Core enhancements: - Expanded default export/import scope to ~45 object types including DeviceManagementIntents - Added -AllPages pagination support across Graph queries for large tenants - Invoke-GraphRequest now throws on 4xx/5xx instead of silently returning null - Added macOS Keychain fallback for secret retrieval in headless auth flow - Added NameSearchPattern/NameReplacePattern mutation support through export/import forms New toolkit scripts: - Bulk-AppAssignment.ps1: bulk-assign apps to groups/All Users/All Devices - Bulk-AssignmentManager.ps1: add/remove assignments for any policy type with correct @odata.type - Backup-Restore-Assignments.ps1: JSON backup with cross-tenant group resolution - Export-AssignmentsToCsv.ps1: CSV/Markdown documentation output - Bulk-RenamePolicies.ps1: regex search/replace and prefix mutations - Bulk-DeviceOperations.ps1: delete/retire/wipe/lock/sync with -WhatIf safeguards - Start-IntuneManagementTui.ps1: interactive terminal UI for headless operations - Create-IntuneManagementApp.ps1: helper for app registration setup Updated existing scripts: - Export-Policies.ps1 / Import-Policies.ps1: wired mutation params through - Start-HeadlessIntune.ps1: integrated TUI and new parameter forwarding
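<#
.SYNOPSIS
Creates a Microsoft Entra app registration for headless Intune export/import.

.DESCRIPTION
Uses the Microsoft Graph PowerShell SDK to create an app, add the required Graph
application permissions (app roles), generate a client secret, and output the
values needed for AppOnly authentication.

The script only *requests* the permissions on the app registration. Admin
consent is not granted here; it must be given in the Entra portal afterwards.

The client secret is written to the console exactly once and cannot be read
back from Graph later. Anything that captures the console (Start-Transcript,
CI job logs, terminal scrollback) will contain it.

Requires: Microsoft.Graph.Authentication, Microsoft.Graph.Applications
Install if missing: Install-Module Microsoft.Graph -Scope CurrentUser

.PARAMETER DisplayName
Display name of the app registration to create.

.PARAMETER PermissionLevel
Which set of Graph app roles to request: Export (read-only), Import
(read/write), or Both (union of the two).

.PARAMETER SecretValidityMonths
Lifetime of the generated client secret in months. Defaults to 12, which
matches the previous hard-coded one-year expiry.
#>
[CmdletBinding()]
param(
    [string]$DisplayName = "IntuneManagement-Headless",

    [ValidateSet("Export","Import","Both")]
    [string]$PermissionLevel = "Both",

    [ValidateRange(1, 24)]
    [int]$SecretValidityMonths = 12
)

# Make Graph SDK errors terminating so a failed step (e.g. New-MgApplication)
# cannot fall through to later calls operating on a $null object.
$ErrorActionPreference = 'Stop'

$requiredModules = @("Microsoft.Graph.Authentication", "Microsoft.Graph.Applications")
foreach ($mod in $requiredModules) {
    if (-not (Get-Module $mod -ListAvailable)) {
        throw "Module '$mod' is not installed. Run: Install-Module Microsoft.Graph -Scope CurrentUser"
    }
}

Import-Module Microsoft.Graph.Authentication -Force
Import-Module Microsoft.Graph.Applications -Force

# Well-known application (client) id of Microsoft Graph. Used to look up its
# service principal (source of the app role ids) and as resourceAppId below.
$graphAppId = "00000003-0000-0000-c000-000000000000"

# Read-only roles sufficient for Export.
$exportRoles = @(
    "DeviceManagementApps.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementScripts.Read.All",
    "DeviceManagementServiceConfig.Read.All",
    "Group.Read.All",
    "Organization.Read.All"
)

# Read/write roles required for Import.
$importRoles = @(
    "DeviceManagementApps.ReadWrite.All",
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementScripts.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "Group.ReadWrite.All",
    "Organization.Read.All"
)

$roles = switch ($PermissionLevel) {
    "Export" { $exportRoles }
    "Import" { $importRoles }
    "Both"   { ($exportRoles + $importRoles) | Select-Object -Unique }
}

$connected = $false
try {
    Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Cyan
    Write-Host "A browser window will open for authentication." -ForegroundColor Cyan
    # NOTE(review): AppRoleAssignment.ReadWrite.All is not exercised by this
    # script (consent is granted manually in the portal). It can be dropped
    # from the requested scopes if that stays the case.
    Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All" -NoWelcome
    $connected = $true

    $graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
    if (-not $graphSp) {
        throw "Could not retrieve Microsoft Graph service principal."
    }

    # Resolve each role name to the app role id exposed by the Graph service
    # principal. Unknown names are skipped and reported at the end so the user
    # knows which permissions must be added by hand.
    $resourceAccess = @()
    $missingRoles = @()
    foreach ($roleName in $roles) {
        $appRole = $graphSp.AppRoles | Where-Object { $_.Value -eq $roleName } | Select-Object -First 1
        if (-not $appRole) {
            Write-Warning "Could not find app role: $roleName"
            $missingRoles += $roleName
            continue
        }
        $resourceAccess += @{
            id   = $appRole.Id
            type = "Role"
        }
    }
    if ($resourceAccess.Count -eq 0) {
        # An app with no Graph roles is useless for export/import; fail loudly
        # instead of creating it silently.
        throw "None of the requested app roles were found on the Graph service principal."
    }

    $appParams = @{
        DisplayName            = $DisplayName
        # Single-tenant: only accounts in this directory can use the app.
        SignInAudience         = "AzureADMyOrg"
        RequiredResourceAccess = @(@{
            resourceAppId  = $graphAppId
            resourceAccess = $resourceAccess
        })
    }

    Write-Host "Creating application '$DisplayName'..." -ForegroundColor Cyan
    $app = New-MgApplication @appParams

    Write-Host "Creating service principal..." -ForegroundColor Cyan
    $sp = New-MgServicePrincipal -AppId $app.AppId

    Write-Host "Adding client secret..." -ForegroundColor Cyan
    $passwordCred = @{
        displayName = "IntuneManagementSecret"
        endDateTime = (Get-Date).AddMonths($SecretValidityMonths)
    }
    $secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential $passwordCred

    Write-Host "`n=============================================================" -ForegroundColor Green
    Write-Host "App Registration created successfully!" -ForegroundColor Green
    Write-Host "=============================================================" -ForegroundColor Green
    Write-Host "TenantId : $(Get-MgContext | Select-Object -ExpandProperty TenantId)"
    Write-Host "AppId : $($app.AppId)"
    # The secret value is only available from this response; it is shown once.
    Write-Warning "The client secret below is displayed only once. Store it in a secret store now; it will also appear in any console transcript or log."
    Write-Host "Secret : $($secret.SecretText)"
    Write-Host "Expires : $($passwordCred.endDateTime)"
    Write-Host "=============================================================" -ForegroundColor Green
    Write-Host "IMPORTANT: Go to the Entra portal > API Permissions and click" -ForegroundColor Yellow
    Write-Host " 'Grant admin consent for <tenant>' before using" -ForegroundColor Yellow
    Write-Host " the app for Export or Import." -ForegroundColor Yellow
    if ($missingRoles.Count -gt 0) {
        Write-Warning "The following app roles were not found and must be added manually: $($missingRoles -join ', ')"
    }
    Write-Host "=============================================================" -ForegroundColor Green
}
finally {
    # Always drop the interactive session, including on the error path, so a
    # privileged Application.ReadWrite.All context is not left behind.
    if ($connected) {
        Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null
    }
}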