IntuneAssignmentChecker.ps1

#Requires -Version 7.0
#Requires -Modules Microsoft.Graph.Authentication

<#PSScriptInfo
.VERSION 3.4.1
.GUID c6e25ec6-5787-45ef-95af-8abeb8a17daf
.AUTHOR ugurk
.PROJECTURI https://github.com/ugurkocde/IntuneAssignmentChecker
.DESCRIPTION
This script enables IT administrators to efficiently analyze and audit Intune assignments. It checks assignments for specific users, groups, or devices, displays all policies and their assignments, identifies unassigned policies, detects empty groups in assignments, and searches for specific settings across policies.
.RELEASENOTES
Version 3.4.1:
- Updated release date

Version 3.4.0:
- NEW: Added "Show All Failed Assignments" feature (option 11) to display policy deployment failures
- Added support for Windows 365 Cloud PC Provisioning Policies and User Settings
- Updated HTML export to include these new policy types
- Enhanced assignment checking functionality
- Removed deprecated Administrative Templates option (was option 10)
- Renumbered menu options: Compare Groups is now option 10

Version 3.3.3:
- Fixed HTML Export bug (#70)
- Added display for Autopilot and Enrollment Status Page profiles

Version 3.3.2:
- Added support for Endpoint Security tab (Antivirus profiles, Disk Encryption, etc.)
- Added Autopilot deployment profiles and ESP assignment checks
#>


param(
    [Parameter(Mandatory = $false, HelpMessage = "Check assignments for specific users")]
    [switch]$CheckUser,
    
    [Parameter(Mandatory = $false, HelpMessage = "User Principal Names to check, comma-separated")]
    [string]$UserPrincipalNames,
    
    [Parameter(Mandatory = $false, HelpMessage = "Check assignments for specific groups")]
    [switch]$CheckGroup,
    
    [Parameter(Mandatory = $false, HelpMessage = "Group names or IDs to check, comma-separated")]
    [string]$GroupNames,
    
    [Parameter(Mandatory = $false, HelpMessage = "Check assignments for specific devices")]
    [switch]$CheckDevice,
    
    [Parameter(Mandatory = $false, HelpMessage = "Device names to check, comma-separated")]
    [string]$DeviceNames,
    
    [Parameter(Mandatory = $false, HelpMessage = "Show all policies and their assignments")]
    [switch]$ShowAllPolicies,
    
    [Parameter(Mandatory = $false, HelpMessage = "Show all 'All Users' assignments")]
    [switch]$ShowAllUsersAssignments,
    
    [Parameter(Mandatory = $false, HelpMessage = "Show all 'All Devices' assignments")]
    [switch]$ShowAllDevicesAssignments,
    
    [Parameter(Mandatory = $false, HelpMessage = "Generate HTML report")]
    [switch]$GenerateHTMLReport,
    
    [Parameter(Mandatory = $false, HelpMessage = "Show policies without assignments")]
    [switch]$ShowPoliciesWithoutAssignments,
    
    [Parameter(Mandatory = $false, HelpMessage = "Check for empty groups in assignments")]
    [switch]$CheckEmptyGroups,
    
    [Parameter(Mandatory = $false, HelpMessage = "Show all Administrative Templates")]
    [switch]$ShowAdminTemplates,
    
    [Parameter(Mandatory = $false, HelpMessage = "Show all failed assignments")]
    [switch]$ShowFailedAssignments,
    
    [Parameter(Mandatory = $false, HelpMessage = "Compare assignments between groups")]
    [switch]$CompareGroups,
    
    [Parameter(Mandatory = $false, HelpMessage = "Groups to compare assignments between, comma-separated")]
    [string]$CompareGroupNames,
    
    [Parameter(Mandatory = $false, HelpMessage = "Export results to CSV")]
    [switch]$ExportToCSV,
    
    [Parameter(Mandatory = $false, HelpMessage = "Path for the exported CSV file")]
    [string]$ExportPath,
    
    [Parameter(Mandatory = $false, HelpMessage = "App ID for authentication")]
    [string]$AppId,
    
    [Parameter(Mandatory = $false, HelpMessage = "Tenant ID for authentication")]
    [string]$TenantId,
    
    [Parameter(Mandatory = $false, HelpMessage = "Certificate Thumbprint for authentication")]
    [string]$CertificateThumbprint,
    
    [Parameter(Mandatory = $false, HelpMessage = "Environment (Global, USGov, USGovDoD)")]
    [ValidateSet("Global", "USGov", "USGovDoD")]
    [string]$Environment = "Global"
)

# Check if any command-line parameters were provided
$parameterMode = $false
$selectedOption = $null

if ($CheckUser) { $parameterMode = $true; $selectedOption = '1' }
elseif ($CheckGroup) { $parameterMode = $true; $selectedOption = '2' }
elseif ($CheckDevice) { $parameterMode = $true; $selectedOption = '3' }
elseif ($ShowAllPolicies) { $parameterMode = $true; $selectedOption = '4' }
elseif ($ShowAllUsersAssignments) { $parameterMode = $true; $selectedOption = '5' }
elseif ($ShowAllDevicesAssignments) { $parameterMode = $true; $selectedOption = '6' }
elseif ($GenerateHTMLReport) { $parameterMode = $true; $selectedOption = '7' }
elseif ($ShowPoliciesWithoutAssignments) { $parameterMode = $true; $selectedOption = '8' }
elseif ($CheckEmptyGroups) { $parameterMode = $true; $selectedOption = '9' }
elseif ($CompareGroups) { $parameterMode = $true; $selectedOption = '10' }
elseif ($ShowFailedAssignments) { $parameterMode = $true; $selectedOption = '11' }

<#
.SYNOPSIS
    Checks Intune policy and app assignments for users, groups, and devices.

.DESCRIPTION
    This script helps IT administrators analyze and audit Intune assignments by:
    - Checking assignments for specific users, groups, or devices
    - Showing all policies and their assignments
    - Finding policies without assignments
    - Identifying empty groups in assignments
    - Searching for specific settings across policies

.PARAMETER CheckUser
    Check assignments for specific users.

.PARAMETER UserPrincipalNames
    User Principal Names to check, comma-separated.

.PARAMETER CheckGroup
    Check assignments for specific groups.

.PARAMETER GroupNames
    Group names or IDs to check, comma-separated.

.PARAMETER CheckDevice
    Check assignments for specific devices.

.PARAMETER DeviceNames
    Device names to check, comma-separated.

.PARAMETER ShowAllPolicies
    Show all policies and their assignments.

.PARAMETER ShowAllUsersAssignments
    Show all 'All Users' assignments.

.PARAMETER ShowAllDevicesAssignments
    Show all 'All Devices' assignments.

.PARAMETER GenerateHTMLReport
    Generate HTML report.

.PARAMETER ShowPoliciesWithoutAssignments
    Show policies without assignments.

.PARAMETER CheckEmptyGroups
    Check for empty groups in assignments.

.PARAMETER ShowAdminTemplates
    Show all Administrative Templates.

.PARAMETER CompareGroups
    Compare assignments between groups.

.PARAMETER CompareGroupNames
    Groups to compare assignments between, comma-separated.

.PARAMETER ExportToCSV
    Export results to CSV.

.PARAMETER ExportPath
    Path for the exported CSV file.

.PARAMETER AppId
    App ID for authentication.

.PARAMETER TenantId
    Tenant ID for authentication.

.PARAMETER CertificateThumbprint
    Certificate Thumbprint for authentication.

.PARAMETER Environment
    Environment (Global, USGov, USGovDoD).

.EXAMPLE
    .\IntuneAssignmentChecker_v3.ps1 -CheckUser -UserPrincipalNames "user1@contoso.com,user2@contoso.com"
    Checks assignments for the specified users.

.EXAMPLE
    .\IntuneAssignmentChecker_v3.ps1 -CheckGroup -GroupNames "Marketing Team"
    Checks assignments for the specified group.

.EXAMPLE
    .\IntuneAssignmentChecker_v3.ps1 -ShowAllPolicies -ExportToCSV -ExportPath "C:\Temp\AllPolicies.csv"
    Shows all policies and exports the results to CSV.

.AUTHOR
    Ugur Koc (@ugurkocde)
    GitHub: https://github.com/ugurkocde/IntuneAssignmentChecker
    Sponsor: https://github.com/sponsors/ugurkocde
    Changelog: https://github.com/ugurkocde/IntuneAssignmentChecker/releases

.REQUIRED PERMISSIONS
    - User.Read.All (Read user profiles)
    - Group.Read.All (Read group information)
    - Device.Read.All (Read device information)
    - DeviceManagementApps.Read.All (Read app management data)
    - DeviceManagementConfiguration.Read.All (Read device configurations)
    - DeviceManagementManagedDevices.Read.All (Read device management data)
#>


################################ Prerequisites #####################################################

# Fill in your App ID, Tenant ID, and Certificate Thumbprint
# Use parameter values if provided, otherwise use defaults
$appid = if ($AppId) { $AppId } else { '<YourAppIdHere>' } # App ID of the App Registration
$tenantid = if ($TenantId) { $TenantId } else { '<YourTenantIdHere>' } # Tenant ID of your EntraID
$certThumbprint = if ($CertificateThumbprint) { $CertificateThumbprint } else { '<YourCertificateThumbprintHere>' } # Thumbprint of the certificate associated with the App Registration
# $certName = '<YourCertificateNameHere>' # Name of the certificate associated with the App Registration

####################################################################################################

# Version of the local script
$localVersion = "3.4.1"

Write-Host "🔍 INTUNE ASSIGNMENT CHECKER" -ForegroundColor Cyan
Write-Host "Made by Ugur Koc with" -NoNewline; Write-Host " ❤️ and ☕" -NoNewline
Write-Host " | Version" -NoNewline; Write-Host " $localVersion" -ForegroundColor Yellow -NoNewline
Write-Host " | Last updated: " -NoNewline; Write-Host "2025-07-02" -ForegroundColor Magenta
Write-Host ""
Write-Host "📢 Feedback & Issues: " -NoNewline -ForegroundColor Cyan
Write-Host "https://github.com/ugurkocde/IntuneAssignmentChecker/issues" -ForegroundColor White
Write-Host "📄 Changelog: " -NoNewline -ForegroundColor Cyan
Write-Host "https://github.com/ugurkocde/IntuneAssignmentChecker/releases" -ForegroundColor White
Write-Host ""
Write-Host "💝 Support this Project: " -NoNewline -ForegroundColor Cyan
Write-Host "https://github.com/sponsors/ugurkocde" -ForegroundColor White
Write-Host ""
Write-Host "⚠️ DISCLAIMER: This script is provided AS IS without warranty of any kind." -ForegroundColor Yellow
Write-Host ""

####################################################################################################
# Autoupdate function

# URL to the version file on GitHub
$versionUrl = "https://raw.githubusercontent.com/ugurkocde/IntuneAssignmentChecker/refs/heads/main/version_v3.txt"

# URL to the latest script on GitHub
$scriptUrl = "https://raw.githubusercontent.com/ugurkocde/IntuneAssignmentChecker/main/IntuneAssignmentChecker_v3.ps1"

# Determine the script path based on whether it's run as a file or from an IDE
if ($PSScriptRoot) {
    $newScriptPath = Join-Path $PSScriptRoot "IntuneAssignmentChecker_v3.ps1"
}
else {
    $currentDirectory = Get-Location
    $newScriptPath = Join-Path $currentDirectory "IntuneAssignmentChecker_v3.ps1"
}

# Flag to control auto-update behavior
$autoUpdate = $true  # Set to $false to disable auto-update

try {
    # Fetch the latest version number from GitHub
    $latestVersion = Invoke-RestMethod -Uri $versionUrl
    
    # Compare versions using System.Version for proper semantic versioning
    $local = [System.Version]::new($localVersion)
    $latest = [System.Version]::new($latestVersion)
    
    if ($local -lt $latest) {
        Write-Host "A new version is available: $latestVersion (you are running $localVersion)" -ForegroundColor Yellow
        if ($autoUpdate) {
            Write-Host "AutoUpdate is enabled. Downloading the latest version..." -ForegroundColor Yellow
            try {
                # Download the latest version of the script
                Invoke-WebRequest -Uri $scriptUrl -OutFile $newScriptPath
                Write-Host "The latest version has been downloaded to $newScriptPath" -ForegroundColor Yellow
                Write-Host "Please restart the script to use the updated version." -ForegroundColor Yellow
            }
            catch {
                Write-Host "An error occurred while downloading the latest version. Please download it manually from: https://github.com/ugurkocde/IntuneAssignmentChecker" -ForegroundColor Red
            }
        }
        else {
            Write-Host "Auto-update is disabled. Get the latest version at:" -ForegroundColor Yellow
            Write-Host "https://github.com/ugurkocde/IntuneAssignmentChecker" -ForegroundColor Cyan
            Write-Host "" 
        }
    }
    elseif ($local -gt $latest) {
        Write-Host "Note: You are running a pre-release version ($localVersion)" -ForegroundColor Magenta
        Write-Host ""
    }
}
catch {
    Write-Host "Unable to check for updates. Continue with current version..." -ForegroundColor Gray
}

####################################################################################################

# Do not change the following code

# Script-level variables
$script:GraphEndpoint = $null
$script:GraphEnvironment = $null

# Ask user to select the Intune environment
function Set-Environment {
    param (
        [Parameter(Mandatory = $false)]
        [string]$EnvironmentName
    )
    
    if ($EnvironmentName) {
        switch ($EnvironmentName) {
            'Global' {
                $script:GraphEndpoint = "https://graph.microsoft.com"
                $script:GraphEnvironment = "Global"
                Write-Host "Environment set to Global" -ForegroundColor Green
                return $script:GraphEnvironment
            }
            'USGov' {
                $script:GraphEndpoint = "https://graph.microsoft.us"
                $script:GraphEnvironment = "USGov"
                Write-Host "Environment set to USGov" -ForegroundColor Green
                return $script:GraphEnvironment
            }
            'USGovDoD' {
                $script:GraphEndpoint = "https://dod-graph.microsoft.us"
                $script:GraphEnvironment = "USGovDoD"
                Write-Host "Environment set to USGovDoD" -ForegroundColor Green
                return $script:GraphEnvironment
            }
            default {
                Write-Host "Invalid environment name. Using interactive selection." -ForegroundColor Yellow
                # Fall through to interactive selection
            }
        }
    }
    
    # Interactive selection if no valid environment name was provided
    do {
        Write-Host "Select Intune Tenant Environment:" -ForegroundColor Cyan
        Write-Host " [1] Global" -ForegroundColor White
        Write-Host " [2] USGov" -ForegroundColor White
        Write-Host " [3] USGovDoD" -ForegroundColor White
        Write-Host ""
        Write-Host " [0] Exit" -ForegroundColor White
        Write-Host ""
        Write-Host "Select an option: " -ForegroundColor Yellow -NoNewline

        $selection = Read-Host

        switch ($selection) {
            '1' {
                $script:GraphEndpoint = "https://graph.microsoft.com"
                $script:GraphEnvironment = "Global"
                Write-Host "Environment set to Global" -ForegroundColor Green
                return $script:GraphEnvironment
            }
            '2' {
                $script:GraphEndpoint = "https://graph.microsoft.us"
                $script:GraphEnvironment = "USGov"
                Write-Host "Environment set to USGov" -ForegroundColor Green
                return $script:GraphEnvironment
            }
            '3' {
                $script:GraphEndpoint = "https://dod-graph.microsoft.us"
                $script:GraphEnvironment = "USGovDoD"
                Write-Host "Environment set to USGovDoD" -ForegroundColor Green
                return $script:GraphEnvironment
            }
            '0' {
                Write-Host "Thank you for using IntuneAssignmentChecker! 👋" -ForegroundColor Green
                Write-Host "If you found this tool helpful, please consider:" -ForegroundColor Cyan
                Write-Host "- Starring the repository: https://github.com/ugurkocde/IntuneAssignmentChecker" -ForegroundColor White
                Write-Host "- Supporting the project: https://github.com/sponsors/ugurkocde" -ForegroundColor White
                Write-Host ""
                exit
            }
            default {
                Write-Host "Invalid choice, please select 1,2,3, or 0" -ForegroundColor Red
            }
        }
    } while ($selection -ne '0')
}

