Sometimes when working with an Intune environment, I find myself needing to assign all of the policies, apps etc. to a new Entra ID group (a new UAT group, changing from All Users, and so on).
Currently, this is a VERY manual process, clicking on each item in the web portal and then assigning it, but thanks to PowerShell and Microsoft Graph (and a touch of JSON), it is now possible to do it in bulk.
Introducing the Bulk Assignment GUI Tool
As with all my scripts, it is available on GitHub here and also on the PowerShell Gallery:
Install-Script -Name bulk-assign-intune
I’m not going to run through the whole code here, but to summarise what it does:
First up, it installs the Intune Graph PowerShell modules in the current user context.
Then it prompts you to connect to Entra ID and grabs all of the Entra groups to populate the group drop-down.
Once the GUI loads, you can pick what you want to assign and which group to assign it to.
On clicking Assign, it gets the ID of the Entra group, loops through everything in the selected categories and assigns each item to the selected group.
For Windows, iOS and Android apps, it assigns the applications as Available to avoid having potentially hundreds of apps auto-installing!
For macOS, Available isn’t an option, so these are marked as Required; be extra careful with them.
Hope this is of some use, happy assigning!!
Excellent, thank you for that. Just what I needed. With a few tweaks, I was able to do everything I was after in this particular situation where I had lots of different stuff to assign to a few groups. Saved lots of time, thanks again! 🙂
Hi Andrew,
Love the idea with the script. I’m looking for a way to bulk add a Group to the Uninstall intent of iOS VPP. The idea is that I could have one Entra Group that I use to remove any and all installed apps from an iOS device before changing that device’s assignment and re-installing only the apps needed for its new purpose.
I tried modifying the script myself to add the Uninstall intent but it’s not working. I get multiple responses in the log.
Sometimes the reported response is “Assigned IOS_Clear to [AppID]” except when I check the app in Intune the IOS_Clear group was not added to the Uninstall.
Other times the response is “Application already has an assignment” which I presume is because it has a Group already in the Required or Available intent though I’m trying to add to the Uninstall intent.
The last response I get sometimes is the “Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named ‘GetResponseStream'” error.
Hi,
Here is one for just iOS VPP apps which might be worth trying:
https://github.com/andrew-s-taylor/public/blob/main/Powershell%20Scripts/Intune/bulk-assign-vpp-apps-only.ps1
If they already have assignments, you will need to change the code a bit so it grabs the existing ones and then adds to it. I probably have some example code in another script if you need it
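The assign loop described in the post, and the "grab the existing assignments and add to them" change suggested in the reply above, as an added example. This is not the blog's bulk-assign script: it reads an app's current assignments, appends the new group and re-posts the full list, so nothing already assigned is dropped. It assumes the Microsoft.Graph module is installed and Connect-MgGraph has already been run with the DeviceManagementApps.ReadWrite.All scope; the app and group IDs are placeholders.

```powershell
# Added example (not the blog's bulk-assign script): add one Entra ID group to one
# Intune app while keeping the assignments the app already has. POST .../assign
# replaces the whole assignment list, which is why a plain assign wipes existing
# ones; this reads them first and re-posts them together with the new one.
# Assumes the Microsoft.Graph module is installed and Connect-MgGraph has been run
# with the DeviceManagementApps.ReadWrite.All scope. AppId/GroupId are placeholders.

$GraphBeta = 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps'

function Get-AppAssignments {
    param([Parameter(Mandatory)][string]$AppId)
    $page = Invoke-MgGraphRequest -Uri "$GraphBeta/$AppId/assignments" -Method GET -OutputType PSObject
    return @($page.value)   # empty for an app that was never assigned
}

function New-AssignmentSettings {
    # Platform-specific settings block. The service rejects settings the app type does
    # not understand and, per the 400 quoted in the comments, rejects isRemovable on any
    # intent other than Required.
    param([string]$AppType, [string]$Intent)
    switch ($AppType) {
        '#microsoft.graph.iosVppApp' {
            $s = @{
                '@odata.type'              = '#microsoft.graph.iosVppAppAssignmentSettings'
                'useDeviceLicensing'       = $true    # device licence rather than user licence
                'uninstallOnDeviceRemoval' = $false
                'vpnConfigurationId'       = $null
            }
            if ($Intent -eq 'required') { $s['isRemovable'] = $true }
            return $s
        }
        '#microsoft.graph.androidManagedStoreApp' {
            return @{
                '@odata.type'                    = '#microsoft.graph.androidManagedStoreAppAssignmentSettings'
                'androidManagedStoreAppTrackIds' = @()
                'autoUpdateMode'                 = 'default'
            }
        }
        default { return $null }
    }
}

function Add-GroupToApp {
    param(
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$GroupId,
        [ValidateSet('available', 'required', 'uninstall')][string]$Intent = 'available'
    )
    $app      = Invoke-MgGraphRequest -Uri "$GraphBeta/$AppId" -Method GET -OutputType PSObject
    $existing = Get-AppAssignments -AppId $AppId

    # The "Application already has an assignment" case: do nothing rather than duplicate it
    if ($existing | Where-Object { $_.target.groupId -eq $GroupId }) {
        Write-Host "$($app.displayName): group already assigned, skipping" -ForegroundColor Yellow
        return
    }

    # Re-post the existing assignments without the server-managed fields (id, source, sourceId)
    $kept = @($existing | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.mobileAppAssignment'
           intent = $_.intent; settings = $_.settings; target = $_.target }
    })
    $new = @{
        '@odata.type' = '#microsoft.graph.mobileAppAssignment'
        intent        = $Intent
        settings      = New-AssignmentSettings -AppType $app.'@odata.type' -Intent $Intent
        target        = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId }
    }
    $body = @{ mobileAppAssignments = $kept + $new } | ConvertTo-Json -Depth 10

    try {
        Invoke-MgGraphRequest -Uri "$GraphBeta/$AppId/assign" -Method POST -Body $body -ContentType 'application/json' | Out-Null
        Write-Host "Assigned $GroupId to $($app.displayName) as $Intent" -ForegroundColor Green
    }
    catch {
        # With Invoke-MgGraphRequest the exception carries an HttpResponseMessage, which has no
        # GetResponseStream() (the error seen throughout the comments); the JSON body is in ErrorDetails
        Write-Host "Assign failed for $($app.displayName): $($_.ErrorDetails.Message)" -ForegroundColor Red
    }
}

# Usage (placeholder IDs):
# Add-GroupToApp -AppId '00000000-0000-0000-0000-000000000000' -GroupId '11111111-1111-1111-1111-111111111111' -Intent 'available'
```

The settings block is keyed off the app's own @odata.type so an iOS VPP app gets device licensing and a Managed Google Play app gets the Android settings, while every other app type gets no settings at all; extend the switch if you need other platforms.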
Thank you for this. I ran this to add a test user group to all the apps and noticed: 1. all existing assignments were removed and replaced with the test group. 2. assignments were done for all the apps including the previously un-assigned ones. It would be nice to have an option to not replace existing assignments and not assign to apps that are already not-assigned. Cheers.
I’ll see if I can work these changes into a future version
Thank you!
Very useful tool! Keep it up!
As an improvement, I believe it will be useful to have a list selection for policies, applications etc., and not only categories.
Best regards,
Alexandros
Thank you. Will definitely keep this in mind for a future release!
Sorry – it caught the old file. It does work now – thank you 🙂
For me it’s OK now – if it noticed existing assignments it would be perfect, but there are just a few.
Unfortunately not :/
Assigning Adobe Acrobat Reader: Edit PDF
Invoke-MgGraphRequest: C:\Scripts\bulk-assign-vpp-apps-only.ps1:171
Line |
171 | Invoke-MgGraphRequest -Uri $url -Method POST -Body $json -ContentType …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| POST https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/2d497954-3541-4538-8d1b-f4877c41af54/assign
| HTTP/1.1 400 Bad Request Transfer-Encoding: chunked Vary: Accept-Encoding Strict-Transport-Security:
| max-age=31536000 request-id: 604b1879-7f87-4a63-ad45-8c224f7b9bca client-request-id:
| 65b1ab6d-f495-4498-a745-c0974078cebc x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Germany West
| Central","Slice":"E","Ring":"5","ScaleUnit":"005","RoleInstance":"FR3PEPF000002DC"}} Date: Thu, 05 Oct 2023
| 20:55:09 GMT Content-Type: application/json Content-Encoding: gzip
| {"error":{"code":"BadRequest","message":"{\r\n \"_version\": 3,\r\n \"Message\": \"IsRemovable setting is only
| supported for Required intent. – Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 –
| Activity ID: 65b1ab6d-f495-4498-a745-c0974078cebc – Url:
| https://fef.msub03.manage.microsoft.com/AppLifecycle_2309/StatelessAppMetadataFEService/deviceAppManagement/mobileApps('2d497954-3541-4538-8d1b-f4877c41af54')/microsoft.management.services.api.assign?api-version=5023-08-07\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}","innerError":{"date":"2023-10-05T20:55:09","request-id":"604b1879-7f87-4a63-ad45-8c224f7b9bca","client-request-id":"65b1ab6d-f495-4498-a745-c0974078cebc"}}}
Is that definitely the latest version? The error is for a field which has been removed
To mitigate the issue I removed and re-added the VPP token from Intune to get all assignments deleted again. I adjusted line 154 "intent": "Required", to "intent": "Available", but this throws errors.
Try the updated one now, I’ve switched it to Available
Celebrated too early – it put all apps on “required” instead of “available”, which could become a pain now….
This worked like a charm 🙂
Thank you so much.
It fetches all the applications successfully and also notices when an assignment already exists, but always gets stuck at line 944. In the beginning it already shows an issue at line 1735. Unfortunately my coding skills are too poor to troubleshoot :/
Getting Applications
InvalidOperation: C:\temp\scripts\bulk-assign-intune-vpp.ps1:1735
Line |
1735 | … if (($intents.intent.contains("required")) -or ($assignedgrou …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| You cannot call a method on a null-valued expression.
InvalidOperation: C:\temp\scripts\bulk-assign-intune-vpp.ps1:944
Line |
944 | $errorResponse = $ex.Response.GetResponseStream()
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named
| ‘GetResponseStream’.
Assigned All Users to Adobe Acrobat Reader: Edit PDF/cfd21bb9-1709-4d84-a7ef-2bf3e8dff0e6
InvalidOperation: C:\temp\scripts\bulk-assign-intune-vpp.ps1:944
Line |
944 | $errorResponse = $ex.Response.GetResponseStream()
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named
| ‘GetResponseStream’.
Assigned All Users to Rail Map Lite/a0215496-0945-4645-aefa-262ccea2c161
Application already has an assignment
InvalidOperation: C:\temp\scripts\bulk-assign-intune-vpp.ps1:944
Line |
944 | $errorResponse = $ex.Response.GetResponseStream()
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named
| ‘GetResponseStream’.
See if this works:
https://github.com/andrew-s-taylor/public/blob/main/Powershell%20Scripts/Intune/bulk-assign-vpp-apps-only.ps1
Thanks for the prompt answer – unfortunately it shows the same error:
Line |
944 | $errorResponse = $ex.Response.GetResponseStream()
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named
| ‘GetResponseStream’.
You might need to step through and see what’s happening, I’ve just tested it in my tenant and it seems to be working as expected
Ok I have no clue 😀
Can you give me a little guidance on what I have to do?
Change lines 931-934 from this:
    "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "groupId": "$TargetGroupId"
    },
To this:
    "target": {
        "@odata.type": "#microsoft.graph.allLicensedUsersAssignmentTarget"
    },
No I did nothing extra – just ran the script.
I guess I can find how to amend the JSON file in the comments?
I tried to use the “bulk-assign-intune-vpp.ps1” to assign apps to “All Users” as available.
During processing it gives the following error:
Line |
945 | $errorResponse = $ex.Response.GetResponseStream()
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named
| ‘GetResponseStream’.
Did you amend the JSON for All Users? It won’t work with a group ID
Hi Andrew,
I know it’s a bulk add but can I assign one group and one application at a time if needed?
Thanks
Greg
Hi Greg,
Not with this script, but you could add an out-gridview at certain points to select which application to assign
I could see that the assignment ID is just the groupid plus a numerical value for the assignment intent, so originally I tried to just set that but it wouldn’t work. At the moment I don’t see another way but to pull the existing assignments down.
I sent you a message with the script. I’m sure there’s better ways to dynamically create json code, etc. It’s really more of a ‘how-to’ that I put together late at night.
Hey Andrew,
Thanks for your efforts on this script. I needed exactly this to get some Apple VPP and Android Managed Google Play apps deployed in bulk.
The only thing that I found was a problem was that the assign method would wipe any existing assignments for an app. I could see you put a failsafe on the VPP apps that it would simply not allow it. I’m not an elegant coder, but for Android and VPP I was able to add some code to pull down any existing assignments, then re-apply those assignments along with the new one so that everything existing remained there.
Happy to share this with you.
Thanks!
Glad you got it working ok, assignments are a pain, it would be nice if there was the option to add rather than having to amend.
Happy to share your copy 🙂
Or rather, only those that have been approved.
iOS or Android?
If it’s Apple VPP apps, try this one:
https://github.com/andrew-s-taylor/public/blob/main/Powershell%20Scripts/Intune/bulk-assign-intune-vpp.ps1
I really want to assign managed store apps and ONLY managed store apps en masse across the selected device group, is this possible?
Since the latest update I just get stuck at
Installing Microsoft Graph modules if required (current user scope)
Not working, I am getting an error when the script tries to assign the apps.
Getting Applications
Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named ‘GetResponseStream’.
At C:\Users\YacovMor\OneDrive – Solutech\Scripts\Assign Bulk Intune.ps1:3144 char:9
+ $errorResponse = $ex.Response.GetResponseStream()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : MethodNotFound
What kind of apps are you trying to assign?
I just realized, the term I meant was “Managed Google Play store app”, not Android Enterprise app.
When the script goes through those applications, it errors out, except for Web Apps.
Ah, in that case, edit the script and find the add-applicationassignment function (should be around line 2998) and replace the JSON with this:
{
    "mobileAppAssignments": [
        {
            "@odata.type": "#microsoft.graph.mobileAppAssignment",
            "intent": "Available",
            "settings": {
                "@odata.type": "#microsoft.graph.androidManagedStoreAppAssignmentSettings",
                "androidManagedStoreAppTrackIds": [],
                "autoUpdateMode": "default"
            },
            "target": {
                "@odata.type": "#microsoft.graph.allLicensedUsersAssignmentTarget"
            }
        }
    ]
}
One more thing, is there not a way for this to apply to AE apps where we can just make them available? That can be done manually for “All Users”, otherwise we are looking at making all of the apps download automatically. With other MDMs this has created a huge issue with Google Services.
If this won’t work, it definitely defeats the purpose of this script for me, but I may be going about this the wrong way. I’m at the very beginning with Intune.
Is it definitely Android Enterprise apps you are looking at? In my tenant I can’t make them available at all, it’s required or uninstall only.
Thank you for your quick response.
That would in fact be the issue then.
I’m getting error responses when attempting to assign applications to any group on intune. Is there an issue with assigning Android Enterprise applications maybe? The script was able to bulk assign iOS apps.
It did assign one app from managed google play, but it is a web app.
I get the following error. I’m wondering if I made some weird rookie mistake.
Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named
‘GetResponseStream’.
At C:\Users\matthew.bostic\Documents\PowerShell\Scripts\bulk-assign-intune.ps1:3113 char:9
+ $errorResponse = $ex.Response.GetResponseStream()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : MethodNotFound
Hi,
What assignment intent are you setting? Android Enterprise apps can only do Required so if you’re selecting Available, that will cause an error
Very useful script, thanks.
I assigned iOS apps but then realised they were user not device! So used your tip above to amend the script but now when running again to reassign correctly, I get “Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named
‘GetResponseStream’.”
which I think relates to where the app already has an assignment of that type e.g. “available”? or maybe where it’s trying to overwrite with group of the same name?
Any thoughts on how I can resolve this?
Can you contact me via the form on here and I’ll grab a copy of what you’ve done so far and see what I can do
Thanks
Hello Andrew,
when we assign our group to ios apps, they are stored as user license, but we need them to be as device license. Do you know what we need to adjust?
Regards,
Florian
Hi Florian,
If it’s VPP apps, you need to add settings into the JSON in the Add-ApplicationAssignment function (I would probably create another function for it):
Function Add-ApplicationAssignmentVPPiOS() {
    <#
    .SYNOPSIS
    This function is used to add an application assignment using the Graph API REST interface
    .DESCRIPTION
    The function connects to the Graph API Interface and adds an application assignment
    .EXAMPLE
    Add-ApplicationAssignmentVPPiOS -ApplicationId $ApplicationId -TargetGroupId $TargetGroupId -InstallIntent $InstallIntent
    Adds an application assignment in Intune
    .NOTES
    NAME: Add-ApplicationAssignmentVPPiOS
    #>
    [cmdletbinding()]
    param
    (
        $ApplicationId,
        $TargetGroupId,
        $InstallIntent
    )
    $graphApiVersion = "Beta"
    $Resource = "deviceAppManagement/mobileApps/$ApplicationId/assign"
    try {
        if (!$ApplicationId) {
            write-host "No Application Id specified, specify a valid Application Id" -f Red
            break
        }
        if (!$TargetGroupId) {
            write-host "No Target Group Id specified, specify a valid Target Group Id" -f Red
            break
        }
        if (!$InstallIntent) {
            write-host "No Install Intent specified, specify a valid Install Intent - available, notApplicable, required, uninstall, availableWithoutEnrollment" -f Red
            break
        }
        # useDeviceLicensing switches the VPP assignment from a user licence to a device licence.
        # Note: the service only accepts isRemovable with the Required intent (see the 400 quoted
        # earlier in the comments), so remove that line if you assign as Available.
        $JSON = @"
{
    "mobileAppAssignments": [
        {
            "@odata.type": "#microsoft.graph.mobileAppAssignment",
            "settings": {
                "@odata.type": "#microsoft.graph.iosVppAppAssignmentSettings",
                "isRemovable": true,
                "uninstallOnDeviceRemoval": false,
                "useDeviceLicensing": true,
                "vpnConfigurationId": null
            },
            "target": {
                "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                "groupId": "$TargetGroupId"
            },
            "intent": "$InstallIntent"
        }
    ]
}
"@
        $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
        Invoke-MgGraphRequest -Uri $uri -Method Post -Body $JSON -ContentType "application/json"
    }
    catch {
        $ex = $_.Exception
        # Invoke-MgGraphRequest surfaces a System.Net.Http.HttpResponseMessage, which has no
        # GetResponseStream() method; the error body is already in ErrorDetails, so read it from there.
        $responseBody = $_.ErrorDetails.Message
        Write-Host "Response content:`n$responseBody" -f Red
        Write-Error "Request to $uri failed with HTTP Status $($ex.Response.StatusCode)"
        write-host
        break
    }
}
Then change the iOS loop to use the new function:
if ($ios.checked -eq $True) {
    ##Assign iOS apps (Add-ApplicationAssignmentVPPiOS replaces Add-ApplicationAssignment here)
    foreach ($iosapp in $iosapps) {
        Add-ApplicationAssignmentVPPiOS -ApplicationId $iosapp.id -TargetGroupId $intunegrp.Id -InstallIntent $assignmenttype
        Write-Host "Assigned $($intunegrp.DisplayName) to $($iosapp.displayName)/$($iosapp.id)" -ForegroundColor Green
    }
    Add-Type -AssemblyName PresentationCore, PresentationFramework
    $msgBody = "iOS Apps Assigned"
    [System.Windows.MessageBox]::Show($msgBody)
}
I hope this helps
Thank you very much!
Works as expected now and saved us lot of time 😉
Hi,
now all groups are shown, thanks!
Yes, maybe a free text field would be helpful.
But now I get another error after pressing “Assign”
Shell:
Getting Applications
No Install Intent specified, specify a valid Install Intent – available, notApplicable, required, uninstall, availableWithoutEnrollment
Are you assigning applications or just everything else?
I’ve spotted the problem, I can’t spell! Try again now
Thanks for quick response!
No, it didn’t show up 🙁 maybe it’s because groups are limited to 99? We have over 1000 AD groups.
If I enter the group name manually it always says
Get-MgGroup : Unsupported or invalid query filter clause specified for property ‘displayName’ of resource ‘Group’.
[…]
No Target Group Id specified, specify a valid Target Group Id
Ah, it could be. I’ve added “-All” to the Get-MGGroup command so can you see if that supports more than 100?
Otherwise I’ll look at allowing free text in the field
Hi,
nice tool!
Unfortunately it doesn’t show all Azure AD groups?
I have a group name structure “ABC-DEF-GHIJK (LMNO)” and it won’t show up.
I’ve just released an update, can you try that please?
This doesn’t seem to populate any fields for the AADGroup dropdown? I am reluctant to press “Assign” with any options as this doesn’t feel right.
Can you check if it authenticated against AzureAD ok?
Thanks for the tool but at this stage it’s no use for me and I work with Windows and IOS and not having the option to assign groups as REQUIRED is a setback. I never use AVAILABLE. A wish for this tool is to have a dropdown list to select the type of assignment.
Hi Mike,
Thanks for the feedback! I have updated the script now to give a drop-down for the assigned intent so you can select Available or Required
Andrew