Bulk Assigning Apps and Policies in Intune

Sometimes when working with an Intune environment, I find myself needing to assign all of the policies, apps etc. to a new Azure AD Group (new UAT group, changing from All Users etc.)

Currently, this is a VERY manual process, clicking on each in the web portal and then assigning, but thanks to PowerShell and Microsoft Graph (and a touch of JSON), now it’s possible.

Introducing the Bulk Assignment GUI Tool

As with all scripts, it is available on Github here and also on PowerShell Gallery

Install-Script -Name bulk-assign-intune

I’m not going to run through the whole code here, but to run through what it does:

First up it installs the Azure AD Preview and Intune Graph PowerShell modules in the current user context

Then it will bring a prompt to connect to Azure AD and grab all of the AAD groups to populate the group drop-down

Once the GUI loads, you can pick what you want to assign and to which group.

On clicking Assign, it gets the ID of the AAD group, loops through everything in the selected categories and assign to the selected group.

For Windows, iOS and Android apps, it will assign the applications as Available to avoid having potentially hundreds of apps auto-installing!

For MacOS, Available isn’t an option so this will mark as required so be extra careful with these

Hope this is of some use, happy assigning!!

14 thoughts on “Bulk Assigning Apps and Policies in Intune”

  1. Thanks for the tool but at this stage it’s no use for me and I work with Windows and IOS and not having the option to assign groups as REQUIRED is a setback. I never use AVAILABLE. A wish for this tool is to have a dropdown list to select the type of assignment.

    Reply
  2. Hi,

    nice tool!
    Unfortunately it doesnt show all Azure AD Groups?
    I have a Group name Structure “ABC-DEF-GHIJK (LMNO)” and it wont shop up.

    Reply
  3. Thanks for quick response!

    No didnt show up ๐Ÿ™ maybe its because Groups are limited to 99? We have over 1000 AD Groups.
    If i enter the group name manually it always says

    Get-MgGroup : Unsupported or invalid query filter clause specified for property ‘displayName’ of resource ‘Group’.
    […]
    No Target Group Id specified, specify a valid Target Group Id

    Reply
  4. Hi,

    now all groups are shown, thanks!
    Yes, maybe a free text field would be helpful.

    But now I get another error after press “Assign”

    Shell:
    Getting Applications
    No Install Intent specified, specify a valid Install Intent – available, notApplicable, required, uninstall, availableWithoutEnrollment

    Reply
  5. Hello Andrew,

    when we assign our group to ios apps, they are stored as user license, but we need them to be as device license. Do you know what we need to adjust?

    Regards,
    Florian

    Reply
    • Hi Florian,

      If it’s VPP apps, you need to add settings into the JSON in the Add-ApplicationAssignment function (I would probably create another function for it):

      Function Add-ApplicationAssignmentVPPiOS() {
      <# .SYNOPSIS This function is used to add an application assignment using the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and adds a application assignment .EXAMPLE Add-ApplicationAssignmentVPPiOS -ApplicationId $ApplicationId -TargetGroupId $TargetGroupId -InstallIntent $InstallIntent Adds an application assignment in Intune .NOTES NAME: Add-ApplicationAssignmentVPPiOS #>

      [cmdletbinding()]
      param
      (
      $ApplicationId,
      $TargetGroupId,
      $InstallIntent
      )
      $graphApiVersion = “Beta”
      $Resource = “deviceAppManagement/mobileApps/$ApplicationId/assign”
      try {

      if (!$ApplicationId) {
      write-host “No Application Id specified, specify a valid Application Id” -f Red
      break
      }
      if (!$TargetGroupId) {
      write-host “No Target Group Id specified, specify a valid Target Group Id” -f Red
      break
      }

      if (!$InstallIntent) {
      write-host “No Install Intent specified, specify a valid Install Intent – available, notApplicable, required, uninstall, availableWithoutEnrollment” -f Red
      break
      }
      $JSON = @”
      {
      “mobileAppAssignments”: [
      {
      “@odata.type”: “#microsoft.graph.mobileAppAssignment”,
      “settings”: {
      “@odata.type”: “#microsoft.graph.iosVppAppAssignmentSettings”,
      “isRemovable”: true,
      “uninstallOnDeviceRemoval”: false,
      “useDeviceLicensing”: true,
      “vpnConfigurationId”: null
      },
      “target”: {
      “@odata.type”: “#microsoft.graph.groupAssignmentTarget”,
      “groupId”: “$TargetGroupId”
      },
      “intent”: “$InstallIntent”
      }
      ]
      }
      “@
      $uri = “https://graph.microsoft.com/$graphApiVersion/$($Resource)”
      Invoke-MgGraphRequest -Uri $uri -Method Post -Body $JSON -ContentType “application/json”
      }
      catch {
      $ex = $_.Exception
      $errorResponse = $ex.Response.GetResponseStream()
      $reader = New-Object System.IO.StreamReader($errorResponse)
      $reader.BaseStream.Position = 0
      $reader.DiscardBufferedData()
      $responseBody = $reader.ReadToEnd();
      Write-Host “Response content:`n$responseBody” -f Red
      Write-Error “Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)”
      write-host
      break
      }
      }

      Then change this to use the new function:
      if ($ios.checked -eq $True) {
      ##Assign iOS apps

      foreach ($iosapp in $iosapps) {
      Add-ApplicationAssignment -ApplicationId $iosapp.id -TargetGroupId $intunegrp.Id -InstallIntent $assignmenttype
      Write-Host “Assigned $($intunegrp.DisplayName) to $($iosapp.displayName)/$($iosapp.id)” -ForegroundColor Green

      }
      Add-Type -AssemblyName PresentationCore, PresentationFramework
      $msgBody = “iOS Apps Assigned”
      [System.Windows.MessageBox]::Show($msgBody)
      }

      I hope this helps

      Reply

Leave a Comment