# Connect to Microsoft Graph using certificate-based authentication

try {
    # Define required permissions with reasons
    $requiredPermissions = @(
        @{
            Permission = "User.Read.All"
            Reason     = "Required to read user profile information and check group memberships"
        },
        @{
            Permission = "Group.Read.All"
            Reason     = "Needed to read group information and memberships"
        },
        @{
            Permission = "DeviceManagementConfiguration.Read.All"
            Reason     = "Allows reading Intune device configuration policies and their assignments"
        },
        @{
            Permission = "DeviceManagementApps.Read.All"
            Reason     = "Necessary to read mobile app management policies and app configurations"
        },
        @{
            Permission = "DeviceManagementManagedDevices.Read.All"
            Reason     = "Required to read managed device information and compliance policies"
        },
        @{
            Permission = "Device.Read.All"
            Reason     = "Needed to read device information from Entra ID"
        }
    )

    # Check if any of the variables are not set or contain placeholder values
    if (-not $appid -or $appid -eq '<YourAppIdHere>' -or
        -not $tenantid -or $tenantid -eq '<YourTenantIdHere>' -or
        -not $certThumbprint -or $certThumbprint -eq '<YourCertificateThumbprintHere>') {
        Write-Host "App ID, Tenant ID, or Certificate Thumbprint is missing or not set correctly." -ForegroundColor Red
        $manualConnection = Read-Host "Would you like to attempt a manual interactive connection? (y/n)"
        if ($manualConnection -eq 'y') {
            # Manual connection using interactive login
            Write-Host "Attempting manual interactive connection (you need privileges to consent permissions)..." -ForegroundColor Yellow
            $permissionsList = ($requiredPermissions | ForEach-Object { $_.Permission }) -join ', '
            # In parameter mode, use the Environment parameter (which defaults to Global)
            # In interactive mode, always prompt for environment selection
            if ($parameterMode) {
                Set-Environment -EnvironmentName $Environment
            }
            else {
                Set-Environment  # Prompt for environment selection in interactive mode
            }
            $connectionResult = Connect-MgGraph -Scopes $permissionsList -Environment $script:GraphEnvironment -NoWelcome -ErrorAction Stop
        }
        else {
            Write-Host "Script execution cancelled by user." -ForegroundColor Red
            exit
        }
    }
    else {
        # In parameter mode, use the Environment parameter (which defaults to Global)
        # In interactive mode, always prompt for environment selection
        if ($parameterMode) {
            Set-Environment -EnvironmentName $Environment
        }
        else {
            Set-Environment  # Prompt for environment selection in interactive mode
        }
        $connectionResult = Connect-MgGraph -ClientId $appid -TenantId $tenantid -Environment $script:GraphEnvironment -CertificateThumbprint $certThumbprint -NoWelcome -ErrorAction Stop
    }
    Write-Host "Successfully connected to Microsoft Graph" -ForegroundColor Green

    # Check and display the current permissions
    $context = Get-MgContext
    $currentPermissions = $context.Scopes

    Write-Host "Checking required permissions:" -ForegroundColor Cyan
    $missingPermissions = @()
    foreach ($permissionInfo in $requiredPermissions) {
        $permission = $permissionInfo.Permission
        $reason = $permissionInfo.Reason

        # Check if either the exact permission or a "ReadWrite" version of it is granted
        $hasPermission = $currentPermissions -contains $permission -or $currentPermissions -contains $permission.Replace(".Read", ".ReadWrite")

        if ($hasPermission) {
            Write-Host " [✓] $permission" -ForegroundColor Green
            Write-Host " Reason: $reason" -ForegroundColor Gray
        }
        else {
            Write-Host " [✗] $permission" -ForegroundColor Red
            Write-Host " Reason: $reason" -ForegroundColor Gray
            $missingPermissions += $permission
        }
    }

    if ($missingPermissions.Count -eq 0) {
        Write-Host "All required permissions are present." -ForegroundColor Green
        Write-Host ""
    }
    else {
        Write-Host "WARNING: The following permissions are missing:" -ForegroundColor Red
        $missingPermissions | ForEach-Object { 
            $missingPermission = $_
            $reason = ($requiredPermissions | Where-Object { $_.Permission -eq $missingPermission }).Reason
            Write-Host " - $missingPermission" -ForegroundColor Yellow
            Write-Host " Reason: $reason" -ForegroundColor Gray
        }
        Write-Host "The script will continue, but it may not function correctly without these permissions." -ForegroundColor Red
        Write-Host "Please ensure these permissions are granted to the app registration for full functionality." -ForegroundColor Yellow
        
        $continueChoice = Read-Host "Do you want to continue anyway? (y/n)"
        if ($continueChoice -ne 'y') {
            Write-Host "Script execution cancelled by user." -ForegroundColor Red
            exit
        }
    }
}
catch {
    Write-Host "Failed to connect to Microsoft Graph. Error: $_" -ForegroundColor Red
    
    # Additional error handling for certificate issues
    if ($_.Exception.Message -like "*Certificate with thumbprint*was not found*") {
        Write-Host "The specified certificate was not found or has expired. Please check your certificate configuration." -ForegroundColor Yellow
    }
    
    exit
}

# Common Functions
function Get-IntuneAssignments {
    param (
        [Parameter(Mandatory = $true)]
        [string]$EntityType,
        
        [Parameter(Mandatory = $true)]
        [string]$EntityId,
        
        [Parameter(Mandatory = $false)]
        [string]$GroupId = $null
    )

    # Determine the correct assignments URI based on EntityType
    $actualAssignmentsUri = $null
    # $isResolvedAppProtectionPolicy = $false # Flag if we resolved a generic App Protection Policy. Not strictly needed with current logic.

    if ($EntityType -eq "deviceAppManagement/managedAppPolicies") {
        # For generic App Protection Policies, determine the specific policy type first
        $policyDetailsUri = "$GraphEndpoint/beta/deviceAppManagement/managedAppPolicies/$EntityId"
        try {
            $policyDetailsResponse = Invoke-MgGraphRequest -Uri $policyDetailsUri -Method Get
            $policyODataType = $policyDetailsResponse.'@odata.type'
            $specificPolicyTypePath = switch ($policyODataType) {
                "#microsoft.graph.androidManagedAppProtection" { "androidManagedAppProtections" }
                "#microsoft.graph.iosManagedAppProtection" { "iosManagedAppProtections" }
                "#microsoft.graph.windowsManagedAppProtection" { "windowsManagedAppProtections" }
                default { $null }
            }
            if ($specificPolicyTypePath) {
                $actualAssignmentsUri = "$GraphEndpoint/beta/deviceAppManagement/$specificPolicyTypePath('$EntityId')/assignments"
            }
            else {
                Write-Warning "Could not determine specific App Protection Policy type for $EntityId from OData type '$policyODataType'."
                return [System.Collections.ArrayList]::new() # Return empty ArrayList
            }
        }
        catch {
            Write-Warning "Error fetching details for App Protection Policy '$EntityId': $($_.Exception.Message)"
            return [System.Collections.ArrayList]::new() # Return empty ArrayList
        }
    }
    elseif ($EntityType -eq "mobileAppConfigurations") {
        $actualAssignmentsUri = "$GraphEndpoint/beta/deviceAppManagement/mobileAppConfigurations('$EntityId')/assignments"
    }
    elseif ($EntityType -like "deviceAppManagement/*ManagedAppProtections") {
        # Already specific App Protection Policy type
        # Example: deviceAppManagement/iosManagedAppProtections
        $actualAssignmentsUri = "$GraphEndpoint/beta/$EntityType('$EntityId')/assignments" # EntityType already includes deviceAppManagement
    }
    else {
        # General device management entities
        $actualAssignmentsUri = "$GraphEndpoint/beta/deviceManagement/$EntityType('$EntityId')/assignments"
    }

    if (-not $actualAssignmentsUri) {
        # This case should ideally be covered by the logic above, but as a fallback:
        Write-Warning "Could not determine a valid assignments URI for EntityType '$EntityType' and EntityId '$EntityId'."
        return [System.Collections.ArrayList]::new() # Return empty ArrayList
    }

    $assignmentsToReturn = [System.Collections.ArrayList]::new()
    try {
        $allAssignmentsForEntity = [System.Collections.ArrayList]::new()
        $currentAssignmentsPageUri = $actualAssignmentsUri
        do {
            $pagedAssignmentResponse = Invoke-MgGraphRequest -Uri $currentAssignmentsPageUri -Method Get
            if ($pagedAssignmentResponse -and $null -ne $pagedAssignmentResponse.value) {
                $allAssignmentsForEntity.AddRange($pagedAssignmentResponse.value)
            }
            $currentAssignmentsPageUri = $pagedAssignmentResponse.'@odata.nextLink'
        } while (![string]::IsNullOrEmpty($currentAssignmentsPageUri))

        # Ensure $allAssignmentsForEntity is not null before trying to iterate
        $assignmentList = if ($allAssignmentsForEntity) { $allAssignmentsForEntity } else { @() }

        foreach ($assignment in $assignmentList) {
            $currentAssignmentReason = $null
            $currentTargetGroupId = $null # Initialize to null

            if ($assignment.target -and $assignment.target.'@odata.type') {
                $odataType = $assignment.target.'@odata.type'
                
                if ($odataType -eq '#microsoft.graph.groupAssignmentTarget') {
                    $currentTargetGroupId = $assignment.target.groupId
                    if ($GroupId) {
                        # Specific group check requested
                        if ($currentTargetGroupId -eq $GroupId) {
                            $currentAssignmentReason = "Direct Assignment"
                        }
                    }
                    else {
                        # No specific group, list all group assignments
                        $currentAssignmentReason = "Group Assignment"
                    }
                }
                elseif ($odataType -eq '#microsoft.graph.exclusionGroupAssignmentTarget') {
                    $currentTargetGroupId = $assignment.target.groupId
                    if ($GroupId) {
                        # Specific group check requested
                        if ($currentTargetGroupId -eq $GroupId) {
                            $currentAssignmentReason = "Direct Exclusion"
                        }
                    }
                    else {
                        # No specific group, list all group exclusions
                        $currentAssignmentReason = "Group Exclusion"
                    }
                }
                elseif (-not $GroupId) {
                    # Only consider non-group assignments if NOT querying for a specific group
                    $currentAssignmentReason = switch ($odataType) {
                        '#microsoft.graph.allLicensedUsersAssignmentTarget' { "All Users" }
                        '#microsoft.graph.allDevicesAssignmentTarget' { "All Devices" }
                        default { $null }
                    }
                }
            }
            else {
                Write-Warning "Assignment item for EntityId '$EntityId' (URI: $actualAssignmentsUri) is missing 'target' or 'target.@odata.type' property. Assignment data: $($assignment | ConvertTo-Json -Depth 3)"
            }
            
            if ($currentAssignmentReason) {
                $null = $assignmentsToReturn.Add(@{
                        Reason  = $currentAssignmentReason
                        GroupId = $currentTargetGroupId
                        Apps    = $null # 'Apps' property is not directly available from general assignments endpoint
                    })
            }
        }
    }
    catch {
        Write-Warning "Error fetching assignments from '$actualAssignmentsUri': $($_.Exception.Message)"
    }
    
    return $assignmentsToReturn
}

function Get-IntuneEntities {
    param (
        [Parameter(Mandatory = $true)]
        [string]$EntityType,
        
        [Parameter(Mandatory = $false)]
        [string]$Filter = "",
        
        [Parameter(Mandatory = $false)]
        [string]$Select = "",
        
        [Parameter(Mandatory = $false)]
        [string]$Expand = ""
    )

    # Handle special cases for app management and specific deviceManagement endpoints
    if ($EntityType -like "deviceAppManagement/*" -or $EntityType -eq "deviceManagement/templates" -or $EntityType -eq "deviceManagement/intents") {
        $baseUri = "$GraphEndpoint/beta"
        $actualEntityType = $EntityType
    }
    else {
        $baseUri = "$GraphEndpoint/beta/deviceManagement"
        $actualEntityType = "$EntityType"
    }
    
    $currentUri = "$baseUri/$actualEntityType"
    if ($Filter) { $currentUri += "?`$filter=$Filter" }
    if ($Select) { $currentUri += $(if ($Filter) { "&" }else { "?" }) + "`$select=$Select" }
    if ($Expand) { $currentUri += $(if ($Filter -or $Select) { "&" }else { "?" }) + "`$expand=$Expand" }

    $entities = [System.Collections.ArrayList]::new() # Initialize as ArrayList

    do {
        try {
            $response = Invoke-MgGraphRequest -Uri $currentUri -Method Get -ErrorAction Stop
            if ($null -ne $response -and $null -ne $response.value) {
                if ($response.value -is [array]) {
                    $entities.AddRange($response.value)
                }
                else {
                    $entities.Add($response.value)
                }
            }
            $currentUri = $response.'@odata.nextLink'
        }
        catch {
            Write-Warning "Error fetching entities for $EntityType from $currentUri : $($_.Exception.Message)"
            $currentUri = $null # Stop pagination on error
        }
    } while ($currentUri)

    return $entities
}

function Get-GroupInfo {
    param (
        [Parameter(Mandatory = $true)]
        [string]$GroupId
    )

    try {
        $groupUri = "$GraphEndpoint/v1.0/groups/$GroupId"
        $group = Invoke-MgGraphRequest -Uri $groupUri -Method Get
        return @{
            Id          = $group.id
            DisplayName = $group.displayName
            Success     = $true
        }
    }
    catch {
        return @{
            Id          = $GroupId
            DisplayName = "Unknown Group"
            Success     = $false
        }
    }
}

function Get-DeviceInfo {
    param (
        [Parameter(Mandatory = $true)]
        [string]$DeviceName
    )

    $deviceUri = "$GraphEndpoint/v1.0/devices?`$filter=displayName eq '$DeviceName'"
    $deviceResponse = Invoke-MgGraphRequest -Uri $deviceUri -Method Get
    
    if ($deviceResponse.value) {
        return @{
            Id          = $deviceResponse.value[0].id
            DisplayName = $deviceResponse.value[0].displayName
            Success     = $true
        }
    }
    
    return @{
        Id          = $null
        DisplayName = $DeviceName
        Success     = $false
    }
}

function Get-UserInfo {
    param (
        [Parameter(Mandatory = $true)]
        [string]$UserPrincipalName
    )

    try {
        $userUri = "$GraphEndpoint/v1.0/users/$UserPrincipalName"
        $user = Invoke-MgGraphRequest -Uri $userUri -Method Get
        return @{
            Id                = $user.id
            UserPrincipalName = $user.userPrincipalName
            Success           = $true
        }
    }
    catch {
        return @{
            Id                = $null
            UserPrincipalName = $UserPrincipalName
            Success           = $false
        }
    }
}

function Get-GroupMemberships {
    param (
        [Parameter(Mandatory = $true)]
        [string]$ObjectId,
        
        [Parameter(Mandatory = $true)]
        [ValidateSet("User", "Device")]
        [string]$ObjectType
    )

    $uri = "$GraphEndpoint/v1.0/$($ObjectType.ToLower())s/$ObjectId/transitiveMemberOf?`$select=id,displayName"
    $response = Invoke-MgGraphRequest -Uri $uri -Method Get
    
    return $response.value
}

function Get-AssignmentInfo {
    param (
        [Parameter(Mandatory = $true)]
        [AllowNull()]
        [array]$Assignments
    )

    if ($null -eq $Assignments -or $Assignments.Count -eq 0) {
        return @{
            Type   = "None"
            Target = "Not Assigned"
        }
    }

