Bulk Assigning Apps and Policies in Intune

Sometimes when working with an Intune environment, I find myself needing to assign all of the policies, apps etc. to a new Azure AD Group (new UAT group, changing from All Users etc.)

Currently, this is a VERY manual process, clicking on each in the web portal and then assigning, but thanks to PowerShell and Microsoft Graph (and a touch of JSON), now it’s possible.

Introducing the Bulk Assignment GUI Tool

As with all scripts, it is available on Github here and also on PowerShell Gallery

Install-Script -Name bulk-assign-intune

I’m not going to run through the whole code here, but to run through what it does:

First up it installs the Azure AD Preview and Intune Graph PowerShell modules in the current user context

Then it will bring a prompt to connect to Azure AD and grab all of the AAD groups to populate the group drop-down

Once the GUI loads, you can pick what you want to assign and to which group.

On clicking Assign, it gets the ID of the AAD group, loops through everything in the selected categories and assign to the selected group.

For Windows, iOS and Android apps, it will assign the applications as Available to avoid having potentially hundreds of apps auto-installing!

For MacOS, Available isn’t an option so this will mark as required so be extra careful with these

Hope this is of some use, happy assigning!!

23 thoughts on “Bulk Assigning Apps and Policies in Intune”

  1. Thanks for the tool but at this stage it’s no use for me and I work with Windows and IOS and not having the option to assign groups as REQUIRED is a setback. I never use AVAILABLE. A wish for this tool is to have a dropdown list to select the type of assignment.

  2. Hi,

    nice tool!
    Unfortunately it doesnt show all Azure AD Groups?
    I have a Group name Structure “ABC-DEF-GHIJK (LMNO)” and it wont shop up.

  3. Thanks for quick response!

    No didnt show up ๐Ÿ™ maybe its because Groups are limited to 99? We have over 1000 AD Groups.
    If i enter the group name manually it always says

    Get-MgGroup : Unsupported or invalid query filter clause specified for property ‘displayName’ of resource ‘Group’.
    No Target Group Id specified, specify a valid Target Group Id

  4. Hi,

    now all groups are shown, thanks!
    Yes, maybe a free text field would be helpful.

    But now I get another error after press “Assign”

    Getting Applications
    No Install Intent specified, specify a valid Install Intent – available, notApplicable, required, uninstall, availableWithoutEnrollment

  5. Hello Andrew,

    when we assign our group to ios apps, they are stored as user license, but we need them to be as device license. Do you know what we need to adjust?


    • Hi Florian,

      If it’s VPP apps, you need to add settings into the JSON in the Add-ApplicationAssignment function (I would probably create another function for it):

      Function Add-ApplicationAssignmentVPPiOS() {
      <# .SYNOPSIS This function is used to add an application assignment using the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and adds a application assignment .EXAMPLE Add-ApplicationAssignmentVPPiOS -ApplicationId $ApplicationId -TargetGroupId $TargetGroupId -InstallIntent $InstallIntent Adds an application assignment in Intune .NOTES NAME: Add-ApplicationAssignmentVPPiOS #>

      $graphApiVersion = “Beta”
      $Resource = “deviceAppManagement/mobileApps/$ApplicationId/assign”
      try {

      if (!$ApplicationId) {
      write-host “No Application Id specified, specify a valid Application Id” -f Red
      if (!$TargetGroupId) {
      write-host “No Target Group Id specified, specify a valid Target Group Id” -f Red

      if (!$InstallIntent) {
      write-host “No Install Intent specified, specify a valid Install Intent – available, notApplicable, required, uninstall, availableWithoutEnrollment” -f Red
      $JSON = @”
      “mobileAppAssignments”: [
      “@odata.type”: “#microsoft.graph.mobileAppAssignment”,
      “settings”: {
      “@odata.type”: “#microsoft.graph.iosVppAppAssignmentSettings”,
      “isRemovable”: true,
      “uninstallOnDeviceRemoval”: false,
      “useDeviceLicensing”: true,
      “vpnConfigurationId”: null
      “target”: {
      “@odata.type”: “#microsoft.graph.groupAssignmentTarget”,
      “groupId”: “$TargetGroupId”
      “intent”: “$InstallIntent”
      $uri = “https://graph.microsoft.com/$graphApiVersion/$($Resource)”
      Invoke-MgGraphRequest -Uri $uri -Method Post -Body $JSON -ContentType “application/json”
      catch {
      $ex = $_.Exception
      $errorResponse = $ex.Response.GetResponseStream()
      $reader = New-Object System.IO.StreamReader($errorResponse)
      $reader.BaseStream.Position = 0
      $responseBody = $reader.ReadToEnd();
      Write-Host “Response content:`n$responseBody” -f Red
      Write-Error “Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)”

      Then change this to use the new function:
      if ($ios.checked -eq $True) {
      ##Assign iOS apps

      foreach ($iosapp in $iosapps) {
      Add-ApplicationAssignment -ApplicationId $iosapp.id -TargetGroupId $intunegrp.Id -InstallIntent $assignmenttype
      Write-Host “Assigned $($intunegrp.DisplayName) to $($iosapp.displayName)/$($iosapp.id)” -ForegroundColor Green

      Add-Type -AssemblyName PresentationCore, PresentationFramework
      $msgBody = “iOS Apps Assigned”

      I hope this helps

  6. Very useful script, thanks.
    I assigned iOS apps but then realised they were user not device! So used your tip above to amend the script but now when running again to reassign correctly, I get “Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named
    which I think relates to where the app already has an assignment of that type e.g. “available”? or maybe where it’s trying to overwrite with group of the same name?
    Any thoughts on how I can resolve this?

  7. I’m getting error responses when attempting to assign applications to any group on intune. Is there an issue with assigning Android Enterprise applications maybe? The script was able to bulk assign iOS apps.

    It did assign one app from managed google play, but it is a web app.

    I get the following error. I’m wondering if I made some weird rookie mistake.

    Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named
    At C:\Users\matthew.bostic\Documents\PowerShell\Scripts\bulk-assign-intune.ps1:3113 char:9
    + $errorResponse = $ex.Response.GetResponseStream()
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound

  8. One more thing, is there not a way for this to apple to AE apps where we can just make them available? That can be done manually for “All Users”, otherwise we are looking at making all of the apps download automatically. With other MDMs this has created a huge issue with Google Services.

    If this won’t work, it definitely defeats the purpose of this script for me, but I may be going about this the wrong way. I’m at the very beginning with Intune.

  9. I just realized, the term I meant was “Managed Google Play store app”, not Android Enterprise app.

    When the script goes through those applications, it errors out, except for Web Apps.

    • Ah, in that case, edit the script and find the add-applicationassignment function (should be around line 2998) and replace the JSON with this:
      “mobileAppAssignments”: [
      “@odata.type”: “#microsoft.graph.mobileAppAssignment”,
      “intent”: “Available”,
      “settings”: {
      “@odata.type”: “#microsoft.graph.androidManagedStoreAppAssignmentSettings”,
      “androidManagedStoreAppTrackIds”: [],
      “autoUpdateMode”: “default”
      “target”: {
      “@odata.type”: “#microsoft.graph.allLicensedUsersAssignmentTarget”


Leave a Comment