Sometimes when working with an Intune environment, I find myself needing to assign all of the policies, apps etc. to a new Azure AD Group (new UAT group, changing from All Users etc.)
Currently, this is a VERY manual process, clicking on each in the web portal and then assigning, but thanks to PowerShell and Microsoft Graph (and a touch of JSON), now it’s possible.
Introducing the Bulk Assignment GUI Tool
As with all scripts, it is available on Github here and also on PowerShell Gallery
Install-Script -Name bulk-assign-intuneI’m not going to run through the whole code here, but to run through what it does:
First up it installs the Azure AD Preview and Intune Graph PowerShell modules in the current user context
Then it will bring a prompt to connect to Azure AD and grab all of the AAD groups to populate the group drop-down
Once the GUI loads, you can pick what you want to assign and to which group.
On clicking Assign, it gets the ID of the AAD group, loops through everything in the selected categories and assign to the selected group.
For Windows, iOS and Android apps, it will assign the applications as Available to avoid having potentially hundreds of apps auto-installing!
For MacOS, Available isn’t an option so this will mark as required so be extra careful with these
Hope this is of some use, happy assigning!!
Thanks for the tool but at this stage it’s no use for me and I work with Windows and IOS and not having the option to assign groups as REQUIRED is a setback. I never use AVAILABLE. A wish for this tool is to have a dropdown list to select the type of assignment.
Hi Mike,
Thanks for the feedback! I have updated the script now to give a drop-down for the assigned intent so you can select Available or Required
Andrew
This doesn’t seem to populate any fields for the AADGroup dropdown? I am reluctant to press “Assign” with any options as this doesn’t feel right.
Can you check if it authenticated against AzureAD ok?
Hi,
nice tool!
Unfortunately it doesnt show all Azure AD Groups?
I have a Group name Structure “ABC-DEF-GHIJK (LMNO)” and it wont shop up.
I’ve just released an update, can you try that please?
Thanks for quick response!
No didnt show up ๐ maybe its because Groups are limited to 99? We have over 1000 AD Groups.
If i enter the group name manually it always says
Get-MgGroup : Unsupported or invalid query filter clause specified for property ‘displayName’ of resource ‘Group’.
[…]
No Target Group Id specified, specify a valid Target Group Id
Ah, it could be. I’ve added “-All” to the Get-MGGroup command so can you see if that supports more than 100?
Otherwise I’ll look at allowing free text in the field
Hi,
now all groups are shown, thanks!
Yes, maybe a free text field would be helpful.
But now I get another error after press “Assign”
Shell:
Getting Applications
No Install Intent specified, specify a valid Install Intent – available, notApplicable, required, uninstall, availableWithoutEnrollment
Are you assigning applications or just everything else?
I’ve spotted the problem, I can’t spell! Try again now
Thank you very much!
Works as expected now and saved us lot of time ๐
Hello Andrew,
when we assign our group to ios apps, they are stored as user license, but we need them to be as device license. Do you know what we need to adjust?
Regards,
Florian
Hi Florian,
If it’s VPP apps, you need to add settings into the JSON in the Add-ApplicationAssignment function (I would probably create another function for it):
Function Add-ApplicationAssignmentVPPiOS() {
<# .SYNOPSIS This function is used to add an application assignment using the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and adds a application assignment .EXAMPLE Add-ApplicationAssignmentVPPiOS -ApplicationId $ApplicationId -TargetGroupId $TargetGroupId -InstallIntent $InstallIntent Adds an application assignment in Intune .NOTES NAME: Add-ApplicationAssignmentVPPiOS #>
[cmdletbinding()]
param
(
$ApplicationId,
$TargetGroupId,
$InstallIntent
)
$graphApiVersion = “Beta”
$Resource = “deviceAppManagement/mobileApps/$ApplicationId/assign”
try {
if (!$ApplicationId) {
write-host “No Application Id specified, specify a valid Application Id” -f Red
break
}
if (!$TargetGroupId) {
write-host “No Target Group Id specified, specify a valid Target Group Id” -f Red
break
}
if (!$InstallIntent) {
write-host “No Install Intent specified, specify a valid Install Intent – available, notApplicable, required, uninstall, availableWithoutEnrollment” -f Red
break
}
$JSON = @”
{
“mobileAppAssignments”: [
{
“@odata.type”: “#microsoft.graph.mobileAppAssignment”,
“settings”: {
“@odata.type”: “#microsoft.graph.iosVppAppAssignmentSettings”,
“isRemovable”: true,
“uninstallOnDeviceRemoval”: false,
“useDeviceLicensing”: true,
“vpnConfigurationId”: null
},
“target”: {
“@odata.type”: “#microsoft.graph.groupAssignmentTarget”,
“groupId”: “$TargetGroupId”
},
“intent”: “$InstallIntent”
}
]
}
“@
$uri = “https://graph.microsoft.com/$graphApiVersion/$($Resource)”
Invoke-MgGraphRequest -Uri $uri -Method Post -Body $JSON -ContentType “application/json”
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host “Response content:`n$responseBody” -f Red
Write-Error “Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)”
write-host
break
}
}
Then change this to use the new function:
if ($ios.checked -eq $True) {
##Assign iOS apps
foreach ($iosapp in $iosapps) {
Add-ApplicationAssignment -ApplicationId $iosapp.id -TargetGroupId $intunegrp.Id -InstallIntent $assignmenttype
Write-Host “Assigned $($intunegrp.DisplayName) to $($iosapp.displayName)/$($iosapp.id)” -ForegroundColor Green
}
Add-Type -AssemblyName PresentationCore, PresentationFramework
$msgBody = “iOS Apps Assigned”
[System.Windows.MessageBox]::Show($msgBody)
}
I hope this helps