The Intune Toolkit is a PowerShell-based solution designed to simplify the management of Microsoft Intune policies. It provides a user-friendly interface for connecting to Microsoft Graph, managing policy assignments, and handling backup and restore operations for these assignments. The toolkit focuses on functionalities such as backing up and restoring policy assignments, adding or deleting assignments, and retrieving policy details (including the new device management intents) with robust error handling and detailed logging.
- Connect to Microsoft Graph: Authenticate with the necessary scopes.
- Connect to Microsoft Graph With Enterprise App: Authenticate using enterprise application credentials.
- Tenant Information: Display tenant details and signed-in user information.
- Policy and App Management: View and manage policies, apps, and device management intents with their assignments.
- Supported Assignments:
- Policies & Profiles:
- Settings Catalog (
configurationPolicies) - Device Configuration (
deviceConfigurations) - Device Compliance Policies
- Administrative Templates
- Endpoint Security Intents (Antivirus, Disk Encryption, etc.)
- Windows Autopilot Deployment Profiles
- App Configuration Policies
- Settings Catalog (
- Applications:
- Windows: Win32, MSI, Store Apps (New), WinGet, Office 365
- macOS: PKG, DMG, Line-of-Business
- Mobile: Android Managed Play Store, Android Enterprise, iOS Store (VPP), iOS LOB
- Web: Web Links / Web Apps
- Scripts & Remediation:
- Platform Scripts (Windows)
- Remediation Scripts (Device Health Scripts)
- macOS Shell Scripts
- macOS Custom Attributes
- Policies & Profiles:
- Assignment Management:
- Add and delete assignments for selected policies.
- Search Security Groups.
- Support for filters and installation intent.
- Backup and Restore:
- Back up and restore assignments to policies and apps.
- Export Assignments:
- Export assignments to CSV.
- Document assignments to a Markdown file:
- Selected policies/applications.
- Bulk export of a policy type.
- Unified reporting: HTML (interactive) and Markdown.
- Global Group Search:
- Search any entra security group and see all the resources assigned to it in one view.
- Automatically generates detailed documentation grouped by policy/resource type.
- Visual distinction and safety locks (read-only) to prevent accidental changes during search context.
- Advanced Policy Management:
- Delete Policies: Ability to hard delete policies (requires "Advanced Actions" toggle).
- Edit DisplayName & Description: Easily edit your policy/app names and descriptions.
- Refresh: Update and refresh your security groups and policies/apps.
- Logging: Detailed logging for all major actions and error handling.
- PowerShell 7.0 or later.
- Microsoft Graph PowerShell SDK.
- Windows Presentation Framework (WPF) for the GUI components.
- Access to Microsoft Intune with the necessary permissions.
- Microsoft Graph Permissions:
User.Read.AllDirectory.Read.AllDeviceManagementConfiguration.ReadWrite.AllDeviceManagementApps.ReadWrite.AllDeviceManagementScripts.ReadWrite.All
-
Clone the repository:
git clone https://github.com/MG-Cloudflow/Intune-Toolkit.git cd Intune-Toolkit -
Ensure you have the required assemblies and permissions to run the toolkit.
The Intune Toolkit supports multiple authentication methods to connect to Microsoft Graph. Choose the method that best fits your organization's security requirements.
Best for: Individual users, delegated permissions
Setup:
- No setup required
- Uses Microsoft's default Graph PowerShell app
- Authenticates with your user account credentials
How to use:
- Click the Connect button
- Sign in with your Microsoft 365 credentials
- Consent to the requested permissions (first time only)
Auto-reconnect: If you don't log out, the toolkit will automatically restore your session when you reopen the app.
