Get-AllAadGroupAssignments

2.0

Get-AllAadGroupAssignments.ps1

                                
<#PSScriptInfo

.VERSION 2.0

.GUID a74f64cf-dbd4-45fe-a8f4-c43e23394d45

.AUTHOR Jannik Reinhard

.COMPANYNAME

.COPYRIGHT

.TAGS

.LICENSEURI

.PROJECTURI https://github.com/JayRHa/Intune-Scripts/blob/main/Get-AllAadGroupAssignments/Get-AllAadGroupAssignments.ps1

.ICONURI

.EXTERNALMODULEDEPENDENCIES 

.REQUIREDSCRIPTS

.EXTERNALSCRIPTDEPENDENCIES

.RELEASENOTES

.PRIVATEDATA

#>

<# 

.DESCRIPTION 

 Get all intune assignments from an aad group

.INPUTS

 None required

.OUTPUTS

 Assignmments of an specific AAD Group

.NOTES

 Author: Jannik Reinhard (jannikreinhard.com)

 Twitter: @jannik_reinhard

 Release notes:

  Version 1.0: Init

  Version 2.0: Rewrite

#> 

Param()

function Write-Entry{

    param(

        [Parameter(Mandatory)]$topic,

        [Parameter(Mandatory)]$value

    )

    Write-Host "$($topic): " -ForegroundColor White -NoNewline

    Write-Host $value -ForegroundColor Yellow

}

function Get-GraphCallCustom {

    param(

        [Parameter(Mandatory)]$endpoint,

        $value=$true

    )

    $uri = "https://graph.microsoft.com/beta/$endpoint"

    if($value -eq $true){

        return (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value

    }else{

        return Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject

    }

}

function Get-GroupPerName{

    param(

        [Parameter(Mandatory)]$groupName

    )

    if($groupName -eq "All users"){

        return [PSCustomObject]@{

            id               = 'acacacac-9df4-4c7d-9d50-4ef0226f57a9'

            createdDateTime  = '00/00/0000'

            displayName      = 'All users (System group)'

        }

    }

    if($groupName -eq "All devices"){

        return [PSCustomObject]@{

            id               = 'adadadad-808e-44e2-905a-0b7873a8a531'

            createdDateTime  = '00/00/0000'

            displayName      = 'All devices (System group)'

        }

    }

    return Get-GraphCallCustom -endpoint ('groups?$filter=displayName eq ' + "'$groupName'")

}

function Get-GroupAssignments{

    param(

        [Parameter(Mandatory)]

        $groupId,

        [Parameter(Mandatory)]

        $uri,

        [Parameter(Mandatory)]

        $uriAssignment,

        [Parameter(Mandatory)]

        $type

        )

    #Device Configuration

    $configurations = (Get-GraphCallCustom -endpoint "$uri/$type")

    $hasAssignment = $false

    foreach ($configuration in $configurations){

        $assignmentsInfo = (Get-GraphCallCustom -endpoint ("$uri/$type/" + $configuration.id + "/$uriAssignment") -value $false)

        if($uriAssignment -eq "groupAssignments"){$assignments = $assignmentsInfo.value}

        elseif($uriAssignment -eq "assignments"){$assignments = $assignmentsInfo.value.target }

        foreach($assignment in $assignments){

            # Include

            if($uriAssignment -eq "groupAssignments" -and $assignment.targetGroupId -eq $groupId -and (-not $assignment.excludeGroup)){

                Write-Host "+" $configuration.displayName

                $hasAssignment = $true

            }elseif($uriAssignment -eq "assignments" -and $assignment.groupId -eq $groupId -and $assignment.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget'){

                Write-Host "+" $configuration.displayName

                $hasAssignment = $true

            }elseif($uriAssignment -eq "assignments" -and $groupId -eq "acacacac-9df4-4c7d-9d50-4ef0226f57a9" -and $assignment.'@odata.type' -eq '#microsoft.graph.allLicensedUsersAssignmentTarget'){

                Write-Host "+" $configuration.displayName

                $hasAssignment = $true

            }elseif($uriAssignment -eq "assignments" -and $groupId -eq "adadadad-808e-44e2-905a-0b7873a8a531" -and $assignment.'@odata.type' -eq '#microsoft.graph.allDevicesAssignmentTarget'){

                Write-Host "+" $configuration.displayName

                $hasAssignment = $true

            }

            # Exclude 

            if($uriAssignment -eq "groupAssignments" -and $assignment.targetGroupId -eq $groupId -and $assignment.excludeGroup){

                Write-Host "-" $configuration.displayName

                $hasAssignment = $true

            }elseif($uriAssignment -eq "assignments" -and $assignment.groupId -eq $groupId -and $assignment.'@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget'){

                Write-Host "-" $configuration.displayName

                $hasAssignment = $true

            }

        }

    }

    return $hasAssignment

}

#################################################################################################

###################################### Install Modules###########################################

#################################################################################################

if (Get-Module -ListAvailable -Name Microsoft.Graph) {

    Write-Information "Microsoft Graph already installed"