    $assignment = $Assignments[0]  # Take the first assignment
    $type = switch ($assignment.Reason) {
        "All Users" { "All Users"; break }
        "All Devices" { "All Devices"; break }
        "Group Assignment" { "Group"; break }
        default { "None" }
    }

    $target = switch ($type) {
        "All Users" { "All Users" }
        "All Devices" { "All Devices" }
        "Group" {
            if ($assignment.GroupId) {
                $groupInfo = Get-GroupInfo -GroupId $assignment.GroupId
                $groupInfo.DisplayName
            }
            else {
                "Unknown Group"
            }
        }
        default { "Not Assigned" }
    }

    return @{
        Type   = $type
        Target = $target
    }
}

function Get-AssignmentFailures {
    Write-Host "Fetching assignment failures..." -ForegroundColor Green
    
    $failedAssignments = [System.Collections.ArrayList]::new()
    $headers = @{
        'Authorization' = "Bearer $($global:graphApiToken)"
        'Content-Type'  = 'application/json'
    }
    
    # 1. Get App Install Failures
    # Note: App installation status endpoint requires specific permissions and may not be available in all environments
    <# Temporarily disabled due to endpoint availability
    Write-Host "Checking app installation failures..." -ForegroundColor Yellow
    try {
        $reportBody = @{
            filter = ""
            select = @(
                "DeviceName", "UserPrincipalName", "Platform", "AppVersion",
                "InstallState", "InstallStateDetail", "ErrorCode", "HexErrorCode",
                "ApplicationId", "AppInstallState", "AppInstallStateDetails",
                "LastModifiedDateTime", "DeviceId", "UserId", "UserName"
            )
            skip = 0
            top = 50
        } | ConvertTo-Json
        
        $allAppFailures = @()
        $skip = 0
        
        do {
            $reportBody = @{
                filter = ""
                select = @(
                    "DeviceName", "UserPrincipalName", "Platform", "AppVersion",
                    "InstallState", "InstallStateDetail", "ErrorCode", "HexErrorCode",
                    "ApplicationId", "AppInstallState", "AppInstallStateDetails",
                    "LastModifiedDateTime", "DeviceId", "UserId", "UserName"
                )
                skip = $skip
                top = 50
            } | ConvertTo-Json
            
            $uri = "https://graph.microsoft.com/beta/deviceManagement/reports/getMobileApplicationManagementAppStatusReport"
            $response = try {
                Invoke-MgGraphRequest -Uri $uri -Method POST -Body $reportBody
            } catch {
                # If the new endpoint fails, try the alternative endpoint
                $uri = "https://graph.microsoft.com/beta/deviceManagement/reports/getAppStatusOverviewReport"
                Invoke-MgGraphRequest -Uri $uri -Method POST -Body $reportBody
            }
            
            if ($response.values) {
                $appFailures = $response.values | Where-Object {
                    $_[6] -ne 0 -or # ErrorCode
                    $_[4] -eq "failed" -or # InstallState
                    $_[9] -eq "failed" # AppInstallState
                }
                
                foreach ($failure in $appFailures) {
                    $allAppFailures += [PSCustomObject]@{
                        Type = "App"
                        PolicyName = "Application ID: $($failure[8])" # ApplicationId
                        Target = if ($failure[1]) { "User: $($failure[1])" } else { "Device: $($failure[0])" }
                        ErrorCode = if ($failure[7]) { "Error: 0x$($failure[7])" } else { "Error: $($failure[6])" } # HexErrorCode or ErrorCode
                        ErrorDescription = if ($failure[5] -and $failure[10]) { "$($failure[5]) - $($failure[10])" } elseif ($failure[5]) { $failure[5] } elseif ($failure[10]) { $failure[10] } else { "Installation failed" }
                        LastAttempt = $failure[11] # LastModifiedDateTime
                    }
                }
                $skip += 50
            }
        } while ($response.values -and $response.values.Count -eq 50)
        
        Write-Host "Found $($allAppFailures.Count) app installation failures" -ForegroundColor Green
        $failedAssignments.AddRange($allAppFailures)
    }
    catch {
        Write-Host "Error fetching app installation failures: $($_.Exception.Message)" -ForegroundColor Red
    }
    #>

    
    # 2. Get Device Configuration Policy Failures
    Write-Host "Checking device configuration policy failures..." -ForegroundColor Yellow
    try {
        $configPoliciesUri = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations"
        $configPolicies = (Invoke-MgGraphRequest -Uri $configPoliciesUri -Method GET).value
        
        foreach ($policy in $configPolicies) {
            $statusUri = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations('$($policy.id)')/deviceStatuses"
            $statuses = (Invoke-MgGraphRequest -Uri $statusUri -Method GET).value
            
            $failures = $statuses | Where-Object { 
                $_.status -in @("error", "conflict", "notApplicable") -or
                $_.complianceGracePeriodExpirationDateTime -and 
                [DateTime]$_.complianceGracePeriodExpirationDateTime -lt [DateTime]::Now
            }
            
            foreach ($failure in $failures) {
                $null = $failedAssignments.Add([PSCustomObject]@{
                        Type             = "Device Configuration"
                        PolicyName       = $policy.displayName
                        Target           = "Device: $($failure.deviceDisplayName)"
                        ErrorCode        = "$($failure.status)"
                        ErrorDescription = if ($failure.userPrincipalName) { "$($failure.userPrincipalName)" } else { "No additional details" }
                        LastAttempt      = $failure.lastReportedDateTime
                    })
            }
        }
    }
    catch {
        Write-Host "Error fetching device configuration failures: $($_.Exception.Message)" -ForegroundColor Red
    }
    
    # 3. Get Compliance Policy Failures
    Write-Host "Checking compliance policy failures..." -ForegroundColor Yellow
    try {
        $compliancePoliciesUri = "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies"
        $compliancePolicies = (Invoke-MgGraphRequest -Uri $compliancePoliciesUri -Method GET).value
        
        foreach ($policy in $compliancePolicies) {
            $statusUri = "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies('$($policy.id)')/deviceStatuses"
            $statuses = (Invoke-MgGraphRequest -Uri $statusUri -Method GET).value
            
            $failures = $statuses | Where-Object { 
                $_.status -in @("error", "conflict", "notApplicable", "nonCompliant")
            }
            
            foreach ($failure in $failures) {
                $null = $failedAssignments.Add([PSCustomObject]@{
                        Type             = "Compliance Policy"
                        PolicyName       = $policy.displayName
                        Target           = "Device: $($failure.deviceDisplayName)"
                        ErrorCode        = "$($failure.status)"
                        ErrorDescription = if ($failure.userPrincipalName) { "$($failure.userPrincipalName)" } else { "No additional details" }
                        LastAttempt      = $failure.lastReportedDateTime
                    })
            }
        }
    }
    catch {
        Write-Host "Error fetching compliance policy failures: $($_.Exception.Message)" -ForegroundColor Red
    }
    
    return $failedAssignments
}

function Show-SaveFileDialog {
    param (
        [string]$DefaultFileName
    )
    
    Add-Type -AssemblyName System.Windows.Forms
    $saveFileDialog = New-Object System.Windows.Forms.SaveFileDialog
    $saveFileDialog.Filter = "Excel files (*.xlsx)|*.xlsx|CSV files (*.csv)|*.csv|All files (*.*)|*.*"
    $saveFileDialog.FileName = $DefaultFileName
    $saveFileDialog.Title = "Save Policy Report"
    
    if ($saveFileDialog.ShowDialog() -eq 'OK') {
        return $saveFileDialog.FileName
    }
    return $null
}

function Export-PolicyData {
    param (
        [Parameter(Mandatory = $true)]
        [System.Collections.ArrayList]$ExportData,
        [Parameter(Mandatory = $true)]
        [string]$FilePath
    )

    $extension = [System.IO.Path]::GetExtension($FilePath).ToLower()
    
    if ($extension -eq '.xlsx') {
        # Check if ImportExcel module is installed
        if (-not (Get-Module -ListAvailable -Name ImportExcel)) {
            Write-Host "The ImportExcel module is required for Excel export. Would you like to install it? (y/n)" -ForegroundColor Yellow
            $install = Read-Host
            if ($install -eq 'y') {
                try {
                    Install-Module -Name ImportExcel -Force -Scope CurrentUser
                    Write-Host "ImportExcel module installed successfully." -ForegroundColor Green
                }
                catch {
                    Write-Host "Failed to install ImportExcel module. Falling back to CSV export." -ForegroundColor Red
                    $FilePath = [System.IO.Path]::ChangeExtension($FilePath, '.csv')
                    $ExportData | Export-Csv -Path $FilePath -NoTypeInformation
                    Write-Host "Results exported to $FilePath" -ForegroundColor Green
                    return
                }
            }
            else {
                Write-Host "Falling back to CSV export." -ForegroundColor Yellow
                $FilePath = [System.IO.Path]::ChangeExtension($FilePath, '.csv')
                $ExportData | Export-Csv -Path $FilePath -NoTypeInformation
                Write-Host "Results exported to $FilePath" -ForegroundColor Green
                return
            }
        }

        try {
            $ExportData | Export-Excel -Path $FilePath -AutoSize -AutoFilter -WorksheetName "Intune Assignments" -TableName "IntuneAssignments"
            Write-Host "Results exported to $FilePath" -ForegroundColor Green
        }
        catch {
            Write-Host "Failed to export to Excel. Falling back to CSV export." -ForegroundColor Red
            $FilePath = [System.IO.Path]::ChangeExtension($FilePath, '.csv')
            $ExportData | Export-Csv -Path $FilePath -NoTypeInformation
            Write-Host "Results exported to $FilePath" -ForegroundColor Green
        }
    }
    else {
        $ExportData | Export-Csv -Path $FilePath -NoTypeInformation
        Write-Host "Results exported to $FilePath" -ForegroundColor Green
    }
}

function Add-ExportData {
    param (
        [System.Collections.ArrayList]$ExportData,
        [string]$Category,
        [object[]]$Items,
        [Parameter(Mandatory = $false)]
        [object]$AssignmentReason = "N/A"
    )
    
    foreach ($item in $Items) {
        $itemName = if ($item.displayName) { $item.displayName } else { $item.name }
        
        # Handle different types of assignment reason input
        $reason = if ($AssignmentReason -is [scriptblock]) {
            & $AssignmentReason $item
        }
        elseif ($item.AssignmentReason) {
            $item.AssignmentReason
        }
        elseif ($item.AssignmentSummary) {
            $item.AssignmentSummary
        }
        else {
            $AssignmentReason
        }
        
        $null = $ExportData.Add([PSCustomObject]@{
                Category         = $Category
                Item             = "$itemName (ID: $($item.id))"
                AssignmentReason = $reason
            })
    }
}

function Add-AppExportData {
    param (
        [System.Collections.ArrayList]$ExportData,
        [string]$Category,
        [object[]]$Apps,
        [string]$AssignmentReason = "N/A"
    )
    
    foreach ($app in $Apps) {
        $appName = if ($app.displayName) { $app.displayName } else { $app.name }
        $null = $ExportData.Add([PSCustomObject]@{
                Category         = $Category
                Item             = "$appName (ID: $($app.id))"
                AssignmentReason = "$AssignmentReason - $($app.AssignmentIntent)"
            })
    }
}

function Show-Menu {    
    Write-Host "Assignment Checks:" -ForegroundColor Cyan
    Write-Host " [1] Check User(s) Assignments" -ForegroundColor White
    Write-Host " [2] Check Group(s) Assignments" -ForegroundColor White
    Write-Host " [3] Check Device(s) Assignments" -ForegroundColor White
    Write-Host ""
    
    Write-Host "Policy Overview:" -ForegroundColor Cyan
    Write-Host " [4] Show All Policies and Their Assignments" -ForegroundColor White
    Write-Host " [5] Show All 'All Users' Assignments" -ForegroundColor White
    Write-Host " [6] Show All 'All Devices' Assignments" -ForegroundColor White
    Write-Host ""
    
    Write-Host "Advanced Options:" -ForegroundColor Cyan
    Write-Host " [7] Generate HTML Report" -ForegroundColor White
    Write-Host " [8] Show Policies Without Assignments" -ForegroundColor White
    Write-Host " [9] Check for Empty Groups in Assignments" -ForegroundColor White
    Write-Host " [10] Compare Assignments Between Groups" -ForegroundColor White
    Write-Host " [11] Show All Failed Assignments" -ForegroundColor White
    Write-Host ""
    
    Write-Host "System:" -ForegroundColor Cyan
    Write-Host " [0] Exit" -ForegroundColor White
    Write-Host " [98] Support the Project 💝" -ForegroundColor Magenta
    Write-Host " [99] Report a Bug or Request a Feature" -ForegroundColor White
    Write-Host ""
    
    Write-Host "Select an option: " -ForegroundColor Yellow -NoNewline
}

# Function to handle export
function Export-ResultsIfRequested {
    param (
        [System.Collections.ArrayList]$ExportData,
        [string]$DefaultFileName,
        [switch]$ForceExport,
        [string]$CustomExportPath
    )
    
    if ($ForceExport -or $ExportToCSV) {
        $exportPath = if ($CustomExportPath) {
            $CustomExportPath
        }
        else {
            Show-SaveFileDialog -DefaultFileName $DefaultFileName
        }
        
        if ($exportPath) {
            Export-PolicyData -ExportData $ExportData -FilePath $exportPath
        }
    }
    else {
        $export = Read-Host "`nWould you like to export the results to CSV? (y/n)"
        if ($export -eq 'y') {
            $exportPath = Show-SaveFileDialog -DefaultFileName $DefaultFileName
            if ($exportPath) {
                Export-PolicyData -ExportData $ExportData -FilePath $exportPath
            }
        }
    }
}

# Move this code to the beginning of the script, right after the param block

# Main script logic
do {
    # Only show menu in interactive mode
    if (-not $parameterMode) {
        Show-Menu
        $selection = Read-Host
    }
    else {
        $selection = $selectedOption
    }

    switch ($selection) {
        '1' {
            Write-Host "User selection chosen" -ForegroundColor Green

            # Get User Principal Names from parameter or prompt
            if ($parameterMode -and $UserPrincipalNames) {
                $upnInput = $UserPrincipalNames
            }
            else {
                # Prompt for one or more User Principal Names
                Write-Host "Please enter User Principal Name(s), separated by commas (,): " -ForegroundColor Cyan
                $upnInput = Read-Host
            }
    
            # Validate input
            if ([string]::IsNullOrWhiteSpace($upnInput)) {
                Write-Host "No UPN provided. Please try again with a valid UPN." -ForegroundColor Red
                if ($parameterMode) { exit 1 } else { continue }
            }
    
            $upns = $upnInput -split ',' | ForEach-Object { $_.Trim() } | Where-Object { -not [string]::IsNullOrWhiteSpace($_) }
    
            if ($upns.Count -eq 0) {
                Write-Host "No valid UPNs provided. Please try again with at least one valid UPN." -ForegroundColor Red
                if ($parameterMode) { exit 1 } else { continue }
            }

            $exportData = [System.Collections.ArrayList]::new()

            foreach ($upn in $upns) {
                Write-Host "Checking following UPN: $upn" -ForegroundColor Yellow

                # Get User Info
                $userInfo = Get-UserInfo -UserPrincipalName $upn
                if (-not $userInfo.Success) {
                    Write-Host "User not found: $upn" -ForegroundColor Red
                    Write-Host "Please verify the User Principal Name is correct." -ForegroundColor Yellow
                    continue
                }

