
.GUID 729ebf90-26fe-4795-92dc-ca8f570cdd22
.AUTHOR AndrewTaylor
.DESCRIPTION Builds an Intune environment using intunebackupandrestore
.TAGS intune endpoint MEM environment
.EXTERNALMODULEDEPENDENCIES microsoft.graph.intune intunebackupandrestore

  Builds an Intune Environment
Builds an Intune environment using intunebackupandrestore
None required
Within Azure
  Version: 2.1
  Author: Andrew Taylor
  Twitter: @AndrewTaylor_2
  Creation Date: 21/08/2021
  Purpose/Change: Initial script development

$version = "2.1"
###### Install Modules ######
Write-Host "Installing Intune modules if required (current user scope)"

#Install MS Graph if not available
if (Get-Module -ListAvailable -Name Microsoft.Graph.Intune) {
    Write-Host "Microsoft Graph Already Installed"
else {
    try {
        Install-Module -Name Microsoft.Graph.Intune -Scope CurrentUser -Repository PSGallery -Force 
    catch [Exception] {

#Install MS Intune Backup and Restore if not available
if (Get-Module -ListAvailable -Name IntuneBackupAndRestore) {
    Write-Host "Intune Backup and Restore Already Installed"
else {
    try {
        Install-Module -Name IntuneBackupAndRestore -Scope CurrentUser -Repository PSGallery -Force 
    catch [Exception] {

Write-Host "Installing AzureAD Preview modules if required (current user scope)"

#Install AZ Module if not available
if (Get-Module -ListAvailable -Name AzureADPreview) {
    Write-Host "AZ Ad Preview Module Already Installed"
else {
    try {
        Install-Module -Name AzureADPreview -Scope CurrentUser -Repository PSGallery -Force -AllowClobber 
    catch [Exception] {

#Importing Modules
Import-Module IntuneBackupAndRestore
Import-Module Microsoft.Graph.Intune

#Group creation needs preview module so we need to remove non-preview first
# Unload the AzureAD module (or continue if it's already unloaded)
Remove-Module AzureAD -ErrorAction SilentlyContinue
# Load the AzureADPreview module
Import-Module AzureADPreview

###### Add Functions ######

function Get-AuthToken {

    This function is used to authenticate with the Graph API REST interface
    The function authenticate with the Graph API Interface with the tenant name
    Authenticates you with the Graph API interface
    NAME: Get-AuthToken

    $userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
    $tenant = $userUpn.Host
    Write-Host "Checking for AzureAD module..."
        $AadModule = Get-Module -Name "AzureAD" -ListAvailable
        if ($AadModule -eq $null) {
            Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
            $AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
        if ($AadModule -eq $null) {
            write-host "AzureAD Powershell module not installed..." -f Red
            write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
            write-host "Script can't continue..." -f Red
    # Getting path to ActiveDirectory Assemblies
    # If the module count is greater than 1 find the latest version
        if($AadModule.count -gt 1){
            $Latest_Version = ($AadModule | select version | Sort-Object)[-1]
            $aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }
                # Checking if there are multiple versions of the same module found
                if($AadModule.count -gt 1){
                $aadModule = $AadModule | select -Unique
            $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
            $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
        else {
            $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
            $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
    [System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
    [System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
    $clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
    $redirectUri = "urn:ietf:wg:oauth:2.0:oob"
    $resourceAppIdURI = ""
    $authority = "$Tenant"
        try {
        $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
        # Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
        $platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
        $userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
        $authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result
            # If the accesstoken is valid then create the authentication header
            # Creating header for Authorization token
            $authHeader = @{
                'Authorization'="Bearer " + $authResult.AccessToken
            return $authHeader
            else {
            Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
        catch {
        write-host $_.Exception.Message -f Red
        write-host $_.Exception.ItemName -f Red
    Function Get-DeviceConfigurationPolicy(){
    This function is used to get device configuration policies from the Graph API REST interface
    The function connects to the Graph API Interface and gets any device configuration policies
    Returns any device configuration policies configured in Intune
    NAME: Get-DeviceConfigurationPolicy

    $graphApiVersion = "beta"
    $DCP_resource = "deviceManagement/deviceConfigurations"
        try {
            $uri = "$graphApiVersion/$($DCP_resource)?`$filter=displayName eq '$name'"
            (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).value
            else {
            $uri = "$graphApiVersion/$($DCP_resource)"
            (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
        catch {
        $ex = $_.Exception
        $errorResponse = $ex.Response.GetResponseStream()
        $reader = New-Object System.IO.StreamReader($errorResponse)
        $reader.BaseStream.Position = 0
        $responseBody = $reader.ReadToEnd();
        Write-Host "Response content:`n$responseBody" -f Red
        Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"

        Function Get-DeviceConfigurationPolicySC(){
            This function is used to get device configuration policies from the Graph API REST interface - SETTINGS CATALOG
            The function connects to the Graph API Interface and gets any device configuration policies
            Returns any device configuration policies configured in Intune
            NAME: Get-DeviceConfigurationPolicySC

