πIntune Assignment Checker
π Table of Contents
- π Quick Start
- β¨ Features
- π Prerequisites
- π Authentication Options
- π Usage
- π€ Contributing
- π License
π Quick Start
# Install Microsoft Graph PowerShell SDK
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser
# Download and run the script
.\IntuneAssignmentChecker_v2.ps1β¨ Features
- π Check assignments for users, groups, and devices
- π± View all 'All User' and 'All Device' assignments
- π Support for certificate-based authentication
- π Built-in auto-update functionality
- π Detailed reporting of Configuration Profiles, Compliance Policies, and Applications
π₯ Demo
π Prerequisites
Required PowerShell Modules
- PowerShell 7.0 or higher
- Microsoft Graph PowerShell SDK
- Specifically Microsoft.Graph.Authentication
Required Permissions
| Your Entra ID application registration needs these permissions: | Permission | Type | Description |
|---|---|---|---|
| User.Read.All | Application | Read all users' full profiles | |
| Group.Read.All | Application | Read all groups | |
| Device.Read.All | Application | Read all devices | |
| DeviceManagementApps.Read.All | Application | Read Microsoft Intune apps | |
| DeviceManagementConfiguration.Read.All | Application | Read Microsoft Intune device configuration and policies | |
| DeviceManagementManagedDevices.Read.All | Application | Read Microsoft Intune devices |
π Authentication Options
Option 1: Certificate-Based Authentication (Recommended for automation)
Follow these steps if you want to use certificate authentication with an app registration:
-
Create an Entra ID App Registration:
- Navigate to Azure Portal > Entra ID > App Registrations
- Click "New Registration"
- Name your application (e.g., "IntuneAssignmentChecker")
- Select "Accounts in this organizational directory only"
- Click "Register"
-
Grant required Application permissions:
- In your app registration, go to "API Permissions"
- Click "Add a permission" > "Microsoft Graph"
- Select "Application permissions"
- Add all required permissions listed in Prerequisites
- Click "Grant admin consent"
-
Create and configure certificate authentication:
# Create self-signed certificate New-SelfSignedCertificate ` -Subject "CN=IntuneAssignmentChecker" ` -CertStoreLocation "cert:\CurrentUser\My" ` -NotAfter (Get-Date).AddYears(2) ` -KeySpec Signature ` -KeyExportPolicy Exportable # Export the certificate $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {$_.Subject -like "*IntuneAssignmentChecker*"} Export-Certificate -Cert $cert -FilePath "C:\temp\IntuneAssignmentChecker.cer" -
Upload certificate to your app registration:
- In Azure Portal, go to your app registration
- Click "Certificates & secrets"
- Select "Certificates"
- Click "Upload certificate"
- Upload the .cer file you exported (C:\temp\IntuneAssignmentChecker.cer)
-
Configure the script with your app details:
# Update these values in the script $appid = '<YourAppIdHere>' # Application (Client) ID $tenantid = '<YourTenantIdHere>' # Directory (Tenant) ID $certThumbprint = '<YourThumbprint>' # Certificate Thumbprint
Option 2: Interactive Authentication (Simpler setup)
If you prefer not to set up an app registration, you can use interactive authentication:
You can just run the script without any changes. It will ask if you want to use interactive authentication where you will type "y" and press enter.
This will prompt you to sign in with your credentials when running the script. The permissions will be based on your user account's roles and permissions in Entra ID.
Which Option Should I Choose?
-
Choose Certificate Authentication if you:
- Need to run the script unattended
- Want to automate the process
- Need consistent permissions regardless of user
- Are comfortable with more complex setup
-
Choose Interactive Authentication if you:
- Want a simpler setup
- Don't need automation
- Are comfortable using your user credentials
- Only need to run the script occasionally
Note: Keep your certificate and app credentials secure! Anyone with access to these can access your Intune environment with the configured permissions.
π Usage
The script provides a comprehensive menu-driven interface with the following options:
π― Assignment Checks
-
Check User(s) Assignments
- View all policies and apps assigned to specific users
- Supports checking multiple users (comma-separated)
- Shows direct and group-based assignments
-
Check Group(s) Assignments
- View all policies and apps assigned to specific groups
- Supports checking multiple groups
- Shows assignment types (Include/Exclude)
-
Check Device(s) Assignments
- View all policies and apps assigned to specific devices
- Supports checking multiple devices
- Shows inherited assignments from device groups
π Policy Overview
-
Show All Policies and Their Assignments
- Comprehensive view of all Intune policies
- Grouped by policy type and platform
- Includes assignment details
-
Show All 'All Users' Assignments
- Lists policies assigned to all users
- Includes apps and configurations
- Helps identify broad-scope policies
-
Show All 'All Devices' Assignments
- Lists policies assigned to all devices
- Shows platform-specific assignments
- Identifies universal device policies
βοΈ Advanced Options
-
Search for Assignments by Setting Name
- Search across all policy types
- Find specific settings or configurations
- Includes partial name matching
-
Show Policies Without Assignments
- Identifies unassigned policies
- Grouped by policy type
- Helps clean up unused policies
-
Check for Empty Groups in Assignments
- Finds assignments to empty groups
- Helps identify ineffective policies
- Supports CSV export of findings
π οΈ System Options
- Exit (0): Safely disconnect and close
- Report Bug (99): Opens GitHub issues page
All operations support CSV export for detailed analysis and reporting.
π€ Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
π License
This project is licensed under the MIT License - see the LICENSE file for details.