                # Get User Group Memberships
                try {
                    $groupMemberships = Get-GroupMemberships -ObjectId $userInfo.Id -ObjectType "User"
                    Write-Host "User Group Memberships: $($groupMemberships.displayName -join ', ')" -ForegroundColor Green
                }
                catch {
                    Write-Host "Error fetching group memberships for user: $upn" -ForegroundColor Red
                    Write-Host "Error details: $($_.Exception.Message)" -ForegroundColor Red
                    continue
                }

                Write-Host "Fetching Intune Profiles and Applications for the user ... (this takes a few seconds)" -ForegroundColor Yellow

                # Initialize collections for relevant policies
                $relevantPolicies = @{
                    DeviceConfigs               = @()
                    SettingsCatalog             = @()
                    AdminTemplates              = @()
                    CompliancePolicies          = @()
                    AppProtectionPolicies       = @()
                    AppConfigurationPolicies    = @()
                    AppsRequired                = @()
                    AppsAvailable               = @()
                    AppsUninstall               = @()
                    PlatformScripts             = @()
                    HealthScripts               = @()
                    AntivirusProfiles           = @()
                    DiskEncryptionProfiles      = @()
                    FirewallProfiles            = @()
                    EndpointDetectionProfiles   = @()
                    AttackSurfaceProfiles       = @()
                    DeploymentProfiles          = @()
                    ESPProfiles                 = @()
                    CloudPCProvisioningPolicies = @()
                    CloudPCUserSettings         = @()
                }

                # Get Device Configurations
                Write-Host "Fetching Device Configurations..." -ForegroundColor Yellow
                $deviceConfigs = Get-IntuneEntities -EntityType "deviceConfigurations"
                foreach ($config in $deviceConfigs) {
                    $assignments = Get-IntuneAssignments -EntityType "deviceConfigurations" -EntityId $config.id
                    foreach ($assignment in $assignments) {
                        if ($assignment.Reason -eq "All Users" -or
                            ($assignment.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignment.GroupId)) {
                            $config | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignment.Reason -Force
                            $relevantPolicies.DeviceConfigs += $config
                            break
                        }
                        elseif ($assignment.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignment.GroupId) {
                            $config | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                            $relevantPolicies.DeviceConfigs += $config
                            break
                        }
                    }
                }

                # Get Settings Catalog Policies
                Write-Host "Fetching Settings Catalog Policies..." -ForegroundColor Yellow
                $settingsCatalog = Get-IntuneEntities -EntityType "configurationPolicies"
                foreach ($policy in $settingsCatalog) {
                    $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                    foreach ($assignment in $assignments) {
                        if ($assignment.Reason -eq "All Users" -or
                            ($assignment.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignment.GroupId)) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignment.Reason -Force
                            $relevantPolicies.SettingsCatalog += $policy
                            break
                        }
                        elseif ($assignment.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignment.GroupId) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                            $relevantPolicies.SettingsCatalog += $policy
                            break
                        }
                    }
                }

                # Get Administrative Templates
                Write-Host "Fetching Administrative Templates..." -ForegroundColor Yellow
                $adminTemplates = Get-IntuneEntities -EntityType "groupPolicyConfigurations"
                foreach ($template in $adminTemplates) {
                    $assignments = Get-IntuneAssignments -EntityType "groupPolicyConfigurations" -EntityId $template.id
                    foreach ($assignment in $assignments) {
                        if ($assignment.Reason -eq "All Users" -or
                            ($assignment.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignment.GroupId)) {
                            $template | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignment.Reason -Force
                            $relevantPolicies.AdminTemplates += $template
                            break
                        }
                        elseif ($assignment.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignment.GroupId) {
                            $template | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                            $relevantPolicies.AdminTemplates += $template
                            break
                        }
                    }
                }

                # Get Compliance Policies
                Write-Host "Fetching Compliance Policies..." -ForegroundColor Yellow
                $compliancePolicies = Get-IntuneEntities -EntityType "deviceCompliancePolicies"
                foreach ($policy in $compliancePolicies) {
                    $assignments = Get-IntuneAssignments -EntityType "deviceCompliancePolicies" -EntityId $policy.id
                    foreach ($assignment in $assignments) {
                        if ($assignment.Reason -eq "All Users" -or
                            ($assignment.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignment.GroupId)) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignment.Reason -Force
                            $relevantPolicies.CompliancePolicies += $policy
                            break
                        }
                        elseif ($assignment.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignment.GroupId) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                            $relevantPolicies.CompliancePolicies += $policy
                            break
                        }
                    }
                }

                # Get App Protection Policies
                Write-Host "Fetching App Protection Policies..." -ForegroundColor Yellow
                $appProtectionPolicies = Get-IntuneEntities -EntityType "deviceAppManagement/managedAppPolicies"
                foreach ($policy in $appProtectionPolicies) {
                    $policyType = $policy.'@odata.type'
                    $assignmentsUri = switch ($policyType) {
                        "#microsoft.graph.androidManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/androidManagedAppProtections('$($policy.id)')/assignments" }
                        "#microsoft.graph.iosManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/iosManagedAppProtections('$($policy.id)')/assignments" }
                        "#microsoft.graph.windowsManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/windowsManagedAppProtections('$($policy.id)')/assignments" }
                        default { $null }
                    }

                    if ($assignmentsUri) {
                        try {
                            $assignmentResponse = Invoke-MgGraphRequest -Uri $assignmentsUri -Method Get
                            $assignments = @()
                            foreach ($assignment in $assignmentResponse.value) {
                                $assignmentReason = $null
                                switch ($assignment.target.'@odata.type') {
                                    '#microsoft.graph.allLicensedUsersAssignmentTarget' {
                                        $assignmentReason = "All Users"
                                    }
                                    '#microsoft.graph.groupAssignmentTarget' {
                                        if (!$GroupId -or $assignment.target.groupId -eq $GroupId) {
                                            $assignmentReason = "Group Assignment"
                                        }
                                    }
                                    '#microsoft.graph.exclusionGroupAssignmentTarget' {
                                        if (!$GroupId -or $assignment.target.groupId -eq $GroupId) {
                                            $assignmentReason = "Group Exclusion"
                                        }
                                    }
                                }

                                if ($assignmentReason) {
                                    $assignments += @{
                                        Reason  = $assignmentReason
                                        GroupId = $assignment.target.groupId
                                    }
                                }
                            }

                            if ($assignments.Count -gt 0) {
                                $assignmentSummary = $assignments | ForEach-Object {
                                    if ($_.Reason -eq "Group Assignment" -or $_.Reason -eq "Group Exclusion") {
                                        $groupInfo = Get-GroupInfo -GroupId $_.GroupId
                                        $color = if ($_.Reason -eq "Group Exclusion") { "Red" } else { "White" }
                                        "$($_.Reason) - $($groupInfo.DisplayName)"
                                    }
                                    else {
                                        $_.Reason
                                    }
                                }
                                $policy | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                                $relevantPolicies.AppProtectionPolicies += $policy
                            }
                        }
                        catch {
                            Write-Host "Error fetching assignments for policy $($policy.displayName): $($_.Exception.Message)" -ForegroundColor Red
                        }
                    }
                }

                # Get App Configuration Policies
                Write-Host "Fetching App Configuration Policies..." -ForegroundColor Yellow
                $appConfigPolicies = Get-IntuneEntities -EntityType "deviceAppManagement/mobileAppConfigurations"
                foreach ($policy in $appConfigPolicies) {
                    $assignments = Get-IntuneAssignments -EntityType "mobileAppConfigurations" -EntityId $policy.id
                    foreach ($assignment in $assignments) {
                        if ($assignment.Reason -eq "All Users" -or 
                            ($assignment.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignment.GroupId)) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignment.Reason -Force
                            $relevantPolicies.AppConfigurationPolicies += $policy
                            break
                        }
                    }
                }

                # Fetch and process Applications
                Write-Host "Fetching Applications..." -ForegroundColor Yellow
                $appUri = "$GraphEndpoint/beta/deviceAppManagement/mobileApps?`$filter=isAssigned eq true"
                $appResponse = Invoke-MgGraphRequest -Uri $appUri -Method Get
                $allApps = $appResponse.value
                while ($appResponse.'@odata.nextLink') {
                    $appResponse = Invoke-MgGraphRequest -Uri $appResponse.'@odata.nextLink' -Method Get
                    $allApps += $appResponse.value
                }
                $totalApps = $allApps.Count
                $currentApp = 0

                foreach ($app in $allApps) {
                    # Filter out irrelevant apps
                    if ($app.isFeatured -or $app.isBuiltIn) {
                        continue
                    }

                    $currentApp++
                    Write-Host "`rFetching Application $currentApp of $totalApps" -NoNewline
                    $appId = $app.id
                    $assignmentsUri = "$GraphEndpoint/beta/deviceAppManagement/mobileApps('$appId')/assignments"
                    $assignmentResponse = Invoke-MgGraphRequest -Uri $assignmentsUri -Method Get

                    $isExcluded = $false
                    $isIncluded = $false

                    foreach ($assignment in $assignmentResponse.value) {
                        if ($assignment.target.'@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget' -and
                            $groupMemberships.id -contains $assignment.target.groupId) {
                            $isExcluded = $true
                            break
                        }
                        elseif ($assignment.target.'@odata.type' -eq '#microsoft.graph.allLicensedUsersAssignmentTarget' -or
                            ($assignment.target.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget' -and
                            $groupMemberships.id -contains $assignment.target.groupId)) {
                            $isIncluded = $true
                        }
                    }

                    if ($isIncluded -and -not $isExcluded) {
                        $appWithReason = $app.PSObject.Copy()
                        $appWithReason | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Included" -Force
                        switch ($assignment.intent) {
                            "required" { $relevantPolicies.AppsRequired += $appWithReason; break }
                            "available" { $relevantPolicies.AppsAvailable += $appWithReason; break }
                            "uninstall" { $relevantPolicies.AppsUninstall += $appWithReason; break }
                        }
                    }
                    elseif ($isExcluded) {
                        $appWithReason = $app.PSObject.Copy()
                        $appWithReason | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                        switch ($assignment.intent) {
                            "required" { $relevantPolicies.AppsRequired += $appWithReason; break }
                            "available" { $relevantPolicies.AppsAvailable += $appWithReason; break }
                            "uninstall" { $relevantPolicies.AppsUninstall += $appWithReason; break }
                        }
                    }
                }
                Write-Host "`rFetching Application $totalApps of $totalApps" -NoNewline
                Start-Sleep -Milliseconds 100
                Write-Host ""  # Move to the next line after the loop

                # Get Platform Scripts
                Write-Host "Fetching Platform Scripts..." -ForegroundColor Yellow
                $platformScripts = Get-IntuneEntities -EntityType "deviceManagementScripts"
                foreach ($script in $platformScripts) {
                    $assignments = Get-IntuneAssignments -EntityType "deviceManagementScripts" -EntityId $script.id
                    foreach ($assignment in $assignments) {
                        if ($assignment.Reason -eq "All Users" -or 
                            ($assignment.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignment.GroupId)) {
                            $script | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignment.Reason -Force
                            $relevantPolicies.PlatformScripts += $script
                            break
                        }
                    }
                }

                # Get Proactive Remediation Scripts
                Write-Host "Fetching Proactive Remediation Scripts..." -ForegroundColor Yellow
                $healthScripts = Get-IntuneEntities -EntityType "deviceHealthScripts"
                foreach ($script in $healthScripts) {
                    $assignments = Get-IntuneAssignments -EntityType "deviceHealthScripts" -EntityId $script.id
                    foreach ($assignment in $assignments) {
                        if ($assignment.Reason -eq "All Users" -or 
                            ($assignment.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignment.GroupId)) {
                            $script | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignment.Reason -Force
                            $relevantPolicies.HealthScripts += $script
                            break
                        }
                    }
                }

                # Get Endpoint Security - Antivirus Policies
                Write-Host "Fetching Antivirus Policies..." -ForegroundColor Yellow
                $antivirusPoliciesFound = [System.Collections.ArrayList]::new()
                $processedAntivirusIds = [System.Collections.Generic.HashSet[string]]::new()

                # 1. Check configurationPolicies
                $configPoliciesForAntivirus = Get-IntuneEntities -EntityType "configurationPolicies"
                $matchingConfigPoliciesAntivirus = $configPoliciesForAntivirus | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAntivirus' }

                if ($matchingConfigPoliciesAntivirus) {
                    foreach ($policy in $matchingConfigPoliciesAntivirus) {
                        if ($processedAntivirusIds.Add($policy.id)) {
                            $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                            foreach ($assignmentDetail in $assignments) {
                                if ($assignmentDetail.Reason -eq "All Users" -or
                                    ($assignmentDetail.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignmentDetail.GroupId)) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentDetail.Reason -Force
                                    [void]$antivirusPoliciesFound.Add($policy)
                                    break
                                }
                                elseif ($assignmentDetail.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignmentDetail.GroupId) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                    [void]$antivirusPoliciesFound.Add($policy)
                                    break
                                }
                            }
                        }
                    }
                }

                # 2. Check deviceManagement/intents
                $allIntentsForAntivirus = Get-IntuneEntities -EntityType "deviceManagement/intents"
                $matchingIntentsAntivirus = $allIntentsForAntivirus | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAntivirus' }
                
                if ($matchingIntentsAntivirus) {
                    foreach ($policy in $matchingIntentsAntivirus) {
                        if ($processedAntivirusIds.Add($policy.id)) {
                            $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                            $assignments = $assignmentsResponse.value
                            foreach ($assignment in $assignments) {
                                $assignmentDetails = @{
                                    Reason  = switch ($assignment.target.'@odata.type') {
                                        '#microsoft.graph.allLicensedUsersAssignmentTarget' { "All Users" }
                                        '#microsoft.graph.allDevicesAssignmentTarget' { "All Devices" }
                                        '#microsoft.graph.groupAssignmentTarget' { "Group Assignment" }
                                        '#microsoft.graph.exclusionGroupAssignmentTarget' { "Group Exclusion" }
                                        default { "Unknown" }
                                    }
                                    GroupId = if ($assignment.target.'@odata.type' -match "groupAssignmentTarget") { $assignment.target.groupId } else { $null }
                                }
                                if ($assignmentDetails.Reason -eq "All Users" -or
                                    ($assignmentDetails.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignmentDetails.GroupId)) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentDetails.Reason -Force
                                    [void]$antivirusPoliciesFound.Add($policy)
                                    break
                                }
                                elseif ($assignmentDetails.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignmentDetails.GroupId) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                    [void]$antivirusPoliciesFound.Add($policy)
                                    break
                                }
                            }
                        }
                    }
                }
                $relevantPolicies.AntivirusProfiles = $antivirusPoliciesFound
                
                # Get Endpoint Security - Disk Encryption Policies
                Write-Host "Fetching Disk Encryption Policies..." -ForegroundColor Yellow
                $diskEncryptionPoliciesFound = [System.Collections.ArrayList]::new()
                $processedDiskEncryptionIds = [System.Collections.Generic.HashSet[string]]::new()

                # 1. Check configurationPolicies
                $configPoliciesForDiskEncryption = Get-IntuneEntities -EntityType "configurationPolicies"
                $matchingConfigPoliciesDiskEnc = $configPoliciesForDiskEncryption | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityDiskEncryption' }
                
                if ($matchingConfigPoliciesDiskEnc) {
                    foreach ($policy in $matchingConfigPoliciesDiskEnc) {
                        if ($processedDiskEncryptionIds.Add($policy.id)) {
                            # Ensure unique processing
                            $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                            foreach ($assignmentDetail in $assignments) {
                                # Get-IntuneAssignments returns an array of hashtables
                                if ($assignmentDetail.Reason -eq "All Users" -or
                                    ($assignmentDetail.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignmentDetail.GroupId)) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentDetail.Reason -Force
                                    [void]$diskEncryptionPoliciesFound.Add($policy)
                                    break
                                }
                                elseif ($assignmentDetail.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignmentDetail.GroupId) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                    [void]$diskEncryptionPoliciesFound.Add($policy)
                                    break
                                }
                            }
                        }
                    }
                }

