Cmdlets/IDMDevice.ps1
Function Get-IDMDevice{ <# .SYNOPSIS This function is used to get Intune Managed Devices from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any Intune Managed Device .PARAMETER Platform Options are: Windows,Android,MacOS,iOS. SRetrieves only devices with that Operating system .PARAMETER Filter Filters by devicename by looking for characters that are CONTAINED in name. This means it can either be exact of part of the name .PARAMETER IncludeEAS [True | False] Excluded by default. Included device managed by Active sync .PARAMETER ExcludeMDM [True | False] Excludes and device managed by Mdm. Cannot be combined with IncludeEAS .PARAMETER Expand [True | False] Gets Azure device object and merges with Intune results. If results are larger than 1000; issue may arise. .PARAMETER AuthToken Defaults to $Global:AuthToken Header for Graph bearer token. Must be in hashtable format: Name Value ---- ----- Authorization = 'Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6ImVhMnZPQjlqSmNDOTExcVJtNE1EaEpCd2YyVmRyNXlodjRqejFOOUZhNmciLCJhbGci...' Content-Type = 'application/json' ExpiresOn = '7/29/2022 7:55:14 PM +00:00' Use command: Get-IDMGraphAuthToken -User (Connect-MSGraph).UPN .EXAMPLE Get-IDMDevice -Filter DTOLAB Returns all managed devices that has the characters DTOLAB in it. .EXAMPLE Get-IDMDevice Returns all managed devices but excludes EAS devices registered within the Intune Service .EXAMPLE Get-IDMDevice -IncludeEAS Returns all managed devices including EAS devices registered within the Intune Service .EXAMPLE Get-IDMDevice -Expand Retrieves Intune Managed Devices and association with Azure AD .LINK Get-IDMAzureDevices #> [cmdletbinding()] param ( [Parameter(Mandatory=$false)] [ValidateSet('Windows','Android','MacOS','iOS')] [string]$Platform, [Parameter(Mandatory=$false)] [string]$Filter, [Parameter(Mandatory=$false)] [switch]$IncludeEAS, [Parameter(Mandatory=$false)] [switch]$ExcludeMDM, [Parameter(Mandatory=$false)] [switch]$Expand ) # Defining Variables $graphApiVersion = "beta" $Resource = "deviceManagement/managedDevices" $filterQuery=$null if($IncludeEAS.IsPresent){ $Count_Params++ } if($ExcludeMDM.IsPresent){ $Count_Params++ } if($Count_Params -gt 1){ write-warning "Multiple parameters set, specify a single parameter -IncludeEAS, -ExcludeMDM or no parameter against the function" break } $Query = @() if($IncludeEAS){ #include all queries by leaving filter empty } Elseif($ExcludeMDM){ $Query += "managementAgent eq 'eas'" $Query += "managementAgent eq 'easIntuneClient'" $Query += "managementAgent eq 'configurationManagerClientEas'" } Else{ $Query += "managementAgent eq 'mdm'" $Query += "managementAgent eq 'easMdm'" $Query += "managementAgent eq 'intuneClient'" $Query += "managementAgent eq 'configurationManagerClient'" $Query += "managementAgent eq 'configurationManagerClientMdm'" } If($PSBoundParameters.ContainsKey('Filter')){ #TEST $Filter = '46VEYL1' $Query += "contains(deviceName,'$($Filter)')" } If($PSBoundParameters.ContainsKey('Platform')){ $Query += "operatingSystem eq '$($Platform)'" } #build query filter if exists If($Query.count -ge 1){ $filterQuery = "`?`$filter=" + ($Query -join ' and ') } $uri = "$Global:GraphEndpoint/$graphApiVersion/$Resource" + $filterQuery try { Write-Verbose "Get $uri" $Response = Invoke-MgGraphRequest -Uri $uri -Method Get -ErrorAction Stop } catch { Write-ErrorResponse($_) } If($Expand) { $Devices = @() #Populate AAD devices using splat for filter and platform to minimize seach field # this is becuse if results are more than gropah will show, the results coudl be skewed. If($PSBoundParameters.ContainsKey('Filter')){ $AzureDeviceParam += @{Filter = $Filter} } If($PSBoundParameters.ContainsKey('Platform')){ $AzureDeviceParam += @{Platform = $Platform} } #Call another Azure cmdlet #Write-Verbose ($AzureDeviceParam.GetEnumerator() | Format-List | Out-String) $AADObjects = Get-IDMAzureDevices @AzureDeviceParam #TEST $Item = $Response.Value | Where deviceName -eq 'DTOLAB-46VEYL1' Foreach($Item in $Response.Value) { $OutputItem = New-Object PSObject #first add all properties of Intune device Foreach($p in $Item | Get-Member -MemberType NoteProperty){ $OutputItem | Add-Member NoteProperty $p.name -Value $Item.($p.name) } #TEST $LinkedIntuneDevice = $AADObjects | Where displayName -eq 'DTOLAB-46VEYL1' If($LinkedIntuneDevice = $AADObjects | Where deviceId -eq $Item.azureADDeviceId){ Foreach($p in $LinkedIntuneDevice | Get-Member -MemberType NoteProperty){ switch($p.name){ 'id' {$OutputItem | Add-Member NoteProperty "azureADObjectId" -Value $LinkedIntuneDevice.($p.name) -Force} 'deviceVersion' {<#For internal use only.#>} 'deviceMetadata' {<#For internal use only.#>} 'alternativeSecurityIds' {<#For internal use only.#>} default {$OutputItem | Add-Member NoteProperty $p.name -Value $LinkedIntuneDevice.