            $graphApiVersion = "beta"
            $DCP_resource = "deviceManagement/configurationPolicies"
                try {
                    $uri = "$graphApiVersion/$($DCP_resource)?`$filter=name eq '$name'"
                    (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).value
                    else {
                    $uri = "$graphApiVersion/$($DCP_resource)"
                    (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
                catch {
                $ex = $_.Exception
                $errorResponse = $ex.Response.GetResponseStream()
                $reader = New-Object System.IO.StreamReader($errorResponse)
                $reader.BaseStream.Position = 0
                $responseBody = $reader.ReadToEnd();
                Write-Host "Response content:`n$responseBody" -f Red
                Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"

            Function Get-AutoPilotProfile(){
                This function is used to get device configuration policies from the Graph API REST interface - AUTPILOT
                The function connects to the Graph API Interface and gets any device configuration policies
                Returns any device configuration policies configured in Intune
                NAME: Get-AutoPilotProfile

                $graphApiVersion = "beta"
                $DCP_resource = "deviceManagement/windowsAutopilotDeploymentProfiles"
                    try {
                        $uri = "$graphApiVersion/$($DCP_resource)?`$filter=displayName eq '$name'"
                        (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).value
                        else {
                        $uri = "$graphApiVersion/$($DCP_resource)"
                        (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
                    catch {
                    $ex = $_.Exception
                    $errorResponse = $ex.Response.GetResponseStream()
                    $reader = New-Object System.IO.StreamReader($errorResponse)
                    $reader.BaseStream.Position = 0
                    $responseBody = $reader.ReadToEnd();
                    Write-Host "Response content:`n$responseBody" -f Red
                    Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
    Function Get-DeviceConfigurationPolicyAssignment(){
    This function is used to get device configuration policy assignment from the Graph API REST interface
    The function connects to the Graph API Interface and gets a device configuration policy assignment
    Get-DeviceConfigurationPolicyAssignment $id guid
    Returns any device configuration policy assignment configured in Intune
    NAME: Get-DeviceConfigurationPolicyAssignment

        [Parameter(Mandatory=$true,HelpMessage="Enter id (guid) for the Device Configuration Policy you want to check assignment")]
    $graphApiVersion = "Beta"
    $DCP_resource = "deviceManagement/deviceConfigurations"
        try {
        $uri = "$graphApiVersion/$($DCP_resource)/$id/groupAssignments"
        (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
        catch {
        $ex = $_.Exception
        $errorResponse = $ex.Response.GetResponseStream()
        $reader = New-Object System.IO.StreamReader($errorResponse)
        $reader.BaseStream.Position = 0
        $responseBody = $reader.ReadToEnd();
        Write-Host "Response content:`n$responseBody" -f Red
        Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"

    Function Get-DeviceConfigurationPolicyAssignmentSC(){
        This function is used to get device configuration policy assignment from the Graph API REST interface - SETTINGS CATALOG Version
        The function connects to the Graph API Interface and gets a device configuration policy assignment
        Get-DeviceConfigurationPolicyAssignmentSC $id guid
        Returns any device configuration policy assignment configured in Intune
        NAME: Get-DeviceConfigurationPolicyAssignmentSC

            [Parameter(Mandatory=$true,HelpMessage="Enter id (guid) for the Device Configuration Policy you want to check assignment")]
        $graphApiVersion = "Beta"
        $DCP_resource = "deviceManagement/configurationPolicies"
            try {
            $uri = "$graphApiVersion/$($DCP_resource)/$id/Assignments"
            (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
            catch {
            $ex = $_.Exception
            $errorResponse = $ex.Response.GetResponseStream()
            $reader = New-Object System.IO.StreamReader($errorResponse)
            $reader.BaseStream.Position = 0
            $responseBody = $reader.ReadToEnd();
            Write-Host "Response content:`n$responseBody" -f Red
            Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"

    Function Get-AutoPilotProfileAssignments(){
        This function is used to get AutoPilot Profile assignment from the Graph API REST interface
        The function connects to the Graph API Interface and gets an Autopilot profile assignment
        Get-AutoPilotProfileAssignments $id guid
        Returns any autopilot profile assignment configured in Intune
        NAME: Get-AutoPilotProfileAssignments

            [Parameter(Mandatory=$true,HelpMessage="Enter id (guid) for the Autopilot Profile you want to check assignment")]
        $graphApiVersion = "Beta"
        $DCP_resource = "deviceManagement/windowsAutopilotDeploymentProfiles"
            try {
            $uri = "$graphApiVersion/$($DCP_resource)/$id/Assignments"
            (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
            catch {
            $ex = $_.Exception
            $errorResponse = $ex.Response.GetResponseStream()
            $reader = New-Object System.IO.StreamReader($errorResponse)
            $reader.BaseStream.Position = 0
            $responseBody = $reader.ReadToEnd();
            Write-Host "Response content:`n$responseBody" -f Red
            Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
    Function Add-DeviceConfigurationPolicyAssignment(){
    This function is used to add a device configuration policy assignment using the Graph API REST interface
    The function connects to the Graph API Interface and adds a device configuration policy assignment
    Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $ConfigurationPolicyId -TargetGroupId $TargetGroupId
    Adds a device configuration policy assignment in Intune
    NAME: Add-DeviceConfigurationPolicyAssignment