Best for: Automation, unattended scripts, app-only permissions
Azure Setup Required:
- Go to Azure Portal → Entra ID → App Registrations → New registration
- Name:
Intune-Toolkit(or your preferred name) - Supported account types: Accounts in this organizational directory only
- Click Register
- Copy the Application (client) ID and Directory (tenant) ID
- Go to Certificates & secrets → New client secret
- Description:
Intune-Toolkit-Secret - Expiration: Choose based on your security policy
- Click Add and copy the Value immediately (you won't be able to see it again)
- Description:
- Go to API permissions → Add a permission → Microsoft Graph → Application permissions
- Add these permissions:
User.Read.AllDirectory.Read.AllDeviceManagementConfiguration.ReadWrite.AllDeviceManagementApps.ReadWrite.AllDeviceManagementManagedDevices.ReadWrite.All
- Click Grant admin consent for your tenant
How to use:
- Click Connect to Graph App
- Select App Permissions - Client Secret
- Enter your Tenant ID, App ID, and Client Secret
- Optionally save this configuration for future use
- Click Connect
Best for: Enhanced security, no secret rotation, automated workflows
Azure Setup Required:
- Follow steps 1-5 from Method 2 (App Registration)
- Create a self-signed certificate (or use your organization's PKI):
$cert = New-SelfSignedCertificate -Subject "CN=Intune-Toolkit" ` -CertStoreLocation "Cert:\CurrentUser\My" ` -KeyExportPolicy Exportable ` -KeySpec Signature ` -KeyLength 2048 ` -KeyAlgorithm RSA ` -HashAlgorithm SHA256 ` -NotAfter (Get-Date).AddYears(2)
- Export the certificate:
$cert | Export-Certificate -FilePath "C:\Temp\IntuneToolkit.cer"
- Go to Certificates & secrets → Certificates → Upload certificate
- Upload the
.cerfile you exported
- Upload the
- Go to API permissions and add the same permissions as Method 2
- Click Grant admin consent
How to use:
- Click Connect to Graph App
- Select App Permissions - Certificate
- Enter Tenant ID and App ID
- Click Browse to select your certificate from the certificate store, or manually enter the thumbprint
- Optionally save this configuration
- Click Connect
Best for: Custom app with user authentication, delegated permissions, single-tenant apps
Azure Setup Required:
- Follow steps 1-5 from Method 2 (App Registration)
- Important for single-tenant apps: Set Supported account types to:
- Accounts in this organizational directory only (Single tenant)
- Go to Authentication → Add a platform → Mobile and desktop applications
- Add these redirect URIs:
http://localhosthttp://localhost:8400https://login.microsoftonline.com/common/oauth2/nativeclienturn:ietf:wg:oauth:2.0:oob
- Under Advanced settings, set Allow public client flows to Yes
- Click Save
- Go to API permissions → Add a permission → Microsoft Graph → Delegated permissions
- Add these permissions:
User.Read.AllDirectory.Read.AllDeviceManagementConfiguration.ReadWrite.AllDeviceManagementApps.ReadWrite.AllDeviceManagementManagedDevices.ReadWrite.All
- Click Grant admin consent (if required by your organization)
How to use:
- Click Connect to Graph App
- Select Delegated Permissions - Interactive Login
- Enter Tenant ID (required for single-tenant apps)
- Enter your custom App ID
- Customize scopes if needed (defaults are provided)
- Optionally save this configuration
- Click Connect
- Sign in with your user credentials
Note: Leave Tenant ID blank for multi-tenant apps.
The toolkit includes a built-in configuration manager to save and load your connection settings:
- Save Configuration: After filling in your connection details, click Save Configuration and give it a name (e.g., "Production Tenant")
- Load Configuration: Select a saved configuration from the dropdown and click Load
- Auto-naming: Configurations are automatically tagged with their authentication method:
- Example:
Production (Client Secret),Dev Tenant (Certificate),Test (Interactive)
- Example:
- Storage: Configurations are stored in the Windows Registry under
HKEY_CURRENT_USER\Software\IntuneToolkit\TenantConfigs(no admin rights required) - Security: Client secrets are NOT saved - you must enter them each time for security
-
Launch the Main Script:
.\Invoke-IntuneToolkit.ps1 -
Connect to Microsoft Graph:
- Choose your preferred authentication method (see Authentication Methods above)
- If you have a cached session, the toolkit will automatically connect on launch
-
View Connection Status:
- The top bar displays:
- Line 1: Tenant name and signed-in user
- Line 2: Connected app name and App ID
- The top bar displays:
-
View Connection Status:
- The top bar displays:
- Line 1: Tenant name and signed-in user
- Line 2: Connected app name and App ID
- The top bar displays:
-
Manage Policies and Intents:
-
Manage Policies and Intents:
- Select the type of policy you want to manage (e.g., Configuration Policies, Device Compliance Policies, Mobile Applications, Device Management Intents, etc.) using the corresponding buttons.