                # 2. Check deviceManagement/intents (excluding those already found)
                $allIntentsForDiskEncryption = Get-IntuneEntities -EntityType "deviceManagement/intents"
                $matchingIntentsDiskEnc = $allIntentsForDiskEncryption | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityDiskEncryption' }

                if ($matchingIntentsDiskEnc) {
                    foreach ($policy in $matchingIntentsDiskEnc) {
                        if ($processedDiskEncryptionIds.Add($policy.id)) {
                            # Ensure unique processing
                            $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                            $assignments = $assignmentsResponse.value
                            
                            foreach ($assignment in $assignments) {
                                $assignmentDetails = @{
                                    Reason  = switch ($assignment.target.'@odata.type') {
                                        '#microsoft.graph.allLicensedUsersAssignmentTarget' { "All Users" }
                                        '#microsoft.graph.allDevicesAssignmentTarget' { "All Devices" }
                                        '#microsoft.graph.groupAssignmentTarget' { "Group Assignment" }
                                        '#microsoft.graph.exclusionGroupAssignmentTarget' { "Group Exclusion" }
                                        default { "Unknown" }
                                    }
                                    GroupId = if ($assignment.target.'@odata.type' -match "groupAssignmentTarget") { $assignment.target.groupId } else { $null }
                                }

                                if ($assignmentDetails.Reason -eq "All Users" -or
                                    ($assignmentDetails.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignmentDetails.GroupId)) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentDetails.Reason -Force
                                    [void]$diskEncryptionPoliciesFound.Add($policy)
                                    break
                                }
                                elseif ($assignmentDetails.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignmentDetails.GroupId) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                    [void]$diskEncryptionPoliciesFound.Add($policy)
                                    break
                                }
                            }
                        }
                    }
                }
                $relevantPolicies.DiskEncryptionProfiles = $diskEncryptionPoliciesFound
                
                # Get Endpoint Security - Firewall Policies
                Write-Host "Fetching Firewall Policies..." -ForegroundColor Yellow
                $firewallPoliciesFound = [System.Collections.ArrayList]::new()
                $processedFirewallIds = [System.Collections.Generic.HashSet[string]]::new()

                # 1. Check configurationPolicies
                $configPoliciesForFirewall = Get-IntuneEntities -EntityType "configurationPolicies"
                $matchingConfigPoliciesFirewall = $configPoliciesForFirewall | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityFirewall' }

                if ($matchingConfigPoliciesFirewall) {
                    foreach ($policy in $matchingConfigPoliciesFirewall) {
                        if ($processedFirewallIds.Add($policy.id)) {
                            $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                            foreach ($assignmentDetail in $assignments) {
                                if ($assignmentDetail.Reason -eq "All Users" -or
                                    ($assignmentDetail.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignmentDetail.GroupId)) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentDetail.Reason -Force
                                    [void]$firewallPoliciesFound.Add($policy)
                                    break
                                }
                                elseif ($assignmentDetail.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignmentDetail.GroupId) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                    [void]$firewallPoliciesFound.Add($policy)
                                    break
                                }
                            }
                        }
                    }
                }

                # 2. Check deviceManagement/intents
                $allIntentsForFirewall = Get-IntuneEntities -EntityType "deviceManagement/intents"
                $matchingIntentsFirewall = $allIntentsForFirewall | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityFirewall' }

                if ($matchingIntentsFirewall) {
                    foreach ($policy in $matchingIntentsFirewall) {
                        if ($processedFirewallIds.Add($policy.id)) {
                            $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                            $assignments = $assignmentsResponse.value
                            foreach ($assignment in $assignments) {
                                $assignmentDetails = @{
                                    Reason  = switch ($assignment.target.'@odata.type') {
                                        '#microsoft.graph.allLicensedUsersAssignmentTarget' { "All Users" }
                                        '#microsoft.graph.allDevicesAssignmentTarget' { "All Devices" }
                                        '#microsoft.graph.groupAssignmentTarget' { "Group Assignment" }
                                        '#microsoft.graph.exclusionGroupAssignmentTarget' { "Group Exclusion" }
                                        default { "Unknown" }
                                    }
                                    GroupId = if ($assignment.target.'@odata.type' -match "groupAssignmentTarget") { $assignment.target.groupId } else { $null }
                                }
                                if ($assignmentDetails.Reason -eq "All Users" -or
                                    ($assignmentDetails.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignmentDetails.GroupId)) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentDetails.Reason -Force
                                    [void]$firewallPoliciesFound.Add($policy)
                                    break
                                }
                                elseif ($assignmentDetails.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignmentDetails.GroupId) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                    [void]$firewallPoliciesFound.Add($policy)
                                    break
                                }
                            }
                        }
                    }
                }
                $relevantPolicies.FirewallProfiles = $firewallPoliciesFound
                
                # Get Endpoint Security - Endpoint Detection and Response Policies
                Write-Host "Fetching Endpoint Detection and Response Policies..." -ForegroundColor Yellow
                $edrPoliciesFound = [System.Collections.ArrayList]::new()
                $processedEDRIds = [System.Collections.Generic.HashSet[string]]::new()

                # 1. Check configurationPolicies
                $configPoliciesForEDR = Get-IntuneEntities -EntityType "configurationPolicies"
                $matchingConfigPoliciesEDR = $configPoliciesForEDR | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityEndpointDetectionAndResponse' }

                if ($matchingConfigPoliciesEDR) {
                    foreach ($policy in $matchingConfigPoliciesEDR) {
                        if ($processedEDRIds.Add($policy.id)) {
                            $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                            foreach ($assignmentDetail in $assignments) {
                                if ($assignmentDetail.Reason -eq "All Users" -or
                                    ($assignmentDetail.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignmentDetail.GroupId)) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentDetail.Reason -Force
                                    [void]$edrPoliciesFound.Add($policy)
                                    break
                                }
                                elseif ($assignmentDetail.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignmentDetail.GroupId) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                    [void]$edrPoliciesFound.Add($policy)
                                    break
                                }
                            }
                        }
                    }
                }

                # 2. Check deviceManagement/intents
                $allIntentsForEDR = Get-IntuneEntities -EntityType "deviceManagement/intents"
                $matchingIntentsEDR = $allIntentsForEDR | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityEndpointDetectionAndResponse' }

                if ($matchingIntentsEDR) {
                    foreach ($policy in $matchingIntentsEDR) {
                        if ($processedEDRIds.Add($policy.id)) {
                            $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                            $assignments = $assignmentsResponse.value
                            foreach ($assignment in $assignments) {
                                $assignmentDetails = @{
                                    Reason  = switch ($assignment.target.'@odata.type') {
                                        '#microsoft.graph.allLicensedUsersAssignmentTarget' { "All Users" }
                                        '#microsoft.graph.allDevicesAssignmentTarget' { "All Devices" }
                                        '#microsoft.graph.groupAssignmentTarget' { "Group Assignment" }
                                        '#microsoft.graph.exclusionGroupAssignmentTarget' { "Group Exclusion" }
                                        default { "Unknown" }
                                    }
                                    GroupId = if ($assignment.target.'@odata.type' -match "groupAssignmentTarget") { $assignment.target.groupId } else { $null }
                                }
                                if ($assignmentDetails.Reason -eq "All Users" -or
                                    ($assignmentDetails.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignmentDetails.GroupId)) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentDetails.Reason -Force
                                    [void]$edrPoliciesFound.Add($policy)
                                    break
                                }
                                elseif ($assignmentDetails.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignmentDetails.GroupId) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                    [void]$edrPoliciesFound.Add($policy)
                                    break
                                }
                            }
                        }
                    }
                }
                $relevantPolicies.EndpointDetectionProfiles = $edrPoliciesFound
                
                # Get Endpoint Security - Attack Surface Reduction Policies
                Write-Host "Fetching Attack Surface Reduction Policies..." -ForegroundColor Yellow
                $asrPoliciesFound = [System.Collections.ArrayList]::new()
                $processedASRIds = [System.Collections.Generic.HashSet[string]]::new()

                # 1. Check configurationPolicies
                $configPoliciesForASR = Get-IntuneEntities -EntityType "configurationPolicies"
                $matchingConfigPoliciesASR = $configPoliciesForASR | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAttackSurfaceReductionRules' }

                if ($matchingConfigPoliciesASR) {
                    foreach ($policy in $matchingConfigPoliciesASR) {
                        if ($processedASRIds.Add($policy.id)) {
                            $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                            foreach ($assignmentDetail in $assignments) {
                                if ($assignmentDetail.Reason -eq "All Users" -or
                                    ($assignmentDetail.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignmentDetail.GroupId)) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentDetail.Reason -Force
                                    [void]$asrPoliciesFound.Add($policy)
                                    break
                                }
                                elseif ($assignmentDetail.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignmentDetail.GroupId) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                    [void]$asrPoliciesFound.Add($policy)
                                    break
                                }
                            }
                        }
                    }
                }

                # 2. Check deviceManagement/intents
                $allIntentsForASR = Get-IntuneEntities -EntityType "deviceManagement/intents"
                $matchingIntentsASR = $allIntentsForASR | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAttackSurfaceReductionRules' }

                if ($matchingIntentsASR) {
                    foreach ($policy in $matchingIntentsASR) {
                        if ($processedASRIds.Add($policy.id)) {
                            $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                            $assignments = $assignmentsResponse.value
                            foreach ($assignment in $assignments) {
                                $assignmentDetails = @{
                                    Reason  = switch ($assignment.target.'@odata.type') {
                                        '#microsoft.graph.allLicensedUsersAssignmentTarget' { "All Users" }
                                        '#microsoft.graph.allDevicesAssignmentTarget' { "All Devices" }
                                        '#microsoft.graph.groupAssignmentTarget' { "Group Assignment" }
                                        '#microsoft.graph.exclusionGroupAssignmentTarget' { "Group Exclusion" }
                                        default { "Unknown" }
                                    }
                                    GroupId = if ($assignment.target.'@odata.type' -match "groupAssignmentTarget") { $assignment.target.groupId } else { $null }
                                }
                                if ($assignmentDetails.Reason -eq "All Users" -or
                                    ($assignmentDetails.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignmentDetails.GroupId)) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentDetails.Reason -Force
                                    [void]$asrPoliciesFound.Add($policy)
                                    break
                                }
                                elseif ($assignmentDetails.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignmentDetails.GroupId) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                    [void]$asrPoliciesFound.Add($policy)
                                    break
                                }
                            }
                        }
                    }
                }
                $relevantPolicies.AttackSurfaceProfiles = $asrPoliciesFound

                # Get Windows 365 Cloud PC Provisioning Policies
                Write-Host "Fetching Windows 365 Cloud PC Provisioning Policies..." -ForegroundColor Yellow
                try {
                    $cloudPCProvisioningPolicies = Get-IntuneEntities -EntityType "virtualEndpoint/provisioningPolicies"
                    foreach ($policy in $cloudPCProvisioningPolicies) {
                        $assignments = Get-IntuneAssignments -EntityType "virtualEndpoint/provisioningPolicies" -EntityId $policy.id
                        foreach ($assignment in $assignments) {
                            if ($assignment.Reason -eq "All Users" -or
                                ($assignment.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignment.GroupId)) {
                                $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignment.Reason -Force
                                $relevantPolicies.CloudPCProvisioningPolicies += $policy
                                break
                            }
                            elseif ($assignment.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignment.GroupId) {
                                $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                $relevantPolicies.CloudPCProvisioningPolicies += $policy
                                break
                            }
                        }
                    }
                }
                catch {
                    Write-Warning "Unable to fetch Windows 365 Cloud PC Provisioning Policies: $($_.Exception.Message)"
                }

                # Get Windows 365 Cloud PC User Settings
                Write-Host "Fetching Windows 365 Cloud PC User Settings..." -ForegroundColor Yellow
                try {
                    $cloudPCUserSettings = Get-IntuneEntities -EntityType "virtualEndpoint/userSettings"
                    foreach ($setting in $cloudPCUserSettings) {
                        $assignments = Get-IntuneAssignments -EntityType "virtualEndpoint/userSettings" -EntityId $setting.id
                        foreach ($assignment in $assignments) {
                            if ($assignment.Reason -eq "All Users" -or
                                ($assignment.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignment.GroupId)) {
                                $setting | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignment.Reason -Force
                                $relevantPolicies.CloudPCUserSettings += $setting
                                break
                            }
                            elseif ($assignment.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignment.GroupId) {
                                $setting | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                $relevantPolicies.CloudPCUserSettings += $setting
                                break
                            }
                        }
                    }
                }
                catch {
                    Write-Warning "Unable to fetch Windows 365 Cloud PC User Settings: $($_.Exception.Message)"
                }

                # Display results
                Write-Host "`nAssignments for User: $upn" -ForegroundColor Green

                # Display Device Configurations
                Write-Host "`n------- Device Configurations -------" -ForegroundColor Cyan
                if ($relevantPolicies.DeviceConfigs.Count -eq 0) {
                    Write-Host "No Device Configurations found" -ForegroundColor Gray
                }
                else {
                    # Create table header
                    $headerFormat = "{0,-50} {1,-40} {2,-30}" -f "Configuration Name", "Configuration ID", "Assignment"
                    $separator = "-" * 120
                    Write-Host $separator
                    Write-Host $headerFormat -ForegroundColor Yellow
                    Write-Host $separator
                    
                    foreach ($config in $relevantPolicies.DeviceConfigs) {
                        $configName = if ([string]::IsNullOrWhiteSpace($config.name)) { $config.displayName } else { $config.name }
                        if ($configName.Length -gt 47) {
                            $configName = $configName.Substring(0, 44) + "..."
                        }
                        
                        $configId = $config.id
                        if ($configId.Length -gt 37) {
                            $configId = $configId.Substring(0, 34) + "..."
                        }
                        
                        $assignment = $config.AssignmentReason
                        if ($assignment.Length -gt 27) {
                            $assignment = $assignment.Substring(0, 24) + "..."
                        }
                        
                        $rowFormat = "{0,-50} {1,-40} {2,-30}" -f $configName, $configId, $assignment
                        if ($assignment -eq "Excluded") {
                            Write-Host $rowFormat -ForegroundColor Red
                        }
                        else {
                            Write-Host $rowFormat -ForegroundColor White
                        }
                    }
                    Write-Host $separator
                }

                # Display Settings Catalog Policies
                Write-Host "`n------- Settings Catalog Policies -------" -ForegroundColor Cyan
                if ($relevantPolicies.SettingsCatalog.Count -eq 0) {
                    Write-Host "No Settings Catalog Policies found" -ForegroundColor Gray
                }
                else {
                    # Create table header
                    $headerFormat = "{0,-50} {1,-40} {2,-30}" -f "Policy Name", "Policy ID", "Assignment"
                    $separator = "-" * 120
                    Write-Host $separator
                    Write-Host $headerFormat -ForegroundColor Yellow
                    Write-Host $separator
                    
                    foreach ($policy in $relevantPolicies.SettingsCatalog) {
                        $policyName = if ([string]::IsNullOrWhiteSpace($policy.name)) { $policy.displayName } else { $policy.name }
                        if ($policyName.Length -gt 47) {
                            $policyName = $policyName.Substring(0, 44) + "..."
                        }
                        
                        $policyId = $policy.id
                        if ($policyId.Length -gt 37) {
                            $policyId = $policyId.Substring(0, 34) + "..."
                        }
                        
                        $assignment = $policy.AssignmentReason
                        if ($assignment.Length -gt 27) {
                            $assignment = $assignment.Substring(0, 24) + "..."
                        }
                        