    $graphApiVersion = "Beta"
    $Resource = "deviceManagement/deviceConfigurations/$ConfigurationPolicyId/assign"
        try {
                write-host "No Configuration Policy Id specified, specify a valid Configuration Policy Id" -f Red
                write-host "No Target Group Id specified, specify a valid Target Group Id" -f Red
            # Checking if there are Assignments already configured in the Policy
            $DCPA = Get-DeviceConfigurationPolicyAssignment -id $ConfigurationPolicyId
            $TargetGroups = @()
            if(@($DCPA).count -ge 1){
                if($DCPA.targetGroupId -contains $TargetGroupId){
                Write-Host "Group with Id '$TargetGroupId' already assigned to Policy..." -ForegroundColor Red
                # Looping through previously configured assignements
                $DCPA | foreach {
                $TargetGroup = New-Object -TypeName psobject
                    if($_.excludeGroup -eq $true){
                        $TargetGroup | Add-Member -MemberType NoteProperty -Name '@odata.type' -Value '#microsoft.graph.exclusionGroupAssignmentTarget'
                    else {
                        $TargetGroup | Add-Member -MemberType NoteProperty -Name '@odata.type' -Value '#microsoft.graph.groupAssignmentTarget'
                $TargetGroup | Add-Member -MemberType NoteProperty -Name 'groupId' -Value $_.targetGroupId
                $Target = New-Object -TypeName psobject
                $Target | Add-Member -MemberType NoteProperty -Name 'target' -Value $TargetGroup
                $TargetGroups += $Target
                # Adding new group to psobject
                $TargetGroup = New-Object -TypeName psobject
                    if($AssignmentType -eq "Excluded"){
                        $TargetGroup | Add-Member -MemberType NoteProperty -Name '@odata.type' -Value '#microsoft.graph.exclusionGroupAssignmentTarget'
                    elseif($AssignmentType -eq "Included") {
                        $TargetGroup | Add-Member -MemberType NoteProperty -Name '@odata.type' -Value '#microsoft.graph.groupAssignmentTarget'
                $TargetGroup | Add-Member -MemberType NoteProperty -Name 'groupId' -Value "$TargetGroupId"
                $Target = New-Object -TypeName psobject
                $Target | Add-Member -MemberType NoteProperty -Name 'target' -Value $TargetGroup
                $TargetGroups += $Target
            else {
                # No assignments configured creating new JSON object of group assigned
                $TargetGroup = New-Object -TypeName psobject
                    if($AssignmentType -eq "Excluded"){
                        $TargetGroup | Add-Member -MemberType NoteProperty -Name '@odata.type' -Value '#microsoft.graph.exclusionGroupAssignmentTarget'
                    elseif($AssignmentType -eq "Included") {
                        $TargetGroup | Add-Member -MemberType NoteProperty -Name '@odata.type' -Value '#microsoft.graph.groupAssignmentTarget'
                $TargetGroup | Add-Member -MemberType NoteProperty -Name 'groupId' -Value "$TargetGroupId"
                $Target = New-Object -TypeName psobject
                $Target | Add-Member -MemberType NoteProperty -Name 'target' -Value $TargetGroup
                $TargetGroups = $Target
        # Creating JSON object to pass to Graph
        $Output = New-Object -TypeName psobject
        $Output | Add-Member -MemberType NoteProperty -Name 'assignments' -Value @($TargetGroups)
        $JSON = $Output | ConvertTo-Json -Depth 3
        # POST to Graph Service
        $uri = "$graphApiVersion/$($Resource)"
        Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
        catch {
        $ex = $_.Exception
        $errorResponse = $ex.Response.GetResponseStream()
        $reader = New-Object System.IO.StreamReader($errorResponse)
        $reader.BaseStream.Position = 0
        $responseBody = $reader.ReadToEnd();
        Write-Host "Response content:`n$responseBody" -f Red
        Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"

    Function Add-DeviceConfigurationPolicyAssignmentSC(){
        This function is used to add a device configuration policy assignment using the Graph API REST interface Settings Catalog
        The function connects to the Graph API Interface and adds a device configuration policy assignment
        Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $ConfigurationPolicyId -TargetGroupId $TargetGroupId
        Adds a device configuration policy assignment in Intune
        NAME: Add-DeviceConfigurationPolicyAssignment

