Functions/Get-IntuneDeviceConfigurationPolicyAssignmentReport.ps1
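function Get-IntuneDeviceConfigurationPolicyAssignmentReport {
    <#
    .SYNOPSIS
    Builds a matrix of Intune configuration policies and the targets they are assigned to.

    .DESCRIPTION
    Reads device configurations and, when -OS is omitted or "Windows", also group policy
    configurations, configuration policies and intents from the Microsoft Graph beta
    endpoint. It then reads the assignments of every policy and returns one object per
    policy with the columns ConfigName, ConfigId, Type, AllUsers, AllDevices and one
    column per assigned group. A cell holds "included" or "excluded", followed by the
    assignment filter when one is attached.

    Completeness matters when this report is used to audit policy scope, so:
      * every collection is read page by page (@odata.nextLink is followed);
      * a group that cannot be resolved is reported with a warning and still gets a
        column, named after its object id, instead of silently disappearing.

    The function assumes an authenticated Graph session already exists; it does not
    connect or request scopes itself.

    .PARAMETER OS
    Restricts the device configurations to the '@odata.type' values listed for that
    platform. The filter is applied to deviceConfigurations only: with "Windows", group
    policy configurations, configuration policies and intents are added unfiltered.

    .OUTPUTS
    One psobject per policy, sorted by ConfigName.
    #>
    [CmdletBinding()]
    param (
        [Parameter()]
        [ValidateSet("Windows", "iOS", "Android")]
        [string]
        $OS
    )

    # Reads a Graph collection completely. Graph pages its results; reading only the
    # first page would silently drop policies or assignments from the report.
    function Get-GraphCollection {
        param ([string] $Uri)

        $Items = New-Object 'System.Collections.Generic.List[object]'
        $Next = $Uri
        while ($Next) {
            $Page = Invoke-GraphRequest -Uri $Next
            foreach ($Item in @($Page.value)) {
                if ($null -ne $Item) { $Items.Add($Item) }
            }
            $Next = $Page.'@odata.nextLink'
        }
        return $Items.ToArray()
    }

    # Emits one flat row per assignment of every policy in the given Graph collection.
    function Get-PolicyAssignmentRow {
        param ([object[]] $Policy, [string] $Collection)

        foreach ($p in $Policy) {
            $Uri = "https://graph.microsoft.com/Beta/deviceManagement/$Collection/$($p.id)/assignments"
            foreach ($a in @(Get-GraphCollection -Uri $Uri)) {
                New-Object -TypeName psobject -Property ([ordered]@{
                        ConfigId   = $p.id
                        type       = $a.target.'@odata.type'
                        AadGroup   = $a.target.groupId
                        FilterId   = $a.target.deviceAndAppManagementAssignmentFilterId
                        FilterType = $a.target.deviceAndAppManagementAssignmentFilterType
                    })
            }
        }
    }

    # '@odata.type' values that count as a device configuration of each platform.
    $ConfigTypes = @{
        Windows = @(
            "#microsoft.graph.windowsUpdateForBusinessConfiguration"
            "#microsoft.graph.windows10CustomConfiguration"
            "#microsoft.graph.windows10GeneralConfiguration"
            "#microsoft.graph.windowsDeliveryOptimizationConfiguration"
            "#microsoft.graph.windows10EasEmailProfileConfiguration"
            "#microsoft.graph.windows10EndpointProtectionConfiguration"
            "#microsoft.graph.sharedPCConfiguration"
            "#microsoft.graph.windows81TrustedRootCertificate"
            "#microsoft.graph.windowsWifiConfiguration"
        )
        Android = @(
            "#microsoft.graph.androidDeviceOwnerWiFiConfiguration"
            "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration"
        )
        iOS     = @(
            "#microsoft.graph.iosWiFiConfiguration"
            "#microsoft.graph.iosGeneralDeviceConfiguration"
        )
    }

    $AssignmentFilters = @(Get-GraphCollection -Uri "https://graph.microsoft.com/beta/deviceManagement/assignmentFilters")

    $Configs = @(Get-GraphCollection -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations")
    $Configs | Add-Member -MemberType NoteProperty -Name "type" -Value "deviceConfigurations"

    # Start from empty arrays so that nothing null is appended to the policy list when
    # these collections are skipped (that produced blank rows for -OS iOS / Android).
    $GpConfigs = @()
    $configurationPolicies = @()
    $intents = @()

    if ((!$OS) -or ($OS -eq "Windows")) {
        $GpConfigs = @(Get-GraphCollection -Uri "https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations")
        $GpConfigs | Add-Member -MemberType NoteProperty -Name "type" -Value "groupPolicyConfigurations"

        $configurationPolicies = @(Get-GraphCollection -Uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies")
        $configurationPolicies | Add-Member -MemberType NoteProperty -Name "type" -Value "configurationPolicies"

        $intents = @(Get-GraphCollection -Uri "https://graph.microsoft.com/beta/deviceManagement/intents")
        $intents | Add-Member -MemberType NoteProperty -Name "type" -Value "intents"
    }

    if ($OS) {
        $Configs = @($Configs | Where-Object { $ConfigTypes[$OS] -contains $_.'@odata.type' })
    }

    $ConfigAssignments = @(
        Get-PolicyAssignmentRow -Policy $Configs -Collection "deviceConfigurations"
        Get-PolicyAssignmentRow -Policy $GpConfigs -Collection "groupPolicyConfigurations"
        Get-PolicyAssignmentRow -Policy $configurationPolicies -Collection "configurationPolicies"
        Get-PolicyAssignmentRow -Policy $intents -Collection "intents"
    )

    $AllConfigs = @($Configs) + @($GpConfigs) + @($configurationPolicies) + @($intents)

    # Resolve every targeted group once. A group that cannot be read is kept by id so
    # that the policies assigned to it do not look unassigned in the report.
    $GroupIds = @(
        $ConfigAssignments |
            ForEach-Object { $_.AadGroup } |
            Where-Object { $_ } |
            Select-Object -Unique
    )

    $AadGroups = @()
    $UnresolvedGroupIds = @()
    foreach ($GroupId in $GroupIds) {
        $Group = $null
        try {
            $Group = Get-MgGroup -GroupId $GroupId -ErrorAction Stop
        }
        catch {
            Write-Warning "Group '$GroupId' could not be resolved ($($_.Exception.Message)); its column is named after the object id."
        }

        if ($Group) { $AadGroups += $Group } else { $UnresolvedGroupIds += $GroupId }
    }
    $AadGroups = @($AadGroups | Sort-Object DisplayName)

    # Map group id -> column name. Display names are not unique, and a group may share
    # its name with a fixed column; adding the same key twice would throw, so colliding
    # names get the object id appended.
    $FixedColumns = @("ConfigName", "ConfigId", "Type", "AllUsers", "AllDevices")
    $GroupColumn = @{}
    $GroupColumnNames = @()
    foreach ($ag in $AadGroups) {
        $Column = $ag.DisplayName
        if (-not $Column) { $Column = "$($ag.Id)" }
        if (($FixedColumns -contains $Column) -or ($GroupColumnNames -contains $Column)) {
            $Column = "$Column ($($ag.Id))"
        }
        $GroupColumnNames += $Column
        $GroupColumn[$ag.Id] = $Column
    }
    foreach ($GroupId in $UnresolvedGroupIds) {
        $Column = "$GroupId"
        if (($FixedColumns -contains $Column) -or ($GroupColumnNames -contains $Column)) {
            $Column = "$Column (unresolved)"
        }
        $GroupColumnNames += $Column
        $GroupColumn[$GroupId] = $Column
    }

    $Output = foreach ($c in $AllConfigs) {
        if ($c.'@odata.type') { $type = $c.'@odata.type' } else { $type = $c.type }

        # Reset per policy: a policy without a name must not inherit the previous one.
        $ConfigName = $null
        if ($c.displayName) { $ConfigName = $c.displayName }
        elseif ($c.name) { $ConfigName = $c.name }

        $Properties = [ordered]@{
            ConfigName = $ConfigName
            ConfigId   = $c.id
            Type       = $type
            AllUsers   = $null
            AllDevices = $null
        }
        foreach ($Column in $GroupColumnNames) {
            $Properties.Add($Column, $null)
        }

        foreach ($ca in @($ConfigAssignments | Where-Object ConfigId -EQ $c.id)) {
            # The filter text is derived for every assignment, including the all-users
            # and all-devices targets, so it never carries over from an earlier one.
            $FilterTxt = ""
            if ($ca.FilterId) {
                $ThisFilter = $AssignmentFilters | Where-Object id -EQ $ca.FilterId
                $FilterTxt = " (Filter: $($ca.FilterType): $($ThisFilter.displayName))"
            }

            if ($ca.AadGroup) {
                $AssignmentType = switch ($ca.type) {
                    "#microsoft.graph.exclusionGroupAssignmentTarget" { "excluded" }
                    "#microsoft.graph.groupAssignmentTarget" { "included" }
                    default { $null }
                }

                $Column = $GroupColumn[$ca.AadGroup]
                if ($Column) {
                    $Properties[$Column] = "$($AssignmentType)$($FilterTxt)"
                }
            }
            else {
                if ($ca.type -eq "#microsoft.graph.allLicensedUsersAssignmentTarget") {
                    $Properties["AllUsers"] = "included$($FilterTxt)"
                }
                if ($ca.type -eq "#microsoft.graph.allDevicesAssignmentTarget") {
                    $Properties["AllDevices"] = "included$($FilterTxt)"
                }
            }
        }

        New-Object -TypeName psobject -Property $Properties
    }

    $Output = $Output | Sort-Object ConfigName
    return $Output
}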