($p.name) -Force} } } # Add the object to our array of output objects } $Devices += $OutputItem } } Else{ $Devices = $Response.Value } return $Devices } Function Get-IDMDevices{ <# .SYNOPSIS This function is in BETA; used to get Intune Managed Devices from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any Intune Managed Device .PARAMETER Platform Options are: Windows,Android,MacOS,iOS. SRetrieves only devices with that Operating system .PARAMETER Filter Filters by devicename by looking for characters that are CONTAINED in name. This means it can either be exact of part of the name .PARAMETER IncludeEAS [True | False] Excluded by default. Included device managed by Active sync .PARAMETER ExcludeMDM [True | False] Excludes and device managed by Mdm. Cannot be combined with IncludeEAS .PARAMETER Expand [True | False] Gets Azure device object and merges with Intune results. This will query each individual device use multithread query However this can take a while if results are large. .PARAMETER Passthru [True | False] if graph result is larger than 1000, -Passthru passes next link data with devices. If Passthru is not used, default output is devices .EXAMPLE Get-IDMDevice -Filter DTOLAB Returns all managed devices that has the characters DTOLAB in it. .EXAMPLE Get-IDMDevice Returns all managed devices but excludes EAS devices registered within the Intune Service .EXAMPLE Get-IDMDevice -IncludeEAS Returns all managed devices including EAS devices registered within the Intune Service .EXAMPLE Get-IDMDevice -Expand Retrieves Intune Managed Devices and association with Azure AD .LINK Get-IDMAzureDevices #> [cmdletbinding()] param ( [Parameter(Mandatory=$false)] [ValidateSet('Windows','Android','MacOS','iOS')] [string]$Platform, [Parameter(Mandatory=$false)] [string]$Filter, [Parameter(Mandatory=$false)] [switch]$IncludeEAS, [Parameter(Mandatory=$false)] [switch]$ExcludeMDM, [Parameter(Mandatory=$false)] [switch]$Expand, [switch]$Passthru ) # Defining Variables $graphApiVersion = "beta" $Resource = "deviceManagement/managedDevices" $filterQuery=$null if($IncludeEAS.IsPresent){ $Count_Params++ } if($ExcludeMDM.IsPresent){ $Count_Params++ } if($Count_Params -gt 1){ write-warning "Multiple parameters set, specify a single parameter -IncludeEAS, -ExcludeMDM or no parameter against the function" break } $Query = @() if($IncludeEAS){ #include all queries by leaving filter empty } Elseif($ExcludeMDM){ $Query += "managementAgent eq 'eas'" $Query += "managementAgent eq 'easIntuneClient'" $Query += "managementAgent eq 'configurationManagerClientEas'" } Else{ $Query += "managementAgent eq 'mdm'" $Query += "managementAgent eq 'easMdm'" $Query += "managementAgent eq 'intuneClient'" $Query += "managementAgent eq 'configurationManagerClient'" $Query += "managementAgent eq 'configurationManagerClientMdm'" } If($PSBoundParameters.ContainsKey('Filter')){ #TEST $Filter = '46VEYL1' $Query += "contains(deviceName,'$($Filter)')" } If($PSBoundParameters.ContainsKey('Platform')){ $Query += "operatingSystem eq '$($Platform)'" } #build query filter if exists If($Query.count -ge 1){ $filterQuery = "`?`$filter=" + ($Query -join ' and ') } $uri = "$Global:GraphEndpoint/$graphApiVersion/$Resource" + $filterQuery try { Write-Verbose "Get $uri" $Response = Invoke-MgGraphRequest -Uri $uri -Method Get -ErrorAction Stop } catch { Write-ErrorResponse($_) } If($Expand) { $AzureDevicesUris = @() $Devices = @() #Populate AAD devices using splat for filter and platform to minimize seach field # this is becuse if results are more than gropah will show, the results coudl be skewed. #TEST $Item = $Response.Value | Where deviceName -eq 'DTOLAB-46VEYL1' Foreach($Item in $Response.Value) { $AzureDevicesUris += "$Global:GraphEndpoint/$graphApiVersion/devices?`$filter=displayName eq '$($Item.deviceName)'" } #invoke a query on all $AzureDevices = $AzureDevicesUris | Invoke-IDMGraphBatchRequests -Verbose:$VerbosePreference #TEST $Item = $Response.Value | Where deviceName -eq 'DTOLAB-46VEYL1' Foreach($Item in $Response.Value) { $OutputItem = New-Object PSObject #first add all properties of Intune device Foreach($p in $Item | Get-Member -MemberType NoteProperty){ $OutputItem | Add-Member NoteProperty $p.name -Value $Item.($p.name) } #TEST $LinkedIntuneDevice = $AADObjects | Where displayName -eq 'DTOLAB-46VEYL1' If($LinkedIntuneDevice = $AzureDevices | Where deviceId -eq $Item.azureADDeviceId){ Foreach($p in $LinkedIntuneDevice | Get-Member -MemberType NoteProperty){ switch($p.name){ 'id' {$OutputItem | Add-Member NoteProperty "azureADObjectId" -Value $LinkedIntuneDevice.($p.name) -Force} 'deviceVersion' {<#For internal use only.#>} 'deviceMetadata' {<#For internal use only.#>} 'alternativeSecurityIds' {<#For internal use only.#>} default {$OutputItem | Add-Member NoteProperty $p.name -Value $LinkedIntuneDevice.($p.name) -Force} } } # Add the object to our array of output objects } $Devices += $OutputItem } } Else{ $Devices = $Response.Value } #Build a object with next link $NextLinkAndDevices = "" | Select NextLink,Devices $NextLinkAndDevices.NextLink = $Response.'@odata.nextLink' $NextLinkAndDevices.Devices = $Devices If($Passthru){ return $NextLinkAndDevices }Else{ return $Devices } } Function Get-IDMAzureDevices{ <# .SYNOPSIS This function is used to get Azure Devices from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any Azure Device .PARAMETER Filter Filters by devicename by looking for characters that are CONTAINED in name. This means it can either be exact of part of the name .PARAMETER FilterBy Options are: DisplayName,StartWithDisplayName,NOTStartWithDisplayName. Defaults to 'StartWithDisplayName' .PARAMETER Platform Options are: Windows,Android,MacOS,iOS. SRetrieves only devices with that Operating system .PARAMETER Passthru [True | False] -Passthru passes graph raw data. If Passthru is not used, default output is devices .EXAMPLE Get-IDMAzureDevices -Filter DTOLAB Returns all Azure devices that has the characters DTOLAB in it. .EXAMPLE @('WVD1,'WVD2') | Get-IDMAzureDevices -FilterBy SearchDisplayName Returns Azure devices with WVD1 and WVD2 in device name .LINK https://docs.microsoft.com/en-us/graph/api/device-list?view=graph-rest-beta&tabs=http #> [cmdletbinding()] param ( [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$true)] [string]$Filter, [Parameter(Mandatory=$false)] [ValidateSet('DisplayName','StartWithDisplayName','NOTStartWithDisplayName','SearchDisplayName')] [string]$FilterBy = 'StartWithDisplayName', [Parameter(Mandatory=$false)] [ValidateSet('Windows','Android','MacOS','iOS')] [string]$Platform, [switch]$Passthru ) Begin{ # Defining Variables $graphApiVersion = "beta" $Resource = "devices" $RequestParams = @{} If( ($FilterBy -eq 'SearchDisplayName') -and -NOT($AuthToken['ConsistencyLevel'])){ $RequestParams += @{"Headers" = @{ConsistencyLevel = 'eventual'}} } $filterQuery=$null } Process{ $Query = @() If($PSBoundParameters.ContainsKey('Platform')){ $Query += "operatingSystem eq '$($Platform)'" } If($PSBoundParameters.ContainsKey('Filter')){ switch($FilterBy){ 'DisplayName' {$Query += "displayName eq '$Filter'";$Operator='filter'} 'StartWithDisplayName' {$Query += "startswith(displayName, '$Filter')";$Operator='filter'} 'NOTStartWithDisplayName' {$Query += "NOT startsWith(displayName, '$Filter')";$Operator='filter'} 'SearchDisplayName' {$Query += "`"displayName:$Filter`"";$Operator='search'} default {$Query += "startswith(displayName, '$Filter')";$Operator='filter'} } } #build query filter if exists If($Query.count -ge 1){ $filterQuery = "`?`$$Operator=" + ($Query -join ' and ') } $uri = "$Global:GraphEndpoint/$graphApiVersion/$Resource" + $filterQuery try { Write-Verbose "Get $uri" $Response = Invoke-MgGraphRequest -Uri $uri @RequestParams -Method Get -ErrorAction Stop } catch { Write-ErrorResponse($_) } } End{ If($Passthru){ return $Response }Else{ return $Response.Value } } } Function Get-IDMDevicePendingActions{ <# .SYNOPSIS This function is used to get a Managed Device pending Actions .DESCRIPTION The function connects to the Graph API Interface and gets a managed device pending actions .PARAMETER AllActions [True | False] Allows all actions, if even completed, to display. .PARAMETER DeviceID Must be in GUID format. This is for Intune Managed device ID, not the Azure ID or Object ID .PARAMETER AuthToken Defaults to $Global:AuthToken Header for Graph bearer token. Must be in hashtable format: Name Value ---- ----- Authorization = 'Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6ImVhMnZPQjlqSmNDOTExcVJtNE1EaEpCd2YyVmRyNXlodjRqejFOOUZhNmciLCJhbGci...' Content-Type = 'application/json' ExpiresOn = '7/29/2022 7:55:14 PM +00:00' Use command: Get-IDMGraphAuthToken -User (Connect-MSGraph).UPN .EXAMPLE Get-IDMDevicePendingActions -DeviceID 08d06b3b-8513-417b-80ee-9dc8a3beb377 Returns a device pending action that matches DeviceID .EXAMPLE @('0a212b6a-e1d2-4985-b9dd-4cf5205662fa','ef07dabc-2b16-48cb-9692-a6ab9ff48c55') | Get-IDMDevicePendingActions Returns a device pending action that matches DeviceID's #> [cmdletbinding()] param ( [Parameter(Mandatory=$True,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$true)] $DeviceID, [Parameter(Mandatory=$false)] [switch]$AllActions ) Begin{ # Defining Variables $graphApiVersion = "beta" } Process{ $Resource = "deviceManagement/manageddevices/$DeviceID" try { $uri = "$Global:GraphEndpoint/$graphApiVersion/$($Resource)" Write-Verbose "Get $uri" $response = Invoke-MgGraphRequest -Uri $uri -Method Get -ErrorAction Stop } catch { Write-ErrorResponse($_) } } End{ If($AllActions){ return $response.deviceActionResults }Else{ return ($response.deviceActionResults | Where actionState -eq 'pending') } } } Function Get-IDMDeviceCategory{ <# .SYNOPSIS Gets Device Category details. .DESCRIPTION The Get-IDMDeviceCategory cmdlet returns either a list of all categories for the current Azure AD tenant, or information for the specific profile specified by its ID. .EXAMPLE Get a list of all Device Categories. Get-IDMDeviceCategory #> [cmdletbinding()] param() # Defining Variables $graphApiVersion = "beta" $Resource = "deviceManagement/deviceCategories" $uri = "$Global:GraphEndpoint/$graphApiVersion/$Resource" try { Write-Verbose "GET $uri" $response = Invoke-MgGraphRequest -Uri $uri -Method Get -ErrorAction Stop } catch { Write-ErrorResponse($_) } Finally{ $response.Value } } Function Set-IDMDeviceCategory{ <# .SYNOPSIS Sets Device Category .DESCRIPTION The Set-IDMDeviceCategory cmdlet sets the category of device ID .EXAMPLE Set-IDMDeviceCategory -DeviceID '08d06b3b-8513-417b-80ee-9dc8a3beb377' -Category 'Standard Device' .LINK Get-IDMDeviceCategory #> [cmdletbinding()] param ( [Parameter(Mandatory=$true)] $DeviceID, [Parameter(Mandatory=$true)] $Category ) # Defining Variables $graphApiVersion = "beta" $Resource = "deviceManagement/managedDevices" $Categories = Get-IDMDeviceCategory -AuthToken $AuthToken $CategoryId = ($Categories | Where displayName -eq $Category).id #$requestBody = @{ "@odata.id" = "https://graph.microsoft.com/$graphApiVersion/deviceManagement/deviceCategories/3137f37d-ff7c-48ec-af57-d4404faf844e" } $requestBody = @{ "@odata.id" = "$Global:GraphEndpoint/$graphApiVersion/deviceManagement/deviceCategories/$CategoryId" } $BodyJson = $requestBody | ConvertTo-Json #$uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/08d06b3b-8513-417b-80ee-9dc8a3beb377/deviceCategory/`$ref" $uri = "$Global:GraphEndpoint/$graphApiVersion/$Resource/$DeviceID/deviceCategory/`$ref" try { Write-Verbose "GET $uri" $null = Invoke-MgGraphRequest -Uri $uri -Body $BodyJson -Method PUT -ErrorAction Stop } catch { Write-ErrorResponse($_) } } Function Invoke-IDMDeviceAction{ <# .SYNOPSIS This function is used to initiate a intune device action from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and sets a generic Intune Resource .EXAMPLE Invoke-IDMDeviceAction -DeviceID $DeviceID -remoteLock Resets a managed device passcode .NOTES NAME: Invoke-IDMDeviceAction #> [CmdletBinding(SupportsShouldProcess, ConfirmImpact='Medium')] param ( [Parameter(Mandatory=$True,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$true,HelpMessage="DeviceId (guid) for the Device you want to take action on must be specified:")] $DeviceID, [Parameter(Mandatory=$true)] [ValidateSet('RemoteLock','ResetPasscode','Wipe','Retire','Delete','Sync','Rename')] $Action, [switch]$Force, $NewDeviceName ) Begin{ ## Get the name of this function [string]${CmdletName} = $PSCmdlet.MyInvocation.MyCommand.Name if (-not $PSBoundParameters.ContainsKey('Verbose')) { $VerbosePreference = $PSCmdlet.SessionState.PSVariable.GetValue('VerbosePreference') } if (-not $PSBoundParameters.ContainsKey('Confirm')) { $ConfirmPreference = $PSCmdlet.SessionState.PSVariable.GetValue('ConfirmPreference') } if (-not $PSBoundParameters.ContainsKey('WhatIf')) { $WhatIfPreference = $PSCmdlet.SessionState.PSVariable.GetValue('WhatIfPreference') } $graphApiVersion = "Beta" } Process{ $RequestParams = @{ Headers=$AuthToken } switch($Action){ 'RemoteLock' { $WhatIfMsg = "Performing the operation `"Reset passcode`" on target `"$DeviceID`"." $ActionMsg = "Sending remoteLock command to device ID: $DeviceID..." $Resource = "deviceManagement/managedDevices/$DeviceID/remoteLock" $uri = "$Global:GraphEndpoint/$graphApiVersion/$($resource)" $RequestParams += @{ Uri=$uri Method='Post' } } 'ResetPasscode' { $WhatIfMsg = "Performing the operation `"Reset passcode`" on target `"$DeviceID`"." $ActionMsg = "Resetting the Passcode for device ID: $DeviceID..." $Resource = "deviceManagement/managedDevices/$DeviceID/resetPasscode" $uri = "$Global:GraphEndpoint/$graphApiVersion/$($resource)" $RequestParams += @{ Uri=$uri Method='Post' } } 'Wipe' { $WhatIfMsg = "Performing the operation `"Device Wipe`" on target `"$DeviceID`"." $ActionMsg = "Sending [Wipe] action to device ID: `"$DeviceID`"..." $Resource = "deviceManagement/managedDevices/$DeviceID/wipe" $uri = "$Global:GraphEndpoint/$graphApiVersion/$($resource)" $RequestParams += @{ Uri=$uri Method='Post' } } 'Retire' { $WhatIfMsg = "Performing the operation `"Retire Device`" on target `"$DeviceID`"." $ActionMsg = "Sending [Retire] to device ID: `"$DeviceID`"..." $Resource = "deviceManagement/managedDevices/$DeviceID/retire" $uri = "$Global:GraphEndpoint/$graphApiVersion/$($resource)" $RequestParams += @{ Uri=$uri Method='Post' } } 'Delete' { $WhatIfMsg = "Performing the operation `"Delete Device`" on target `"$DeviceID`"." $ActionMsg = "Deleting `"$DeviceID`"..." $Resource = "deviceManagement/managedDevices('$DeviceID')" $uri = "$Global:GraphEndpoint/$graphApiVersion/$($resource)" $RequestParams += @{ Uri=$uri Method='Delete' } } 'Sync' { $WhatIfMsg = "Performing the operation `"Device Sync`" on target `"$DeviceID`"." $ActionMsg = "Syncing device Id: `"$DeviceID`"..." $Resource = "deviceManagement/managedDevices('$DeviceID')/syncDevice" $uri = "$Global:GraphEndpoint/$graphApiVersion/$($resource)" $RequestParams += @{ Uri=$uri Method='Post' } } 'Rename' { $WhatIfMsg = "Performing the operation `"Device Rename`" on target `"$DeviceID`"." $ActionMsg = "Sending rename action to device Id: `"$DeviceID`" as new name: `"$NewDeviceName`"..." If($Null -eq $NewDeviceName){Break} $JSON = @" { deviceName:"$($NewDeviceName)" } "@ $Resource = "deviceManagement/managedDevices('$DeviceID')/setDeviceName" $uri = "$Global:GraphEndpoint/$graphApiVersion/$($resource)" $RequestParams += @{ Uri=$uri Method='Post' Body=$Json ContentType="application/json" } } } If($WhatIfPreference){ Write-Host "What if: $WhatIfMsg" } else { Write-host $ActionMsg try { Write-Verbose ("{0}: {1}" -f $RequestParams.Method,$RequestParams.uri) $null = Invoke-MgGraphRequest @RequestParams -ErrorAction Stop } catch { Write-ErrorResponse($_) } } } } Function Remove-IDMDeviceRecords{ [CmdletBinding(DefaultParameterSetName='All')] Param ( [Parameter(ParameterSetName='All',Mandatory=$true,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$true)] [Parameter(ParameterSetName='Individual',Mandatory=$true,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$true)] [Parameter(ParameterSetName='Azure',Mandatory=$true,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$true)] [Parameter(ParameterSetName='ConfigMgr',Mandatory=$true,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$true)] $ComputerName, [Parameter(ParameterSetName='All')] [Parameter(ParameterSetName='Azure')] [Parameter(ParameterSetName='ConfigMgr')] [switch]$All, [Parameter(ParameterSetName='Individual')] [switch]$AD, [Parameter(ParameterSetName='Individual')] [Parameter(ParameterSetName='Azure')] [switch]$AAD, [Parameter(ParameterSetName='Individual')] [Parameter(ParameterSetName='Azure')] [switch]$Intune, [Parameter(ParameterSetName='Individual')] [Parameter(ParameterSetName='Azure')] [switch]$Autopilot, [Parameter(ParameterSetName='Individual')] [Parameter(ParameterSetName='ConfigMgr')] [switch]$ConfigMgr, [Parameter(ParameterSetName='Individual')] [Parameter(Mandatory=$true,ParameterSetName='ConfigMgr')] [Parameter(Mandatory=$true,ParameterSetName='All')] [switch]$SiteCode ) # Delete from AD If ($PSBoundParameters.ContainsKey("AD") -or $PSBoundParameters.ContainsKey("All")) { Try { Write-host "Retrieving Active Directory computer account..." -NoNewline $Searcher = [ADSISearcher]::new() $Searcher.Filter = "(sAMAccountName=$ComputerName`$)" [void]$Searcher.PropertiesToLoad.Add("distinguishedName") $ComputerAccount = $Searcher.FindOne() If ($ComputerAccount) { Write-host "Success" -ForegroundColor Green Write-Host " Deleting computer account…" -NoNewline $DirectoryEntry = $ComputerAccount.GetDirectoryEntry() $Result = $DirectoryEntry.DeleteTree() Write-Host "Success" -ForegroundColor Green } Else { Write-host "Not found!" -ForegroundColor Red } } Catch { Write-Host ("Failed to remove {0} from AD! {1}" -f $ComputerName,$_.Exception.Message) -ForegroundColor Red } } # Delete from Azure AD If ($PSBoundParameters.ContainsKey("AAD") -or $PSBoundParameters.ContainsKey("All")) { Try { Write-host "Retrieving Azure AD device records..." -NoNewline [array]$AzureADDevices = Get-IDMAzureDevices -Filter $ComputerName -ErrorAction Stop If ($AzureADDevices.Count -ge 1) { Write-Host "Success" -ForegroundColor Green Foreach ($AzureADDevice in $AzureADDevices) { Write-host " Deleting DisplayName: $($AzureADDevice.DisplayName) | ObjectId: $($AzureADDevice.ObjectId) | DeviceId: $($AzureADDevice.DeviceId) …" -NoNewline Remove-IDMAzureDevices -ObjectId $AzureADDevice.ObjectId -ErrorAction Stop Write-host "Success" -ForegroundColor Green } } Else { Write-host "Not found!" -ForegroundColor Red } } Catch { Write-Host ("Failed to remove {0} from Azure AD! {1}" -f $ComputerName,$_.Exception.Message) -ForegroundColor Red } } # Delete from Intune If ($PSBoundParameters.ContainsKey("Intune") -or $PSBoundParameters.ContainsKey("Autopilot") -or $PSBoundParameters.ContainsKey("All")) { Try { Write-host "Retrieving Intune managed device records..." -NoNewline [array]$IntuneDevices = Get-IDMDevice -Filter $ComputerName -ErrorAction Stop If ($IntuneDevices.Count -ge 1) { Write-Host "Success" -ForegroundColor Green If ($PSBoundParameters.ContainsKey("Intune") -or $PSBoundParameters.ContainsKey("All")) { foreach ($IntuneDevice in $IntuneDevices) { Write-host " Deleting DeviceName: $($IntuneDevice.deviceName) | Id: $($IntuneDevice.Id) | AzureADDeviceId: $($IntuneDevice.azureADDeviceId) | SerialNumber: $($IntuneDevice.serialNumber) …" -NoNewline Invoke-IDMDeviceAction -DeviceID $IntuneDevice.Id -Action Delete -ErrorAction Stop Write-host "Success" -ForegroundColor Green } } } Else { Write-host "Not found!" -ForegroundColor Red } } Catch { Write-Host ("Failed to remove {0} from Intune! {1}" -f $ComputerName,$_.Exception.Message) -ForegroundColor Red } } # Delete Autopilot device If ($PSBoundParameters.ContainsKey("Autopilot") -or $PSBoundParameters.ContainsKey("All")) { If ($IntuneDevices.Count -ge 1) { Try { Write-host "Retrieving Autopilot device registration..." -NoNewline $AutopilotDevices = New-Object System.Collections.ArrayList foreach ($IntuneDevice in $IntuneDevices) { $URI = "$Global:GraphEndpoint/beta/deviceManagement/windowsAutopilotDeviceIdentities?`$filter=contains(serialNumber,'$($IntuneDevice.serialNumber)')" $AutopilotDevice = Invoke-MgGraphRequest -Uri $uri -Method Get -ErrorAction Stop [void]$AutopilotDevices.Add($AutopilotDevice) } Write-Host "Success" -ForegroundColor Green foreach ($device in $AutopilotDevices) { Write-host " Deleting SerialNumber: $($Device.value.serialNumber) | Model: $($Device.value.model) | Id: $($Device.value.id) | GroupTag: $($Device.value.groupTag) | ManagedDeviceId: $($device.value.managedDeviceId) …" -NoNewline $URI = "$Global:GraphEndpoint/beta/deviceManagement/windowsAutopilotDeviceIdentities/$($device.value.Id)" $AutopilotDevice = Invoke-MgGraphRequest -Uri $uri -Method Delete -ErrorAction Stop Write-Host "Success" -ForegroundColor Green } } Catch { Write-Host ("Failed to remove {0} from Autopilot Devices! {1}" -f $ComputerName,$_.Exception.Message) -ForegroundColor Red } } } # Delete from ConfigMgr If ($PSBoundParameters.ContainsKey("ConfigMgr") -or $PSBoundParameters.ContainsKey("All")) { Try { Write-host "Retrieving ConfigMgr device records..." -NoNewline $SiteCode = (Get-PSDrive -PSProvider $SiteCode -ErrorAction Stop).Name Set-Location ("$SiteCode" + ":") -ErrorAction Stop [array]$ConfigMgrDevices = Get-CMDevice -Name $ComputerName -Fast -ErrorAction Stop Write-Host "Success" -ForegroundColor Green foreach ($ConfigMgrDevice in $ConfigMgrDevices) { Write-host " Deleting Name: $($ConfigMgrDevice.Name) | ResourceID: $($ConfigMgrDevice.ResourceID) | SMSID: $($ConfigMgrDevice.SMSID) | UserDomainName: $($ConfigMgrDevice.UserDomainName) …" -NoNewline Remove-CMDevice -InputObject $ConfigMgrDevice -Force -ErrorAction Stop Write-Host "Success" -ForegroundColor Green } } Catch { Write-Host ("Failed to remove {0} from Configuration Manager! {1}" -f $ComputerName,$_.Exception.Message) -ForegroundColor Red } } } Function Get-IDMStaleDevices{ <# .SYNOPSIS