        $graphApiVersion = "Beta"
        $Resource = "deviceManagement/configurationPolicies/$ConfigurationPolicyId/assign"
            try {
                    write-host "No Configuration Policy Id specified, specify a valid Configuration Policy Id" -f Red
                    write-host "No Target Group Id specified, specify a valid Target Group Id" -f Red
                # Checking if there are Assignments already configured in the Policy
                $DCPA = Get-DeviceConfigurationPolicyAssignmentSC -id $ConfigurationPolicyId
                $TargetGroups = @()
                if(@($DCPA).count -ge 1){
                    if($DCPA.targetGroupId -contains $TargetGroupId){
                    Write-Host "Group with Id '$TargetGroupId' already assigned to Policy..." -ForegroundColor Red
                    # Looping through previously configured assignements
                    $DCPA | foreach {
                    $TargetGroup = New-Object -TypeName psobject
                        if($_.excludeGroup -eq $true){
                            $TargetGroup | Add-Member -MemberType NoteProperty -Name '@odata.type' -Value '#microsoft.graph.exclusionGroupAssignmentTarget'
                        else {
                            $TargetGroup | Add-Member -MemberType NoteProperty -Name '@odata.type' -Value '#microsoft.graph.groupAssignmentTarget'
                    $TargetGroup | Add-Member -MemberType NoteProperty -Name 'groupId' -Value $_.targetGroupId
                    $Target = New-Object -TypeName psobject
                    $Target | Add-Member -MemberType NoteProperty -Name 'target' -Value $TargetGroup
                    $TargetGroups += $Target
                    # Adding new group to psobject
                    $TargetGroup = New-Object -TypeName psobject
                        if($AssignmentType -eq "Excluded"){
                            $TargetGroup | Add-Member -MemberType NoteProperty -Name '@odata.type' -Value '#microsoft.graph.exclusionGroupAssignmentTarget'
                        elseif($AssignmentType -eq "Included") {
                            $TargetGroup | Add-Member -MemberType NoteProperty -Name '@odata.type' -Value '#microsoft.graph.groupAssignmentTarget'
                    $TargetGroup | Add-Member -MemberType NoteProperty -Name 'groupId' -Value "$TargetGroupId"
                    $Target = New-Object -TypeName psobject
                    $Target | Add-Member -MemberType NoteProperty -Name 'target' -Value $TargetGroup
                    $TargetGroups += $Target
                else {
                    # No assignments configured creating new JSON object of group assigned
                    $TargetGroup = New-Object -TypeName psobject
                        if($AssignmentType -eq "Excluded"){
                            $TargetGroup | Add-Member -MemberType NoteProperty -Name '@odata.type' -Value '#microsoft.graph.exclusionGroupAssignmentTarget'
                        elseif($AssignmentType -eq "Included") {
                            $TargetGroup | Add-Member -MemberType NoteProperty -Name '@odata.type' -Value '#microsoft.graph.groupAssignmentTarget'
                    $TargetGroup | Add-Member -MemberType NoteProperty -Name 'groupId' -Value "$TargetGroupId"
                    $Target = New-Object -TypeName psobject
                    $Target | Add-Member -MemberType NoteProperty -Name 'target' -Value $TargetGroup
                    $TargetGroups = $Target
            # Creating JSON object to pass to Graph
            $Output = New-Object -TypeName psobject
            $Output | Add-Member -MemberType NoteProperty -Name 'assignments' -Value @($TargetGroups)
            $JSON = $Output | ConvertTo-Json -Depth 3
            # POST to Graph Service
            $uri = "$graphApiVersion/$($Resource)"
            Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
            catch {
            $ex = $_.Exception
            $errorResponse = $ex.Response.GetResponseStream()
            $reader = New-Object System.IO.StreamReader($errorResponse)
            $reader.BaseStream.Position = 0
            $responseBody = $reader.ReadToEnd();
            Write-Host "Response content:`n$responseBody" -f Red
            Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"

    Function Add-AutoPilotProfileAssignment(){
        This function is used to add an autopilot profile assignment using the Graph API REST interface
        The function connects to the Graph API Interface and adds an autopilot profile assignment
        Add-AutoPilotProfileAssignment -ConfigurationPolicyId $ConfigurationPolicyId -TargetGroupId $TargetGroupId
        Adds a device configuration policy assignment in Intune
        NAME: Add-AutoPilotProfileAssignment

