If you’ve ever stared at a misbehaving Intune device and asked yourself “which policies, profiles and apps are actually targeting this thing?”, you know how clunky the admin portal can be. Pulling the assignments of a device via PowerShell solves exactly that problem: given a Microsoft Entra ID device ID, the script returns every Intune assignment that resolves to it, joining direct device groups, dynamic device groups and user-based assignments through the device’s primary user. It’s the kind of script you’ll keep in your toolbox forever — handy when troubleshooting “why is this policy showing up?” tickets, indispensable when migrating tenants, and a great building block for larger automation.
In the Intune admin center, the device overview shows all assignments of a given device. Service release 2206 even added the ability to see the group memberships of a device. But if you want to build automations, it is helpful to be able to query this information with PowerShell. I created a script at the request of a community user that returns this information, so you can read the assignments of a device via PowerShell in seconds instead of clicking through blade after blade.

Why query the assignments of a device via PowerShell
The graphical view in the Intune admin center is fine for a quick look at a single machine, but it does not scale. The moment you need to audit dozens of devices, export results to a CSV, or feed the data into a remediation pipeline, the portal becomes a bottleneck. Reading the assignments of a device via PowerShell turns a tedious manual task into a repeatable, scriptable operation. You get a clean object back that you can filter, sort, and pass down the line — exactly what you want when you are building real automation around Microsoft Intune.
There is also a troubleshooting angle. When a configuration profile or app shows up unexpectedly on a client, the first question is always “where does this come from?”. Resolving the assignments of a device via PowerShell answers that question with hard data: it walks the device’s group memberships, expands dynamic groups, and follows the primary user relationship so that user-targeted policies are not silently missed. That last part is the piece most homemade scripts forget.
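The resolution described above, as an added example rather than the published script's code; it goes slightly beyond the text by also flagging exclusion targets. The function name, its parameters and the group IDs are assumptions made for illustration, and the sample policies are constructed.

```powershell
# Added example, not the published script. Live inputs would come from read-only Graph calls:
#   GET /devices/{objectId}/transitiveMemberOf      (nested groups are included)
#   GET /users/{primaryUserId}/transitiveMemberOf
#   GET /deviceManagement/deviceConfigurations?$expand=assignments
function Resolve-DeviceAssignment {
    param(
        [string[]]$DeviceGroupIds,  # transitive group IDs of the device
        [string[]]$UserGroupIds,    # transitive group IDs of the primary user
        [switch]$HasPrimaryUser,    # "All users" targets only apply through a primary user
        [object[]]$Policies         # Graph-shaped objects with an assignments array
    )
    foreach ($policy in $Policies) {
        $via = @()
        $excluded = $false
        foreach ($assignment in $policy.assignments) {
            $target = $assignment.target
            switch ($target.'@odata.type') {
                '#microsoft.graph.allDevicesAssignmentTarget' { $via += 'All devices' }
                '#microsoft.graph.allLicensedUsersAssignmentTarget' {
                    if ($HasPrimaryUser) { $via += 'All users' }
                }
                '#microsoft.graph.groupAssignmentTarget' {
                    if ($target.groupId -in $DeviceGroupIds) { $via += "device group $($target.groupId)" }
                    if ($target.groupId -in $UserGroupIds)   { $via += "user group $($target.groupId)" }
                }
                '#microsoft.graph.exclusionGroupAssignmentTarget' {
                    # Flag the exclusion instead of silently dropping the policy
                    if ($target.groupId -in $DeviceGroupIds -or $target.groupId -in $UserGroupIds) { $excluded = $true }
                }
            }
        }
        if ($via) {
            [pscustomobject]@{ Policy = $policy.displayName; Via = $via -join '; '; Excluded = $excluded }
        }
    }
}

# Constructed sample data in the shape Graph returns with $expand=assignments
$policies = @'
[
  {"displayName":"BitLocker baseline","assignments":[{"target":{"@odata.type":"#microsoft.graph.groupAssignmentTarget","groupId":"g-all-intune"}}]},
  {"displayName":"VPN profile","assignments":[{"target":{"@odata.type":"#microsoft.graph.groupAssignmentTarget","groupId":"g-sales-users"}},
    {"target":{"@odata.type":"#microsoft.graph.exclusionGroupAssignmentTarget","groupId":"g-staff-121"}}]},
  {"displayName":"Kiosk lockdown","assignments":[{"target":{"@odata.type":"#microsoft.graph.groupAssignmentTarget","groupId":"g-kiosks"}}]}
]
'@ | ConvertFrom-Json
Resolve-DeviceAssignment -DeviceGroupIds 'g-staff-121','g-all-intune' `
    -UserGroupIds 'g-sales-users' -HasPrimaryUser -Policies $policies
```

Real group IDs are GUIDs; against a live tenant, read-only scopes such as Device.Read.All, GroupMember.Read.All and DeviceManagementConfiguration.Read.All are enough for the three calls named in the comments.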
How do I get the script
You can find the script in my GitHub repository. I have also published it in the PowerShell Gallery, so retrieving the assignments of a device via PowerShell is just one install command away. You can download the script with the following command:
Install-Script -Name Get-AllDeviceAssignments
The script authenticates against Microsoft Graph, so make sure the signed-in account has permission to read devices, groups and the various Intune resource types. If you are new to the Graph PowerShell SDK, the official Microsoft Learn documentation walks through connecting and consenting to the required scopes. Once you are connected, gathering the assignments of a device via PowerShell is as simple as passing the device ID to the script.
What does the script deliver
When you run it, the tool collects the assignments of a device via PowerShell and groups the output into four clear sections so the result is easy to read at a glance. Each section is described below with a screenshot of the real output.
General device information
First the script prints the core facts about the device — name, operating system, ownership, the Entra ID object and the primary user. This context matters, because the primary user is the link the script follows when it resolves user-targeted policies as part of the assignments of a device via PowerShell.

Group memberships
Next come the group memberships, including both static and dynamic groups. Expanding these correctly is the heart of resolving the assignments of a device via PowerShell, because almost every Intune assignment is ultimately tied to a group.

Configuration profiles
The configuration profiles section lists every settings catalog, device configuration and compliance policy that lands on the machine. If you have ever opened a ticket asking why a setting is enforced, this is the part of the assignments of a device via PowerShell output you will live in.

Applications
Finally the applications section shows the required, available and uninstall app assignments. Together with the previous blocks it gives you a complete picture, which is the whole point of pulling the assignments of a device via PowerShell in the first place.

Wrapping up
Whether you are troubleshooting a noisy ticket queue, validating a migration, or wiring up a bigger automation, being able to enumerate the assignments of a device via PowerShell saves real time and removes guesswork. Grab the script from the gallery, run it against a test device, and adapt the output to your own reporting. If you build something useful on top of it, I’d love to hear about it — and you can find more Intune automation ideas across the rest of jannikreinhard.com.
Thanks for that – can it work with “nested groups” as it isn’t picking up all the assignments for my tenant. For example, device is a member of “Staff 121 Devices” and then this is a member of “All Intune Devices”. There are some apps and profiles delivered to the “top level” group.
Hey Darren, this should work because I filter for devices, not for groups. Can you try it out and give me feedback if it does not work?