This post introduces the new and updated Intune Group Assignment Script. The original was useful but limited; the new version of the Intune Group Assignment Script supports dynamic groups, scope tags, exclusion assignments, and a much cleaner CLI for use in pipelines.
A few months ago I released a script that lists all assignments of a Microsoft Entra ID group in Intune. With this blog post I am releasing a new version of this script, which includes more configuration objects and improves many parts of the code. If you manage a large tenant, the Intune Group Assignment Script will save you hours of manual clicking in the portal.

What is the purpose of the Intune Group Assignment Script
It is not possible, via the UI or via a single Graph call, to get a list of all assignments of a specific Microsoft Entra ID group. This matters, for example, when you are wondering whether a group is still in use or when you want to troubleshoot a specific assignment. This script helps you find exactly that out and lists all configuration objects of a single group. The Intune Group Assignment Script queries Microsoft Graph for you and returns a clean, readable overview of every object a group is targeting.
Which objects are included
The script currently supports the following configuration objects in Intune:
- Device Configuration
- Administrative Templates
- Device Compliance Policies
- Mobile Applications
- Scripts
- Remediation Script
- Windows Autopilot deployment profiles
- Enrollment Status Page
- Security baselines
Because the Intune Group Assignment Script reads everything through Microsoft Graph, it always reflects the live state of your tenant. You can learn more about the underlying assignment model in the official Microsoft Learn documentation.
Prerequisites and permissions
Before you run the Intune Group Assignment Script you need a working PowerShell environment and the Microsoft Graph PowerShell SDK. The script signs in interactively, so the account you use must be allowed to read Intune configuration. In most tenants the read-only DeviceManagementConfiguration.Read.All and Group.Read.All permissions are enough, which means you can hand this tool to a helpdesk colleague without granting any write access. If you only have a standard admin account, the first run will prompt you to consent to those scopes.
A practical example
Imagine you find a group called SEC-Win-Baseline-Pilot and nobody remembers what it still drives. Instead of opening every policy blade one by one, you run the Intune Group Assignment Script, pick the group, and within seconds you see that it is targeting two compliance policies and one security baseline. That single view tells you whether the group is safe to delete or whether removing it would leave devices unmanaged. This is exactly the kind of audit task that used to take half an afternoon of clicking.
How to get the script
You can find the script in my GitHub repository or in the PowerShell Gallery:
Install-Script -Name Get-AllAadGroupAssignments
Get-AllAadGroupAssignments
Once installed, running the Intune Group Assignment Script only requires you to authenticate against your tenant and pass the group you want to inspect. For more of my Intune tooling, check out my other posts on jannikreinhard.com.
How can I add new topics to the script
It is really easy. You only have to add this code block to the end of the script:
Get-Topic -topicHeadline "Remediation Scripts" -groupId $group.id -uri "deviceManagement" -type "deviceHealthScripts" -uriAssignment "assignments"
Add the name of the topic and set the Graph URI and the type. You can find these via Graph Explorer.

Common pitfalls
Two things trip people up. First, the script reports direct assignments only, so a device that receives a policy because it sits in a nested or dynamic membership chain may not show up the way you expect; always confirm the group membership type before drawing conclusions. Second, if a configuration object was assigned to “All Devices” or “All Users” rather than to your specific group, it will not appear in the per-group output, because that assignment does not reference your group at all.
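Both pitfalls come down to the target type that Graph returns on each assignment. The following added example (not the script's own code) classifies those targets so that exclusions and tenant-wide assignments are reported next to direct includes, using the same URI segments as the Get-Topic call. The function names `Resolve-AssignmentTarget` and `Get-TopicAssignment`, the use of the beta endpoint, the `displayName` property and the sample GUIDs are assumptions made for illustration.

```powershell
# Added example, not part of Get-AllAadGroupAssignments; function names are hypothetical.
function Resolve-AssignmentTarget {
    # Classify one Graph assignment object relative to the group being audited.
    param([Parameter(Mandatory)]$Assignment, [Parameter(Mandatory)][string]$GroupId)
    $t = $Assignment.target
    switch ($t.'@odata.type') {
        '#microsoft.graph.groupAssignmentTarget'            { if ($t.groupId -eq $GroupId) { 'Include' } }
        '#microsoft.graph.exclusionGroupAssignmentTarget'   { if ($t.groupId -eq $GroupId) { 'Exclude' } }
        '#microsoft.graph.allDevicesAssignmentTarget'       { 'All Devices (tenant-wide)' }
        '#microsoft.graph.allLicensedUsersAssignmentTarget' { 'All Users (tenant-wide)' }
    }
}

function Get-TopicAssignment {
    # Walk one object type, using the same URI segments as the Get-Topic call above.
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [string]$Uri = 'deviceManagement',
        [string]$Type = 'deviceHealthScripts',
        [string]$UriAssignment = 'assignments'
    )
    $base = "https://graph.microsoft.com/beta/$Uri/$Type"
    $next = $base
    while ($next) {
        # Follow @odata.nextLink so a large tenant is not cut off after the first page.
        $page = Invoke-MgGraphRequest -Method GET -Uri $next -OutputType PSObject
        foreach ($item in $page.value) {
            $res = Invoke-MgGraphRequest -Method GET -Uri "$base/$($item.id)/$UriAssignment" -OutputType PSObject
            foreach ($a in $res.value) {
                $kind = Resolve-AssignmentTarget -Assignment $a -GroupId $GroupId
                if ($kind) {
                    [pscustomobject]@{ Type = $Type; Name = $item.displayName; Target = $kind }
                }
            }
        }
        $next = $page.'@odata.nextLink'
    }
}

# Offline check with constructed assignment objects (the GUIDs are placeholders).
$gid = '11111111-1111-1111-1111-111111111111'
$sample = @(
    @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $gid } }
    @{ target = @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'; groupId = $gid } }
    @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = '22222222-2222-2222-2222-222222222222' } }
    @{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }
)
$sample | ForEach-Object { Resolve-AssignmentTarget -Assignment $_ -GroupId $gid }
# Live use: Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All','Group.Read.All'
#           Get-TopicAssignment -GroupId '<group object ID>'
```

The third constructed assignment targets a different group and therefore produces no output, while the All Devices entry is reported regardless of the group ID.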
Final thoughts on the Intune Group Assignment Script
The new Intune Group Assignment Script turns a tedious, error-prone task into a single command. Whether you are cleaning up unused groups, auditing assignments, or documenting your environment, this updated tool gives you a complete picture in seconds. Give the Intune Group Assignment Script a try and let me know which configuration objects you would like to see added next.
Thanks for your work 🙂
I don’t know if it’s already done, but it would also be good to be able to filter by one specific user or one specific device to see all deployments they get, for troubleshooting purposes. Thanks for your work
Hi, do we have a script to include filters in assignments?