        $graphApiVersion = "Beta"
        $Resource = "deviceManagement/windowsAutopilotDeploymentProfiles/$ConfigurationPolicyId/assignments"
            try {
                    write-host "No Configuration Policy Id specified, specify a valid Configuration Policy Id" -f Red
                    write-host "No Target Group Id specified, specify a valid Target Group Id" -f Red
                # Checking if there are Assignments already configured in the Policy
                $DCPA = Get-AutoPilotProfileAssignments -id $ConfigurationPolicyId
                $TargetGroups = @()
                if(@($DCPA).count -ge 1){
                    if($DCPA.targetGroupId -contains $TargetGroupId){
                    Write-Host "Group with Id '$TargetGroupId' already assigned to Policy..." -ForegroundColor Red
                    # Looping through previously configured assignements
                    $DCPA | foreach {
                    $TargetGroup = New-Object -TypeName psobject
                        if($_.excludeGroup -eq $true){
                            $TargetGroup | Add-Member -MemberType NoteProperty -Name '@odata.type' -Value '#microsoft.graph.exclusionGroupAssignmentTarget'
                        else {
                            $TargetGroup | Add-Member -MemberType NoteProperty -Name '@odata.type' -Value '#microsoft.graph.groupAssignmentTarget'
                    $TargetGroup | Add-Member -MemberType NoteProperty -Name 'groupId' -Value $_.targetGroupId
                    $Target = New-Object -TypeName psobject
                    $Target | Add-Member -MemberType NoteProperty -Name 'target' -Value $TargetGroup
                    $TargetGroups += $Target
                    # Adding new group to psobject
                    $TargetGroup = New-Object -TypeName psobject
                        if($AssignmentType -eq "Excluded"){
                            $TargetGroup | Add-Member -MemberType NoteProperty -Name '@odata.type' -Value '#microsoft.graph.exclusionGroupAssignmentTarget'
                        elseif($AssignmentType -eq "Included") {
                            $TargetGroup | Add-Member -MemberType NoteProperty -Name '@odata.type' -Value '#microsoft.graph.groupAssignmentTarget'
                    $TargetGroup | Add-Member -MemberType NoteProperty -Name 'groupId' -Value "$TargetGroupId"
                    $Target = New-Object -TypeName psobject
                    $Target | Add-Member -MemberType NoteProperty -Name 'target' -Value $TargetGroup
                    $TargetGroups += $Target
                else {
                    # No assignments configured creating new JSON object of group assigned
                    $TargetGroup = New-Object -TypeName psobject
                        if($AssignmentType -eq "Excluded"){
                            $TargetGroup | Add-Member -MemberType NoteProperty -Name '@odata.type' -Value '#microsoft.graph.exclusionGroupAssignmentTarget'
                        elseif($AssignmentType -eq "Included") {
                            $TargetGroup | Add-Member -MemberType NoteProperty -Name '@odata.type' -Value '#microsoft.graph.deviceAndAppManagementAssignmentTarget'
                            $TargetGroup | Add-Member -MemberType NoteProperty -Name 'deviceAndAppManagementAssignmentFilterType' -Value 'include'
                    $TargetGroup | Add-Member -MemberType NoteProperty -Name 'deviceAndAppManagementAssignmentFilterId' -Value "$TargetGroupId"
                    $Target = New-Object -TypeName psobject
                    $Target | Add-Member -MemberType NoteProperty -Name '@odata.type' -Value '#microsoft.graph.windowsAutopilotDeploymentProfileAssignment'
                    $Target | Add-Member -MemberType NoteProperty -Name 'target' -Value $TargetGroup
                    $Target | Add-Member -MemberType NoteProperty -Name 'sourceId' -Value $TargetGroupId
                    $Target | Add-Member -MemberType NoteProperty -Name 'source' -Value "direct"
                    $TargetGroups = $Target
            # Creating JSON object to pass to Graph
            $Output = New-Object -TypeName psobject
            $Output | Add-Member -MemberType NoteProperty -Name 'assignments' -Value @($TargetGroups)
            $JSON = $Output | ConvertTo-Json -Depth 4
            # POST to Graph Service
            $uri = "$graphApiVersion/$($Resource)"
            Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
            catch {
            $ex = $_.Exception
            $errorResponse = $ex.Response.GetResponseStream()
            $reader = New-Object System.IO.StreamReader($errorResponse)
            $reader.BaseStream.Position = 0
            $responseBody = $reader.ReadToEnd();
            Write-Host "Response content:`n$responseBody" -f Red
            Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"

###### Launch Form ######

<# This form was created using a free online gui designer for PowerShell

Add-Type -AssemblyName System.Windows.Forms

$CreateIntuneEnv                 = New-Object system.Windows.Forms.Form
$CreateIntuneEnv.ClientSize      = New-Object System.Drawing.Point(397,379)
$CreateIntuneEnv.text            = "Create Intune Environment Version $version"
$CreateIntuneEnv.TopMost         = $false
$CreateIntuneEnv.BackColor       = [System.Drawing.ColorTranslator]::FromHtml("#ffffff")

$Label1                          = New-Object system.Windows.Forms.Label
$Label1.text                     = "Created by Andrew Taylor ("
$Label1.AutoSize                 = $true
$Label1.width                    = 25
$Label1.height                   = 10
$Label1.location                 = New-Object System.Drawing.Point(4,348)
$Label1.Font                     = New-Object System.Drawing.Font('Microsoft Sans Serif',10)

$Label2                          = New-Object system.Windows.Forms.Label
$Label2.text                     = "Client Name"
$Label2.AutoSize                 = $true
$Label2.width                    = 25
$Label2.height                   = 10
$Label2.location                 = New-Object System.Drawing.Point(10,22)
$Label2.Font                     = New-Object System.Drawing.Font('Microsoft Sans Serif',10)

$Label3                          = New-Object system.Windows.Forms.Label
$Label3.text                     = "Tenant ID"
$Label3.AutoSize                 = $true
$Label3.width                    = 25
$Label3.height                   = 10
$Label3.location                 = New-Object System.Drawing.Point(10,66)
$Label3.Font                     = New-Object System.Drawing.Font('Microsoft Sans Serif',10)

$Label4                          = New-Object system.Windows.Forms.Label
$Label4.text                     = "HomePage"
$Label4.AutoSize                 = $true
$Label4.width                    = 25
$Label4.height                   = 10
$Label4.location                 = New-Object System.Drawing.Point(10,109)
$Label4.Font                     = New-Object System.Drawing.Font('Microsoft Sans Serif',10)

$Label5                          = New-Object system.Windows.Forms.Label
$Label5.text                     = "Background URL"
$Label5.AutoSize                 = $true
$Label5.width                    = 25
$Label5.height                   = 10
$Label5.location                 = New-Object System.Drawing.Point(10,156)
$Label5.Font                     = New-Object System.Drawing.Font('Microsoft Sans Serif',10)

$Label6                          = New-Object system.Windows.Forms.Label
$Label6.text                     = "Background Filename"
$Label6.AutoSize                 = $true
$Label6.width                    = 25
$Label6.height                   = 40
$Label6.location                 = New-Object System.Drawing.Point(10,215)
$Label6.Font                     = New-Object System.Drawing.Font('Microsoft Sans Serif',10)

