Version 3 Beta 1 - Complete re-write
This commit is contained in:
Micke
106
README.md
106
README.md
@@ -1,78 +1,96 @@
|
||||
# IntuneManagement with PowerShell and WPF UI
|
||||
|
||||
This PowerShell scripts are using Intune PowerShell module, Microsoft Graph APIs and AzureRM PowerShell module to manage objects in Intune and Azure. The scripts has a simple WPF UI and it supports operations like Export, Import, Copy and Download.
|
||||
These PowerShell scripts are using Microsoft Authentication Library (MSAL), Microsoft Graph APIs and Azure Management APIs to manage objects in Intune and Azure. The scripts has a simple WPF UI and it supports operations like Export, Import, Copy and Download.
|
||||
|
||||
This makes it easy to backup or clone a complete Intune environment. The scripts will export and import assignments and support import/export between environments. The scripts will create a migration table during export and use that for importing in other environments. It will create groups if they are missing in the environment for import.
|
||||
This makes it easy to backup or clone a complete Intune environment. The scripts can export and import objects including assignments and support import/export between tenants. The scripts will create a migration table during export and use that for importing assignments in other environments. It will create missing groups in the target environment during import. Group information like name, description and type will be imported based on the exported group e.g. dynamic groups are supported. There will be one json file for each group in the export folder.
|
||||
|
||||
The script also support dependencies e.g. an App Protection is depending on an App, Policy Sets are depending on Compliance Policies, objects has Scope Tags etc. Dependency support requires exported json files and that the dependency objects are imported in the environment. The script uses the exported json files to get the Id and name's of the exported object and uses that information and updates Id's before import an object from a json file. The Bulk Import form shows the import order of the objects. The objects with the lowest order number will be imported first.
|
||||
|
||||
|
||||
|
||||
**Note:** The base PowerShell script is only a host for extensions. It is only used as a framework for basic UI, logging etc. The functionality is located in the extension modules which makes it easy to add/remove features.
|
||||
This PowerShell application is based on the foundation modules CloudAPIPowerShellManagement and Core. These modules manages UI, settings, logging etc. The functionality for the application is located in the extension modules. This makes it easy to add/remove features, views etc. Additional features will be added...
|
||||
|
||||
**Security note:** Since the scripts are not signed, a warning might be display when running it and files might be blocked. The script will unblock all files. This is to avoid issues that it fails to load the MSAL library etc. If there are any security concerns, the PowerShell code can be reviewed. The DLL files are downloaded from Microsoft repositories, see links below. These files can be downloaded and replaced. The DLL files *CAN* be removed but MSAL is a pre-requisite for login. The script will try to find the DLL in the Az or MSAL.PS module if not found in the script root directory. DLL files are included to reduce dependencies.
|
||||
|
||||
## Change log
|
||||
**Version 2**
|
||||
See [Change Log](ReleaseNotes.md) for more information
|
||||
|
||||
**Breaking changes**
|
||||
* Removed support for AzureRM
|
||||
## Authentication
|
||||
See [MSAL Info](MSALInfo.md) for more information about authentication
|
||||
|
||||
**New features**
|
||||
* Support for Az module for Azure objects (Conditional access, Company Branding and MDM/MAM settings)
|
||||
* Reload - Reloads all modules
|
||||
|
||||
**Fixes**
|
||||
* Allow more than 9 Conditional Access policies. Issue [#5](https://github.com/Micke-K/IntuneManagement/issues/5)
|
||||
* Include WIP policies. Issue [#7](https://github.com/Micke-K/IntuneManagement/issues/7)
|
||||
* Import is not working. Issue [#6](https://github.com/Micke-K/IntuneManagement/issues/6) and [#4](https://github.com/Micke-K/IntuneManagement/issues/4)
|
||||
* Intune module can now be install with scope user. Issue [#8](https://github.com/Micke-K/IntuneManagement/issues/8)
|
||||
|
||||
## Intune objects
|
||||
* Administrative Templates
|
||||
* App Protection/Configuration policies
|
||||
## Supported Intune objects
|
||||
* App Configurations
|
||||
* App Protection
|
||||
* Applications
|
||||
* Apple Enrolment Types - NOT fully tested
|
||||
* Autopilot profiles
|
||||
* Baseline Security profiles
|
||||
* Compliance policies
|
||||
* Configuration Items
|
||||
* Enrollment Status Page profiles
|
||||
* Intune Branding (Company Portal)
|
||||
* PowerShell scripts (Supports download of PowerShell script)
|
||||
* Terms and Conditions
|
||||
|
||||
**Note:** The Intune PowerShell module are using the BETA version of the Graph API which might change at any time.
|
||||
|
||||
## Azure objects
|
||||
* Conditional Access
|
||||
* Company Branding
|
||||
* MDM/MAM app settings
|
||||
* Device Configuration (Administrative Templates, Configuration Policies, Android OEM Config, Settings Catalog)
|
||||
* Endpoint Security (Account Protection, Disk Encryption, Firewall, Security Baselines etc.)
|
||||
* Enrollment Restrictions
|
||||
* Enrollment Status Page profiles
|
||||
* Feature Updates
|
||||
* Intune Branding (Company Portal)
|
||||
* Locations
|
||||
* Named Locations
|
||||
* Policy Sets
|
||||
* Role Definitions
|
||||
* Scope Tags
|
||||
* Scripts (Supports download of PowerShell script)
|
||||
* Terms and Conditions
|
||||
* Update Policies
|
||||
|
||||
**Note:** Azure objects are not using the Microsoft Graph API. They are using undocumented APIs which might not be supported and change at any time.