This function is used to get Intune Managed Devices from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any Intune Managed Device that has not synced with the service in the past X days .EXAMPLE Get-IDMStaleDevices Returns all managed devices but excludes EAS devices registered within the Intune Service that have not checked in for X days .NOTES https://docs.microsoft.com/en-us/azure/active-directory/devices/manage-stale-devices #> [cmdletbinding()] param ( [Int]$cutoffDays ) # Defining Variables $graphApiVersion = "beta" $Resource = "deviceManagement/managedDevices" # this will get the date/time at the time this is run, so if it is 3pm on 2/27, the 90 day back mark would be 11/29 at 3pm, meaning if a device checked in on 11/29 at 3:01pm it would not meet the check #change cutoffDays to negative number if non-negative was supplied if($cutoffDays -ge 0){ $cutoffDays = -$cutoffDays } $cutoffDate = (Get-Date).AddDays($cutoffDays).ToString("yyyy-MM-dd") $uri = ("$global:GraphEndpoint/$graphApiVersion/$($Resource)?`$filter=managementAgent eq 'mdm' or managementAgent eq 'easMDM' and lastSyncDateTime le $cutoffDate") try { $devices = (Invoke-MgGraphRequest -Uri $uri -Method Get).Value }catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Failed to retrieve managed devices; response content: `n$responseBody" -ForegroundColor Red Write-Host "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" -ForegroundColor Red } return $devices } Function Get-IDMStaleAzureDevices{ <# .SYNOPSIS This function is used to get Intune Managed Devices from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any Intune Managed Device that has not synced with the service in the past X days .EXAMPLE Get-IDMStaleAzureDevices Returns all managed devices but excludes EAS devices registered within the Intune Service that have not checked in for X days .NOTES https://docs.microsoft.com/en-us/azure/active-directory/devices/manage-stale-devices #> [cmdletbinding()] param ( [Int]$cutoffDays ) # Defining Variables $graphApiVersion = "beta" $Resource = "devices" # this will get the date/time at the time this is run, so if it is 3pm on 2/27, the 90 day back mark would be 11/29 at 3pm, meaning if a device checked in on 11/29 at 3:01pm it would not meet the check #change cutoffDays to negative number if non-negative was supplied if($cutoffDays -ge 0){ $cutoffDays = -$cutoffDays }else{ $cutoffDays = -60 } $cutoffDate = (Get-Date).AddDays($cutoffDays) #$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$filter=approximateLastSignInDateTime le $cutoffDate" $uri = "$global:GraphEndpoint/$graphApiVersion/$($Resource)" try { Write-Verbose $uri $devices = (Invoke-MgGraphRequest -Uri $uri -Method Get).Value | Where {($_.ApproximateLastLogonTimeStamp -le $cutoffDate) -and ($_.AccountEnabled -eq $false)} }catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Failed to retrieve managed devices; response content: `n$responseBody" -ForegroundColor Red Write-Host "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" -ForegroundColor Red } return $devices } function Remove-IDMStaleDevices{ <# .SYNOPSIS This function retires all stale devices in Intune that have not checked in within 90 days .DESCRIPTION The function connects to the Graph API Interface and retires any Intune Managed Device that has not synced with the service in the past 90 days .EXAMPLE Remove-IDMStaleDevices -Devices $deviceList Executes a retire command against all devices in the list provided and then deletes the record from the console .NOTES NAME: Remove-IDMStaleDevices #> [cmdletbinding()] param ( [Parameter(Mandatory=$true)] $DeviceID ) $graphApiVersion = "beta" try { $Resource = "deviceManagement/managedDevices/$DeviceID/retire" $uri = "$global:GraphEndpoint/$graphApiVersion/$($resource)" Write-Output "Sending retire command to $DeviceID" Invoke-MgGraphRequest -Uri $uri -Method Post -UseBasicParsing $Resource = "deviceManagement/managedDevices('$DeviceID')" $uri = "$global:GraphEndpoint/$graphApiVersion/$($resource)" Write-Output "Sending delete command to $DeviceID" Invoke-MgGraphRequest -Uri $uri -Method Delete -UseBasicParsing }catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Verbose "response content: `n$responseBody" Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" } } Function Get-IDMAzureDeviceExtension { <# https://docs.microsoft.com/en-us/graph/api/resources/extensionproperty?view=graph-rest-1.0 https://docs.microsoft.com/en-us/graph/extensibility-overview #> [cmdletbinding()] param ( [Parameter(Mandatory=$true)] [string]$DeviceID, [Parameter(Mandatory=$false)] [ValidateRange(1-15)] [int]$ExtensionID ) $graphApiVersion = "beta" $Resource = "devices" $uri = "$global:GraphEndpoint/$graphApiVersion/$($Resource)/$($DeviceID)?