$clientname                      = New-Object system.Windows.Forms.TextBox
$clientname.multiline            = $false
$clientname.width                = 200
$clientname.height               = 20
$clientname.location             = New-Object System.Drawing.Point(151,22)
$clientname.Font                 = New-Object System.Drawing.Font('Microsoft Sans Serif',10)

$tenantid                        = New-Object system.Windows.Forms.TextBox
$tenantid.multiline              = $false
$tenantid.width                  = 200
$tenantid.height                 = 20
$tenantid.location               = New-Object System.Drawing.Point(151,66)
$tenantid.Font                   = New-Object System.Drawing.Font('Microsoft Sans Serif',10)

$homepage                        = New-Object system.Windows.Forms.TextBox
$homepage.multiline              = $false
$homepage.width                  = 200
$homepage.height                 = 20
$homepage.location               = New-Object System.Drawing.Point(151,109)
$homepage.Font                   = New-Object System.Drawing.Font('Microsoft Sans Serif',10)

$bgurl                           = New-Object system.Windows.Forms.TextBox
$bgurl.multiline                 = $false
$bgurl.width                     = 200
$bgurl.height                    = 20
$bgurl.location                  = New-Object System.Drawing.Point(151,156)
$bgurl.Font                      = New-Object System.Drawing.Font('Microsoft Sans Serif',10)

$bgname                          = New-Object system.Windows.Forms.TextBox
$bgname.multiline                = $false
$bgname.width                    = 200
$bgname.height                   = 20
$bgname.location                 = New-Object System.Drawing.Point(151,215)
$bgname.Font                     = New-Object System.Drawing.Font('Microsoft Sans Serif',10)

$build                           = New-Object system.Windows.Forms.Button
$build.text                      = "Build"
$build.width                     = 153
$build.height                    = 72
$build.location                  = New-Object System.Drawing.Point(113,257)
$build.Font                      = New-Object System.Drawing.Font('Microsoft Sans Serif',19)

$Label7                          = New-Object system.Windows.Forms.Label
$Label7.text                     = " (inc extension)"
$Label7.AutoSize                 = $true
$Label7.width                    = 25
$Label7.height                   = 10
$Label7.location                 = New-Object System.Drawing.Point(29,231)
$Label7.Font                     = New-Object System.Drawing.Font('Microsoft Sans Serif',10)



    $clientnameout = $clientname.Text
    $tenantidout = $tenantid.Text
    $homepageout = $homepage.Text
    $bloburl = $bgurl.Text
    $backgroundfilename = $bgname.Text

###### Deploy ######

###### Group Creation ######
#Connect to Azure AD

#Create Azure AD Groups

#AutoPilot Group
$autopilotgrp = New-AzureADMSGroup -DisplayName "Autopilot-Devices" -Description "Dynamic group for Autopilot Devices" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.devicePhysicalIDs -any (_ -contains ""[ZTDid]""))" -MembershipRuleProcessingState "On"

#Pilot Group
$pilotgrp = New-AzureADMSGroup -DisplayName "Intune-Pilot-Users" -Description "Assigned group for Pilot Users" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True

#Preview Group
$previewgrp = New-AzureADMSGroup -DisplayName "Intune-Preview-Users" -Description "Assigned group for Preview Users" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True

#VIP Group
$vipgrp = New-AzureADMSGroup -DisplayName "Intune-VIP-Users" -Description "Assigned group for VIP Users" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True

#Notify complete
Add-Type -AssemblyName PresentationCore,PresentationFramework
$msgBody = "Autopilot AAD Group Created, moving on to Intune Deployment"

##Connect to Intune

###### Create Dir ######

#Create path for files
$DirectoryToCreate = "c:\temp"
if (-not (Test-Path -LiteralPath $DirectoryToCreate)) {
    try {
        New-Item -Path $DirectoryToCreate -ItemType Directory -ErrorAction Stop | Out-Null #-Force
    catch {
        Write-Error -Message "Unable to create directory '$DirectoryToCreate'. Error was: $_" -ErrorAction Stop
    "Successfully created directory '$DirectoryToCreate'."

else {
    "Directory already existed"

$random = Get-Random -Maximum 1000 
$random = $random.ToString()
$date =get-date -format yyMMddmmss
$date = $date.ToString()
$path2 = $random + "-"  + $date
$path = "c:\temp\" + $path2 + "\"

New-Item -ItemType Directory -Path $path

$pathvar = [PSCustomObject]@{value=$path}

Write-Host "Directory Created"

#Set Paths
    $url = ""
    $pathaz = "c:\temp\" + $path2 + "\Intune-Config"
    $output = "c:\temp\" + $path2 + "\"

###### Extract ######
#Download Files
Invoke-WebRequest -Uri $url -OutFile $output -Method Get

#Unzip them
Expand-Archive $output -DestinationPath $path -Force

#Remove Zip file downloaded
remove-item $output -Force

#Notify complete
Add-Type -AssemblyName PresentationCore,PresentationFramework
$msgBody = "Files saves to $path"

###### Edit Scripts ######

##Device Script
$devicescript = $path + "\Intune-Config-main\Device Management Scripts\Script Content\Device Config.ps1"

#Update Client Name
(Get-Content -path $devicescript -Raw ) `
-replace '<CLIENTREPLACENAME>',$clientnameout | Set-Content -Path $devicescript

