Backup and Restore your Microsoft Intune configuration with PowerShell!

Today, I would like to share the release of my MSGraphFunctions and IntuneBackupAndRestore PowerShell Modules on the PowerShell Gallery with you!

Even more, in this blog post I will walk you through how to get started backing up and restoring your Microsoft Intune configuration.

Features

First of all, new features will be added to the IntuneBackupAndRestore module on a regular basis. Be sure to check out what Intune configurations are supported for backup and restore actions on GitHub!

List of features at the time of writing this post

Prerequisites

Start by installing the required PowerShell Modules.

Open up a PowerShell prompt (as Administrator) and install the MSGraphFunctions and IntuneBackupAndRestore PowerShell Modules, which I have released on the PowerShell Gallery.

Note: These modules require that you have either the AzureAD or AzureADPreview module installed. Furthermore, the IntuneBackupAndRestore module is dependent on the MSGraphFunctions module.

Now import the modules and you are good to go!

Connect to Microsoft Graph

First of all, the MSGraphFunctions PowerShell Module contains two functions to connect to Microsoft Graph: one using delegated permissions (Connect-Graph) and one using application permissions (Connect-GraphApplication).

Because application permissions are insufficient for the Intune backup & restore actions, we will be using delegated permissions.

Connect-Graph leverages the application ID of the default “Microsoft Intune PowerShell” application in AzureAD by default, so you don’t need to create your own application.

Now, let’s get authenticated with Microsoft Graph!

If all went well, you will now be successfully connected to Microsoft Graph using delegated permissions!

Backing up Intune configuration

Now that you have connected to Microsoft Graph, it’s time to back up that Intune configuration!

As a result, your Intune configuration will be backed up to JSON files in the specified path. Looking for the PowerShell script content of uploaded scripts? It’s there as well!
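The prerequisites, connection and backup steps above, as one added example (not a script from the original post). It assumes the cmdlet names used on this page (Connect-Graph from MSGraphFunctions, Start-IntuneBackup -Path from IntuneBackupAndRestore) and writes each backup to its own dated folder so that later backups can be compared.

```powershell
# Added example, not part of the original post.
# Assumes Connect-Graph (MSGraphFunctions) and Start-IntuneBackup -Path (IntuneBackupAndRestore);
# check Get-Command -Module IntuneBackupAndRestore if your module version names them differently.

# One-time setup, from an elevated PowerShell prompt. AzureAD (or AzureADPreview) is required
# by MSGraphFunctions, and IntuneBackupAndRestore depends on MSGraphFunctions.
Install-Module -Name AzureAD -Scope AllUsers
Install-Module -Name MSGraphFunctions -Scope AllUsers
Install-Module -Name IntuneBackupAndRestore -Scope AllUsers

# Every session: import the modules so that Connect-Graph and the backup cmdlets are available.
Import-Module -Name MSGraphFunctions
Import-Module -Name IntuneBackupAndRestore

# Delegated permissions: sign in as an account that holds the Intune administrators role.
# Get-Credential prompts securely; never hard-code the password in the script.
$credential = Get-Credential -Message 'Intune administrator account'
Connect-Graph -Credential $credential

# One dated folder per backup, e.g. C:\IntuneBackup\2019-07-12_0900, so backups can be diffed later.
$backupRoot = 'C:\IntuneBackup'
$backupPath = Join-Path -Path $backupRoot -ChildPath (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null
Start-IntuneBackup -Path $backupPath

# Sanity check after the run: how many JSON files were written per configuration type,
# and do they all parse? A file that fails ConvertFrom-Json points at an interrupted backup.
Get-ChildItem -Path $backupPath -Recurse -Filter *.json |
    Group-Object { $_.Directory.Name } |
    Select-Object @{ n = 'ConfigurationType'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

$broken = Get-ChildItem -Path $backupPath -Recurse -Filter *.json | Where-Object {
    try { Get-Content -Path $_.FullName -Raw | ConvertFrom-Json | Out-Null; $false }
    catch { $true }
}
if ($broken) { Write-Warning "Unparseable backup files: $($broken.FullName -join ', ')" }
else         { Write-Host "Backup written to $backupPath" }
```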

Comparing backup files

Before heading on to restoring your Intune configuration from backup, I would like to show you a helper function that identifies changes between backup files.

In this scenario, I have backed up my Intune configuration before making any changes. I then changed a Device Configuration profile, setting some values for the Xbox Service, as shown in the screenshots below.

Old settings
New settings

Now, if I take another backup, I am able to compare the differences between the files using the Compare-IntuneBackupFile cmdlet.

Comparing Intune Backup Files

As you can see in the image above, the previous and current values of the settings are displayed. Also, the lastModifiedDateTime and version number of the Device Configuration profile are displayed.
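Compare-IntuneBackupFile works on one pair of files; the function below (an added example, not code from the module or the post) runs it across two dated backup folders and also reports profiles that exist in only one of them. It assumes Compare-IntuneBackupFile takes -ReferenceFilePath and -DifferenceFilePath; verify the parameter names with Get-Help Compare-IntuneBackupFile for your module version.

```powershell
# Added example, not part of the original post or the IntuneBackupAndRestore module.
# Assumption: Compare-IntuneBackupFile -ReferenceFilePath <old> -DifferenceFilePath <new>.
function Compare-IntuneBackupFolder {
    param(
        [Parameter(Mandatory)] [string] $ReferencePath,   # older backup folder
        [Parameter(Mandatory)] [string] $DifferencePath   # newer backup folder
    )
    # Index every JSON file by its path relative to the backup root,
    # e.g. "Device Configurations\Windows 10 - Xbox.json", so the same profile lines up in both sets.
    function Get-BackupIndex([string] $Root) {
        $root  = (Resolve-Path -Path $Root).Path.TrimEnd('\')
        $index = @{}
        Get-ChildItem -Path $root -Recurse -Filter *.json | ForEach-Object {
            $index[$_.FullName.Substring($root.Length + 1)] = $_.FullName
        }
        return $index
    }
    $ref = Get-BackupIndex -Root $ReferencePath
    $dif = Get-BackupIndex -Root $DifferencePath

    foreach ($key in (@($ref.Keys) + @($dif.Keys) | Sort-Object -Unique)) {
        if (-not $dif.ContainsKey($key)) {
            [pscustomobject]@{ File = $key; Status = 'Removed'; Diff = $null }; continue
        }
        if (-not $ref.ContainsKey($key)) {
            [pscustomobject]@{ File = $key; Status = 'Added'; Diff = $null }; continue
        }
        # Identical files need no diff: compare hashes first, call the cmdlet only on real changes.
        if ((Get-FileHash -Path $ref[$key]).Hash -eq (Get-FileHash -Path $dif[$key]).Hash) { continue }
        $diff = Compare-IntuneBackupFile -ReferenceFilePath $ref[$key] -DifferenceFilePath $dif[$key]
        [pscustomobject]@{ File = $key; Status = 'Changed'; Diff = $diff }
    }
}

# Usage: the backup taken before the Xbox change versus the one taken after it (folder names are examples).
Compare-IntuneBackupFolder -ReferencePath 'C:\IntuneBackup\2019-07-11_0900' `
                           -DifferencePath 'C:\IntuneBackup\2019-07-12_0900' |
    Format-List -Property File, Status, Diff
```

Run from a scheduled task, the Added/Removed/Changed list doubles as a change record for the tenant: an unexpected 'Changed' entry is worth a look before it is accepted as the new baseline.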

Restoring Intune configuration

For restoring the Intune configuration, there are a few options you can take.

  1. Restore the full Intune configuration with or without assignments;
    1. For a partial restore, move the JSON files that you don’t wish to restore to a directory other than the given path.
  2. Restore a subset of the Intune configuration using the individual cmdlets.

Note: Restoring configurations will not overwrite existing configurations, but creates new ones. Restoring assignments may overwrite existing assignments.
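A partial restore as described in option 1 above, written as an added example (not the module's own code): instead of moving files out of the backup, it copies only the selected JSON files into a separate staging folder, keeping the module's folder layout, and restores from that folder so the full backup stays intact. It assumes Start-IntuneRestoreConfig -Path is the full-restore cmdlet; confirm with Get-Command -Module IntuneBackupAndRestore.

```powershell
# Added example, not part of the original post or the module.
# Assumption: Start-IntuneRestoreConfig -Path <folder> restores every JSON file under <folder>
# using the same subfolder layout that the backup created (e.g. "Device Configurations").
function New-IntunePartialRestoreSet {
    param(
        [Parameter(Mandatory)] [string]   $BackupPath,        # full, untouched backup folder
        [Parameter(Mandatory)] [string]   $StagingPath,       # folder to restore from (created if missing)
        [Parameter(Mandatory)] [string[]] $Subfolders,        # e.g. 'Device Configurations'
        [string[]] $NameLike = @('*')                         # wildcard(s) matched against the file name
    )
    $root = (Resolve-Path -Path $BackupPath).Path.TrimEnd('\')
    New-Item -ItemType Directory -Path $StagingPath -Force | Out-Null

    $selected = foreach ($sub in $Subfolders) {
        Get-ChildItem -Path (Join-Path -Path $root -ChildPath $sub) -Recurse -Filter *.json -ErrorAction SilentlyContinue |
            Where-Object { $file = $_; $NameLike | Where-Object { $file.BaseName -like $_ } }
    }
    foreach ($f in $selected) {
        # Preserve "<subfolder>\<profile>.json" so the restore cmdlet finds the file where it expects it.
        $relative = $f.FullName.Substring($root.Length + 1)
        $dest     = Join-Path -Path $StagingPath -ChildPath $relative
        New-Item -ItemType Directory -Path (Split-Path -Path $dest -Parent) -Force | Out-Null
        Copy-Item -Path $f.FullName -Destination $dest -Force
    }
    # Return what was staged so the operator can review the list before restoring.
    $selected | ForEach-Object { $_.FullName.Substring($root.Length + 1) }
}

# Example: stage only the Device Configuration profiles whose name contains "Xbox" (constructed pattern).
$staged = New-IntunePartialRestoreSet -BackupPath 'C:\IntuneBackup\2019-07-12_0900' `
                                      -StagingPath 'C:\IntuneBackup\restore-xbox' `
                                      -Subfolders 'Device Configurations' -NameLike '*Xbox*'
$staged

# Restore creates new objects rather than overwriting existing ones (see the note above),
# so expect duplicates if profiles with the same name still exist in the tenant.
if ($staged) { Start-IntuneRestoreConfig -Path 'C:\IntuneBackup\restore-xbox' }
else         { Write-Warning 'Nothing matched; no restore started.' }
```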

Wrapping up!

You can use this PowerShell module to back up an Intune configuration in one tenant and restore it in another tenant. However, assignments cannot be restored in another tenant out-of-the-box, as references to Object IDs of Azure AD groups cannot be translated one to one across tenants.

Finally, if you experience any bugs or have any feature requests, feel free to create an issue on the corresponding GitHub projects. I’d be happy to answer any questions on my blog too!

22 thoughts on “Backup and Restore your Microsoft Intune configuration with PowerShell!”

  1. Great stuff! We found some configuration profiles in our environment that had / in the name, which the script does not like. Assuming \ would have same issue but have not tested. Luckily not many, so we can adjust on our end – but figured I would pass along the info:

    Backing Up – Device Configuration: iOS – Policy/Test – Non-Standard
    Out-File : Could not find a part of the path ‘C:\users\blah\Documents\Intune\IntuneBackup\Device Configurations\iOS – Policy\Test – Non-Standard.json’.
    At C:\Program Files\WindowsPowerShell\Modules\IntuneBackupAndRestore\1.1.0\Public\Invoke-IntuneBackupDeviceConfiguration.ps1:32
    char:49
    + … rtTo-Json | Out-File -FilePath “$path\Device Configurations\$($device …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OpenError: (:) [Out-File], DirectoryNotFoundException
    + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

    1. Hi Josh,

      Thanks for using the module and letting me know about this issue. Of course, Windows does not accept file names with those characters! I will investigate later and see if I’ll add it as a Known Issue or come up with a workaround to replace invalid characters.

      Regards,

      John

  2. Hi John,

    I am trying to use these scripts, however I am running into an issue where the tenant does not seem to have an app named Microsoft Intune PowerShell. I get the following exception on line 61 of the Connect-Graph cmdlet:

    System.AggregateException: One or more errors occurred. —> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS65001: The user or administrator has not consented to use the application with ID ‘d1ddf0e4-d672-4dae-b554-9d5bdfd93547’ named ‘Microsoft Intune PowerShell’. Send an interactive authorization request for this user and resource.

    Although the error seems to imply insufficient permissions, the entire app is unavailable in the tenant I am working with. I checked in a different tenant as well and there the app was not present either.

    Any suggestion on how to work around this? Maybe manually add the app?

    1. Hi Jelle!

      Good question! The “Microsoft Intune PowerShell” application has a “Well-known identifier” that is created automatically by Microsoft. My scripts use non-interactive authentication which does not trigger the application creation, it expects the application to already be present. Might add a switch to force interactive authentication to my MSGraphFunctions module later, to trigger the application creation.

      If the application is missing in your (new) tenant, I’d suggest to install the Intune-PowerShell-SDK (Install-Module -Name Microsoft.Graph.Intune) and connect to Microsoft Graph once with the “Connect-MSGraph -AdminConsent” cmdlet. I believe this is one of several ways to trigger the creation of the Enterprise Application.

      Please let me know if the solution provided is working for you!

        1. You’re welcome! FYI: I have also updated the MSGraphFunctions module now to support the automated creation of the “Microsoft Intune PowerShell” Enterprise Application and added support for accounts with Multi-Factor Auth enabled by default!

  3. I got this error message:
    Connect-Graph : Authorization Access Token is null, please re-run authentication…
    At line:4 char:1
    + Connect-Graph -Credential $Credential
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Connect-Graph

  4. Hi, I’m getting this error when executing Start-IntuneRestoreAssignments (the configurations are restoring fine):

    MacOS Test – Successfully restored Device Compliance Policy Android Enterprise – Test – Successfully restored Device Configuration
    Invoke-IntuneRestoreGroupPolicyAssignment : The term ‘Invoke-IntuneRestoreGroupPolicyAssignment’ is not recognized as
    the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was
    included, verify that the path is correct and try again.
    At C:\Program Files\WindowsPowerShell\Modules\IntuneBackupAndRestore\1.3.1\Public\Start-IntuneRestoreAssignments.ps1:36 char:5
    + Invoke-IntuneRestoreGroupPolicyAssignment -Path $path -RestoreByI …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Invoke-IntuneRe…olicyAssignment:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    1. Hi Jean,

      Thank you for reporting the issue. I have been able to reproduce and fix the issue in the v1.3.2 release of the IntuneBackupAndRestore PowerShell Module (Update-Module -Name IntuneBackupAndRestore).

      I’d be happy to hear if the issue is resolved for you.

      Regards,

      John

  5. Hello Jean
    thank you for the great script, it works ;-) I have a question: is it also possible to save / restore Home Deployment profiles? Located here:

    Microsoft Intune->
    ->Device enrollment – Windows enrollment
    ->Windows Autopilot deployment profiles

    thx a lot
    Marcel

  6. Hi John,

    I’m stuck right at the first part. The modules install correctly but I cannot call Connect-Graph it just says it is not recognized as the name of a cmdlet.

    Can you help?

    1. Hi Joshua,

      After installing the PowerShell Module you may need to import it with Import-Module MSGraphFunctions cmdlet.

      When the PowerShell Module is imported in your PowerShell session, you should be able to run the Connect-Graph cmdlet.

      Regards,

      John

  7. Hi John,
    I have a question regarding permissions that I hope you could answer.
    When using delegated permissions to connect to Microsoft Graph, what are the minimum rights a user needs for doing the backup and restore?
    The reason I’m asking is because I’m thinking of setting up a service account that will run on a task scheduler.

    1. Hi Jacko,

      Depending on what items you want to back up or restore, different permissions are required. I’d suggest assigning the “Intune administrators” directory role to a service account. You can add a custom Intune RBAC role, but know that it will need permissions for the items that you are trying to back up or restore.

      Regards,

      John

  8. Hi,

    Thanks for this it works great for me but I’m trying to get it running under a service account for a scheduled task. What rights do I need to give the account for it to work?
    Getting this after giving the account intune admin rights

    Successfully connected to Microsoft Graph! (Tenant ID: 856f90cd-2278-4194-82cd-f13fab22965a)
    Get-GraphClientApp : Request to https://graph.microsoft.com/beta/deviceAppManagement/mobileApps?$top=999 failed with HTTP Status Unauthorized Unauthorized.
    Response content:
    {
    “error”: {
    “code”: “UnknownError”,
    “message”: “{\”ErrorCode\”:\”Forbidden\”,\”Message\”:\”{\\r\\n \\\”_version\\\”: 3,\\r\\n \\\”Message\\\”: \\\”An error has occurred – Operation ID (for customer
    support): 00000000-0000-0000-0000-000000000000 – Activity ID: b1a7fac2-d74f-455b-85f8-d08a9176e706 – Url:
    https://fef.msub03.manage.microsoft.com/AppLifecycle/StatelessAppMetadataFEService/deviceAppManagement/mobileApps?api-version=5019-05-23&$top=999\\\”,\\r\\n
    \\\”CustomApiErrorPhrase\\\”: \\\”\\\”,\\r\\n \\\”RetryAfter\\\”: null,\\r\\n \\\”ErrorSourceService\\\”: \\\”\\\”,\\r\\n \\\”HttpHeaders\\\”:
    \\\”{\\\\\\\”WWW-Authenticate\\\\\\\”:\\\\\\\”Bearer realm=\\\\\\\\\\\\\\\”urn:intune:service,9225b241-44e1-44a8-8bfe-c10e39177505,f0f3c450-59bf-4f0d-b1b2-0ef84ddfe3c7\\
    \\\\\\\\\\\\\”\\\\\\\”}\\\”\\r\\n}\”,\”Target\”:null,\”Details\”:null,\”InnerError\”:null,\”InstanceAnnotations\”:[]}”,
    “innerError”: {
    “request-id”: “b1a7fac2-d74f-455b-85f8-d08a9176e706”,
    “date”: “2019-07-12T09:46:48”
    }
    }
    }
    At C:\Program Files\WindowsPowerShell\Modules\IntuneBackupAndRestore\1.3.2\Public\Invoke-IntuneBackupClientAppAssignment.ps1:28 char:19
    + $clientApps = Get-GraphClientApp
    + ~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-GraphClientApp

    1. Hi Michael,

      Not sure where it went wrong there. I just created a test user and added it to the “Intune administrators” directory role, and was successfully able to run the Get-GraphClientApp cmdlet. There are some docs that say users with this role or RBAC roles require a license, though.

      Regards,

      John