                        $rowFormat = "{0,-50} {1,-40} {2,-30}" -f $policyName, $policyId, $assignment
                        if ($assignment -eq "Excluded") {
                            Write-Host $rowFormat -ForegroundColor Red
                        }
                        else {
                            Write-Host $rowFormat -ForegroundColor White
                        }
                    }
                    Write-Host $separator
                }

                # Display Administrative Templates
                Write-Host "`n------- Administrative Templates -------" -ForegroundColor Cyan
                if ($relevantPolicies.AdminTemplates.Count -eq 0) {
                    Write-Host "No Administrative Templates found" -ForegroundColor Gray
                }
                else {
                    # Create table header
                    $headerFormat = "{0,-50} {1,-40} {2,-30}" -f "Template Name", "Template ID", "Assignment"
                    $separator = "-" * 120
                    Write-Host $separator
                    Write-Host $headerFormat -ForegroundColor Yellow
                    Write-Host $separator
                    
                    foreach ($template in $relevantPolicies.AdminTemplates) {
                        $templateName = if ([string]::IsNullOrWhiteSpace($template.name)) { $template.displayName } else { $template.name }
                        if ($templateName.Length -gt 47) {
                            $templateName = $templateName.Substring(0, 44) + "..."
                        }
                        
                        $templateId = $template.id
                        if ($templateId.Length -gt 37) {
                            $templateId = $templateId.Substring(0, 34) + "..."
                        }
                        
                        $assignment = $template.AssignmentReason
                        if ($assignment.Length -gt 27) {
                            $assignment = $assignment.Substring(0, 24) + "..."
                        }
                        
                        $rowFormat = "{0,-50} {1,-40} {2,-30}" -f $templateName, $templateId, $assignment
                        if ($assignment -eq "Excluded") {
                            Write-Host $rowFormat -ForegroundColor Red
                        }
                        else {
                            Write-Host $rowFormat -ForegroundColor White
                        }
                    }
                    Write-Host $separator
                }

                # Display Compliance Policies
                Write-Host "`n------- Compliance Policies -------" -ForegroundColor Cyan
                if ($relevantPolicies.CompliancePolicies.Count -eq 0) {
                    Write-Host "No Compliance Policies found" -ForegroundColor Gray
                }
                else {
                    # Create table header
                    $headerFormat = "{0,-50} {1,-40} {2,-30}" -f "Policy Name", "Policy ID", "Assignment"
                    $separator = "-" * 120
                    Write-Host $separator
                    Write-Host $headerFormat -ForegroundColor Yellow
                    Write-Host $separator
                    
                    foreach ($policy in $relevantPolicies.CompliancePolicies) {
                        $policyName = if ([string]::IsNullOrWhiteSpace($policy.name)) { $policy.displayName } else { $policy.name }
                        if ($policyName.Length -gt 47) {
                            $policyName = $policyName.Substring(0, 44) + "..."
                        }
                        
                        $policyId = $policy.id
                        if ($policyId.Length -gt 37) {
                            $policyId = $policyId.Substring(0, 34) + "..."
                        }
                        
                        $assignment = $policy.AssignmentReason
                        if ($assignment.Length -gt 27) {
                            $assignment = $assignment.Substring(0, 24) + "..."
                        }
                        
                        $rowFormat = "{0,-50} {1,-40} {2,-30}" -f $policyName, $policyId, $assignment
                        if ($assignment -eq "Excluded") {
                            Write-Host $rowFormat -ForegroundColor Red
                        }
                        else {
                            Write-Host $rowFormat -ForegroundColor White
                        }
                    }
                    Write-Host $separator
                }

                # Display App Protection Policies
                Write-Host "`n------- App Protection Policies -------" -ForegroundColor Cyan
                if ($relevantPolicies.AppProtectionPolicies.Count -eq 0) {
                    Write-Host "No App Protection Policies found" -ForegroundColor Gray
                }
                else {
                    # Create table header
                    $headerFormat = "{0,-40} {1,-30} {2,-20} {3,-30}" -f "Policy Name", "Policy ID", "Type", "Assignment"
                    $separator = "-" * 120
                    Write-Host $separator
                    Write-Host $headerFormat -ForegroundColor Yellow
                    Write-Host $separator
                    
                    foreach ($policy in $relevantPolicies.AppProtectionPolicies) {
                        $policyName = $policy.displayName
                        if ($policyName.Length -gt 37) {
                            $policyName = $policyName.Substring(0, 34) + "..."
                        }
                        
                        $policyId = $policy.id
                        if ($policyId.Length -gt 27) {
                            $policyId = $policyId.Substring(0, 24) + "..."
                        }
                        
                        $policyType = switch ($policy.'@odata.type') {
                            "#microsoft.graph.androidManagedAppProtection" { "Android" }
                            "#microsoft.graph.iosManagedAppProtection" { "iOS" }
                            "#microsoft.graph.windowsManagedAppProtection" { "Windows" }
                            default { "Unknown" }
                        }
                        
                        $assignment = $policy.AssignmentReason
                        if ($assignment.Length -gt 27) {
                            $assignment = $assignment.Substring(0, 24) + "..."
                        }
                        
                        $rowFormat = "{0,-40} {1,-30} {2,-20} {3,-30}" -f $policyName, $policyId, $policyType, $assignment
                        if ($assignment -eq "Excluded") {
                            Write-Host $rowFormat -ForegroundColor Red
                        }
                        else {
                            Write-Host $rowFormat -ForegroundColor White
                        }
                    }
                    Write-Host $separator
                }

                # Display App Configuration Policies
                Write-Host "`n------- App Configuration Policies -------" -ForegroundColor Cyan
                if ($relevantPolicies.AppConfigurationPolicies.Count -eq 0) {
                    Write-Host "No App Configuration Policies found" -ForegroundColor Gray
                }
                else {
                    # Create table header
                    $headerFormat = "{0,-50} {1,-40} {2,-30}" -f "Policy Name", "Policy ID", "Assignment"
                    $separator = "-" * 120
                    Write-Host $separator
                    Write-Host $headerFormat -ForegroundColor Yellow
                    Write-Host $separator
                    
                    foreach ($policy in $relevantPolicies.AppConfigurationPolicies) {
                        $policyName = if ([string]::IsNullOrWhiteSpace($policy.name)) { $policy.displayName } else { $policy.name }
                        if ($policyName.Length -gt 47) {
                            $policyName = $policyName.Substring(0, 44) + "..."
                        }
                        
                        $policyId = $policy.id
                        if ($policyId.Length -gt 37) {
                            $policyId = $policyId.Substring(0, 34) + "..."
                        }
                        
                        $assignment = $policy.AssignmentReason
                        if ($assignment.Length -gt 27) {
                            $assignment = $assignment.Substring(0, 24) + "..."
                        }
                        
                        $rowFormat = "{0,-50} {1,-40} {2,-30}" -f $policyName, $policyId, $assignment
                        if ($assignment -eq "Excluded") {
                            Write-Host $rowFormat -ForegroundColor Red
                        }
                        else {
                            Write-Host $rowFormat -ForegroundColor White
                        }
                    }
                    Write-Host $separator
                }

                # Display Platform Scripts
                Write-Host "`n------- Platform Scripts -------" -ForegroundColor Cyan
                if ($relevantPolicies.PlatformScripts.Count -eq 0) {
                    Write-Host "No Platform Scripts found" -ForegroundColor Gray
                }
                else {
                    # Create table header
                    $headerFormat = "{0,-50} {1,-40} {2,-30}" -f "Script Name", "Script ID", "Assignment"
                    $separator = "-" * 120
                    Write-Host $separator
                    Write-Host $headerFormat -ForegroundColor Yellow
                    Write-Host $separator
                    
                    foreach ($script in $relevantPolicies.PlatformScripts) {
                        $scriptName = if ([string]::IsNullOrWhiteSpace($script.name)) { $script.displayName } else { $script.name }
                        if ($scriptName.Length -gt 47) {
                            $scriptName = $scriptName.Substring(0, 44) + "..."
                        }
                        
                        $scriptId = $script.id
                        if ($scriptId.Length -gt 37) {
                            $scriptId = $scriptId.Substring(0, 34) + "..."
                        }
                        
                        $assignment = $script.AssignmentReason
                        if ($assignment.Length -gt 27) {
                            $assignment = $assignment.Substring(0, 24) + "..."
                        }
                        
                        $rowFormat = "{0,-50} {1,-40} {2,-30}" -f $scriptName, $scriptId, $assignment
                        if ($assignment -eq "Excluded") {
                            Write-Host $rowFormat -ForegroundColor Red
                        }
                        else {
                            Write-Host $rowFormat -ForegroundColor White
                        }
                    }
                    Write-Host $separator
                }

                # Display Proactive Remediation Scripts
                Write-Host "`n------- Proactive Remediation Scripts -------" -ForegroundColor Cyan
                if ($relevantPolicies.HealthScripts.Count -eq 0) {
                    Write-Host "No Proactive Remediation Scripts found" -ForegroundColor Gray
                }
                else {
                    # Create table header
                    $headerFormat = "{0,-50} {1,-40} {2,-30}" -f "Script Name", "Script ID", "Assignment"
                    $separator = "-" * 120
                    Write-Host $separator
                    Write-Host $headerFormat -ForegroundColor Yellow
                    Write-Host $separator
                    
                    foreach ($script in $relevantPolicies.HealthScripts) {
                        $scriptName = if ([string]::IsNullOrWhiteSpace($script.name)) { $script.displayName } else { $script.name }
                        if ($scriptName.Length -gt 47) {
                            $scriptName = $scriptName.Substring(0, 44) + "..."
                        }
                        
                        $scriptId = $script.id
                        if ($scriptId.Length -gt 37) {
                            $scriptId = $scriptId.Substring(0, 34) + "..."
                        }
                        
                        $assignment = $script.AssignmentReason
                        if ($assignment.Length -gt 27) {
                            $assignment = $assignment.Substring(0, 24) + "..."
                        }
                        
                        $rowFormat = "{0,-50} {1,-40} {2,-30}" -f $scriptName, $scriptId, $assignment
                        if ($assignment -eq "Excluded") {
                            Write-Host $rowFormat -ForegroundColor Red
                        }
                        else {
                            Write-Host $rowFormat -ForegroundColor White
                        }
                    }
                    Write-Host $separator
                }

                # Display Required Apps
                Write-Host "`n------- Required Apps -------" -ForegroundColor Cyan
                if ($relevantPolicies.AppsRequired.Count -eq 0) {
                    Write-Host "No Required Apps found" -ForegroundColor Gray
                }
                else {
                    # Create table header
                    $headerFormat = "{0,-50} {1,-40} {2,-30}" -f "App Name", "App ID", "Assignment"
                    $separator = "-" * 120
                    Write-Host $separator
                    Write-Host $headerFormat -ForegroundColor Yellow
                    Write-Host $separator
                    
                    foreach ($app in $relevantPolicies.AppsRequired) {
                        $appName = $app.displayName
                        if ($appName.Length -gt 47) {
                            $appName = $appName.Substring(0, 44) + "..."
                        }
                        
                        $appId = $app.id
                        if ($appId.Length -gt 37) {
                            $appId = $appId.Substring(0, 34) + "..."
                        }
                        
                        $assignment = $app.AssignmentReason
                        if ($assignment.Length -gt 27) {
                            $assignment = $assignment.Substring(0, 24) + "..."
                        }
                        
                        $rowFormat = "{0,-50} {1,-40} {2,-30}" -f $appName, $appId, $assignment
                        if ($assignment -like "*Exclusion*") {
                            Write-Host $rowFormat -ForegroundColor Red
                        }
                        else {
                            Write-Host $rowFormat -ForegroundColor White
                        }
                    }
                    Write-Host $separator
                }

                # Display Available Apps
                Write-Host "`n------- Available Apps -------" -ForegroundColor Cyan
                if ($relevantPolicies.AppsAvailable.Count -eq 0) {
                    Write-Host "No Available Apps found" -ForegroundColor Gray
                }
                else {
                    # Create table header
                    $headerFormat = "{0,-50} {1,-40} {2,-30}" -f "App Name", "App ID", "Assignment"
                    $separator = "-" * 120
                    Write-Host $separator
                    Write-Host $headerFormat -ForegroundColor Yellow
                    Write-Host $separator
                    
                    foreach ($app in $relevantPolicies.AppsAvailable) {
                        $appName = $app.displayName
                        if ($appName.Length -gt 47) {
                            $appName = $appName.Substring(0, 44) + "..."
                        }
                        
                        $appId = $app.id
                        if ($appId.Length -gt 37) {
                            $appId = $appId.Substring(0, 34) + "..."
                        }
                        
                        $assignment = $app.AssignmentReason
                        if ($assignment.Length -gt 27) {
                            $assignment = $assignment.Substring(0, 24) + "..."
                        }
                        
                        $rowFormat = "{0,-50} {1,-40} {2,-30}" -f $appName, $appId, $assignment
                        if ($assignment -like "*Exclusion*") {
                            Write-Host $rowFormat -ForegroundColor Red
                        }
                        else {
                            Write-Host $rowFormat -ForegroundColor White
                        }
                    }
                    Write-Host $separator
                }

                # Display Uninstall Apps
                Write-Host "`n------- Uninstall Apps -------" -ForegroundColor Cyan
                if ($relevantPolicies.AppsUninstall.Count -eq 0) {
                    Write-Host "No Uninstall Apps found" -ForegroundColor Gray
                }
                else {
                    # Create table header
                    $headerFormat = "{0,-50} {1,-40} {2,-30}" -f "App Name", "App ID", "Assignment"
                    $separator = "-" * 120
                    Write-Host $separator
                    Write-Host $headerFormat -ForegroundColor Yellow
                    Write-Host $separator
                    
                    foreach ($app in $relevantPolicies.AppsUninstall) {
                        $appName = $app.displayName
                        if ($appName.Length -gt 47) {
                            $appName = $appName.Substring(0, 44) + "..."
                        }
                        
                        $appId = $app.id
                        if ($appId.Length -gt 37) {
                            $appId = $appId.Substring(0, 34) + "..."
                        }
                        
                        $assignment = $app.AssignmentReason
                        if ($assignment.Length -gt 27) {
                            $assignment = $assignment.Substring(0, 24) + "..."
                        }
                        
                        $rowFormat = "{0,-50} {1,-40} {2,-30}" -f $appName, $appId, $assignment
                        if ($assignment -like "*Exclusion*") {
                            Write-Host $rowFormat -ForegroundColor Red
                        }
                        else {
                            Write-Host $rowFormat -ForegroundColor White
                        }
                    }
                    Write-Host $separator
                }
                
                # Display Endpoint Security - Antivirus Profiles
                Write-Host "`n------- Endpoint Security - Antivirus Profiles -------" -ForegroundColor Cyan
                if ($relevantPolicies.AntivirusProfiles.Count -eq 0) {
                    Write-Host "No Antivirus Profiles found" -ForegroundColor Gray
                }
                else {
                    # Create table header
                    $headerFormat = "{0,-50} {1,-40} {2,-30}" -f "Profile Name", "Profile ID", "Assignment"
                    $separator = "-" * 120
                    Write-Host $separator
                    Write-Host $headerFormat -ForegroundColor Yellow
                    Write-Host $separator
                    
                    foreach ($profile in $relevantPolicies.AntivirusProfiles) {
                        $profileName = if (-not [string]::IsNullOrWhiteSpace($profile.displayName)) { $profile.displayName } elseif (-not [string]::IsNullOrWhiteSpace($profile.name)) { $profile.name } else { "Unnamed Profile" }
                        if ($profileName.Length -gt 47) {
                            $profileName = $profileName.Substring(0, 44) + "..."
                        }
                        
                        $profileId = $profile.id
                        if ($profileId.Length -gt 37) {
                            $profileId = $profileId.Substring(0, 34) + "..."
                        }
                        
                        $assignment = $profile.AssignmentReason
                        if ($assignment.Length -gt 27) {
                            $assignment = $assignment.Substring(0, 24) + "..."
                        }
                        