|
||||
|
||||
## Prerequisites
|
||||
**Note:** The scripts are using the BETA version of the Graph API which might change at any time.
|
||||
|
||||
## Azure Management APIs
|
||||
* Tenants for the current user
|
||||
|
||||
**Note:** Azure Management APIs are undocumented APIs which might not be supported and they might change at any time.
|
||||
|
||||
## Pre-requisites
|
||||
* .Net 4.7
|
||||
* Intune PowerShell Module
|
||||
* Install by running 'Install-Module -Name Microsoft.Graph.Intune'
|
||||
* Az PowerShell Module
|
||||
* Install by running 'Install-Module -Name Az -AllowClobber'
|
||||
* Permissions in Azure to manage objects in Intune and Azure
|
||||
* PowerShell 5.1
|
||||
* MSAL
|
||||
* Microsoft.Identity.Client.dll version 4.29.0.0 is included in this version
|
||||
* License and permissions in Azure to manage objects in Intune and Azure
|
||||
|
||||
## References
|
||||
* [Microsoft Graph API](https://docs.microsoft.com/en-us/graph/api/overview?toc=./ref/toc.json&view=graph-rest-beta)
|
||||
* [Microsoft Intune PowerShell Module](https://github.com/microsoft/Intune-PowerShell-SDK)
|
||||
* [Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client/) (MSAL download)
|
||||
* [MSAL.PS Module](https://github.com/AzureAD/MSAL.PS)
|
||||
* [Az PowerShellModule](https://docs.microsoft.com/en-us/powershell/azure/new-azureps-module-az)
|
||||
* [Microsoft Intune PowerShell Module](https://github.com/microsoft/Intune-PowerShell-SDK)
|
||||
* [Microsoft.WindowsAPICodePack](https://www.nuget.org/packages/Microsoft-WindowsAPICodePack-Core) and [Microsoft.WindowsAPICodePack.Shell](https://www.nuget.org/packages/Microsoft-WindowsAPICodePack-Shell) for Browse Folder dialogs
|
||||
|
||||
## Acknowledgments
|
||||
The app enryption and upload is based on [PowerShell Intune Examples](https://github.com/microsoftgraph/powershell-intune-samples)
|
||||
The app encryption and upload is based on [Graph PowerShell Intune Examples](https://github.com/microsoftgraph/powershell-intune-samples)
|
||||
Some MSAL functionalities are based on [MSAL.PS Module](https://github.com/AzureAD/MSAL.PS)
|
||||
|
||||
## Known Issues
|
||||
The scripts are using two separate PowerShell modules for accessing Intune and Azure. This can cause multiple logins since they are authenticating to two different apps in azure and the authentication token for Intune PowerShell module have no permissions on the Azure objects.
|
||||
|
||||
The support for import/export between environments is limited. Only groups in assignments are supported in this version. Additional objects like users, locations, notifications etc. will not be migrated and might cause the import to fail.
|
||||
Device Configuration and App Configuration objects are split up in different object types. They are using different Graph APIs and each object type in the menu uses one API. This is also why all Endpoint Security objects are of the same object type. They use the same API but are separated based on the Baseline Template Id they us.
|
||||
|
||||
The script will create a group if it is missing in the destination environment. It will create a security group with manual assigned members. This might not always be the desired case e.g. original group was synched from AD or it was a dynamic group.
|
||||
Android Store Apps are **not** imported. The create method is documented in Microsoft Graph but it's not working. Looks like these apps must be synched from Google Play.
|
||||
|
||||
Using multiple tenants support causes multiple logins/consent prompts the first time if 'Microsoft Graph PowerShell' is used. Querying the API for tenant list uses a different scope that is not included by default in the 'Microsoft Graph PowerShell' app.
|
||||
|
||||
Using multiple tenants support *might* cause and endless loop in the login screen and cause duplicate accounts in token cache. Actual cause is not found yet but it happens on rare occasions and it looks like it happens when a guest account is used. Workaround: Cancel the login, restart the script, logout and restart the script again.
|
||||
|
||||
When multi tenant settings is Enabled/Disabled, the Profile Info is not updated until the account is changed or app is restarted. Profile Info popup is built after logon.
|
||||
|
||||
The list applications API might not list an imported app immediately after the import. Click Refresh to reload the application objects.
|
||||
|
||||
When using the filter box to search for items, the checkbox must be clicked twice to select an item.
|
||||
|
||||
Logout will only clear the token from cache and not from the browser e.g. if login is triggered after a logout, the user will still be listed in the 'Select user' dialog.
|
||||
|
||||
## TIP
|
||||
|
||||
Download [Microsoft.WindowsAPICodePack](https://www.nuget.org/packages/WindowsAPICodePack-Core) and [Microsoft.WindowsAPICodePack.Shell](https://www.nuget.org/packages/WindowsAPICodePack-Shell) and copy the DLLs into the script folder to get a nicer folder dialog.
|
||||
Check the log file for errors. The UI might not show errors why login failed etc. The log uses the Endpoint Configuration Manager (SCCM) format and it is best viewed with CMTrace. An old version can be downloaded [here](https://www.microsoft.com/en-us/download/confirmation.aspx?id=50012).
|
||||
|
||||
## License
|
||||
|
||||
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details
|
||||
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
|
||||
Reference in New Issue
Block a user