`$select=extensionAttributes" try { Write-Verbose $uri $response = Invoke-MgGraphRequest -Uri $uri -Method Get }catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Verbose "response content: `n$responseBody" Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" } If($ExtensionID){ Return $response.extensionAttributes | Select -ExpandProperty "extensionAttribute$($ExtensionID)" }Else{ Return $response.extensionAttributes } } Function Set-IDMAzureDeviceExtension { <# https://docs.microsoft.com/en-us/graph/api/resources/extensionproperty?view=graph-rest-1.0 https://docs.microsoft.com/en-us/graph/extensibility-overview https://docs.microsoft.com/en-us/graph/api/application-post-extensionproperty?view=graph-rest-beta&tabs=http #> [cmdletbinding()] param ( [Parameter(Mandatory=$true)] [string]$DeviceID, [Parameter(Mandatory=$true)] [ValidateRange(1,15)] [int]$ExtensionID, [Parameter(Mandatory=$true)] [AllowEmptyString()] [string]$ExtensionValue ) $graphApiVersion = "beta" $Resource = "devices" If($ExtensionValue.Length -gt 0){ $JsonBody = @{"extensionAttributes" = @{"extensionAttribute$($ExtensionID)" = $ExtensionValue}} | ConvertTo-Json }Else{ $JsonBody = @{"extensionAttributes" = @{"extensionAttribute$($ExtensionID)" = $null}} | ConvertTo-Json } $uri = "$global:GraphEndpoint/$graphApiVersion/$($Resource)/$($DeviceID)" try { Write-Verbose $uri $null = Invoke-MgGraphRequest -Uri $uri -Method Patch -Body $JsonBody } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Verbose "response content: `n$responseBody" Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode): $($ex.Response.StatusDescription)" } } Function Get-IDMIntuneAssignments{ <# .SYNOPSIS This function is used to retrieve all assignments from Intune for both device and users .DESCRIPTION The function connects to the Graph API Interface and retrieves all assignments from Intune for both device and users .PARAMETER Target [Devices | Users]. Specify which assignment to pull. .PARAMETER Target [Device | User]. Specify which assignment to pull. Target id is associated .PARAMETER TargetId Must be in guid format. SHould be id of device or id of user .PARAMETER TargetSet Must be in hashtable format. Should contain an id of device and/or id of user eg. @{devices='b215decf-4188-4d19-9e22-fb2e89ae0fec';users='c9d00ac2-b07d-4477-961b-442bbc424586'} .PARAMETER AuthToken Defaults to $Global:AuthToken Header for Graph bearer token. Must be in hashtable format: Name Value ---- ----- Authorization = 'Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6ImVhMnZPQjlqSmNDOTExcVJtNE1EaEpCd2YyVmRyNXlodjRqejFOOUZhNmciLCJhbGci...' Content-Type = 'application/json' ExpiresOn = '7/29/2022 7:55:14 PM +00:00' Use command: Get-IDMGraphAuthToken -User (Connect-MSGraph).UPN .EXAMPLE $targetSet = @{devices=$syncHash.Data.SelectedDevice.azureADObjectId;users=$syncHash.Data.AssignedUser.id} $platform = $syncHash.Data.SelectedDevice.OperatingSystem Get-IDMIntuneAssignments -TargetSet $targetSet -Platform $platform -AuthToken $syncHash.Data.AuthToken -IncludePolicySetInherits #> [cmdletbinding()] Param( [Parameter(Mandatory=$true,ParameterSetName='TargetArea')] [ValidateSet('Devices','Users')] [string]$Target, [Parameter(Mandatory=$true,ParameterSetName='TargetArea')] [string]$TargetId, [Parameter(Mandatory=$true,ParameterSetName='TargetSet')] [hashtable]$TargetSet, [Parameter(Mandatory=$false)] [ValidateSet('Windows','Android','MacOS','iOS')] [string]$Platform = 'Windows', [Parameter(Mandatory=$false)] [switch]$IncludePolicySetInherits ) $graphApiVersion = "beta" #First get all Azure AD groups this device is a member of. $UriResources = @() #TEST $TargetSet = @{devices=$syncHash.Data.SelectedDevice.azureADObjectId;users=$syncHash.Data.AssignedUser.id} If($TargetSet) { $UriResources += $TargetSet.GetEnumerator() | %{"$Global:GraphEndpoint/$graphApiVersion/$($_.Name)/$($_.Value)/memberOf"} } Else{ $UriResources += "$Global:GraphEndpoint/$graphApiVersion/$($Target.ToLower())/memberOf" } #loop through each Intune Component, then get assignments for each Switch($Platform){ 'Windows' { $PlatformType = @('microsoftStore', 'win32LobApp', 'windows', 'officeSuiteApp', 'sharedPC', 'editionUpgrade', 'webApp' ) $PlatformComponents = @( #'deviceManagement/advancedThreatProtectionOnboardingStateSummary' 'deviceManagement/windowsAutopilotDeploymentProfiles' 'deviceManagement/deviceCompliancePolicies' 'deviceManagement/deviceComplianceScripts' 'deviceManagement/deviceConfigurations' 'deviceManagement/configurationPolicies' 'deviceManagement/deviceEnrollmentConfigurations' 'deviceManagement/deviceHealthScripts' 'deviceManagement/deviceManagementScripts' 'deviceManagement/roleScopeTags' #'deviceManagement/windowsDriverUpdateProfiles' 'deviceManagement/windowsQualityUpdateProfiles' 'deviceManagement/windowsFeatureUpdateProfiles' 'deviceAppManagement/windowsInformationProtectionPolicies' 'deviceAppManagement/mdmWindowsInformationProtectionPolicies' 'deviceAppManagement/mobileApps' 'deviceAppManagement/policysets' #'deviceAppManagement/assignmentFilters' ) } 'Android' {$PlatformType = @('android', 'webApp', 'aosp' ) $PlatformComponents = @( 'deviceManagement/androidDeviceOwnerEnrollmentProfiles' 'deviceAppManagement/androidForWorkAppConfigurationSchemas' 'deviceAppManagement/androidForWorkEnrollmentProfiles' 'deviceAppManagement/androidForWorkSettings' 'deviceAppManagement/androidManagedStoreAccountEnterpriseSettings' 'deviceAppManagement/androidManagedStoreAppConfigurationSchemas' ) } 'MacOS' {$PlatformType = @('ios', 'macOS', 'webApp' ) $PlatformComponents = @( ) } 'iOS' {$PlatformType = @('ios', 'webApp' ) $PlatformComponents = @( ) } } #Add component URIs $UriResources += $PlatformComponents | %{ "$Global:GraphEndpoint/$graphApiVersion/$($_)"} Foreach($Uri in $UriResources){ Write-Verbose "URI: $Uri" } #BATCH CALL #1: Do a batch call on device,users and platform resources to get all properties #Using -Passthru with Invoke-IDMGraphRequests will out graph data including next link and