                        $rowFormat = "{0,-50} {1,-40} {2,-30}" -f $profileName, $profileId, $assignment
                        if ($assignment -eq "Excluded") {
                            Write-Host $rowFormat -ForegroundColor Red
                        }
                        else {
                            Write-Host $rowFormat -ForegroundColor White
                        }
                    }
                    Write-Host $separator
                }
                
                # Display Endpoint Security - Disk Encryption Profiles
                Write-Host "`n------- Endpoint Security - Disk Encryption Profiles -------" -ForegroundColor Cyan
                if ($relevantPolicies.DiskEncryptionProfiles.Count -eq 0) {
                    Write-Host "No Disk Encryption Profiles found" -ForegroundColor Gray
                }
                else {
                    # Create table header
                    $headerFormat = "{0,-50} {1,-40} {2,-30}" -f "Profile Name", "Profile ID", "Assignment"
                    $separator = "-" * 120
                    Write-Host $separator
                    Write-Host $headerFormat -ForegroundColor Yellow
                    Write-Host $separator
                    
                    foreach ($profile in $relevantPolicies.DiskEncryptionProfiles) {
                        $profileName = if (-not [string]::IsNullOrWhiteSpace($profile.displayName)) { $profile.displayName } elseif (-not [string]::IsNullOrWhiteSpace($profile.name)) { $profile.name } else { "Unnamed Profile" }
                        if ($profileName.Length -gt 47) {
                            $profileName = $profileName.Substring(0, 44) + "..."
                        }
                        
                        $profileId = $profile.id
                        if ($profileId.Length -gt 37) {
                            $profileId = $profileId.Substring(0, 34) + "..."
                        }
                        
                        $assignment = $profile.AssignmentReason
                        if ($assignment.Length -gt 27) {
                            $assignment = $assignment.Substring(0, 24) + "..."
                        }
                        
                        $rowFormat = "{0,-50} {1,-40} {2,-30}" -f $profileName, $profileId, $assignment
                        if ($assignment -eq "Excluded") {
                            Write-Host $rowFormat -ForegroundColor Red
                        }
                        else {
                            Write-Host $rowFormat -ForegroundColor White
                        }
                    }
                    Write-Host $separator
                }
                
                # Display Endpoint Security - Firewall Profiles
                Write-Host "`n------- Endpoint Security - Firewall Profiles -------" -ForegroundColor Cyan
                if ($relevantPolicies.FirewallProfiles.Count -eq 0) {
                    Write-Host "No Firewall Profiles found" -ForegroundColor Gray
                }
                else {
                    # Create table header
                    $headerFormat = "{0,-50} {1,-40} {2,-30}" -f "Profile Name", "Profile ID", "Assignment"
                    $separator = "-" * 120
                    Write-Host $separator
                    Write-Host $headerFormat -ForegroundColor Yellow
                    Write-Host $separator
                    
                    foreach ($profile in $relevantPolicies.FirewallProfiles) {
                        $profileName = if (-not [string]::IsNullOrWhiteSpace($profile.displayName)) { $profile.displayName } elseif (-not [string]::IsNullOrWhiteSpace($profile.name)) { $profile.name } else { "Unnamed Profile" }
                        if ($profileName.Length -gt 47) {
                            $profileName = $profileName.Substring(0, 44) + "..."
                        }
                        
                        $profileId = $profile.id
                        if ($profileId.Length -gt 37) {
                            $profileId = $profileId.Substring(0, 34) + "..."
                        }
                        
                        $assignment = $profile.AssignmentReason
                        if ($assignment.Length -gt 27) {
                            $assignment = $assignment.Substring(0, 24) + "..."
                        }
                        
                        $rowFormat = "{0,-50} {1,-40} {2,-30}" -f $profileName, $profileId, $assignment
                        if ($assignment -eq "Excluded") {
                            Write-Host $rowFormat -ForegroundColor Red
                        }
                        else {
                            Write-Host $rowFormat -ForegroundColor White
                        }
                    }
                    Write-Host $separator
                }
                
                # Display Endpoint Security - Endpoint Detection and Response Profiles
                Write-Host "`n------- Endpoint Security - Endpoint Detection and Response Profiles -------" -ForegroundColor Cyan
                if ($relevantPolicies.EndpointDetectionProfiles.Count -eq 0) {
                    Write-Host "No Endpoint Detection and Response Profiles found" -ForegroundColor Gray
                }
                else {
                    # Create table header
                    $headerFormat = "{0,-50} {1,-40} {2,-30}" -f "Profile Name", "Profile ID", "Assignment"
                    $separator = "-" * 120
                    Write-Host $separator
                    Write-Host $headerFormat -ForegroundColor Yellow
                    Write-Host $separator
                    
                    foreach ($profile in $relevantPolicies.EndpointDetectionProfiles) {
                        $profileName = if (-not [string]::IsNullOrWhiteSpace($profile.displayName)) { $profile.displayName } elseif (-not [string]::IsNullOrWhiteSpace($profile.name)) { $profile.name } else { "Unnamed Profile" }
                        if ($profileName.Length -gt 47) {
                            $profileName = $profileName.Substring(0, 44) + "..."
                        }
                        
                        $profileId = $profile.id
                        if ($profileId.Length -gt 37) {
                            $profileId = $profileId.Substring(0, 34) + "..."
                        }
                        
                        $assignment = $profile.AssignmentReason
                        if ($assignment.Length -gt 27) {
                            $assignment = $assignment.Substring(0, 24) + "..."
                        }
                        
                        $rowFormat = "{0,-50} {1,-40} {2,-30}" -f $profileName, $profileId, $assignment
                        if ($assignment -eq "Excluded") {
                            Write-Host $rowFormat -ForegroundColor Red
                        }
                        else {
                            Write-Host $rowFormat -ForegroundColor White
                        }
                    }
                    Write-Host $separator
                }
                
                # Display Endpoint Security - Attack Surface Reduction Profiles
                Write-Host "`n------- Endpoint Security - Attack Surface Reduction Profiles -------" -ForegroundColor Cyan
                if ($relevantPolicies.AttackSurfaceProfiles.Count -eq 0) {
                    Write-Host "No Attack Surface Reduction Profiles found" -ForegroundColor Gray
                }
                else {
                    # Create table header
                    $headerFormat = "{0,-50} {1,-40} {2,-30}" -f "Profile Name", "Profile ID", "Assignment"
                    $separator = "-" * 120
                    Write-Host $separator
                    Write-Host $headerFormat -ForegroundColor Yellow
                    Write-Host $separator
                    
                    foreach ($profile in $relevantPolicies.AttackSurfaceProfiles) {
                        $profileName = if (-not [string]::IsNullOrWhiteSpace($profile.displayName)) { $profile.displayName } elseif (-not [string]::IsNullOrWhiteSpace($profile.name)) { $profile.name } else { "Unnamed Profile" }
                        if ($profileName.Length -gt 47) {
                            $profileName = $profileName.Substring(0, 44) + "..."
                        }
                        
                        $profileId = $profile.id
                        if ($profileId.Length -gt 37) {
                            $profileId = $profileId.Substring(0, 34) + "..."
                        }
                        
                        $assignment = $profile.AssignmentReason
                        if ($assignment.Length -gt 27) {
                            $assignment = $assignment.Substring(0, 24) + "..."
                        }
                        
                        $rowFormat = "{0,-50} {1,-40} {2,-30}" -f $profileName, $profileId, $assignment
                        if ($assignment -eq "Excluded") {
                            Write-Host $rowFormat -ForegroundColor Red
                        }
                        else {
                            Write-Host $rowFormat -ForegroundColor White
                        }
                    }
                    Write-Host $separator
                }

                # Display Windows 365 Cloud PC Provisioning Policies
                Write-Host "`n------- Windows 365 Cloud PC Provisioning Policies -------" -ForegroundColor Cyan
                if ($relevantPolicies.CloudPCProvisioningPolicies.Count -eq 0) {
                    Write-Host "No Windows 365 Cloud PC Provisioning Policies found" -ForegroundColor Gray
                }
                else {
                    # Create table header
                    $headerFormat = "{0,-50} {1,-40} {2,-30}" -f "Policy Name", "Policy ID", "Assignment"
                    $separator = "-" * 120
                    Write-Host $separator
                    Write-Host $headerFormat -ForegroundColor Yellow
                    Write-Host $separator
                    
                    foreach ($policy in $relevantPolicies.CloudPCProvisioningPolicies) {
                        $policyName = if (-not [string]::IsNullOrWhiteSpace($policy.displayName)) { $policy.displayName } elseif (-not [string]::IsNullOrWhiteSpace($policy.name)) { $policy.name } else { "Unnamed Policy" }
                        if ($policyName.Length -gt 47) {
                            $policyName = $policyName.Substring(0, 44) + "..."
                        }
                        
                        $policyId = $policy.id
                        if ($policyId.Length -gt 37) {
                            $policyId = $policyId.Substring(0, 34) + "..."
                        }
                        
                        $assignment = $policy.AssignmentReason
                        if ($assignment.Length -gt 27) {
                            $assignment = $assignment.Substring(0, 24) + "..."
                        }
                        
                        $rowFormat = "{0,-50} {1,-40} {2,-30}" -f $policyName, $policyId, $assignment
                        if ($assignment -eq "Excluded") {
                            Write-Host $rowFormat -ForegroundColor Red
                        }
                        else {
                            Write-Host $rowFormat -ForegroundColor White
                        }
                    }
                    Write-Host $separator
                }

                # Display Windows 365 Cloud PC User Settings
                Write-Host "`n------- Windows 365 Cloud PC User Settings -------" -ForegroundColor Cyan
                if ($relevantPolicies.CloudPCUserSettings.Count -eq 0) {
                    Write-Host "No Windows 365 Cloud PC User Settings found" -ForegroundColor Gray
                }
                else {
                    # Create table header
                    $headerFormat = "{0,-50} {1,-40} {2,-30}" -f "Setting Name", "Setting ID", "Assignment"
                    $separator = "-" * 120
                    Write-Host $separator
                    Write-Host $headerFormat -ForegroundColor Yellow
                    Write-Host $separator
                    
                    foreach ($setting in $relevantPolicies.CloudPCUserSettings) {
                        $settingName = if (-not [string]::IsNullOrWhiteSpace($setting.displayName)) { $setting.displayName } elseif (-not [string]::IsNullOrWhiteSpace($setting.name)) { $setting.name } else { "Unnamed Setting" }
                        if ($settingName.Length -gt 47) {
                            $settingName = $settingName.Substring(0, 44) + "..."
                        }
                        
                        $settingId = $setting.id
                        if ($settingId.Length -gt 37) {
                            $settingId = $settingId.Substring(0, 34) + "..."
                        }
                        
                        $assignment = $setting.AssignmentReason
                        if ($assignment.Length -gt 27) {
                            $assignment = $assignment.Substring(0, 24) + "..."
                        }
                        
                        $rowFormat = "{0,-50} {1,-40} {2,-30}" -f $settingName, $settingId, $assignment
                        if ($assignment -eq "Excluded") {
                            Write-Host $rowFormat -ForegroundColor Red
                        }
                        else {
                            Write-Host $rowFormat -ForegroundColor White
                        }
                    }
                    Write-Host $separator
                }

                # Add all data to export
                Add-ExportData -ExportData $exportData -Category "User" -Items @([PSCustomObject]@{
                        displayName      = $upn
                        id               = $userInfo.Id
                        AssignmentReason = "N/A"
                    }

                    Add-ExportData -ExportData $exportData -Category "Device Configuration" -Items $relevantPolicies.DeviceConfigs -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Settings Catalog Policy" -Items $relevantPolicies.SettingsCatalog -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Administrative Template" -Items $relevantPolicies.AdminTemplates -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Compliance Policy" -Items $relevantPolicies.CompliancePolicies -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "App Protection Policy" -Items $relevantPolicies.AppProtectionPolicies -AssignmentReason { param($item) $item.AssignmentSummary }
                    Add-ExportData -ExportData $exportData -Category "App Configuration Policy" -Items $relevantPolicies.AppConfigurationPolicies -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Platform Scripts" -Items $relevantPolicies.PlatformScripts -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Proactive Remediation Scripts" -Items $relevantPolicies.HealthScripts -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Autopilot Deployment Profile" -Items $relevantPolicies.DeploymentProfiles -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Enrollment Status Page" -Items $relevantPolicies.ESPProfiles -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Windows 365 Cloud PC Provisioning Policy" -Items $relevantPolicies.CloudPCProvisioningPolicies -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Windows 365 Cloud PC User Setting" -Items $relevantPolicies.CloudPCUserSettings -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - Antivirus" -Items $relevantPolicies.AntivirusProfiles -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - Disk Encryption" -Items $relevantPolicies.DiskEncryptionProfiles -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - Firewall" -Items $relevantPolicies.FirewallProfiles -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - EDR" -Items $relevantPolicies.EndpointDetectionProfiles -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - ASR" -Items $relevantPolicies.AttackSurfaceProfiles -AssignmentReason { param($item) $item.AssignmentReason }
                )
            }

            # Export results if requested
            Export-ResultsIfRequested -ExportData $exportData -DefaultFileName "IntuneUserAssignments.csv" -ForceExport:$ExportToCSV -CustomExportPath $ExportPath
        }
        '2' {
            Write-Host "Group selection chosen" -ForegroundColor Green

            # Prompt for Group names or IDs
            Write-Host "Please enter Group names or Object IDs, separated by commas (,): " -ForegroundColor Cyan
            Write-Host "Example: 'Marketing Team, 12345678-1234-1234-1234-123456789012'" -ForegroundColor Gray
            $groupInput = Read-Host

            if ([string]::IsNullOrWhiteSpace($groupInput)) {
                Write-Host "No group information provided. Please try again." -ForegroundColor Red
                continue
            }

            $groupInputs = $groupInput -split ',' | ForEach-Object { $_.Trim() }
            $exportData = [System.Collections.ArrayList]::new()

            foreach ($input in $groupInputs) {
                Write-Host "`nProcessing input: $input" -ForegroundColor Yellow

                # Initialize variables
                $groupId = $null
                $groupName = $null

                # Check if input is a GUID
                if ($input -match '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$') {
                    $groupInfo = Get-GroupInfo -GroupId $input
                    if (-not $groupInfo.Success) {
                        Write-Host "No group found with ID: $input" -ForegroundColor Red
                        continue
                    }
                    $groupId = $groupInfo.Id
                    $groupName = $groupInfo.DisplayName
                }
                else {
                    # Try to find group by display name
                    $groupUri = "$GraphEndpoint/v1.0/groups?`$filter=displayName eq '$input'"
                    $groupResponse = Invoke-MgGraphRequest -Uri $groupUri -Method Get

                    if ($groupResponse.value.Count -eq 0) {
                        Write-Host "No group found with name: $input" -ForegroundColor Red
                        continue
                    }
                    elseif ($groupResponse.value.Count -gt 1) {
                        Write-Host "Multiple groups found with name: $input. Please use the Object ID instead:" -ForegroundColor Red
                        foreach ($group in $groupResponse.value) {
                            Write-Host " - $($group.displayName) (ID: $($group.id))" -ForegroundColor Yellow
                        }
                        continue
                    }

                    $groupId = $groupResponse.value[0].id
                    $groupName = $groupResponse.value[0].displayName
                }

                Write-Host "Found group: $groupName (ID: $groupId)" -ForegroundColor Green
                Write-Host "Fetching Intune Profiles and Applications for the group ... (this takes a few seconds)" -ForegroundColor Yellow

