Sometimes when working with an Intune environment, I find myself needing to assign all of the policies, apps etc. to a new Azure AD Group (new UAT group, changing from All Users etc.)
Currently, this is a VERY manual process, clicking on each in the web portal and then assigning, but thanks to PowerShell and Microsoft Graph (and a touch of JSON), now it’s possible.
Introducing the Bulk Assignment GUI Tool
As with all scripts, it is available on Github here and also on PowerShell Gallery
Install-Script -Name bulk-assign-intuneI’m not going to run through the whole code here, but to run through what it does:
First up it installs the Azure AD Preview and Intune Graph PowerShell modules in the current user context
Then it will bring a prompt to connect to Azure AD and grab all of the AAD groups to populate the group drop-down
Once the GUI loads, you can pick what you want to assign and to which group.
On clicking Assign, it gets the ID of the AAD group, loops through everything in the selected categories and assign to the selected group.
For Windows, iOS and Android apps, it will assign the applications as Available to avoid having potentially hundreds of apps auto-installing!
For MacOS, Available isn’t an option so this will mark as required so be extra careful with these
Hope this is of some use, happy assigning!!
Thanks for the tool but at this stage it’s no use for me and I work with Windows and IOS and not having the option to assign groups as REQUIRED is a setback. I never use AVAILABLE. A wish for this tool is to have a dropdown list to select the type of assignment.
Hi Mike,
Thanks for the feedback! I have updated the script now to give a drop-down for the assigned intent so you can select Available or Required
Andrew
This doesn’t seem to populate any fields for the AADGroup dropdown? I am reluctant to press “Assign” with any options as this doesn’t feel right.
Can you check if it authenticated against AzureAD ok?
Hi,
nice tool!
Unfortunately it doesnt show all Azure AD Groups?
I have a Group name Structure “ABC-DEF-GHIJK (LMNO)” and it wont shop up.
I’ve just released an update, can you try that please?
Thanks for quick response!
No didnt show up ๐ maybe its because Groups are limited to 99? We have over 1000 AD Groups.
If i enter the group name manually it always says
Get-MgGroup : Unsupported or invalid query filter clause specified for property ‘displayName’ of resource ‘Group’.
[…]
No Target Group Id specified, specify a valid Target Group Id
Ah, it could be. I’ve added “-All” to the Get-MGGroup command so can you see if that supports more than 100?
Otherwise I’ll look at allowing free text in the field
Hi,
now all groups are shown, thanks!
Yes, maybe a free text field would be helpful.
But now I get another error after press “Assign”
Shell:
Getting Applications
No Install Intent specified, specify a valid Install Intent – available, notApplicable, required, uninstall, availableWithoutEnrollment
Are you assigning applications or just everything else?
I’ve spotted the problem, I can’t spell! Try again now
Thank you very much!
Works as expected now and saved us lot of time ๐
Hello Andrew,
when we assign our group to ios apps, they are stored as user license, but we need them to be as device license. Do you know what we need to adjust?
