I found this fantastic PowerShell module from jseerden that queries Microsoft Graph, and allows for cross-tenant Backup & Restore of your Intune Configuration. The Intune Configuration is backed up as JSON files in a given directory. The module allows an administrator to backup, restore and even compare different Intune backup sets.
Pre-Requisites
The module requires a total of 3 modules to be present, you can install them by running the following commands in an administrative PowerShell prompt:
AzureAD Module
- AzureAD (
Install-Module -Name AzureAD)
MSGraphFunction Module
- MSGraphFunction (
Install-Module -Name MSGraphFunctions)
IntuneBackupandRestore Module
The IntuneBackupandRestore PowerShell module is hosted on the PowerShell Gallery. You can install it by running the following command in an administrative PowerShell prompt:
Install-Module -Name IntuneBackupAndRestore
Connect to Microsoft Graph
Next, we will connect to Microsoft Graph using the “Microsoft Intune PowerShell” application in AzureAD, so you don’t need to create your own Azure AD application and set permissions. In PowerShell import the MSGraphFunctions module by running:
Import-Module MSGraphFunctions
Once you have the module loaded into memory, you will connect to Graph by running Connect-Graph. Connect-Graph loads a webform which supports MFA login. You will see a prompt asking for permissions, if you are a global administrator you can also consent on behalf of your organization.
Once authenticated, the shell will return to the normal prompt.
Note: The function Connect-Graph has a Credential parameter that accepts a PSCredential object if you wanted to automate the backup/restore.
Back Up Intune Configuration
To backup your tenant Intune configuration make sure you have the IntuneBackupandRestore module imported into memory. You can import it by running
Import-Module IntuneBackupandRestore
The Start-IntuneBackup cmdlet will then allow you to begin backing up your entire Intune configuration. The cmdlet has one parameter of FilePath. In my example I will save my Intune backup to $env:Temp\IntuneBackup folder. If the folder is not present it will automatically create the folder for you. To accomplish this I would run the command
Start-IntuneBackup -Path $Env:Temp\IntuneBackup
If I navigate to that folder in explorer I can see the backed up items from Intune. The files are backed up as JSON files, however if you got to \Device Management Scripts\Script Content you will see your Configuration PowerShell scripts which will be PS1 source files.
Compare Intune Backup Files
In an environment where multiple engineers may be making Intune changes, it may be beneficial to view configuration changes from a known working state to a later state. In my example, my ‘co worker’ made an Intune configuration change for the Bitlocker policy from my earlier Intune backup and forgot what he changed. To see what changed I took another backup and stored it at $Env:Temp\Intune2
To now compare both configuration I can use the Compare-IntuneBackupFile cmdlet. My full scriptblock would be
Compare-IntuneBackupFile -ReferenceFilePath "$Env:temp\IntuneBackup\Device Configurations\Bitlocker Encrypt.json" -DifferenceFilePath "$Env:temp\Intune2\Device Configurations\Bitlocker Encrypt.json"
In the Shell I can see that he changed the minimum pin length from 4 to 8
Compare Intune Backup Directories
This next function is something I created during this write up because I thought Compare-IntuneBackupFile would recursively list changes in two backup sets. Currently, I pushed this change to the master project on GitHub and its awaiting approval so until then you will have to load this function into memory separately. The function will recursively compare all the JSON backup files in each directory. Its able to match up the JSON files by looking for the reference JSON file in the backup directory, if there is more than 1 result (which you will see with things like assignments) it will go back to the reference file, extract its parent folder and compare it to the results.
Parameters
The function requires values for 2 parameters:
ReferenceDirectory: The directory containing the reference backup files
DifferenceDirectory: The directory containing the newest (difference) backup files
Output
Verbose messages are displayed if you use the -Verbose switch parameter. Otherwise you will just see files that are different and what is different between the two JSON files
Example
In my example I will compare 2 backup sets for changes. My first backup (reference) is located at $Env:Temp\IntuneBackup. My newest backup (Difference) is located at $Env:\Intune2. My example command would be
Compare-IntuneBackupDirectories -Verbose -ReferenceDirectory C:\Users\BRADWY~1\AppData\Local\Temp\IntuneBackup -DifferenceDirectory C:\Users\BRADWY~1\AppData\Local\Temp\Intune2
Function
Below is the PowerShell function. Until it becomes approved and part of the module you will have to load it into memory. I was using ISE so I just ran it in ISE (or VSCode). You could also dot source the file. It does require the IntuneBackupAndRestore module to be installed and loaded into memory.
Function Compare-IntuneBackupDirectories
{
<#
.SYNOPSIS
Compare two Intune Backup Directories for changes in each of their JSON backup files.
