your own values.
    $clientId = "***************************"
    $tenantId = "**************************"
    $authority = "https://login.microsoftonline.com/$tenantId"
    # .default requests the Graph permissions already consented for this app registration.
    $scopes = "https://graph.microsoft.com/.default"

    try {
        # Interactive sign-in; returns an access token for Microsoft Graph.
        $authResult = Get-MsalToken -ClientId $clientId -TenantId $tenantId -Authority $authority -Scopes $scopes -Interactive
        if ($authResult.AccessToken) {
            # Header hashtable in the shape the sample scripts expect.
            $authHeader = @{
                'Content-Type'  = 'application/json'
                'Authorization' = "Bearer " + $authResult.AccessToken
                'ExpiresOn'     = $authResult.ExpiresOn
            }
            return $authHeader
        } else {
            Write-Host
            Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
            Write-Host
        }
    }
    catch {
        Write-Host $_.Exception.Message -f Red
        Write-Host $_.Exception.ItemName -f Red
        Write-Host
    }
}
#########################
After updating the script, it will look like below. Now, the PowerShell script is ready to work with our registered App. We can run the updated script from elevated PowerShell to export the Settings catalogue from the Intune tenant. Similarly, we can download and update other sample scripts to export desired policies from Intune.
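Because Get-AuthToken requests the .default scope, the token it returns carries every Graph permission already consented for the app registration, which matters given the note above that some samples can create, update, or delete tenant data. The following is an added example (not part of the original post or the GitHub samples) that decodes an access token's claims and flags write-capable scopes before an export script is run. It assumes the token is a JWT carrying a delegated scp claim; the function names are hypothetical and the sample token is constructed inline.

```powershell
# Added example: report which Graph scopes an access token carries.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {      # restore the padding that base64url strips
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $b64 = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-TokenScopeReport {
    param([Parameter(Mandatory)][string]$AccessToken)
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Token is not a three-part JWT.' }
    # Assumption: the payload holds aud, exp and a space-separated scp claim.
    $claims = ConvertFrom-Base64Url -Value $parts[1] | ConvertFrom-Json
    $scopes = @("$($claims.scp)" -split '\s+' | Where-Object { $_ })
    [pscustomobject]@{
        Audience    = $claims.aud
        ExpiresUtc  = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
        Scopes      = $scopes
        WriteScopes = @($scopes | Where-Object { $_ -match 'ReadWrite' })
    }
}

# Constructed sample token (not a real credential): header.payload.signature
$payload = @{
    aud = 'https://graph.microsoft.com'
    exp = 1893456000
    scp = 'DeviceManagementConfiguration.Read.All DeviceManagementApps.ReadWrite.All'
} | ConvertTo-Json -Compress
$sample = (ConvertTo-Base64Url -Text '{"alg":"none"}'), (ConvertTo-Base64Url -Text $payload), 'constructed-signature' -join '.'

# With a real header from Get-AuthToken, use instead:
#   $token = (Get-AuthToken).Authorization -replace '^Bearer ', ''
$report = Get-TokenScopeReport -AccessToken $sample
$report | Format-List
if ($report.WriteScopes.Count -gt 0) {
    Write-Warning "Token can modify tenant data: $($report.WriteScopes -join ', ')"
}
```

For an export-only workflow, an app registration that has consent only for read permissions keeps the WriteScopes list empty.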
How to Use PowerShell Sample Script to Export Settings Catalog from Intune Tenant
This will export all settings catalogues in JSON and CSV format to the output folder location. These JSON and CSV files contain all the configurations and settings code.
- Launch PowerShell as an administrator.
- Launch the updated Microsoft Graph API PowerShell script for Settingscatalog_export.
- PowerShell will prompt you to enter the credentials to authenticate Microsoft Graph (Use Intune Administrator Credentials only)
- Specify the output folder to save the exported settings catalogue files.
PS C:\IntuneGraphSamples\SettingsCatalog> .\SettingsCatalog_Export_Updated.ps1
Please specify a path to export the policy data to, e.g. C:\IntuneOutput: c:\temp\ExportSettingsCatalog
Path ‘c:\temp\ ExportSettingsCatalog doesn’t exist. Do you want to create this directory? Y or N? y
AllowTemporaryEnterpriseFeatureContro
Export Path: c:\temp\ ExportSettingsCatalog
JSON created in c:\temp\ ExportSettingsCatalog \AllowTemporaryEnterpriseFeatureContro_09-10-2024-20-37-30.json…
SEC-WIN-BITLOCKER-1.0
Found template reference
Export Path: c:\temp\testexport
JSON created in c:\temp\ ExportSettingsCatalog \SEC-WIN-BITLOCKER-1.0_09-10-2024-20-37-31.json…
Outcome – Exported Configuration Items
A settings catalog policy, or any other policy, is exported as a JSON (JavaScript Object Notation) file; JSON is a format used in development to transfer data between a server and an application. This JSON file contains the values and strings, such as the policy name, description, and settings, that are required to create a specific policy or profile in Intune using Graph API.
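Since these JSON files are what gets backed up, shared, or imported into another tenant, it helps to record what was exported and detect later changes. The following is an added example (not part of the original post or the GitHub samples) that builds a manifest of the export folder with a SHA-256 hash per file and re-checks it later. The function name is hypothetical, the property names name, platforms and settings are assumptions about the exported JSON, and the sample file is constructed.

```powershell
# Added example: inventory an export folder and detect files changed since export.
function Get-IntuneExportManifest {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Filter '*.json' -File | Sort-Object Name | ForEach-Object {
        $file = $_
        try {
            $policy = Get-Content -LiteralPath $file.FullName -Raw | ConvertFrom-Json
        } catch {
            Write-Warning "Skipping $($file.Name): not valid JSON"
            return   # move on to the next file
        }
        [pscustomobject]@{
            File         = $file.Name
            PolicyName   = $policy.name        # assumed property name
            Platforms    = $policy.platforms   # assumed property name
            SettingCount = @($policy.settings | Where-Object { $_ }).Count
            Sha256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        }
    }
}

# Constructed sample export so the example runs offline.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'ExportSettingsCatalog-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@{
    name        = 'SEC-WIN-BITLOCKER-1.0'
    description = 'constructed sample'
    platforms   = 'windows10'
    settings    = @(@{ id = '0' }, @{ id = '1' })
} | ConvertTo-Json -Depth 5 |
    Set-Content -LiteralPath (Join-Path $dir 'SEC-WIN-BITLOCKER-1.0_constructed.json') -Encoding UTF8

# Right after the export: write the manifest (keep a copy away from the export folder).
$manifest = Join-Path $dir 'manifest.csv'
Get-IntuneExportManifest -Path $dir | Export-Csv -LiteralPath $manifest -NoTypeInformation

# Later, before importing into another tenant: report changed or missing files.
$current = @(Get-IntuneExportManifest -Path $dir)
Import-Csv -LiteralPath $manifest | ForEach-Object {
    $saved = $_
    $now = $current | Where-Object File -eq $saved.File
    if (-not $now -or $now.Sha256 -ne $saved.Sha256) {
        Write-Warning "Changed or missing since export: $($saved.File)"
    }
}
```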
I hope this post was beneficial for you. I appreciate your patience in reading this post. Keep supporting the HTMD Community.
Author
Sachin Chauhan is a Microsoft certified professional and Modern device management consultant with over 10 years of experience in Microsoft technologies like MECM, Intune, Windows, Autopilot, Operating system deployments and management, Azure, and PowerShell Automation.