{"id":9702,"date":"2026-06-04T04:39:22","date_gmt":"2026-06-04T04:39:22","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=9702"},"modified":"2026-06-04T04:39:23","modified_gmt":"2026-06-04T04:39:23","slug":"find-where-the-entra-group-is-currently-being-users-assigned-to-what-policies","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/find-where-the-entra-group-is-currently-being-users-assigned-to-what-policies","title":{"rendered":"Find where the Entra Group is currently being Used \\ Assigned to What Policies"},"content":{"rendered":"\n<pre class=\"wp-block-code\"><code class=\"\">&lt;#\n.SYNOPSIS\n    Find all Intune policy assignments targeting a specific Entra ID group.\n\n.PARAMETER GroupDisplayName\n    The display name of the Entra ID group to search for.\n\n.EXAMPLE\n    .\\Find-IntuneGroupAssignments.ps1 -GroupDisplayName \"SG-Intune-Kiosk-Devices\"\n#>\n\n[CmdletBinding()]\nparam(\n    [Parameter(Mandatory)]\n    [string]$GroupDisplayName\n)\n\nImport-Module Microsoft.Graph.Authentication -ErrorAction Stop\n\n# Add after Import-Module line\n$context = Get-MgContext\nif (-not $context) {\n    Connect-MgGraph -Scopes \"DeviceManagementConfiguration.Read.All\",\"DeviceManagementApps.Read.All\",\"Group.Read.All\"\n}\n\n$group = Get-MgGroup -Filter \"displayName eq '$GroupDisplayName'\" -ErrorAction Stop\nif (-not $group) { throw \"Group '$GroupDisplayName' not found.\" }\n$GroupId = $group.Id\nWrite-Host \"Resolved '$GroupDisplayName' -> $GroupId\" -ForegroundColor Cyan\nWrite-Host \"`nSearching for assignments targeting group: $GroupDisplayName`n\" -ForegroundColor Cyan\n\n$results = [System.Collections.Generic.List[PSCustomObject]]::new()\n\nfunction Get-AssignedPolicies {\n    param(\n        [string]$Uri,\n        [string]$PolicyType\n    )\n\n    $policies = @()\n    $nextLink = $Uri\n\n    do {\n        $response = Invoke-MgGraphRequest -Method GET -Uri $nextLink\n        $policies += $response.value\n        
$nextLink = $response.'@odata.nextLink'\n    } while ($nextLink)\n\n    foreach ($policy in $policies) {\n        $assignUri = \"$Uri\/$($policy.id)\/assignments\"\n\n        try {\n            $assignments = (Invoke-MgGraphRequest -Method GET -Uri $assignUri).value\n        } catch {\n            continue\n        }\n\n        foreach ($a in $assignments) {\n            $target = $a.target\n            if ($target.groupId -eq $GroupId) {\n                $odataType = $target.'@odata.type'\n                $cleanType = $odataType -replace [regex]::Escape('#microsoft.graph.'), ''\n\n                $policyName = $policy.displayName\n                if (-not $policyName) { $policyName = $policy.name }\n                if (-not $policyName) { $policyName = '(unnamed)' }\n\n                $filterId = $target.deviceAndAppManagementAssignmentFilterId\n                if (-not $filterId) { $filterId = 'None' }\n\n                $results.Add([PSCustomObject]@{\n                    PolicyType   = $PolicyType\n                    PolicyName   = $policyName\n                    PolicyId     = $policy.id\n                    AssignmentId = $a.id\n                    TargetType   = $cleanType\n                    Filter       = $filterId\n                })\n            }\n        }\n    }\n}\n\n$baseUri = \"https:\/\/graph.microsoft.com\/beta\"\n\n$policyTypes = @(\n    @{ Uri = \"$baseUri\/deviceManagement\/configurationPolicies\";               Name = \"Settings Catalog\" }\n    @{ Uri = \"$baseUri\/deviceManagement\/deviceConfigurations\";                Name = \"Device Configuration (legacy)\" }\n    @{ Uri = \"$baseUri\/deviceManagement\/groupPolicyConfigurations\";           Name = \"Administrative Templates (ADMX)\" }\n    @{ Uri = \"$baseUri\/deviceManagement\/deviceCompliancePolicies\";            Name = \"Compliance Policy\" }\n    @{ Uri = \"$baseUri\/deviceManagement\/intents\";                             Name = \"Endpoint Security (Intents)\" }\n    @{ Uri = 
\"$baseUri\/deviceManagement\/deviceEnrollmentConfigurations\";      Name = \"Enrollment Configuration\" }\n    @{ Uri = \"$baseUri\/deviceManagement\/windowsFeatureUpdateProfiles\";        Name = \"Windows Feature Update\" }\n    @{ Uri = \"$baseUri\/deviceManagement\/windowsQualityUpdateProfiles\";        Name = \"Windows Quality Update\" }\n    @{ Uri = \"$baseUri\/deviceManagement\/windowsDriverUpdateProfiles\";         Name = \"Windows Driver Update\" }\n    @{ Uri = \"$baseUri\/deviceManagement\/windowsAutopilotDeploymentProfiles\";  Name = \"Autopilot Deployment Profile\" }\n    @{ Uri = \"$baseUri\/deviceAppManagement\/mobileApps\";                      Name = \"App Assignment\" }\n    @{ Uri = \"$baseUri\/deviceAppManagement\/managedAppPolicies\";               Name = \"App Protection Policy\" }\n    @{ Uri = \"$baseUri\/deviceAppManagement\/targetedManagedAppConfigurations\"; Name = \"App Configuration (Targeted)\" }\n    @{ Uri = \"$baseUri\/deviceManagement\/remediations\";                        Name = \"Proactive Remediation\" }\n    @{ Uri = \"$baseUri\/deviceManagement\/deviceShellScripts\";                  Name = \"Shell Script (macOS)\" }\n    @{ Uri = \"$baseUri\/deviceManagement\/deviceManagementScripts\";             Name = \"PowerShell Script\" }\n    @{ Uri = \"$baseUri\/deviceManagement\/deviceCustomAttributeShellScripts\";   Name = \"Custom Attribute Script\" }\n)\n\nforeach ($pt in $policyTypes) {\n    Write-Host \"  Checking: $($pt.Name)...\" -NoNewline\n    try {\n        Get-AssignedPolicies -Uri $pt.Uri -PolicyType $pt.Name\n        Write-Host \" done\" -ForegroundColor Green\n    } catch {\n        Write-Host \" skipped ($($_.Exception.Message))\" -ForegroundColor Yellow\n    }\n}\n\nWrite-Host \"`n=== Results: $($results.Count) assignment(s) found for '$GroupDisplayName' ===`n\" -ForegroundColor Cyan\n\nif ($results.Count -gt 0) {\n    $results | Sort-Object PolicyType, PolicyName | Format-Table -AutoSize\n    # $results | 
Export-Csv -Path \".\\GroupAssignments_$GroupDisplayName.csv\" -NoTypeInformation\n}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-9702","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/9702","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=9702"}],"version-history":[{"count":1,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/9702\/revisions"}],"predecessor-version":[{"id":9703,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/9702\/revisions\/9703"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=9702"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=9702"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=9702"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}