Claudia Zhou 2024-04-05 16:21:45 -07:00
Родитель 9b6868fac0
Коммит 54bcd9e427
4 изменённых файлов: 1614 добавлений и 0 удалений


@ -0,0 +1,294 @@
function Get-AuthToken {
[cmdletbinding()]
param
(
[Parameter(Mandatory=$true)]
$User
)
$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
$tenant = $userUpn.Host
Import-Module AzureAD
$AadModule = Get-Module -Name "AzureAD" -ListAvailable
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceAppIdURI = "https://graph.microsoft.com"
$authority = "https://login.microsoftonline.com/$Tenant"
try {
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
$userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result
# If the accesstoken is valid then create the authentication header
if($authResult.AccessToken){
# Creating header for Authorization token
$authHeader = @{
'Content-Type'='application/json'
'Authorization'="Bearer " + $authResult.AccessToken
'ExpiresOn'=$authResult.ExpiresOn
}
return $authHeader
}
else {
Write-Host
Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
Write-Host
break
}
}
catch {
write-host $_.Exception.Message -f Red
write-host $_.Exception.ItemName -f Red
write-host
break
}
}
####################################################
Function Test-JSON(){
param (
$JSON
)
try {
$TestJSON = ConvertFrom-Json $JSON -ErrorAction Stop
$validJson = $true
}
catch {
$validJson = $false
$_.Exception
}
if (!$validJson){
Write-Host "Provided JSON isn't in valid JSON format" -f Red
break
}
}
####################################################
Function Add-DeviceCompliancePolicy(){
<#
.SYNOPSIS
This function is used to add a device compliance policy using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device compliance policy
.EXAMPLE
Add-DeviceCompliancePolicy -JSON $JSON
Adds an iOS device compliance policy in Intune
.NOTES
NAME: Add-DeviceCompliancePolicy
#>
[cmdletbinding()]
param
(
$JSON
)
$graphApiVersion = "beta"
$Resource = "deviceManagement/deviceCompliancePolicies"
try {
if($JSON -eq "" -or $JSON -eq $null){
write-host "No JSON specified, please specify valid JSON for the iOS Policy..." -f Red
}
else {
Test-JSON -JSON $JSON
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
write-host $uri -ForegroundColor Yellow
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
#region Authentication
write-host
# Checking if authToken exists before running authentication
if($global:authToken)
{
# Setting DateTime to Universal time to work in all timezones
$DateTime = (Get-Date).ToUniversalTime()
# If the authToken exists checking when it expires
$TokenExpires = ($authToken.ExpiresOn.datetime - $DateTime).Minutes
if($TokenExpires -le 0)
{
write-host "Authentication Token expired" $TokenExpires "minutes ago" -ForegroundColor Yellow
write-host
# Defining User Principal Name if not present
if($User -eq $null -or $User -eq "")
{
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
$global:authToken = Get-AuthToken -User $User
}
}
# Authentication doesn't exist, calling Get-AuthToken function
else {
if($User -eq $null -or $User -eq ""){
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
# Getting the authorization token
$global:authToken = Get-AuthToken -User $User
}
#endregion
####################################################
$ImportPath = Read-Host -Prompt "Please specify a folder path to a JSON file to import data from e.g. C:\IntuneOutput\Policies"
# Replacing quotes for Test-Path
$ImportPath = $ImportPath.replace('"','')
if(!(Test-Path "$ImportPath")){
Write-Host "Import Path for JSON file doesn't exist..." -ForegroundColor Red
Write-Host "Script can't continue..." -ForegroundColor Red
Write-Host
break
}
$Jsonfiles = Get-ChildItem -Path $ImportPath
if($Jsonfiles -eq $null){
Write-Host "Import folder for JSON file is empty..." -ForegroundColor Red
Write-Host "Script can't continue..." -ForegroundColor Red
Write-Host
break
}
foreach ( $jsonfile in $Jsonfiles)
{
$ImportPath1 = $ImportPath +"\" + $jsonfile
$JSON_Data = gc "$ImportPath1"
# Excluding entries that are not required - id,createdDateTime,lastModifiedDateTime,version
$JSON_Convert = $JSON_Data | ConvertFrom-Json | Select-Object -Property * -ExcludeProperty id,createdDateTime,lastModifiedDateTime,version
$DisplayName = $JSON_Convert.displayName
$JSON_Output = $JSON_Convert | ConvertTo-Json -Depth 5
# Adding Scheduled Actions Rule to JSON
$scheduledActionsForRule = '"scheduledActionsForRule":[{"ruleName":"PasswordRequired","scheduledActionConfigurations":[{"actionType":"block","gracePeriodHours":0,"notificationTemplateId":"","notificationMessageCCList":[]}]}]'
$JSON_Output = $JSON_Output.trimend("}")
$JSON_Output = $JSON_Output.TrimEnd() + "," + "`r`n"
# Joining the JSON together
$JSON_Output = $JSON_Output + $scheduledActionsForRule + "`r`n" + "}"
write-host
write-host "Compliance Policy '$DisplayName' Found..." -ForegroundColor Yellow
write-host
$JSON_Output
write-host
Write-Host "Adding Compliance Policy '$DisplayName'" -ForegroundColor Yellow
Add-DeviceCompliancePolicy -JSON $JSON_Output
}
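Review bot: The import loop at the end of this file posts every item that `Get-ChildItem -Path $ImportPath` returns, including subdirectories and non-JSON files, and `gc` on a directory throws before Test-JSON ever runs; I would use `$Jsonfiles = Get-ChildItem -Path $ImportPath -Filter *.json -File` and `$JSON_Data = Get-Content -LiteralPath $jsonfile.FullName -Raw`, which also avoids the concatenated `$ImportPath + "\" + $jsonfile` (on PowerShell 7 a FileInfo stringifies to its full path, so that concatenation presumably doubles the directory). The policy body is then edited as text (`TrimEnd("}")` plus string append) to splice in `scheduledActionsForRule`; adding that property with `Add-Member` on `$JSON_Convert` before a single `ConvertTo-Json` keeps the document well-formed and cannot produce a duplicate key if an exported policy already carries one. Separately, `($authToken.ExpiresOn.datetime - $DateTime).Minutes` returns only the minutes component of the TimeSpan, so a token with exactly N whole hours left reads as 0 and forces a fresh sign-in; `.TotalMinutes` is what the message and the `-le 0` test intend, and the same expression appears in the authentication region of the other three files in this commit. The token path also loads ADAL (`Microsoft.IdentityModel.Clients.ActiveDirectory.dll`) through the AzureAD module, which is out of support; a `# TODO: migrate to MSAL / Microsoft.Graph authentication` on Get-AuthToken would be worth recording before the function is copied into a fourth file.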


@ -0,0 +1,335 @@
Function GenerateFilePath
{
$currentdate = get-date -uformat "%Y-%m-%d_%H.%M.%S"
$LogFilePath = ([Environment]::CurrentDirectory=(Get-Location -PSProvider FileSystem).ProviderPath) + "\IntuneCompliancePolicyExport_SH_" + $currentdate
$FileExists = Test-Path $LogFilePath
if ($FileExists -eq $False){New-Item $LogFilePath -type directory}
}
function Get-AuthToken {
<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>
[cmdletbinding()]
param
(
[Parameter(Mandatory=$true)]
$User
)
$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
$tenant = $userUpn.Host
Import-Module AzureAD
$AadModule = Get-Module -Name "AzureAD" -ListAvailable
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$clientId = "XXXXXXXXXXXXXXXXX" #Microsoft Intune Powershell clientID
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceAppIdURI = "https://graph.microsoft.com"
$authority = "https://login.microsoftonline.com/$Tenant"
try
{
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
# Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
$userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result
# If the accesstoken is valid then create the authentication header
if($authResult.AccessToken){
# Creating header for Authorization token
$authHeader = @{
'Content-Type'='application/json'
'Authorization'="Bearer " + $authResult.AccessToken
'ExpiresOn'=$authResult.ExpiresOn
}
return $authHeader
}
else {
Write-Host
Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
Write-Host
break
}
}
catch {
write-host $_.Exception.Message -f Red
write-host $_.Exception.ItemName -f Red
write-host
break
}
}
####################################################
Function Get-DeviceCompliancePolicy(){
[cmdletbinding()]
param
(
[switch]$Android,
[switch]$iOS,
[switch]$Win10
)
$graphApiVersion = "beta"
$Resource = "deviceManagement/deviceCompliancePolicies"
try {
$Count_Params = 0
if($Android.IsPresent){ $Count_Params++ }
if($iOS.IsPresent){ $Count_Params++ }
if($Win10.IsPresent){ $Count_Params++ }
if($Count_Params -gt 1){
write-host "Multiple parameters set, specify a single parameter -Android -iOS or -Win10 against the function" -f Red
}
elseif($Android){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value | Where-Object { ($_.'@odata.type').contains("android") }
}
elseif($iOS){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value | Where-Object { ($_.'@odata.type').contains("ios") }
}
elseif($Win10){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value | Where-Object { ($_.'@odata.type').contains("windows10CompliancePolicy") }
}
else {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Export-JSONData(){
<#
.SYNOPSIS
This function is used to export JSON data returned from Graph
.DESCRIPTION
This function is used to export JSON data returned from Graph
.EXAMPLE
Export-JSONData -JSON $JSON
Export the JSON inputted on the function
.NOTES
NAME: Export-JSONData
#>
param (
$JSON,
$ExportPath
)
try {
if($JSON -eq "" -or $JSON -eq $null){
write-host "No JSON specified, please specify valid JSON..." -f Red
}
elseif(!$ExportPath){
write-host "No export path parameter set, please provide a path to export the file" -f Red
}
elseif(!(Test-Path $ExportPath)){
write-host "$ExportPath doesn't exist, can't export JSON Data" -f Red
}
else {
$JSON1 = ConvertTo-Json $JSON -Depth 5
$JSON_Convert = $JSON1 | ConvertFrom-Json
$displayName = $JSON_Convert.displayName
# Updating display name to follow file naming conventions - https://msdn.microsoft.com/en-us/library/windows/desktop/aa365247%28v=vs.85%29.aspx
$DisplayName = $DisplayName -replace '\<|\>|:|"|/|\\|\||\?|\*', "_"
$Properties = ($JSON_Convert | Get-Member | ? { $_.MemberType -eq "NoteProperty" }).Name
$FileName_CSV = "$DisplayName" + ".csv"
$FileName_JSON = "$DisplayName" + ".json"
$Object = New-Object System.Object
foreach($Property in $Properties){
$Object | Add-Member -MemberType NoteProperty -Name $Property -Value $JSON_Convert.$Property
}
write-host "Export Path:" "$ExportPath"
#$Object | Export-Csv -LiteralPath "$ExportPath\$FileName_CSV" -Delimiter "," -NoTypeInformation -Append #export CSV file
$JSON1 | Set-Content -LiteralPath "$ExportPath\$FileName_JSON"
write-host "CSV created in $ExportPath\$FileName_CSV..." -f cyan
write-host "JSON created in $ExportPath\$FileName_JSON..." -f cyan
}
}
catch {
$_.Exception
}
}
####################################################
#region Authentication
write-host
# Checking if authToken exists before running authentication
if($global:authToken){
# Setting DateTime to Universal time to work in all timezones
$DateTime = (Get-Date).ToUniversalTime()
# If the authToken exists checking when it expires
$TokenExpires = ($authToken.ExpiresOn.datetime - $DateTime).Minutes
if($TokenExpires -le 0){
write-host "Authentication Token expired" $TokenExpires "minutes ago" -ForegroundColor Yellow
write-host
# Defining User Principal Name if not present
if($User -eq $null -or $User -eq ""){
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
$global:authToken = Get-AuthToken -User $User
}
}
# Authentication doesn't exist, calling Get-AuthToken function
else {
if($User -eq $null -or $User -eq ""){
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
# Getting the authorization token
$global:authToken = Get-AuthToken -User $User
}
#endregion
####################################################
$ExportPath = GenerateFilePath
$CPs = Get-DeviceCompliancePolicy
foreach($CP in $CPs){
write-host "Device Compliance Policy:"$CP.displayName -f Yellow
Export-JSONData -JSON $CP -ExportPath "$ExportPath"
Write-Host
}
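Review bot: GenerateFilePath never returns `$LogFilePath`; `$ExportPath = GenerateFilePath` receives whatever `New-Item` emits, so when the folder already exists the function emits nothing, `$ExportPath` is empty and Export-JSONData stops with "No export path parameter set". I would end the function with `New-Item -Path $LogFilePath -ItemType Directory | Out-Null` followed by `return $LogFilePath`. Even on the normal path the value is a DirectoryInfo, which under Windows PowerShell stringifies to the folder name only, so `"$ExportPath\$FileName_JSON"` in Export-JSONData is presumably resolved relative to the current directory and works only because `[Environment]::CurrentDirectory` is set on the same line. The identical function is in the third file of this commit. In Export-JSONData the output file is named from `displayName` alone, so two policies with the same display name silently overwrite each other via `Set-Content`; appending the policy `id` to `$FileName_JSON` (or refusing to overwrite) would keep the export complete.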


@ -0,0 +1,664 @@
Function GenerateFilePath
{
$currentdate = get-date -uformat "%Y-%m-%d_%H.%M.%S"
$LogFilePath = ([Environment]::CurrentDirectory=(Get-Location -PSProvider FileSystem).ProviderPath) + "\IntuneConfigPolicyExport" + $currentdate
$FileExists = Test-Path $LogFilePath
if ($FileExists -eq $False){New-Item $LogFilePath -type directory}
#$LogFilePath = $LogFilePath + "\"
#Return $LogFilePath
}
function Get-AuthToken {
[cmdletbinding()]
param
(
[Parameter(Mandatory=$true)]
$User
)
$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
$tenant = $userUpn.Host
Import-Module AzureAD
$AadModule = Get-Module -Name "AzureAD" -ListAvailable
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$clientId = "XXXXXXXXXXXXXXXXXXXX" #Microsoft Intune Powershell clientID GUID.
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceAppIdURI = "https://graph.microsoft.com"
$authority = "https://login.microsoftonline.com/$Tenant"
try {
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
# Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
$userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result
# If the accesstoken is valid then create the authentication header
if($authResult.AccessToken){
# Creating header for Authorization token
$authHeader = @{
'Content-Type'='application/json'
'Authorization'="Bearer " + $authResult.AccessToken
'ExpiresOn'=$authResult.ExpiresOn
}
return $authHeader
}
else {
Write-Host
Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
Write-Host
break
}
}
catch {
write-host $_.Exception.Message -f Red
write-host $_.Exception.ItemName -f Red
write-host
break
}
}
####################################################
Function Get-DeviceConfigurationPolicyDcv1(){
[cmdletbinding()]
$graphApiVersion = "beta"
$DCP_resource = "deviceManagement/deviceConfigurations"
try {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
<#Function Get-SettingsCatalogPolicy(){
<#
.SYNOPSIS
This function is used to get Settings Catalog policies from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any Settings Catalog policies
.EXAMPLE
Get-SettingsCatalogPolicy
Returns any Settings Catalog policies configured in Intune
Get-SettingsCatalogPolicy -Platform windows10
Returns any Windows 10 Settings Catalog policies configured in Intune
Get-SettingsCatalogPolicy -Platform macOS
Returns any MacOS Settings Catalog policies configured in Intune
.NOTES
NAME: Get-SettingsCatalogPolicy
#>
<#[cmdletbinding()]
param
(
[parameter(Mandatory=$false)]
[ValidateSet("windows10","macOS","ios","Android")]
[ValidateNotNullOrEmpty()]
[string]$Platform
)
$graphApiVersion = "beta"
if($Platform){
#$Resource = "deviceManagement/configurationPolicies?`$filter=platforms has '$Platform' and technologies has 'mdm'"
$Resource = "deviceManagement/configurationPolicies"
}
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
#>
####################################################
<# apps protection policies#>
Function Get-DeviceAppPolicies(){
[cmdletbinding()]
$graphApiVersion = "beta"
$DCP_resource = "deviceAppManagement/managedAppPolicies"
try {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
#############################################################
Function Get-DeviceACPpolicies(){
[cmdletbinding()]
$graphApiVersion = "beta"
$DCP_resource1 = "deviceAppManagement/MobileAppConfigurations"
$DCP_resource2 = "deviceAppManagement/targetedManagedAppConfigurations"
$allACPItems = @()
try {
#platform based ACP policies
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource1)"
$items1 = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
#non-platform based ACP policies
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource2)"
$items2 = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
$allACPItems = $items1 + $items2
#$allACPItems = $items1
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
return $allACPItems
}
##############################################################
Function Get-SettingsCatalogPolicySettings(){
<#
.SYNOPSIS
This function is used to get Settings Catalog policy Settings from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any Settings Catalog policy Settings
.EXAMPLE
Get-SettingsCatalogPolicySettings -policyid policyid
Returns any Settings Catalog policy Settings configured in Intune
.NOTES
NAME: Get-SettingsCatalogPolicySettings
#>
[cmdletbinding()]
param
(
[Parameter(Mandatory=$true)]
[ValidateNotNullOrEmpty()]
$policyid
)
$graphApiVersion = "beta"
$Resource = "deviceManagement/configurationPolicies('$policyid')/settings?`$expand=settingDefinitions"
try {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
$Response = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get)
$AllResponses = $Response.value
$ResponseNextLink = $Response."@odata.nextLink"
while ($ResponseNextLink -ne $null){
$Response = (Invoke-RestMethod -Uri $ResponseNextLink -Headers $authToken -Method Get)
$ResponseNextLink = $Response."@odata.nextLink"
$AllResponses += $Response.value
}
return $AllResponses
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
#################################################################
Function Get-DeviceConfigurationPolicyDCV2(){
[cmdletbinding()]
$graphApiVersion = "beta"
$DCP_resource = "deviceManagement/configurationPolicies"
$allItems = @()
try {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
#(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
#handle page Odata query page issu
$items = Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get
if ($items.'@odata.nextLink') {
do {
$items = Invoke-RestMethod -Uri $items.'@odata.nextLink' -Headers $authToken -Method Get
$allItems += $items.value
} until (!($items.'@odata.nextLink'))
}
return $allItems
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Export-JSONData(){
param (
$JSON,
$ExportPath
)
try {
if($JSON -eq "" -or $JSON -eq $null){
write-host "No JSON specified, please specify valid JSON..." -f Red
}
elseif(!$ExportPath){
write-host "No export path parameter set, please provide a path to export the file" -f Red
}
elseif(!(Test-Path $ExportPath)){
write-host "$ExportPath doesn't exist, can't export JSON Data" -f Red
}
else {
$JSON1 = ConvertTo-Json $JSON -Depth 99
$JSON_Convert = $JSON1 | ConvertFrom-Json
if( $JSON_Convert.displayName) { $displayName = $JSON_Convert.displayName } #for DCV1
if( $JSON_Convert.Name) { $displayName = $JSON_Convert.Name } #for DCV2
# Updating display name to follow file naming conventions - https://msdn.microsoft.com/en-us/library/windows/desktop/aa365247%28v=vs.85%29.aspx
$DisplayName = $DisplayName -replace '\<|\>|:|"|/|\\|\||\?|\*', "_"
$Properties = ($JSON_Convert | Get-Member | ? { $_.MemberType -eq "NoteProperty" }).Name
$FileName_CSV = "$DisplayName" + ".csv"
$FileName_JSON = "$DisplayName" + ".json"
$Object = New-Object System.Object
foreach($Property in $Properties){
$Object | Add-Member -MemberType NoteProperty -Name $Property -Value $JSON_Convert.$Property
}
write-host "Export Path:" "$ExportPath"
# $Object | Export-Csv -LiteralPath "$ExportPath\$FileName_CSV" -Delimiter "," -NoTypeInformation -Append # save as CSV
$JSON1 | Set-Content -LiteralPath "$ExportPath\$FileName_JSON"
#write-host "CSV created in $ExportPath\$FileName_CSV..." -f cyan
write-host "JSON created in $ExportPath\$FileName_JSON..." -f cyan
}
}
catch {
$_.Exception
}
}
####################################################
#region Authentication
write-host
# Checking if authToken exists before running authentication
if($global:authToken){
# Setting DateTime to Universal time to work in all timezones
$DateTime = (Get-Date).ToUniversalTime()
# If the authToken exists checking when it expires
$TokenExpires = ($authToken.ExpiresOn.datetime - $DateTime).Minutes
if($TokenExpires -le 0){
write-host "Authentication Token expired" $TokenExpires "minutes ago" -ForegroundColor Yellow
write-host
# Defining User Principal Name if not present
if($User -eq $null -or $User -eq ""){
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
$global:authToken = Get-AuthToken -User $User
}
}
# Authentication doesn't exist, calling Get-AuthToken function
else {
if($User -eq $null -or $User -eq ""){
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
# Getting the authorization token
$global:authToken = Get-AuthToken -User $User
}
#endregion
####################################################
$ExportPath = GenerateFilePath
write-host $ExportPath -ForegroundColor Green
####################################################
#Retrive DCV1 configuration policies
#$DCPs = Get-DeviceConfigurationPolicyDcv1
if($DCPs)
{
foreach($DCP in $DCPs){
write-host "DCV1 Device Configuration Policy:"$DCP.displayName -f Yellow
Export-JSONData -JSON $DCP -ExportPath "$ExportPath"
Write-Host
}
}
#Retrive apps protection policies
$APPS = Get-DeviceAppPolicies
if($APPS)
{
$ExportAPP = "$ExportPath" + "\MAM_APP"
$FileExists = Test-Path $ExportAPP
if ($FileExists -eq $False) { New-Item $ExportAPP -type directory}
foreach($APP in $APPs){
write-host "Device Apps Protection Policy:"$APP.displayName -f Yellow
Export-JSONData -JSON $APP -ExportPath "$ExportAPP"
Write-Host
}
}
#Retrive apps configuration policies
$ACPs = Get-DeviceACPpolicies
if($ACPs)
{
$ExportACP = "$ExportPath" + "\MAM_ACP"
$FileExists = Test-Path $ExportACP
if ($FileExists -eq $False) { New-Item $ExportACP -type directory}
foreach($ACP in $ACPs){
write-host "Device Apps Configuration Policy:"$ACP.displayName -f Yellow
Export-JSONData -JSON $ACP -ExportPath $ExportACP
Write-Host
}
}
######################################################################
#Retrive DCV2 configuration policies
#$Policies = Get-DeviceConfigurationPolicyDCV2
if($Policies){
foreach($policy in $Policies){
Write-Host $policy.name -ForegroundColor Yellow
$AllSettingsInstances = @()
$policyid = $policy.id
$Policy_Technologies = $policy.technologies
$Policy_Platforms = $Policy.platforms
$Policy_Name = $Policy.name
$Policy_Description = $policy.description
$PolicyBody = New-Object -TypeName PSObject
Add-Member -InputObject $PolicyBody -MemberType 'NoteProperty' -Name 'name' -Value "$Policy_Name"
Add-Member -InputObject $PolicyBody -MemberType 'NoteProperty' -Name 'description' -Value "$Policy_Description"
Add-Member -InputObject $PolicyBody -MemberType 'NoteProperty' -Name 'platforms' -Value "$Policy_Platforms"
Add-Member -InputObject $PolicyBody -MemberType 'NoteProperty' -Name 'technologies' -Value "$Policy_Technologies"
# Checking if policy has a templateId associated
if($policy.templateReference.templateId){
Write-Host "Found template reference" -f Cyan
$templateId = $policy.templateReference.templateId
$PolicyTemplateReference = New-Object -TypeName PSObject
Add-Member -InputObject $PolicyTemplateReference -MemberType 'NoteProperty' -Name 'templateId' -Value $templateId
Add-Member -InputObject $PolicyBody -MemberType 'NoteProperty' -Name 'templateReference' -Value $PolicyTemplateReference
}
$SettingInstances = Get-SettingsCatalogPolicySettings -policyid $policyid
$Instances = $SettingInstances.settingInstance
foreach($object in $Instances){
$Instance = New-Object -TypeName PSObject
Add-Member -InputObject $Instance -MemberType 'NoteProperty' -Name 'settingInstance' -Value $object
$AllSettingsInstances += $Instance
}
Add-Member -InputObject $PolicyBody -MemberType 'NoteProperty' -Name 'settings' -Value @($AllSettingsInstances)
Export-JSONData -JSON $PolicyBody -ExportPath "$ExportPath"
Write-Host
}
}
else {
Write-Host "No Settings Catalog policies found..." -ForegroundColor Red
Write-Host
}
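Review bot: Get-DeviceConfigurationPolicyDCV2 drops the first page of results: `$items.value` from the initial `Invoke-RestMethod` call is never appended to `$allItems`, and when the response has no `@odata.nextLink` the function returns an empty array. Get-SettingsCatalogPolicySettings in the same file handles the first page correctly, and the loop below follows that shape. The top-level calls that would exercise this function (`#$DCPs = ...` and `#$Policies = ...`) are commented out in this commit, so the defect only surfaces once they are re-enabled, at which point the `else` branch would report "No Settings Catalog policies found" for a tenant that has them.
```powershell
Function Get-DeviceConfigurationPolicyDCV2(){
  # … unchanged: [cmdletbinding()], $graphApiVersion, $DCP_resource, $allItems …
  try {
    $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
    $items = Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get
    # first page must be collected before following nextLink
    $allItems += $items.value
    while ($items.'@odata.nextLink') {
      $items = Invoke-RestMethod -Uri $items.'@odata.nextLink' -Headers $authToken -Method Get
      $allItems += $items.value
    }
    return $allItems
  }
  # … unchanged: catch block …
```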


@ -0,0 +1,321 @@
function Get-AuthToken {
[cmdletbinding()]
param
(
[Parameter(Mandatory=$true)]
$User
)
$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
$tenant = $userUpn.Host
write-host $tenant
Import-Module AzureAD
$AadModule = Get-Module -Name "AzureAD" -ListAvailable
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceAppIdURI = "https://graph.microsoft.com"
$authority = "https://login.microsoftonline.com/$Tenant"
try {
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
write-host $authContext
# https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
# Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
$userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result
# If the accesstoken is valid then create the authentication header
if($authResult.AccessToken){
# Creating header for Authorization token
$authHeader = @{
'Content-Type'='application/json'
'Authorization'="Bearer " + $authResult.AccessToken
'ExpiresOn'=$authResult.ExpiresOn
}
return $authHeader
}
else {
Write-Host
Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
Write-Host
break
}
}
catch {
write-host $_.Exception.Message -f Red
write-host $_.Exception.ItemName -f Red
write-host
break
}
}
####################################################
Function Add-DeviceConfigurationPolicy(){
[cmdletbinding()]
param
(
$JSON,
$DCP_resource_end
)
$graphApiVersion = "beta"
$DCP_resource = $DCP_resource_end
Write-host $json -f blue
try {
if($JSON -eq "" -or $JSON -eq $null){
write-host "No JSON specified, please specify valid JSON for the Device Configuration Policy..." -f Red
}
else {
Test-JSON -JSON $JSON
write-host $DCP_resource -f Yellow
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
# Invoke-RestMethod -useBasicParsing -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Test-JSON(){
param (
$JSON
)
try {
$TestJSON = ConvertFrom-Json $JSON -ErrorAction Stop
$validJson = $true
}
catch {
$validJson = $false
$_.Exception
}
if (!$validJson){
Write-Host "Provided JSON isn't in valid JSON format" -f Red
break
}
}
####################################################
#region Authentication
write-host
# Checking if authToken exists before running authentication
if($global:authToken){
# Setting DateTime to Universal time to work in all timezones
$DateTime = (Get-Date).ToUniversalTime()
# If the authToken exists checking when it expires
$TokenExpires = ($authToken.ExpiresOn.datetime - $DateTime).Minutes
if($TokenExpires -le 0){
write-host "Authentication Token expired" $TokenExpires "minutes ago" -ForegroundColor Yellow
write-host
# Defining User Principal Name if not present
if($User -eq $null -or $User -eq ""){
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
$global:authToken = Get-AuthToken -User $User
}
}
# Authentication doesn't exist, calling Get-AuthToken function
else {
if($User -eq $null -or $User -eq ""){
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
# Getting the authorization token
$global:authToken = Get-AuthToken -User $User
}
#endregion
####################################################
$ImportPath = Read-Host -Prompt "Please specify a folder path to a JSON files to import data from e.g. C:\IntuneOutput\Policies"
# Replacing quotes for Test-Path
$ImportPath = $ImportPath.replace('"','')
if(!(Test-Path "$ImportPath")){
Write-Host "Import Path for JSON file doesn't exist..." -ForegroundColor Red
Write-Host "Script can't continue..." -ForegroundColor Red
Write-Host
break
}
####################################################
$Jsonfiles = Get-ChildItem -Path $ImportPath
if($Jsonfiles -eq $null){
Write-Host "Import folder for JSON file is empty..." -ForegroundColor Red
Write-Host "Script can't continue..." -ForegroundColor Red
Write-Host
break
}
foreach ( $jsonfile in $Jsonfiles)
{
$ImportPath1 = $ImportPath +"\" + $jsonfile
$JSON_Data = gc "$ImportPath1"
# Excluding entries that are not required - id,createdDateTime,lastModifiedDateTime,version
$JSON_Convert = $JSON_Data | ConvertFrom-Json | Select-Object -Property * -ExcludeProperty id,createdDateTime,lastModifiedDateTime,version,supportsScopeTags
if($JSON_Convert.'@odata.type' -ne $null)
{
$OdataString = $JSON_Convert.'@odata.type'.ToLower()
write-host $OdataString -ForegroundColor Green
if($OdataString.Contains("protectionpolicy") -or $OdataString.Contains("managedappprotection") -or $OdataString.Contains("targetedmanagedappconfiguration"))
{
$DCP_resource_end = "deviceAppManagement/ManagedAppPolicies"
$DisplayName = $JSON_Convert.displayName
}
elseif($OdataString.Contains("appconfiguration"))
{
$DCP_resource_end = "deviceAppManagement/MobileAppConfigurations"
$DisplayName = $JSON_Convert.displayName
}
elseif($JSON_Convert.displayName)
{
$DCP_resource_end = "deviceManagement/deviceConfigurations"
$DisplayName = $JSON_Convert.displayName
}
elseif($JSON_Convert.Name)
{
$DCP_resource_end = "deviceManagement/configurationPolicies"
$DisplayName = $JSON_Convert.Name
}
}
else {
#$DCP_resource_end = "deviceAppManagement/MobileAppConfigurations"
$DCP_resource_end = "deviceAppManagement/TargetedManagedAppConfigurations"
$DisplayName = $JSON_Convert.displayName
}
$JSON_Output = $JSON_Convert | ConvertTo-Json -Depth 99
write-host
write-host "Device Configuration Policy '$DisplayName' Found..." -ForegroundColor Yellow
write-host
#$JSON_Output
write-host
Write-Host "Adding Device Configuration Policy '$DisplayName'" -ForegroundColor Yellow
Add-DeviceConfigurationPolicy -JSON $JSON_Output $DCP_resource_end
}