#Update O365 Tenant
(Get-Content -path $devicescript -Raw ) `
-replace '<CLIENTTENANT>',$tenantidout | Set-Content -Path $devicescript

#Update Client Homepage
(Get-Content -path $devicescript -Raw ) `
-replace '<CLIENTHOMEPAGE>',$homepageout | Set-Content -Path $devicescript

#Update Background location
(Get-Content -path $devicescript -Raw ) `
-replace '<BACKGROUNDBLOBURL>',$bloburl | Set-Content -Path $devicescript

#Update Background Name
(Get-Content -path $devicescript -Raw ) `
-replace '<BACKGROUNDFILENAME>',$backgroundfilename | Set-Content -Path $devicescript

##User Script
$userscript = $path + "\Intune-Config-main\Device Management Scripts\Script Content\User-Config.ps1"
(Get-Content -path $userscript -Raw ) `
-replace '<BACKGROUNDFILENAME>',$backgroundfilename | Set-Content -Path $userscript

Start-IntuneRestoreConfig -Path $pathaz

###### MS Graph Implementations ######

#Assign Policies to Groups

#Authenticate for MS Graph
#region Authentication


# Checking if authToken exists before running authentication

    # Setting DateTime to Universal time to work in all timezones
    $DateTime = (Get-Date).ToUniversalTime()

    # If the authToken exists checking when it expires
    $TokenExpires = ($authToken.ExpiresOn.datetime - $DateTime).Minutes

        if($TokenExpires -le 0){

        write-host "Authentication Token expired" $TokenExpires "minutes ago" -ForegroundColor Yellow

            # Defining User Principal Name if not present

            if($User -eq $null -or $User -eq ""){

            $User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"


        $global:authToken = Get-AuthToken -User $User


# Authentication doesn't exist, calling Get-AuthToken function

else {

    if($User -eq $null -or $User -eq ""){

    $User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"


# Getting the authorization token
$global:authToken = Get-AuthToken -User $User



###### Create Autpilot Profile ######

$graphApiVersion = "beta"
$Resource = "deviceManagement/windowsAutopilotDeploymentProfiles"
$uri = "$graphApiVersion/$Resource"

$profilename = "Autopilot Profile"
$json = @"
    "@odata.type": "#microsoft.graph.azureADWindowsAutopilotDeploymentProfile",
    "displayName": "$profilename",
    "description": "OOBE Autopilot Profile",
    "language": "en-GB",
    "extractHardwareHash": true,
    "deviceNameTemplate": "%SERIAL%",
    "deviceType": "windowsPc",
    "enableWhiteGlove": true,
    "outOfBoxExperienceSettings": {
        "hidePrivacySettings": true,
        "hideEULA": true,
        "userType": "standard",
        "deviceUsageType": "singleUser",
        "skipKeyboardSelectionPage": false,
        "hideEscapeLink": true
    "enrollmentStatusScreenSettings": {
        "@odata.type": "microsoft.graph.windowsEnrollmentStatusScreenSettings",
        "hideInstallationProgress": false,
        "allowDeviceUseBeforeProfileAndAppInstallComplete": true,
        "blockDeviceSetupRetryByUser": true,
        "allowLogCollectionOnInstallFailure": true,
        "installProgressTimeoutInMinutes": 120,
        "allowDeviceUseOnInstallFailure": true


    Write-Verbose "POST $uri`n$json"

    try {
        Invoke-MSGraphRequest -Url $uri -HttpMethod POST -Content $json
    catch {
        Write-Error $_.Exception 


###### Create Enrollment Status Page ######

$graphApiVersion = "beta"
$Resource = "deviceManagement/deviceEnrollmentConfigurations"
$uri = "$graphApiVersion/$Resource"
$json = @"
        "@odata.type": "#microsoft.graph.windows10EnrollmentCompletionPageConfiguration",
        "displayName": "AutoPilot Enrollment",
        "description": "Custom Enrollment Status",
        "showInstallationProgress": true,
        "blockDeviceSetupRetryByUser": false,
        "allowDeviceResetOnInstallFailure": false,
        "allowLogCollectionOnInstallFailure": true,
        "customErrorMessage": "Enter your custom error here",
        "installProgressTimeoutInMinutes": 120,
        "allowDeviceUseOnInstallFailure": true

Write-Verbose "POST $uri`n$json"

try {
    $enrollment = Invoke-MSGraphRequest -Url $uri -HttpMethod Post -Content $json
catch {
    Write-Error $_.Exception 

##Assign it
        # Defining Variables

        $id = $
        #Remove extra text from the ID
        #$id2 = $id3.split('_')
        #$id = $id2[0]

        $groupid = $       
        $graphApiVersion = "beta"
        $Resource = "deviceManagement/deviceEnrollmentConfigurations"        
        $uri = "$graphApiVersion/$Resource/$id/assign"        

$json = @"
        "enrollmentConfigurationAssignments": [
                "target": {
                    "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                    "groupId": "$groupid"

        Write-Verbose "POST $uri`n$json"

        try {
            Invoke-MSGraphRequest -Url $uri -HttpMethod Post -Content $json
        catch {
            Write-Error $_.Exception 


