I’ll be the first to admit, my dev tenant goes between two stages: messy or a disaster. When creating new scripts (especially my copy policy script), I’ll be testing them and end up with duplicate policies, faulty policies or, if I have a runaway script, potentially many, many duplicate applications.
Every now and then it reaches the point where it needs cleaning up to be manageable. I could go through the GUI, but that’s a lot of clicking about between menus to find everything.
Using my copy script as a very rough base, here is my new script to bulk delete items.
As usual, it’s available on GitHub here
And PSGallery
Install-Script -Name bulk-delete-intune
When you run the script, it will go and loop through your environment and give a popup screen with a list of:
- Policies (ADMX, Settings Catalog, Device Restrictions etc.)
- Security Policies
- Applications
- Compliance Policies
- Conditional Access Policies
- Proactive Remediations
- Azure AD Groups (not on-prem synchronised ones)
- Autopilot Profile
- Autopilot ESP
As you can see, the fourth column shows what each item is in case you have used the same name twice.
This has full support for multiple selection using arrays, so Ctrl-click or Shift-click to select multiple items.
Then simply click OK and it will loop through and delete anything selected.
Obviously be careful with this. If you don’t have any sort of backups in place, for anything other than a dev tenant, I would advise sorting those first (guide here).
Happy deleting!
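The list, select and delete flow described above, with each item's JSON saved to disk before it is removed and per-item errors (such as the 404 reported in the comments below) caught so the loop carries on. This is an added example, not the published script's code; the two resource types, the backup folder and the variable names are assumptions, and the saved JSON is the raw Graph response rather than a tested restore format.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example: resource list, backup folder and variable names are assumptions.

$BackupDir = Join-Path $env:TEMP ("intune-backup-{0:yyyyMMdd-HHmmss}" -f (Get-Date))
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Ask only for the scope these two resource types need
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$Base = 'https://graph.microsoft.com/beta'
$Resources = @(
    # Settings Catalog settings are only returned when expanded
    @{ Type = 'Settings Catalog';  Path = 'deviceManagement/configurationPolicies';    Query = '?$expand=settings' }
    @{ Type = 'Compliance Policy'; Path = 'deviceManagement/deviceCompliancePolicies'; Query = '' }
)

$Items = foreach ($Res in $Resources) {
    $Uri = "$Base/$($Res.Path)"
    while ($Uri) {                                   # follow paging until no nextLink
        $Page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        foreach ($Policy in $Page.value) {
            # Settings Catalog uses 'name'; most other types use 'displayName'
            $Name = if ($Policy.name) { $Policy.name } else { $Policy.displayName }
            [pscustomobject]@{ Name = $Name; Id = $Policy.id; Type = $Res.Type
                               Path = $Res.Path; Query = $Res.Query }
        }
        $Uri = $Page.'@odata.nextLink'
    }
}

# Nothing is deleted unless it is selected here and OK is clicked
$Selected = $Items | Out-GridView -Title 'Select items to delete' -PassThru

foreach ($Item in $Selected) {
    $Uri = "$Base/$($Item.Path)/$($Item.Id)"
    try {
        # Save the current definition first; a failed backup skips the delete
        $Json = Invoke-MgGraphRequest -Method GET -Uri "$Uri$($Item.Query)" -OutputType Json
        $File = Join-Path $BackupDir "$($Item.Type)-$($Item.Id).json"
        Set-Content -Path $File -Value $Json -Encoding UTF8
        Invoke-MgGraphRequest -Method DELETE -Uri $Uri | Out-Null
        Write-Host "Deleted $($Item.Type): $($Item.Name) (backup: $File)"
    }
    catch {
        # For example a 404 when the item is already gone: report it and continue
        Write-Warning "Skipped $($Item.Type) $($Item.Id): $($_.Exception.Message)"
    }
}
```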
Getting this error….:
| ConditionalAccessPolicy with id 5c31c8cb-b5cb-46f4-a4f8-3dd5b7d4dd2b does not exist in the directory. Status:
| 404 (NotFound) ErrorCode: ResourceNotFound Date: 2024-06-30T15:17:15 Headers: Cache-Control :
| no-cache Vary : Accept-Encoding Strict-Transport-Security : max-age=31536000
| request-id : 8faba555-8f2b-49fd-8626-fa5d7896b89c client-request-id :
| 0e9e1d5a-2d8a-4ae7-ba9c-2bc61e159fcd x-ms-ags-diagnostic : {“ServerInfo”:{“DataCenter”:”Norway
| East”,”Slice”:”E”,”Ring”:”2″,”ScaleUnit”:”001″,”RoleInstance”:”OSL2EPF00000167″}} Date
| : Sun, 30 Jun 2024 15:17:15 GMT
Tried running the script locally and installed from PSgallery – same error 🙁
I need to add some logic for CA policies. It will delete everything, but you’ll also get that error for each policy
Thanks Andrew, I’m using this in my test environment to quickly clean up config.
I also got the “Get-MgIdentityConditionalAccessPolicy : You cannot perform the requested operation, required scopes are missing in the…”
I found that explicitly changing the graph version to beta in your function fixed the issue for me.
Thank you, are you using V1 or V2 of the Graph SDK?
I’m using version 2
Oh, and I changed these lines for the app protection policy removal to work:
# $Resource = "deviceAppManagement/managedAppPoliciesandroid"
$Resource = "deviceAppManagement/managedAppPolicies"
# $Resource = "deviceAppManagement/managedAppPoliciesios"
$Resource = "deviceAppManagement/managedAppPolicies"
I force installed 2.0.5 and re-ran bulk-delete-intune however I’m still getting the scopes error. I’ve confirmed I’m super admin.
When you authenticated, did it prompt for the additional scopes?
Hey there, getting an error when using bulk delete script. Any ideas as to how to fix? Thanks.
It’s a Settings Catalog
aef2a0cc-3956-4d67-87f8-8f1a092a6315
Get-MgIdentityConditionalAccessPolicy : You cannot perform the requested operation, required scopes are missing in the
token.
Status: 403 (Forbidden)
ErrorCode: AccessDenied
Date: 2024-02-16T00:45:39
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 0fe7837f-cdb3-483b-8c92-992e33bc3096
client-request-id : d2067ce9-4bc9-4edc-80f2-59d591abd228
x-ms-ags-diagnostic : {“ServerInfo”:{“DataCenter”:”West
US”,”Slice”:”E”,”Ring”:”4″,”ScaleUnit”:”001″,”RoleInstance”:”BY1PEPF0000669B”}}
Cache-Control : no-cache
Date : Fri, 16 Feb 2024 00:45:39 GMT
At C:\Program Files\WindowsPowerShell\Scripts\bulk-delete-intune.ps1:244 char:17
+ … Get-MgIdentityConditionalAccessPolicy -ConditionalAccessP …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: ({ ConditionalAc… , Headers = }:f__AnonymousType22`4) [Get-MgIden
tityC…ccessPolicy_Get], Exception
+ FullyQualifiedErrorId : AccessDenied,Microsoft.Graph.PowerShell.Cmdlets.GetMgIdentityConditionalAccessPolicy_Get
I have just updated the scopes, can you try the latest version please?
Does running this require a specific Microsoft SKU/license?
No, it shouldn’t do