context. #No Passthru will out value only #$GraphRequests = $UriResources | Invoke-IDMGraphRequests -Threads $UriResources.Count $GraphRequests = $UriResources | Invoke-IDMGraphBatchRequests -Verbose:$VerbosePreference #$GraphRequests = $UriResources | Invoke-IDMGraphRequests -Headers $AuthToken $DeviceGroups = ($GraphRequests | Where {$_.uri -like '*/devices/*/memberOf'}) $UserGroups = ($GraphRequests | Where {$_.uri -like '*/users/*/memberOf'}) $DeviceGroupMembers = $DeviceGroups | Select id, displayName,@{N='GroupType';E={If('DynamicMembership' -in $_.groupTypes){return 'Dynamic'}Else{return 'Static'} }},@{N='Target';E={'Devices'}} $UserGroupMembers = $UserGroups | Select id, displayName,@{N='GroupType';E={If('DynamicMembership' -in $_.groupTypes){return 'Dynamic'}Else{return 'Static'} }},@{N='Target';E={'Users'}} #combine device and users memberships $AllGroupMembers = @() $AllGroupMembers = $DeviceGroupMembers + $UserGroupMembers #NOW Build platform resources based on graph info $PlatformResources = ($GraphRequests | Where {$_.'@odata.type' -match ($PlatformType -join '|')}) | Select Id,uri, @{N='type';E={Set-IDMResourceFriendlyType -Category (split-path $_.uri -leaf) -ODataType $_.'@odata.type'}}, @{N='name';E={Set-IDMResourceFriendlyName -Name $_.displayName -LicenseType $_.licenseType -ODataType $_.'@odata.type'}}, @{N='assigned';E={If('isAssigned' -in ($_ | Get-Member -MemberType NoteProperty).Name){[boolean]$_.isAssigned}Else{'Unknown'}}} #BATCH CALL #2: get Assignments of all resource using batch jobs. #Using -Passthru with Invoke-IDMGraphRequests will out graph data including next link and context. Value contains devices. No Passthru will out value only #batch jobs can only be ran in series of 20; split collection up and process each group $ResourceAssignments = $PlatformResources | %{ $_.uri + '/' + $_.id + '/assignments'} | Split-IDMRequests -GroupOf 20 | ForEach-Object { $_ | Invoke-IDMGraphBatchRequests -Verbose:$VerbosePreference} #$ResourceAssignments = $PlatformResources | Invoke-IDMGraphRequests -Verbose:$VerbosePreference #$ResourceAssignments.count $AssignmentList= @() #TEST $Assignment = $ResourceAssignments[0] #TEST $Assignment = ($ResourceAssignments | Where Source -eq 'policySets')[0] $i=0 Foreach($Assignment in $ResourceAssignments) { $ReferenceResource = $PlatformResources | Where { $Assignment.uri -eq ($_.uri + '/' + $_.id + '/assignments')} $AssignmentGroup = '' | Select Id,Name,Type,Mode,Target,Platform,Group,GroupType,GroupId,Assigned $AssignmentGroup.Id = $Assignment.id $AssignmentGroup.Name = $ReferenceResource.name $AssignmentGroup.Type = $ReferenceResource.type #$AssignmentGroup.Target = $Assignment.target $AssignmentGroup.Platform = $Platform $AssignmentGroup.Assigned = $ReferenceResource.assigned If($Assignment.intent){ $AssignmentGroup.Mode = (Get-Culture).TextInfo.ToTitleCase($Assignment.intent) }Else{ $AssignmentGroup.Mode = 'Assigned' } #Grab Policyset info If($Assignment.source -eq 'policySets' -and $IncludePolicySetInherits){ $PolicySet = $True $PolicySetDetails = $PlatformResources | Where id -eq $Assignment.sourceId If(!$PolicySetDetails){ $PolicySet = $False } } Else{ $PolicySet = $False } switch($Assignment.target.'@odata.type'){ '#microsoft.graph.allLicensedUsersAssignmentTarget' { $AddToGroup = $true $AssignmentGroup.Group = 'All Users' #$ResourceAssignments += $AssignmentGroup $AssignmentGroup.GroupType = 'Built-In' $AssignmentGroup.Target = 'Users' } '#microsoft.graph.allDevicesAssignmentTarget' { $AddToGroup = $true $AssignmentGroup.Group = 'All Devices' $AssignmentGroup.GroupType = 'Built-In' $AssignmentGroup.Target = 'Devices' } '#microsoft.graph.exclusionGroupAssignmentTarget' { $AssignmentGroup.Mode = 'Excluded' $TargetAssignments = $Assignment.target | Where '@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget' #$Group = $TargetAssignments.GroupId[-1] Foreach($Group in $TargetAssignments.GroupId) { If($Group -in $AllGroupMembers.id){ $GroupDetails = ($AllGroupMembers | Where id -eq $Group) $AddToGroup = $true $AssignmentGroup.GroupId = $GroupDetails.id $AssignmentGroup.Group = $GroupDetails.displayName $AssignmentGroup.GroupType = $GroupDetails.GroupType $AssignmentGroup.Target = $GroupDetails.Target }Else{ $AddToGroup = $false } } } '#microsoft.graph.groupAssignmentTarget' { $TargetAssignments = $Assignment.target | Where '@odata.type' -eq '#microsoft.graph.groupAssignmentTarget' Foreach($Group in $TargetAssignments.GroupId) { If($Group -in $AllGroupMembers.id){ $GroupDetails = ($AllGroupMembers | Where id -eq $Group) $AddToGroup = $true $AssignmentGroup.GroupId = $GroupDetails.id $AssignmentGroup.Group = $GroupDetails.displayName $AssignmentGroup.GroupType = $GroupDetails.GroupType $AssignmentGroup.Target = $GroupDetails.Target }Else{ $AddToGroup = $false } } } default {$AddToGroup = $false} }#end switch If($AddToGroup){ #update assignment group columns if policy is set If($PolicySet){ $AssignmentGroup.Mode = 'Applied (Inherited)' $AssignmentGroup.Group = ($AssignmentGroup.Group + ' (' + $AssignmentGroup.GroupType + ')') #$AssignmentGroup.Group = ('PolicySet: ' + $PolicySet.displayName) #$AssignmentGroup.GroupType = ($AssignmentGroup.Group + ' (Inherited)') $AssignmentGroup.GroupType = ('PolicySet: ' + $PolicySetDetails.name) } $AssignmentList += $AssignmentGroup } $i++ }#end assignment loop Return $AssignmentList } |