###### Assign Autopilot Profile ######

        # Defining Variables
        $ap1 = Get-AutoPilotProfile -name $profilename
$id = $
        $graphApiVersion = "beta"
        $Resource = "deviceManagement/windowsAutopilotDeploymentProfiles"        
        $uri = "$graphApiVersion/$Resource/$id/assignments"        

$groupid = $

        $full_assignment_id = $id + "_" + $groupid + "_0" 

$json = @"
    "id": "$full_assignment_id",
    "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "groupId": "$groupid"

        Write-Verbose "POST $uri`n$json"

        try {
            Invoke-MSGraphRequest -Url $uri -HttpMethod Post -Content $json
        catch {
            Write-Error $_.Exception 


###### Assign Windows Update Rings ######

#Assign Windows Update Rings
#Pilot Ring
$PolicyName = "Pilot Ring"

$DCP = Get-DeviceConfigurationPolicy -name "$PolicyName"


    $Assignment = Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $ -TargetGroupId $ -AssignmentType Included
    Write-Host "Assigned '$pilotgrp.Name' to $($DCP.displayName)/$($" -ForegroundColor Green


else {

    Write-Host "Can't find Device Configuration Policy with name '$PolicyName'..." -ForegroundColor Red


#Preview Ring
$PolicyName = "Preview Ring"

$DCP = Get-DeviceConfigurationPolicy -name "$PolicyName"


    $Assignment = Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $ -TargetGroupId $ -AssignmentType Included
    Write-Host "Assigned '$previewgrp' to $($DCP.displayName)/$($" -ForegroundColor Green


else {

    Write-Host "Can't find Device Configuration Policy with name '$PolicyName'..." -ForegroundColor Red


#VIP Ring
$PolicyName = "VIP Channel"

$DCP = Get-DeviceConfigurationPolicy -name "$PolicyName"


    $Assignment = Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $ -TargetGroupId $ -AssignmentType Included
    Write-Host "Assigned '$vipgrp' to $($DCP.displayName)/$($" -ForegroundColor Green


else {

    Write-Host "Can't find Device Configuration Policy with name '$PolicyName'..." -ForegroundColor Red


#Broad Ring
$PolicyName = "Broad Ring"

$DCP = Get-DeviceConfigurationPolicy -name "$PolicyName"


    $Assignment = Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $ -TargetGroupId $ -AssignmentType Excluded
    $Assignment = Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $ -TargetGroupId $ -AssignmentType Excluded
    $Assignment = Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $ -TargetGroupId $ -AssignmentType Excluded
    Write-Host "Assigned exclusion groups to $($DCP.displayName)/$($" -ForegroundColor Green


else {

    Write-Host "Can't find Device Configuration Policy with name '$PolicyName'..." -ForegroundColor Red


###### Assign Office Update Rings ######

#Assign Office Update Rings

#Pilot Ring
$PolicyName = "Office-PilotRing"

$DCP = Get-DeviceConfigurationPolicySC -name "$PolicyName"


    $Assignment = Add-DeviceConfigurationPolicyAssignmentSC -ConfigurationPolicyId $ -TargetGroupId $ -AssignmentType Included
    Write-Host "Assigned '$pilotgrp' to $($DCP.displayName)/$($" -ForegroundColor Green


else {

    Write-Host "Can't find Device Configuration Policy with name '$PolicyName'..." -ForegroundColor Red


#Preview Ring
$PolicyName = "Office-PreviewRing"

$DCP = Get-DeviceConfigurationPolicySC -name "$PolicyName"


    $Assignment = Add-DeviceConfigurationPolicyAssignmentSC -ConfigurationPolicyId $ -TargetGroupId $ -AssignmentType Included
    Write-Host "Assigned '$previewgrp' to $($DCP.displayName)/$($" -ForegroundColor Green


else {

    Write-Host "Can't find Device Configuration Policy with name '$PolicyName'..." -ForegroundColor Red


#VIP Ring
$PolicyName = "Office-VIPRing"

$DCP = Get-DeviceConfigurationPolicySC -name "$PolicyName"


    $Assignment = Add-DeviceConfigurationPolicyAssignmentSC -ConfigurationPolicyId $ -TargetGroupId $ -AssignmentType Included
    Write-Host "Assigned '$vipgrp' to $($DCP.displayName)/$($" -ForegroundColor Green


else {

    Write-Host "Can't find Device Configuration Policy with name '$PolicyName'..." -ForegroundColor Red


#Broad Ring
$PolicyName = "Office-BroadRing"

$DCP = Get-DeviceConfigurationPolicySC -name "$PolicyName"


    $Assignment = Add-DeviceConfigurationPolicyAssignmentSC -ConfigurationPolicyId $ -TargetGroupId $ -AssignmentType Excluded
    $Assignment = Add-DeviceConfigurationPolicyAssignmentSc -ConfigurationPolicyId $ -TargetGroupId $ -AssignmentType Excluded
    $Assignment = Add-DeviceConfigurationPolicyAssignmentSC -ConfigurationPolicyId $ -TargetGroupId $ -AssignmentType Excluded
    Write-Host "Assigned all exclusion groups to $($DCP.displayName)/$($" -ForegroundColor Green


else {

    Write-Host "Can't find Device Configuration Policy with name '$PolicyName'..." -ForegroundColor Red

###### DONE ######
Add-Type -AssemblyName PresentationCore,PresentationFramework
$msgBody = "Environment Built"