} else {

    try {

        Install-Module -Name Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force 

    }catch{

        $_.message 

        exit

    }

}

Import-Module microsoft.graph.authentication  

#########################################################################################################

############################################ Start ######################################################

#########################################################################################################

$countListGroups = 20

#Auth

$graph = Connect-MgGraph

$group = $null

# Get an check aad group

while ($null -eq $group) {

    Write-Host "------------------------------"

    $aadGroupName = Read-Host "Enter the name of the AAD Group "

    $group = Get-GroupPerName -groupName $aadGroupName

    if($null -eq $group) {Write-Host "Group not found. Try again" -ForegroundColor Red}

    if($null -eq $group) {Write-Host "Open the Azure AD Portal to see all group: https://portal.azure.com/#view/Microsoft_AAD_IAM/GroupsManagementMenuBlade/~/AllGroups" -ForegroundColor Red}

    Write-Host "------------------------------"

}

Write-Host "------------------------------"

Write-Host "Group Info" -ForegroundColor Yellow

Write-Host "------------------------------"

Write-Entry -topic "Group name" -value $group.displayName

Write-Entry -topic "Group Id" -value $group.id

Write-Entry -topic "Created" -value $group.createdDateTime

Write-Host "------------------------------"

# Device Configuration

Write-Host "Device Configuration" -ForegroundColor Yellow

Write-Host "------------------------------"

$hasAssignment = Get-GroupAssignments -groupId $group.id -uri "deviceManagement" -type "deviceConfigurations" -uriAssignment "groupAssignments"

if(-not $hasAssignment) {Write-Host "No Assignment" -ForegroundColor green}

Write-Host "------------------------------"

# Administrative templates

Write-Host "Administrative Templates" -ForegroundColor Yellow

Write-Host "------------------------------"

$hasAssignment = Get-GroupAssignments -groupId $group.id -uri "deviceManagement" -type "groupPolicyConfigurations" -uriAssignment "assignments"

if(-not $hasAssignment) {Write-Host "No Assignment" -ForegroundColor green}

Write-Host "------------------------------"

# Device Compliance Policies

Write-Host "Device Compliance Policies" -ForegroundColor Yellow

Write-Host "------------------------------"

$hasAssignment = Get-GroupAssignments -groupId $group.id -uri "deviceManagement" -type "deviceCompliancePolicies" -uriAssignment "assignments"

if(-not $hasAssignment) {Write-Host "No Assignment" -ForegroundColor green}

Write-Host "------------------------------"

# Apps

Write-Host "Mobile Applications" -ForegroundColor Yellow

Write-Host "------------------------------"

$hasAssignment = Get-GroupAssignments -groupId $group.id -uri "deviceappmanagement" -type "mobileApps" -uriAssignment "assignments"

if(-not $hasAssignment) {Write-Host "No Assignment" -ForegroundColor green}

Write-Host "------------------------------"

# Scripts

Write-Host "Scripts" -ForegroundColor Yellow

Write-Host "------------------------------"

$hasAssignment = Get-GroupAssignments -groupId $group.id -uri "deviceManagement" -type "deviceManagementScripts" -uriAssignment "assignments"

if(-not $hasAssignment) {Write-Host "No Assignment" -ForegroundColor green}

Write-Host "------------------------------"

# Scripts

Write-Host "Remediation Script" -ForegroundColor Yellow

Write-Host "------------------------------"

$hasAssignment = Get-GroupAssignments -groupId $group.id -uri "deviceManagement" -type "deviceHealthScripts" -uriAssignment "assignments"

if(-not $hasAssignment) {Write-Host "No Assignment" -ForegroundColor green}

Write-Host "------------------------------"

# Autopilot profile

Write-Host "Windows Autopilot deployment profiles" -ForegroundColor Yellow

Write-Host "------------------------------"

$hasAssignment = Get-GroupAssignments -groupId $group.id -uri "deviceManagement" -type "windowsAutopilotDeploymentProfiles" -uriAssignment "assignments"

if(-not $hasAssignment) {Write-Host "No Assignment" -ForegroundColor green}

Write-Host "------------------------------"

# Enrollment Status Page

Write-Host "Enrollment Status Page" -ForegroundColor Yellow

Write-Host "------------------------------"

$hasAssignment = Get-GroupAssignments -groupId $group.id -uri "deviceManagement" -type "deviceEnrollmentConfigurations" -uriAssignment "assignments"

if(-not $hasAssignment) {Write-Host "No Assignment" -ForegroundColor green}

Write-Host "------------------------------"

# Enrollment Status Page

Write-Host "Security baselines" -ForegroundColor Yellow

Write-Host "------------------------------"

$hasAssignment = Get-GroupAssignments -groupId $group.id -uri "deviceManagement" -type "intents" -uriAssignment "assignments"

if(-not $hasAssignment) {Write-Host "No Assignment" -ForegroundColor green}

Write-Host "------------------------------"