.DESCRIPTION
Compare two Intune Backup Directories for changes.
.PARAMETER $ReferenceDirectory
Any Intune Backup Directory.
.PARAMETER $DifferenceDirectory
Latest Intune Backup directory
.EXAMPLE
- Show verbose output
Compare-IntuneBackupDirectories -Verbose -ReferenceDirectory C:\Users\BradleyWyatt\AppData\Local\Temp\IntuneBackup -DifferenceDirectory C:\Users\BradleyWyatt\AppData\Local\Temp\IntuneNewBackup
Compare-IntuneBackupDirectories -ReferenceDirectory C:\Users\BradleyWyatt\AppData\Local\Temp\IntuneBackup -DifferenceDirectory C:\Users\BradleyWyatt\AppData\Local\Temp\IntuneNewBackup
.NOTES
Requires the IntuneBackupAndRestore Module
.AUTHOR
Bradley Wyatt - The Lazy Administrator
#>
Param (
[parameter(Mandatory = $true, Position = 0)]
[String]$ReferenceDirectory,
[parameter(Mandatory = $true, Position = 1)]
[String]$DifferenceDirectory
)
Begin
{
$ReferenceFiles = Get-ChildItem $ReferenceDirectory -Recurse | Where-Object { $_.Name -like "*.json*" } | Select-Object -ExpandProperty VersionInfo
$DifferenceFiles = Get-ChildItem $DifferenceDirectory -Recurse | Where-Object { $_.Name -like "*.json*" } | Select-Object @{ Label = "FileName"; Expression = { (($_.VersionInfo).FileName).split("\") | Select-Object -Last 1 } }, @{ Label = "FullPath"; Expression = { (($_.VersionInfo).FileName) } }
}
Process
{
Foreach ($File in $ReferenceFiles)
{
$ReferenceJSONFile = ($File.Filename).split("\") | Select-Object -last 1
Write-Verbose "The reference file is '$ReferenceJSONFile'"
Write-Verbose "The reference file path is $($File.FileName)"
$DifFileFound = $DifferenceFiles | Where-Object { $_.FileName -eq $ReferenceJSONFile }
If (($DifFileFound.FileName).count -gt 1)
{
$ReferenceJSONFile = ($File.Filename).split("\") | Select-Object -last 2
$ReferenceJSONFileParent = ($File.FileName).split("\") | Select-Object -Last 2
$ReferenceJSONFileParentPath = "$(($ReferenceJSONFileParent).item(0))\$(($ReferenceJSONFileParent).item(1))"
Write-Verbose "Multiple difference files found that were matching the reference file"
$DifFileFound = $DifferenceFiles | Where-Object { $_.FullPath -like "*$ReferenceJSONFileParentPath*" }
}
Write-Verbose "The difference file is located at $($DifFileFound.fullpath)"
Write-Verbose "Checking for changes in the file '$ReferenceJSONFile'"
$Changes = Compare-IntuneBackupFile -ReferenceFilePath $File.FileName -DifferenceFilePath $DifFileFound.FullPath -ErrorAction silentlycontinue
If ($Changes)
{
Write-Host "There was a change in the file, '$ReferenceJSONFile' which is located at $($DifFileFound.fullpath)"
$Changes | Format-Table -AutoSize
}
}
}
}
Restore Intune Backup
In this next section we will go over restoring Intune configuration and assignments.
Note: Restoring configurations will NOT overwrite existing configurations, but instead create new ones. Restoring assignments may overwrite existing assignments
Restore Everything
To restore everything you would use the Start-IntuneRestoreConfig cmdlet. It will recursively parse the folder structure and restore everything from each JSON file. It requires value for the Path parameter which is the directory of the backup files.
Start-IntuneRestoreConfig -Path C:\Users\BRADWY~1\AppData\Local\Temp\IntuneBackup\
Restore Single Backup File
To restore a single backup file you would use the same command as above. It will again parse the backup folder structure and import any JSON files it finds so to only backup 1 JSON file you will need to ensure its the only JSON file in all of the directories. If you delete the directories you will see some red on your console because it cannot find a folder its looking for but the import will still work. In my example I just went through all of the folders and deleted the JSON files I didn’t want to import.
Restore Assignments
To restore Intune Assignments you will use the Start-IntuneRestoreAssignments cmdlet. It will recursively parse your assignments and check to see if it needs to be restored or hasn’t changed. In my example only Adobe Reader had an assignment change and it was successfully changed back.
Source: https://www.thelazyadministrator.com/2019/11/26/backup-and-restore-your-intune-configuration-using-powershell/