Get all Intune policies assigned to the specified account using PowerShell

Get all Intune policies assigned to the specified account using PowerShell

Ondrej Sebela's photo
Ondrej Sebela
ยท

3 min read

Table of contents

In my previous post, I've shown you how to get all assignable Intune policies. Now we can use this data to get all policies assigned to some specified account (user, device, group).

Say hello to the brand new PowerShell function Search-IntuneAccountPolicyAssignment, new member of my IntuneStuff module ๐Ÿ™‚

How is this useful? This function can help you understand, what Intune policies are assigned/applied to the specific account. Which can be very helpful in the case of debugging etc.

Main benefits of this function:

  • you will get all Intune policies assigned to the selected account ๐Ÿ˜Ž
    • we can kind of use the word applied instead, but for now, I ignore Intune filters, so the results don't have to be 100% accurate
  • takes into account EXCLUDE assignments (can be ignored)
  • takes into account assignments to 'All Users' and 'All Devices' (can be ignored)
  • can find policies directly assigned to the specified group
  • can find policies assigned to the specified account (a group(s) he is a member of) and also all groups where he is a member transitively

How to use Search-IntuneAccountPolicyAssignment function?

To be able to use this function you need:

  • my module IntuneStuff
  • an account with READ permissions to your Intune policies
  • objectId of the user/device/group account whose assigned policies you are looking for (can be found in the Azure portal in account properties)
Install-Module IntuneStuff -Force
Import-Module IntuneStuff -Force

### authenticate to Graph API
Connect-MSGraph


### get all Intune policies directly and indirectly assigned to the selected account
# (policies assigned to groups, this group is a member of will be included)
# policies assigned to 'All Users' or 'All Devices' will be included too
# policies where exclude assignment for this account (or group he is member of) exists, will be skipped

Search-IntuneAccountPolicyAssignment -accountId a8r3da8b-6324-4feb-94ef-96723ba4fbf7


### get all Intune policies directly and indirectly assigned to the selected account
# (policies assigned to groups, this group is a member of will be included)
# policies assigned to 'All Users' or 'All Devices' will be included too
# policies where exclude assignment for this account (or group he is member of) exists, won't be skipped!

Search-IntuneAccountPolicyAssignment -accountId a8r3da8b-6324-4feb-94ef-96723ba4fbf7 -ignoreExcludes


### get all Intune policies directly and indirectly assigned to the selected account
# (policies assigned to groups, this group is a member of will be included)
# policies assigned to 'All Users' or 'All Devices' won't be included!
# policies where exclude assignment for this account (or group he is member of) exists, won't be skipped!

Search-IntuneAccountPolicyAssignment -accountId a8r3da8b-6324-4feb-94ef-96723ba4fbf7 -ignoreExcludes -skipAllUsersAllDevicesAssignments


### get all Intune policies directly assigned to the selected group
# (policies assigned to groups, this group is a member of won't be included)
# policies assigned to 'All Users' or 'All Devices' won't be included!
# policies where exclude assignment for this account (or group he is member of) exists, won't be skipped!

Search-IntuneAccountPolicyAssignment -accountId a8r3da8b-6324-4feb-94ef-96723ba4fbf7 -ignoreExcludes -justDirectGroupAssignments

And the result can look like this image.png

TIPs

Cache Intune policies

You can cache Intune policies to speed up the searches, just use the parameter intunePolicy like ๐Ÿ‘‡

# cache Intune policies
$intunePolicy = Get-IntunePolicy

# use the cached version in your searches
Search-IntuneAccountPolicyAssignment -intunePolicy $intunePolicy -accountId a815dh8b-6324-4feb-94ef-96723ba4fbf7  -basicOverview
Search-IntuneAccountPolicyAssignment -intunePolicy $intunePolicy -accountId 3465dk8b-6325-daeb-94ef-56723ba4f5gt

Speed up searches by selecting just a subset of available policy properties

If you are ok with getting basically just policy name, use parameter basicOverview

Search-IntuneAccountPolicyAssignment -accountId a8r3da8b-6324-4feb-94ef-96723ba4fbf7 -basicOverview

Speed up searches by selecting just a subset of available policy types

If you are interested in just some of the available Intune policies, filter them using the parameter policyType

Search-IntuneAccountPolicyAssignment -accountId a8r3da8b-6324-4feb-94ef-96723ba4fbf7 -policyType app,configurationPolicy,compliancePolicy

Summary

Now you have two functions. Get-IntunePolicy to get all assignable Intune policies and Search-IntuneAccountPolicyAssignment to get just policies assigned to some account. And both are part of the module IntuneStuff.

Enjoy ๐Ÿ‘

Did you find this article valuable?

Support Ondrej Sebela by becoming a sponsor. Any amount is appreciated!

Powershellintune
ย