Intune Backups – Part 1: Intune Environment

For the next couple of posts I’m going to cover something close to the hearts of us all, backups!

Picture the scene: someone has accidentally deleted a reasonably complex Intune policy (worse still, a Custom one), and a critical one at that.

Now, obviously at this point we all fall back to the manual backup taken before making any changes, or the very thorough documentation we have and continually update, but just in case there has been a total outage to wherever these files are stored, wouldn’t it be great to have an automated backup!

For this I will be using the excellent Intune Backup and Restore module from John Seerden, together with PowerShell running in an Azure Automation account, to make it completely infrastructure-free!

First, let’s create the Azure Automation Account:

Search for Azure Automation in your Azure Portal and create the account:

Once that’s complete, we want to deploy the required modules to it.

In PowerShell Gallery select these two modules and deploy to Azure Automation:

https://www.powershellgallery.com/packages/Microsoft.Graph.Intune/6.1907.1.0

https://www.powershellgallery.com/packages/IntuneBackupAndRestore/3.2.0

Once deployed, we can reference them in our backup script.

We’re also going to need an Azure Storage blob to save the files in:

Add a container and note its name; we’ll need that later.

Next up, we need an AAD App Registration we can use to run the backups.

In Azure AD, create a new app registration:

Give it read-only application permissions to all of the Device Management options under Microsoft Graph.

Update 07/09/2022 – Thanks to Trevor in the comments for spotting this one. You will also need:

DeviceManagementConfiguration.ReadWrite.All

You’ll note the permissions still show as not granted, so you now need to click the Grant admin consent button.

Finally, create a client secret and save it, along with the App (client) ID and the tenant details, to use in the script.

We also need to give this app registration access to upload to the Azure Storage Account container, via IAM (Access control) within the storage account:

Plus the Reader role, so it can read the Storage Account details.

Grab the storage account key; you’ll need this later.

Now, back to the Azure Automation Account, and click Runbooks.

Create a new PowerShell Runbook.

Enter the PowerShell code below (or grab it from here), updating the fields at the top as required for your environment:

<#PSScriptInfo
.VERSION 1.0.1
.GUID 62e6e98b-8580-4c72-b9a4-05c7793a8532
.AUTHOR AndrewTaylor
.DESCRIPTION Automates Backup of Intune Environment
.COMPANYNAME
.COPYRIGHT GPL
.TAGS intune endpoint MEM environment
.LICENSEURI https://github.com/andrew-s-taylor/public/blob/main/LICENSE
.PROJECTURI https://github.com/andrew-s-taylor/public
.ICONURI
.EXTERNALMODULEDEPENDENCIES microsoft.graph.intune, intunebackupandrestore
.REQUIREDSCRIPTS
.EXTERNALSCRIPTDEPENDENCIES
.RELEASENOTES
.PRIVATEDATA
#>
<#

.DESCRIPTION
Automates Backup of Intune Environment via Intune Backup and Restore module with AAD App Registration, Azure Blob and Azure Automation Account

#>

## Modules: IntuneBackupAndRestore pulls in Microsoft.Graph.Intune; the Az modules are
## needed for Connect-AzAccount / New-AzStorageContext / Set-AzStorageBlobContent
Import-Module IntuneBackupAndRestore
Import-Module Az.Accounts
Import-Module Az.Storage

##############################################################################################################################################
##### UPDATE THESE VALUES ####################################################################################################################
##############################################################################################################################################
## Your Azure Tenant Name (e.g. contoso.onmicrosoft.com)
$tenant = "<YOUR TENANT NAME>"

## Your Azure Tenant ID
$tenantid = "<YOUR TENANT ID>"

## Your App Registration Details
$clientId = "<YOUR CLIENT ID>"
$clientSecret = "<YOUR CLIENT SECRET>"

## Your Storage Account Details
$storagegroup = "<YOUR STORAGE RESOURCE GROUP>"
$storageaccount = "<YOUR STORAGE ACCOUNT>"
$storagecontainer = "<YOUR STORAGE CONTAINER>"
$storagekey = "<YOUR STORAGE KEY>"

##############################################################################################################################################
##### DO NOT EDIT BELOW THIS LINE ############################################################################################################
##############################################################################################################################################
$authority = "https://login.windows.net/$tenant"

## Connect to MS Graph as the app registration (client credentials flow)
Update-MSGraphEnvironment -AppId $clientId -Quiet
Update-MSGraphEnvironment -AuthUrl $authority -Quiet
Update-MSGraphEnvironment -SchemaVersion "Beta" -Quiet
Connect-MSGraph -ClientSecret $clientSecret -Quiet

## Get Date (used to name the backup folder, one per day)
$date = Get-Date -Format "dd_MM_yyyy"

## Create temp folder inside the Automation sandbox
$tempFolder = New-Item -ItemType Directory -Force -Path "$env:TEMP\IntuneBackup$date"

## Backup locally (exports every supported Intune object type to JSON files)
Start-IntuneBackup -Path $tempFolder.FullName

## Connect to Azure with the same app registration as a service principal
$azurePassword = ConvertTo-SecureString $clientSecret -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($clientId, $azurePassword)
Connect-AzAccount -Credential $psCred -TenantId $tenantid -ServicePrincipal

## Convert Storage Account name to lowercase (just in case)
$storageaccount = $storageaccount.ToLower()

## Upload every exported file to the Azure Blob container
$files = $tempFolder.FullName
$context = New-AzStorageContext -StorageAccountName $storageaccount -StorageAccountKey $storagekey
Get-ChildItem -Path $files -File -Recurse | Set-AzStorageBlobContent -Container $storagecontainer -Context $context
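The runbook above keeps the client secret and storage key in the runbook body, where anyone with read access to the Automation account can see them. As an added example (not code from the original post), here is the same connect, backup and upload section rewritten to read those values from encrypted Azure Automation variables with Get-AutomationVariable, keep the daily folder structure as the blob prefix, and fail the job if any exported file did not reach the container. The variable names (IntuneBackup-TenantId, IntuneBackup-ClientId, IntuneBackup-ClientSecret, IntuneBackup-StorageAccount, IntuneBackup-Container, IntuneBackup-StorageKey) are assumptions; create them in the Automation account first, with the secret and key marked Encrypted.

```powershell
# Added example: secrets come from encrypted Automation variables rather than the runbook text.
# Variable names below are assumptions; create them under Shared Resources > Variables first.
Import-Module IntuneBackupAndRestore
Import-Module Az.Accounts
Import-Module Az.Storage

# Get-AutomationVariable is only available inside a runbook and is the only way to
# read an encrypted variable back, so the secret never appears in the runbook source.
$tenantid         = Get-AutomationVariable -Name 'IntuneBackup-TenantId'
$clientId         = Get-AutomationVariable -Name 'IntuneBackup-ClientId'
$clientSecret     = Get-AutomationVariable -Name 'IntuneBackup-ClientSecret'
$storageaccount   = (Get-AutomationVariable -Name 'IntuneBackup-StorageAccount').ToLower()
$storagecontainer = Get-AutomationVariable -Name 'IntuneBackup-Container'
$storagekey       = Get-AutomationVariable -Name 'IntuneBackup-StorageKey'

# Connect to Graph (beta schema, as the Intune module expects) as the app registration
Update-MSGraphEnvironment -AppId $clientId -Quiet
Update-MSGraphEnvironment -AuthUrl "https://login.windows.net/$tenantid" -Quiet
Update-MSGraphEnvironment -SchemaVersion 'Beta' -Quiet
Connect-MSGraph -ClientSecret $clientSecret -Quiet

# Export to a per-day folder in the sandbox temp area
$date       = Get-Date -Format 'dd_MM_yyyy'
$tempFolder = New-Item -ItemType Directory -Force -Path "$env:TEMP\IntuneBackup$date"
Start-IntuneBackup -Path $tempFolder.FullName

# Same service principal for Azure RM; the secret is only ever held in a SecureString here
$secure = ConvertTo-SecureString $clientSecret -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential($clientId, $secure)
Connect-AzAccount -Credential $cred -TenantId $tenantid -ServicePrincipal | Out-Null

# Upload, keeping "IntuneBackup<date>/<subfolder>/<file>" as the blob name so runs don't overwrite each other
$context = New-AzStorageContext -StorageAccountName $storageaccount -StorageAccountKey $storagekey
$prefix  = "IntuneBackup$date"
$local   = Get-ChildItem -Path $tempFolder.FullName -File -Recurse
$names   = @{}
foreach ($f in $local) {
    $rel  = $f.FullName.Substring($tempFolder.FullName.Length + 1).Replace('\', '/')
    $blob = "$prefix/$rel"
    $names[$blob] = $true
    Set-AzStorageBlobContent -File $f.FullName -Blob $blob -Container $storagecontainer -Context $context -Force | Out-Null
}

# Verify the upload: every local file must now exist as a blob under today's prefix
$uploaded = @(Get-AzStorageBlob -Container $storagecontainer -Context $context -Prefix $prefix | ForEach-Object { $_.Name })
$missing  = @($names.Keys | Where-Object { $uploaded -notcontains $_ })
if ($missing.Count -gt 0) { throw "Backup incomplete: $($missing.Count) of $($local.Count) file(s) not uploaded" }

# Don't leave the plaintext export lying around in the sandbox
Remove-Item -Path $tempFolder.FullName -Recurse -Force
```

The verification step matters because Set-AzStorageBlobContent in a pipeline reports per-file errors without failing the job, so a partially uploaded backup would otherwise look like a successful run.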

Click Test pane and run it to make sure it works.

Once it has tested OK, publish the runbook.

Now we can add a schedule to run it weekly.

That’s it: your basic weekly/daily/hourly backup is configured and will go direct to the Azure Storage Blob container.

If you want to get really clever, we can trigger a backup whenever a setting is changed within Intune, using Event Hub. Follow my previous instructions here to create the Event Hub and link it to Intune, then use this Logic App instead of the schedule:

Select Event Hub as the trigger and use the connection string created before.

For the action, find Azure Automation, set it to Create Job, then populate the details (subscription, resource group, Automation account and runbook name):

Then, whenever a change is made in Intune, you’ll see your Automation job activate:

As always, comments are most welcome