- For Device Management Intents, the toolkit retrieves intents along with their assignments by performing additional API calls for each intent.
- View and manage the assignments for the selected policies.
-
Backup Policies:
-
Backup Policies:
- Click the Backup button to save the current assignments of your policies to a JSON file. (Currently, only bulk backups are supported; individual policy backups will be available in future updates.)
-
Restore Policies:
- Click the Restore button to load all assignments of the selected policy type from a backup file. (Individual policy restores will be available in future updates.)
-
Add/Remove Assignments:
- Use the Add Assignment and Delete Assignment buttons to manage assignments for the selected policies.
- You can select one or multiple policies with assignments. When you click Add Assignment, it will add to the existing assignments of those policies, processing them until all have been updated.
- When adding assignments, a pop-up dialog will appear allowing you to select a security group, choose whether to include or exclude it from the policy, and apply possible filters for applications. You will also have the option to select the installation intent of the application.
- Remediation Script Scheduling: When assigning device health scripts (Remediation Scripts), the dialog supports detailed scheduling configuration (Daily, Hourly, or One-time execution).
- When you click the Delete Assignment button, it will delete the assignments you selected.
- Click the Search Group toggle button in the sidebar (it will turn blue).
- Select a Security Group from the search dialog.
- The grid will populate with ALL Intune resources assigned to that group (Configuration profiles, Apps, Scripts, Compliance policies, etc.).
- A new "Policy Type" column helps you identify the resource category.
- Safety Lock: Action buttons (Delete, Rename, Move) are automatically disabled in this view to prevent accidental changes.
- Click Assignment Report to generate a comprehensive HTML or Markdown report of all assignments for that group, automatically grouped by Policy Type.
- Enable the Advanced Actions checkbox in the bottom-left corner of the sidebar.
- The red Delete button will appear in the Tools panel.
- Select one or more policies and click Delete.
- A confirmation dialog will appear. Click the red "Delete" button to confirm the permanent removal of the resource.
- Invoke-IntuneToolkit.ps1: The main script that initializes the application, loads the UI, and imports other scripts.
- Scripts/: Contains all function scripts for various actions.
- Functions.ps1: Contains common functions used across the toolkit.
- ConnectButton.ps1: Handles the connect button click event.
- LogoutButton.ps1: Handles the logout button click event.
- ConfigurationPoliciesButton.ps1: Handles loading configuration policies.
- DeviceConfigurationButton.ps1: Handles loading device configurations.
- ComplianceButton.ps1: Handles loading compliance policies.
- AdminTemplatesButton.ps1: Handles loading administrative templates.
- ApplicationsButton.ps1: Handles loading applications.
- IntentsButton.ps1: Handles loading device management intents. (new)
- DeleteAssignmentButton.ps1: Handles deleting assignments.
- AddAssignmentButton.ps1: Handles adding assignments.
- BackupButton.ps1: Handles backing up policies.
- RestoreButton.ps1: Handles restoring policies.
- Show-SelectionDialog.ps1: Displays the selection dialog for groups and filters.
- SearchButton.ps1: Handles search functionality.
- XML/: Contains XAML files for defining the UI layout.
- Main.xaml: XAML file for the main window layout.
- SelectionDialog.xaml: XAML file for the selection dialog layout.
- Logs/: Contains the log files generated during the execution of the toolkit.
The toolkit logs all major actions and errors to IntuneToolkit.log. Each log entry includes a timestamp, component, context, type, thread, and file information to aid in troubleshooting and tracking activities.
This project is licensed under the MIT License. See the LICENSE file for details.
- Microsoft Graph PowerShell SDK for providing the necessary APIs to manage Intune.