Regards,
Florian
Hi Florian,
If it’s VPP apps, you need to add settings into the JSON in the Add-ApplicationAssignment function (I would probably create another function for it):
Function Add-ApplicationAssignmentVPPiOS() {
<# .SYNOPSIS This function is used to add an application assignment using the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and adds a application assignment .EXAMPLE Add-ApplicationAssignmentVPPiOS -ApplicationId $ApplicationId -TargetGroupId $TargetGroupId -InstallIntent $InstallIntent Adds an application assignment in Intune .NOTES NAME: Add-ApplicationAssignmentVPPiOS #>
[cmdletbinding()]
param
(
$ApplicationId,
$TargetGroupId,
$InstallIntent
)
$graphApiVersion = “Beta”
$Resource = “deviceAppManagement/mobileApps/$ApplicationId/assign”
try {
if (!$ApplicationId) {
write-host “No Application Id specified, specify a valid Application Id” -f Red
break
}
if (!$TargetGroupId) {
write-host “No Target Group Id specified, specify a valid Target Group Id” -f Red
break
}
if (!$InstallIntent) {
write-host “No Install Intent specified, specify a valid Install Intent – available, notApplicable, required, uninstall, availableWithoutEnrollment” -f Red
break
}
$JSON = @”
{
“mobileAppAssignments”: [
{
“@odata.type”: “#microsoft.graph.mobileAppAssignment”,
“settings”: {
“@odata.type”: “#microsoft.graph.iosVppAppAssignmentSettings”,
“isRemovable”: true,
“uninstallOnDeviceRemoval”: false,
“useDeviceLicensing”: true,
“vpnConfigurationId”: null
},
“target”: {
“@odata.type”: “#microsoft.graph.groupAssignmentTarget”,
“groupId”: “$TargetGroupId”
},
“intent”: “$InstallIntent”
}
]
}
“@
$uri = “https://graph.microsoft.com/$graphApiVersion/$($Resource)”
Invoke-MgGraphRequest -Uri $uri -Method Post -Body $JSON -ContentType “application/json”
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host “Response content:`n$responseBody” -f Red
Write-Error “Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)”
write-host
break
}
}
Then change this to use the new function:
if ($ios.checked -eq $True) {
##Assign iOS apps
foreach ($iosapp in $iosapps) {
Add-ApplicationAssignment -ApplicationId $iosapp.id -TargetGroupId $intunegrp.Id -InstallIntent $assignmenttype
Write-Host “Assigned $($intunegrp.DisplayName) to $($iosapp.displayName)/$($iosapp.id)” -ForegroundColor Green
}
Add-Type -AssemblyName PresentationCore, PresentationFramework
$msgBody = “iOS Apps Assigned”
[System.Windows.MessageBox]::Show($msgBody)
}
I hope this helps
Very useful script, thanks.
I assigned iOS apps but then realised they were user not device! So used your tip above to amend the script but now when running again to reassign correctly, I get “Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named
‘GetResponseStream’.”
which I think relates to where the app already has an assignment of that type e.g. “available”? or maybe where it’s trying to overwrite with group of the same name?
Any thoughts on how I can resolve this?
Can you contact me via the form on here and I’ll grab a copy of what you’ve done so far and see what I can do
Thanks
I’m getting error responses when attempting to assign applications to any group on intune. Is there an issue with assigning Android Enterprise applications maybe? The script was able to bulk assign iOS apps.
It did assign one app from managed google play, but it is a web app.
I get the following error. I’m wondering if I made some weird rookie mistake.
Method invocation failed because [System.Net.Http.HttpResponseMessage] does not contain a method named
‘GetResponseStream’.
At C:\Users\matthew.bostic\Documents\PowerShell\Scripts\bulk-assign-intune.ps1:3113 char:9
+ $errorResponse = $ex.Response.GetResponseStream()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : MethodNotFound
Hi,
What assignment intent are you setting? Android Enterprise apps can only do Required so if you’re selecting Available, that will cause an error
Thank you for your quick response.
That would in fact be the issue then.
One more thing, is there not a way for this to apple to AE apps where we can just make them available? That can be done manually for “All Users”, otherwise we are looking at making all of the apps download automatically. With other MDMs this has created a huge issue with Google Services.
If this won’t work, it definitely defeats the purpose of this script for me, but I may be going about this the wrong way. I’m at the very beginning with Intune.
Is it definitely Android Enterprise apps you are looking at? In my tenant I can’t make them available at all, it’s required or uninstall only.
I just realized, the term I meant was “Managed Google Play store app”, not Android Enterprise app.
When the script goes through those applications, it errors out, except for Web Apps.
Ah, in that case, edit the script and find the add-applicationassignment function (should be around line 2998) and replace the JSON with this:
{
“mobileAppAssignments”: [
{
“@odata.type”: “#microsoft.graph.mobileAppAssignment”,
“intent”: “Available”,
“settings”: {
“@odata.type”: “#microsoft.graph.androidManagedStoreAppAssignmentSettings”,
“androidManagedStoreAppTrackIds”: [],
“autoUpdateMode”: “default”
},
“target”: {
“@odata.type”: “#microsoft.graph.allLicensedUsersAssignmentTarget”
}
}
]
}