Find where the Entra group is currently being used: which Intune policies it is assigned to.

<#
.SYNOPSIS
    Find all Intune policy assignments targeting a specific Entra ID group.

.PARAMETER GroupDisplayName
    The display name of the Entra ID group to search for.

.EXAMPLE
    .\Find-IntuneGroupAssignments.ps1 -GroupDisplayName "SG-Intune-Kiosk-Devices"
#>

[CmdletBinding()]
param(
    # Display name of the Entra ID group; resolved to its object id via Get-MgGroup below.
    # Display names are not unique in Entra ID, so a name that matches several groups is ambiguous.
    [Parameter(Mandatory)]
    [string]$GroupDisplayName
)

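Import-Module Microsoft.Graph.Authentication -ErrorAction Stop

# Reuse an existing Graph session when one is present; otherwise sign in with
# read-only scopes (this script never writes to Intune or Entra ID).
$requiredScopes = @(
    'DeviceManagementConfiguration.Read.All',
    'DeviceManagementApps.Read.All',
    'Group.Read.All'
)
$context = Get-MgContext
if (-not $context) {
    Connect-MgGraph -Scopes $requiredScopes
} else {
    # An existing session may have been opened with a different scope set. A missing
    # scope does not fail here; it surfaces later as per-policy request errors that
    # are skipped, which would make a permission problem look like "no assignments".
    # A *.ReadWrite.All grant also covers the matching *.Read.All scope, so this
    # check is advisory rather than fatal.
    $missing = $requiredScopes | Where-Object { $context.Scopes -notcontains $_ }
    if ($missing) {
        Write-Warning "Current Graph session may lack scope(s): $($missing -join ', '). Results may be incomplete; reconnect with Connect-MgGraph -Scopes if so."
    }
}

# Escape single quotes for the OData filter: a display name containing ' would
# otherwise break the query or change its meaning.
$escapedName = $GroupDisplayName -replace "'", "''"
$group = @(Get-MgGroup -Filter "displayName eq '$escapedName'" -ErrorAction Stop)
if ($group.Count -eq 0) { throw "Group '$GroupDisplayName' not found." }
if ($group.Count -gt 1) {
    # Display names are not unique in Entra ID; refuse to guess which group was meant,
    # since reporting assignments for the wrong group would be a silent false result.
    throw "Multiple groups named '$GroupDisplayName' found (ids: $($group.Id -join ', ')). Use a unique name."
}
$GroupId = $group[0].Id
Write-Host "Resolved '$GroupDisplayName' -> $GroupId" -ForegroundColor Cyan
Write-Host "`nSearching for assignments targeting group: $GroupDisplayName`n" -ForegroundColor Cyan

# Shared accumulator; Get-AssignedPolicies appends one row per matching assignment.
$results = [System.Collections.Generic.List[PSCustomObject]]::new()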

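function Get-AssignedPolicies {
    <#
    .SYNOPSIS
        Finds every policy under $Uri whose assignments target $GroupId and
        appends one row per match to the script-level $results list.

    .PARAMETER Uri
        Graph collection endpoint to enumerate (e.g. .../deviceManagement/configurationPolicies).
        Each policy's assignments are read from "$Uri/<policy id>/assignments".

    .PARAMETER PolicyType
        Human-readable label written to the PolicyType column of each result row.

    .NOTES
        Reads $GroupId from, and adds to $results in, the enclosing script scope.
        Include and exclude assignments are both reported; the TargetType column
        (e.g. groupAssignmentTarget vs exclusionGroupAssignmentTarget) tells them apart.
        Policies whose assignments cannot be read are skipped and counted, and a
        single warning is emitted per policy type so that a permissions problem is
        not mistaken for "no assignments".
    #>
    param(
        [string]$Uri,
        [string]$PolicyType
    )

    # Follow @odata.nextLink until the collection is exhausted.
    $policies = [System.Collections.Generic.List[object]]::new()
    $nextLink = $Uri
    do {
        $response = Invoke-MgGraphRequest -Method GET -Uri $nextLink
        foreach ($p in $response.value) { $policies.Add($p) }
        $nextLink = $response.'@odata.nextLink'
    } while ($nextLink)

    $unreadable = 0
    foreach ($policy in $policies) {
        $assignUri = "$Uri/$($policy.id)/assignments"

        try {
            $assignments = (Invoke-MgGraphRequest -Method GET -Uri $assignUri).value
        } catch {
            # Typically a permission error or a policy kind with no assignments endpoint;
            # count it so the caller learns the scan was incomplete.
            $unreadable++
            Write-Verbose "Could not read assignments for $PolicyType '$($policy.id)': $($_.Exception.Message)"
            continue
        }

        foreach ($a in $assignments) {
            $target = $a.target
            if ($target.groupId -ne $GroupId) { continue }

            # '#microsoft.graph.groupAssignmentTarget' -> 'groupAssignmentTarget'
            $cleanType = $target.'@odata.type' -replace [regex]::Escape('#microsoft.graph.'), ''

            # Policy families differ in which property carries the title.
            $policyName = $policy.displayName
            if (-not $policyName) { $policyName = $policy.name }
            if (-not $policyName) { $policyName = '(unnamed)' }

            $filterId = $target.deviceAndAppManagementAssignmentFilterId
            if (-not $filterId) { $filterId = 'None' }

            $results.Add([PSCustomObject]@{
                PolicyType   = $PolicyType
                PolicyName   = $policyName
                PolicyId     = $policy.id
                AssignmentId = $a.id
                TargetType   = $cleanType
                Filter       = $filterId
            })
        }
    }

    if ($unreadable -gt 0) {
        Write-Warning "$PolicyType`: assignments of $unreadable of $($policies.Count) policies could not be read; results for this type may be incomplete (run with -Verbose for details)."
    }
}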

# The beta endpoint is used because, at the time of writing, several of these
# Intune collections are not exposed on v1.0.
$baseUri = "https://graph.microsoft.com/beta"

# Collection path (relative to $baseUri) and the label shown in the PolicyType column.
# Each entry is expanded below into the @{ Uri; Name } shape the scan loop consumes.
$policyTypes = @(
    @{ Path = 'deviceManagement/configurationPolicies';               Name = 'Settings Catalog' }
    @{ Path = 'deviceManagement/deviceConfigurations';                Name = 'Device Configuration (legacy)' }
    @{ Path = 'deviceManagement/groupPolicyConfigurations';           Name = 'Administrative Templates (ADMX)' }
    @{ Path = 'deviceManagement/deviceCompliancePolicies';            Name = 'Compliance Policy' }
    @{ Path = 'deviceManagement/intents';                             Name = 'Endpoint Security (Intents)' }
    @{ Path = 'deviceManagement/deviceEnrollmentConfigurations';      Name = 'Enrollment Configuration' }
    @{ Path = 'deviceManagement/windowsFeatureUpdateProfiles';        Name = 'Windows Feature Update' }
    @{ Path = 'deviceManagement/windowsQualityUpdateProfiles';        Name = 'Windows Quality Update' }
    @{ Path = 'deviceManagement/windowsDriverUpdateProfiles';         Name = 'Windows Driver Update' }
    @{ Path = 'deviceManagement/windowsAutopilotDeploymentProfiles';  Name = 'Autopilot Deployment Profile' }
    @{ Path = 'deviceAppManagement/mobileApps';                       Name = 'App Assignment' }
    @{ Path = 'deviceAppManagement/managedAppPolicies';               Name = 'App Protection Policy' }
    @{ Path = 'deviceAppManagement/targetedManagedAppConfigurations'; Name = 'App Configuration (Targeted)' }
    @{ Path = 'deviceManagement/remediations';                        Name = 'Proactive Remediation' }
    @{ Path = 'deviceManagement/deviceShellScripts';                  Name = 'Shell Script (macOS)' }
    @{ Path = 'deviceManagement/deviceManagementScripts';             Name = 'PowerShell Script' }
    @{ Path = 'deviceManagement/deviceCustomAttributeShellScripts';   Name = 'Custom Attribute Script' }
) | ForEach-Object { @{ Uri = "$baseUri/$($_.Path)"; Name = $_.Name } }

# Scan every collection, printing one progress line per policy type. A failure to
# list a collection itself (feature not enabled in the tenant, missing scope, etc.)
# is reported and that type is skipped rather than aborting the whole scan.
$policyTypes | ForEach-Object {
    $pt = $_
    Write-Host "  Checking: $($pt.Name)..." -NoNewline
    try {
        Get-AssignedPolicies -Uri $pt.Uri -PolicyType $pt.Name
        Write-Host " done" -ForegroundColor Green
    } catch {
        Write-Host " skipped ($($_.Exception.Message))" -ForegroundColor Yellow
    }
}

$summary = "`n=== Results: $($results.Count) assignment(s) found for '$GroupDisplayName' ===`n"
Write-Host $summary -ForegroundColor Cyan

if ($results.Count -gt 0) {
    $results |
        Sort-Object PolicyType, PolicyName |
        Format-Table -AutoSize
    # To export, build the file name from $GroupId rather than the display name:
    # a display name may contain characters such as path separators or '..',
    # which could steer the output file outside the current directory.
    # $results | Export-Csv -Path ".\GroupAssignments_$GroupId.csv" -NoTypeInformation
}