How to Effectively Manage Microsoft Intune Application Assignments with PowerShell and the Microsoft Graph API

In large-scale Microsoft Intune deployments, you’ll typically find both production and development tenants. For effective application testing, you’ll need to assign your applications to test groups of devices or users. Performing this process manually can be time-consuming and repetitive. To simplify the mass addition of a group for application deployment, you can leverage the Intune PowerShell SDK.  

Connecting to Intune PowerShell  

Download the Intune PowerShell SDK and follow the configuration steps in the “Getting started” section of the documentation. As of this writing, high-level steps for configuration are: 

  • Install the Microsoft.Graph.Intune module. The module can be installed in a few different ways, but the easiest method is from the PowerShell Gallery via:
Install-Module -Name Microsoft.Graph.Intune
  • Perform admin consent for the module. After installation, you’ll be prompted to consent to the tools to access your Azure and Intune environments. You’ll need an account with the appropriate roles to approve consent. 
  • Run the Connect-MSGraph command. When connecting, you’ll be prompted for Intune administrator credentials. 

Scripting Application Assignments 

Next, you’ll need to retrieve a list of all Intune applications. If Win32 applications are part of your desired pool, you’ll need to connect to the MSGraph beta schema: 

Update-MSGraphEnvironment -SchemaVersion beta -Quiet

To retrieve all applications: 

$AllApps = Get-DeviceAppManagement_MobileApps

Next, define the group you want to apply: 

$GrouptoAssign = Get-Groups -Filter "displayName eq 'New-Device-Group'"

Once you have all the applications, you need to limit the scope of which applications you’ll be updating. In the lab environment, applications are assigned to groups of collections. 

$GroupScope = Get-Groups -Filter "displayName eq 'Existing-Device-Group'"

The following code searches for a known group ID that will be the target modification pool. If you want to deploy to all applications, you can remove the if statement from the snippet. 

foreach ($App in $AllApps) {
    # List the current assignments for this application
    Get-DeviceAppManagement_MobileApps_Assignments -mobileAppId $App.mobileAppId | foreach {
        # Only act on applications already assigned to the scoping group
        if ($_.target.groupId -eq $GroupScope.groupId) {
            # Add the new group with the same intent as the existing assignment
            New-DeviceAppManagement_MobileApps_Assignments -mobileAppId $App.mobileAppId -intent $_.intent -target (New-DeviceAndAppManagementAssignmentTargetObject -groupAssignmentTarget -groupId $GrouptoAssign.groupId)
        }
    }
}

Similarly, if you need to remove a group from a set of applications, you can find the group that needs to be removed: 

$GroupScope = Get-Groups -Filter "displayName eq 'Existing-Device-Group'"

Next, cycle through all the applications and remove that group: 

foreach ($App in $AllApps) {
    # List the current assignments for this application
    Get-DeviceAppManagement_MobileApps_Assignments -mobileAppId $App.mobileAppId | foreach {
        # Remove only the assignment that targets the scoping group
        if ($_.target.groupId -eq $GroupScope.groupId) {
            Remove-DeviceAppManagement_MobileApps_Assignments -mobileAppId $App.mobileAppId -mobileAppAssignmentId $_.id
        }
    }
}

Note that the new group will retain the same “intent” as the referenced group (e.g., Required). 
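
As an added example (not from the original post or the SDK documentation), the add loop above can be wrapped in a function that honors -WhatIf, skips applications already assigned to the new group, and returns one record per application for review before any change is made. The function name and output fields are hypothetical; it assumes the connected session and the $AllApps, $GroupScope and $GrouptoAssign variables defined earlier, and that include-group targets carry Graph's #microsoft.graph.groupAssignmentTarget type.

```powershell
# Added example: hypothetical helper, not part of the Intune PowerShell SDK.
function Copy-AppGroupAssignment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [object[]] $Apps,
        [Parameter(Mandatory)] [string]   $SourceGroupId,
        [Parameter(Mandatory)] [string]   $TargetGroupId
    )
    foreach ($App in $Apps) {
        $Assignments = @(Get-DeviceAppManagement_MobileApps_Assignments -mobileAppId $App.mobileAppId)

        # Match only "include" assignments of the scoping group. Exclusion targets
        # also carry a groupId and must not be copied as an include assignment.
        # Assumption: the SDK surfaces the Graph type in the '@odata.type' property.
        $Source = $Assignments | Where-Object {
            $_.target.groupId -eq $SourceGroupId -and
            $_.target.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget'
        } | Select-Object -First 1
        if (-not $Source) { continue }

        # Skip applications that already reference the new group in any assignment
        $Existing = $Assignments | Where-Object { $_.target.groupId -eq $TargetGroupId }
        $Action = if ($Existing) { 'Skipped' } else { 'Planned' }

        if (-not $Existing -and
            $PSCmdlet.ShouldProcess($App.displayName, "Assign group $TargetGroupId as $($Source.intent)")) {
            $Target = New-DeviceAndAppManagementAssignmentTargetObject -groupAssignmentTarget -groupId $TargetGroupId
            New-DeviceAppManagement_MobileApps_Assignments -mobileAppId $App.mobileAppId `
                -intent $Source.intent -target $Target | Out-Null
            $Action = 'Created'
        }

        # One record per in-scope application, suitable for review or change logging
        [pscustomobject]@{
            App = $App.displayName; AppId = $App.mobileAppId
            Intent = $Source.intent; Action = $Action
        }
    }
}

# Dry run first: nothing is written while -WhatIf is present
Copy-AppGroupAssignment -Apps $AllApps -SourceGroupId $GroupScope.groupId `
    -TargetGroupId $GrouptoAssign.groupId -WhatIf | Format-Table
```

Run it again without -WhatIf once the table shows only the applications and intents you expect.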

Automate More Tasks 

The Microsoft Graph API and the Intune PowerShell SDK can be daunting to navigate. The number of tasks you can complete with the Graph API is growing almost daily. Managing application assignments with the Graph API is just one example. The Graph API is also a foundation for automating more tasks with Intune and Microsoft 365.  

Need help with your Intune deployment or using the Microsoft Graph API? Contact the experts at Ravenswood Technology today! 

