List all Intune assignments of an Azure AD Group

All assignments in Intune are based on Azure AD groups. I think you have also already had the problem of wanting to find out which Intune objects a certain AAD group is already assigned to, but there is no way to find this out in the portal. To solve this problem I have written a script that gives you exactly this output.

How does it work

  • First we authenticate to the Azure AD to get an authentication token.
  • After that we read in the group we want to search for and check if it exists. If the group exists we get the group id. If the input does not exist, we list all groups and ask until the input is correct.
  • After that we check all device configurations, ADMX, apps, compliance policies and scripts for an assignment or exclusion of this group.
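
The assignment check from the last step, combined with following `@odata.nextLink` so that objects beyond the first result page are not missed, as an added PowerShell example that is not the author's script. The function names (`Get-AllPages`, `Get-GroupAssignment`), the sample policies and the group IDs are constructed, and the embedded JSON stands in for Microsoft Graph responses so the block runs offline.

```powershell
# Added example, not the author's script. All names and data below are constructed.
$GroupId = '00000000-0000-0000-0000-000000000001'   # constructed group id

# Two constructed pages shaped like Graph responses to
# deviceManagement/deviceConfigurations?$expand=assignments
$SamplePages = @{
    'page1' = @'
{ "@odata.nextLink": "page2", "value": [
  { "displayName": "Win10-BitLocker", "assignments": [
    { "target": { "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                  "groupId": "00000000-0000-0000-0000-000000000001" } } ] } ] }
'@
    'page2' = @'
{ "value": [
  { "displayName": "Win10-Kiosk", "assignments": [
    { "target": { "@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
                  "groupId": "00000000-0000-0000-0000-000000000001" } } ] },
  { "displayName": "Win10-Wifi", "assignments": [
    { "target": { "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                  "groupId": "00000000-0000-0000-0000-000000000002" } } ] } ] }
'@
}

function Get-AllPages {
    param([string]$Uri, [scriptblock]$Fetch)
    # Follow @odata.nextLink until no further page is returned,
    # so the result is not cut off after the first page.
    do {
        $page = & $Fetch $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

function Get-GroupAssignment {
    param([object[]]$Policies, [string]$GroupId)
    foreach ($policy in $Policies) {
        foreach ($a in $policy.assignments) {
            # Targets without a groupId (for example "all devices") are skipped here.
            if ($a.target.groupId -ne $GroupId) { continue }
            $isExclude = $a.target.'@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget'
            $mode = if ($isExclude) { 'Exclude' } else { 'Include' }
            [pscustomobject]@{ Policy = $policy.displayName; Mode = $mode }
        }
    }
}

$fetch    = { param($u) $SamplePages[$u] | ConvertFrom-Json }   # offline stand-in for the HTTP call
$policies = @(Get-AllPages -Uri 'page1' -Fetch $fetch)
Get-GroupAssignment -Policies $policies -GroupId $GroupId
```

Against a real tenant the `$fetch` script block would call `Invoke-RestMethod` with the authentication token instead of reading the sample table. Reporting excludes separately from includes matters when reviewing a group, because an exclusion removes its members from a policy rather than applying it.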

What you have to do

  • First you need to download my script from my GitHub repository.
  • Run the script and enter your UPN with sufficient permissions.
  • Enter the name of an Azure AD group (If you want to list all groups press enter without content).
  • That is it. Now you get all assignments and excludes of the group listed.

Conclusion

I hope I could help you with this script if you are looking for the Intune assignments of an Azure AD group in the future. If you are using the script in a larger environment, it may take some time to run, as it has to go through all the objects and look at their assignments. If you are missing a category in the script, let me know so I can add it.

Stay healthy, Cheers
Jannik

Update 02.08.2022

You can also download my script from the PowerShell Gallery:

Install-Script -Name Get-AllAadGroupAssignments

5 thoughts on “List all Intune assignments of an Azure AD Group”

  1. Hi Jannik! Thank you for creating this!

    I have a couple of comments. The first is that I had to change lines 29 and 30 to this to make the script run:
    Add-Type -Path $adal
    Add-Type -Path $adalforms

    Otherwise it would just throw exceptions, and not log me in.

    The second thing is that it seems your script only returns the first 100 groups in your ‘Get-GraphCall’ function when you populate $groups on line 156. I think you’ll need to do a ‘do while’-loop on the .nextlink from the Invoke-RestMethod to get a complete result in an environment with more than 100 groups.

    Other than that, great script, and thank you again for providing this! It’s gonna be awesome! :o)

    • Hey @Trond Kristiansen many thanks for your feedback.
      When I run the script I don’t get the exception, but I changed it anyway, so hopefully it runs stably for everyone.
      Regarding the limitation of 100 groups, I have fixed this; now all groups are fetched.
      Sorry for the bug and thanks for the feedback.

  2. Great script but I think it is missing some areas:
    – Endpoint Security items like Security Baseline, Antivirus, Encryption, etc.
    – Settings Catalogs
    – Update rings
    – Feature updates