                # Initialize collections for relevant policies
                $relevantPolicies = @{
                    DeviceConfigs               = @()
                    SettingsCatalog             = @()
                    AdminTemplates              = @()
                    CompliancePolicies          = @()
                    AppProtectionPolicies       = @()
                    AppConfigurationPolicies    = @()
                    AppsRequired                = @()
                    AppsAvailable               = @()
                    AppsUninstall               = @()
                    PlatformScripts             = @()
                    HealthScripts               = @()
                    # Endpoint Security profiles
                    AntivirusProfiles           = @()
                    DiskEncryptionProfiles      = @()
                    FirewallProfiles            = @()
                    EndpointDetectionProfiles   = @()
                    AttackSurfaceProfiles       = @()
                    DeploymentProfiles          = @()
                    ESPProfiles                 = @()
                    CloudPCProvisioningPolicies = @()
                    CloudPCUserSettings         = @()
                }

                # Get Device Configurations
                Write-Host "Fetching Device Configurations..." -ForegroundColor Yellow
                $deviceConfigs = Get-IntuneEntities -EntityType "deviceConfigurations"
                foreach ($config in $deviceConfigs) {
                    $directAssignments = Get-IntuneAssignments -EntityType "deviceConfigurations" -EntityId $config.id -GroupId $groupId
                    if ($directAssignments.Count -gt 0) {
                        $assignmentReason = $directAssignments[0].Reason
                        if ($assignmentReason -eq "Direct Assignment" -or $assignmentReason -eq "Direct Exclusion") {
                            $config | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentReason -Force
                            $relevantPolicies.DeviceConfigs += $config
                        }
                    }
                }

                # Get Settings Catalog Policies
                Write-Host "Fetching Settings Catalog Policies..." -ForegroundColor Yellow
                $settingsCatalog = Get-IntuneEntities -EntityType "configurationPolicies"
                foreach ($policy in $settingsCatalog) {
                    # Exclude Endpoint Security policies from this generic Settings Catalog fetch for group view
                    if ($policy.templateReference -and $policy.templateReference.templateFamily -like "endpointSecurity*") {
                        continue
                    }
                    $directAssignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id -GroupId $groupId
                    if ($directAssignments.Count -gt 0) {
                        $assignmentReason = $directAssignments[0].Reason
                        if ($assignmentReason -eq "Direct Assignment" -or $assignmentReason -eq "Direct Exclusion") {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentReason -Force
                            $relevantPolicies.SettingsCatalog += $policy
                        }
                    }
                }

                # Get Administrative Templates
                Write-Host "Fetching Administrative Templates..." -ForegroundColor Yellow
                $adminTemplates = Get-IntuneEntities -EntityType "groupPolicyConfigurations"
                foreach ($template in $adminTemplates) {
                    $directAssignments = Get-IntuneAssignments -EntityType "groupPolicyConfigurations" -EntityId $template.id -GroupId $groupId
                    if ($directAssignments.Count -gt 0) {
                        $assignmentReason = $directAssignments[0].Reason
                        if ($assignmentReason -eq "Direct Assignment" -or $assignmentReason -eq "Direct Exclusion") {
                            $template | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentReason -Force
                            $relevantPolicies.AdminTemplates += $template
                        }
                    }
                }

                # Get Compliance Policies
                Write-Host "Fetching Compliance Policies..." -ForegroundColor Yellow
                $compliancePolicies = Get-IntuneEntities -EntityType "deviceCompliancePolicies"
                foreach ($policy in $compliancePolicies) {
                    $directAssignments = Get-IntuneAssignments -EntityType "deviceCompliancePolicies" -EntityId $policy.id -GroupId $groupId
                    if ($directAssignments.Count -gt 0) {
                        $assignmentReason = $directAssignments[0].Reason
                        if ($assignmentReason -eq "Direct Assignment" -or $assignmentReason -eq "Direct Exclusion") {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentReason -Force
                            $relevantPolicies.CompliancePolicies += $policy
                        }
                    }
                }

                # Get App Protection Policies
                Write-Host "Fetching App Protection Policies..." -ForegroundColor Yellow
                $appProtectionPolicies = Get-IntuneEntities -EntityType "deviceAppManagement/managedAppPolicies"
                foreach ($policy in $appProtectionPolicies) {
                    $policyType = $policy.'@odata.type'
                    $assignmentsUri = switch ($policyType) {
                        "#microsoft.graph.androidManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/androidManagedAppProtections('$($policy.id)')/assignments" }
                        "#microsoft.graph.iosManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/iosManagedAppProtections('$($policy.id)')/assignments" }
                        "#microsoft.graph.windowsManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/windowsManagedAppProtections('$($policy.id)')/assignments" }
                        default { $null }
                    }

                    if ($assignmentsUri) {
                        try {
                            $assignmentResponse = Invoke-MgGraphRequest -Uri $assignmentsUri -Method Get
                            # For group queries, Get-IntuneAssignments will return only direct assignments/exclusions
                            $directAssignments = Get-IntuneAssignments -EntityType "deviceAppManagement/managedAppPolicies" -EntityId $policy.id -GroupId $groupId
                            if ($directAssignments.Count -gt 0) {
                                $assignmentReason = $directAssignments[0].Reason
                                if ($assignmentReason -eq "Direct Assignment" -or $assignmentReason -eq "Direct Exclusion") {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentReason -Force
                                    $relevantPolicies.AppProtectionPolicies += $policy
                                }
                            }
                        }
                        catch {
                            Write-Host "Error fetching assignments for policy $($policy.displayName): $($_.Exception.Message)" -ForegroundColor Red
                        }
                    }
                }

                # Get App Configuration Policies
                Write-Host "Fetching App Configuration Policies..." -ForegroundColor Yellow
                $appConfigPolicies = Get-IntuneEntities -EntityType "deviceAppManagement/mobileAppConfigurations"
                foreach ($policy in $appConfigPolicies) {
                    $directAssignments = Get-IntuneAssignments -EntityType "mobileAppConfigurations" -EntityId $policy.id -GroupId $groupId
                    if ($directAssignments.Count -gt 0) {
                        $assignmentReason = $directAssignments[0].Reason
                        if ($assignmentReason -eq "Direct Assignment" -or $assignmentReason -eq "Direct Exclusion") {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentReason -Force
                            $relevantPolicies.AppConfigurationPolicies += $policy
                        }
                    }
                }

                # Get Endpoint Security - Antivirus Policies
                Write-Host "Fetching Antivirus Policies for group..." -ForegroundColor Yellow
                $antivirusPoliciesFoundGroup = [System.Collections.ArrayList]::new()
                $processedAntivirusIdsGroup = [System.Collections.Generic.HashSet[string]]::new()

                # 1. Check configurationPolicies
                $configPoliciesForAntivirusGroup = Get-IntuneEntities -EntityType "configurationPolicies"
                $matchingConfigPoliciesAntivirusGroup = $configPoliciesForAntivirusGroup | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAntivirus' }

                # Endpoint Security Policies for the specific group
                $endpointSecurityCategories = @(
                    @{ Name = "Antivirus"; Key = "AntivirusProfiles"; TemplateFamily = "endpointSecurityAntivirus"; UserFriendlyType = "Antivirus Profile" },
                    @{ Name = "Disk Encryption"; Key = "DiskEncryptionProfiles"; TemplateFamily = "endpointSecurityDiskEncryption"; UserFriendlyType = "Disk Encryption Profile" },
                    @{ Name = "Firewall"; Key = "FirewallProfiles"; TemplateFamily = "endpointSecurityFirewall"; UserFriendlyType = "Firewall Profile" },
                    @{ Name = "Endpoint Detection and Response"; Key = "EndpointDetectionProfiles"; TemplateFamily = "endpointSecurityEndpointDetectionAndResponse"; UserFriendlyType = "EDR Profile" },
                    @{ Name = "Attack Surface Reduction"; Key = "AttackSurfaceProfiles"; TemplateFamily = "endpointSecurityAttackSurfaceReductionRules"; UserFriendlyType = "ASR Profile" }
                )

                foreach ($esCategory in $endpointSecurityCategories) {
                    Write-Host "Fetching $($esCategory.Name) Policies for group..." -ForegroundColor Yellow
                    $processedEsPolicyIds = [System.Collections.Generic.HashSet[string]]::new() # Track IDs per category to avoid duplicates from configPolicies and intents

                    # 1. Check configurationPolicies (Settings Catalog style ES policies)
                    $allConfigEsPolicies = Get-IntuneEntities -EntityType "configurationPolicies" # Fetch all, then filter
                    $matchingConfigEsPolicies = $allConfigEsPolicies | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq $esCategory.TemplateFamily }
                    if ($matchingConfigEsPolicies) {
                        foreach ($policy in $matchingConfigEsPolicies) {
                            if ($processedEsPolicyIds.Add($policy.id)) {
                                $directAssignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id -GroupId $groupId
                                if ($directAssignments.Count -gt 0) {
                                    $assignmentReason = $directAssignments[0].Reason
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentReason -Force
                                    $relevantPolicies[$esCategory.Key] += $policy
                                }
                            }
                        }
                    }

                    # 2. Check deviceManagement/intents (Template style ES policies)
                    $allIntentEsPolicies = Get-IntuneEntities -EntityType "deviceManagement/intents" # Fetch all, then filter
                    $matchingIntentEsPolicies = $allIntentEsPolicies | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq $esCategory.TemplateFamily }
                    if ($matchingIntentEsPolicies) {
                        foreach ($policy in $matchingIntentEsPolicies) {
                            if ($processedEsPolicyIds.Add($policy.id)) {
                                # For intents, assignments are fetched differently
                                try {
                                    $allIntentAssignments = [System.Collections.ArrayList]::new()
                                    $currentIntentAssignmentsUri = "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments"
                                    do {
                                        $intentAssignmentsResponsePage = Invoke-MgGraphRequest -Uri $currentIntentAssignmentsUri -Method Get
                                        if ($intentAssignmentsResponsePage -and $null -ne $intentAssignmentsResponsePage.value) {
                                            $allIntentAssignments.AddRange($intentAssignmentsResponsePage.value)
                                        }
                                        $currentIntentAssignmentsUri = $intentAssignmentsResponsePage.'@odata.nextLink'
                                    } while (![string]::IsNullOrEmpty($currentIntentAssignmentsUri))

                                    $directGroupAssignment = $allIntentAssignments | Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget' -and $_.target.groupId -eq $groupId }
                                    $directGroupExclusion = $allIntentAssignments | Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget' -and $_.target.groupId -eq $groupId }

                                    $assignmentReason = $null
                                    if ($directGroupExclusion) {
                                        $assignmentReason = "Direct Exclusion"
                                    }
                                    elseif ($directGroupAssignment) {
                                        $assignmentReason = "Direct Assignment"
                                    }

                                    if ($assignmentReason) {
                                        $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentReason -Force
                                        $relevantPolicies[$esCategory.Key] += $policy
                                    }
                                }
                                catch {
                                    Write-Warning "Error fetching assignments for ES Intent $($policy.displayName) (ID: $($policy.id)): $($_.Exception.Message)"
                                }
                            }
                        }
                    }
                }

                # Fetch and process Applications
                Write-Host "Fetching Applications..." -ForegroundColor Yellow
                $appUri = "$GraphEndpoint/beta/deviceAppManagement/mobileApps?`$filter=isAssigned eq true"
                $appResponse = Invoke-MgGraphRequest -Uri $appUri -Method Get
                $allApps = $appResponse.value
                while ($appResponse.'@odata.nextLink') {
                    $appResponse = Invoke-MgGraphRequest -Uri $appResponse.'@odata.nextLink' -Method Get
                    $allApps += $appResponse.value
                }
                $totalApps = $allApps.Count

                foreach ($app in $allApps) {
                    # Filter out irrelevant apps
                    if ($app.isFeatured -or $app.isBuiltIn) {
                        continue
                    }

                    $appId = $app.id
                    $allAppAssignments = [System.Collections.ArrayList]::new()
                    $currentAppAssignmentsUri = "$GraphEndpoint/beta/deviceAppManagement/mobileApps('$appId')/assignments"
                    do {
                        $appAssignmentsResponsePage = Invoke-MgGraphRequest -Uri $currentAppAssignmentsUri -Method Get
                        if ($appAssignmentsResponsePage -and $null -ne $appAssignmentsResponsePage.value) {
                            $allAppAssignments.AddRange($appAssignmentsResponsePage.value)
                        }
                        $currentAppAssignmentsUri = $appAssignmentsResponsePage.'@odata.nextLink'
                    } while (![string]::IsNullOrEmpty($currentAppAssignmentsUri))
                    
                    $relevantAppAssignmentReason = $null
                    $intentForGroup = $null

                    foreach ($assignmentItem in $allAppAssignments) {
                        if ($assignmentItem.target.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget' -and $assignmentItem.target.groupId -eq $groupId) {
                            $relevantAppAssignmentReason = "Direct Assignment"
                            $intentForGroup = $assignmentItem.intent
                            break
                        }
                        elseif ($assignmentItem.target.'@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget' -and $assignmentItem.target.groupId -eq $groupId) {
                            $relevantAppAssignmentReason = "Group Exclusion"
                            $intentForGroup = $assignmentItem.intent # Intent might still be relevant for excluded apps
                            break
                        }
                    }

                    if ($relevantAppAssignmentReason) {
                        $appWithReason = $app.PSObject.Copy()
                        $appWithReason | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $relevantAppAssignmentReason -Force
                        if ($intentForGroup) {
                            switch ($intentForGroup) {
                                "required" { $relevantPolicies.AppsRequired += $appWithReason }
                                "available" { $relevantPolicies.AppsAvailable += $appWithReason }
                                "uninstall" { $relevantPolicies.AppsUninstall += $appWithReason }
                            }
                        }
                    }
                }

                # Get Platform Scripts
                Write-Host "Fetching Platform Scripts..." -ForegroundColor Yellow
                $platformScripts = Get-IntuneEntities -EntityType "deviceManagementScripts"
                foreach ($script in $platformScripts) {
                    $directAssignments = Get-IntuneAssignments -EntityType "deviceManagementScripts" -EntityId $script.id -GroupId $groupId
                    if ($directAssignments.Count -gt 0) {
                        $assignmentReason = $directAssignments[0].Reason
                        if ($assignmentReason -eq "Direct Assignment" -or $assignmentReason -eq "Direct Exclusion") {
                            $script | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentReason -Force
                            $relevantPolicies.PlatformScripts += $script
                        }
                    }
                }

                # Get Proactive Remediation Scripts
                Write-Host "Fetching Proactive Remediation Scripts..." -ForegroundColor Yellow
                $healthScripts = Get-IntuneEntities -EntityType "deviceHealthScripts"
                foreach ($script in $healthScripts) {
                    $directAssignments = Get-IntuneAssignments -EntityType "deviceHealthScripts" -EntityId $script.id -GroupId $groupId
                    if ($directAssignments.Count -gt 0) {
                        $assignmentReason = $directAssignments[0].Reason
                        if ($assignmentReason -eq "Direct Assignment" -or $assignmentReason -eq "Direct Exclusion") {
                            $script | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentReason -Force
                            $relevantPolicies.HealthScripts += $script
                        }
                    }
                }

                # Get Autopilot Deployment Profiles
                Write-Host "Fetching Autopilot Deployment Profiles..." -ForegroundColor Yellow
                $autoProfiles = Get-IntuneEntities -EntityType "windowsAutopilotDeploymentProfiles"
                foreach ($profile in $autoProfiles) {
                    $directAssignments = Get-IntuneAssignments -EntityType "windowsAutopilotDeploymentProfiles" -EntityId $profile.id -GroupId $groupId
                    if ($directAssignments.Count -gt 0) {
                        $assignmentReason = $directAssignments[0].Reason
                        if ($assignmentReason -eq "Direct Assignment" -or $assignmentReason -eq "Direct Exclusion") {
                            $profile | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentReason -Force
                            $relevantPolicies.DeploymentProfiles += $profile
                        }
                    }
                }

                # Get Enrollment Status Page Profiles
                Write-Host "Fetching Enrollment Status Page Profiles..." -ForegroundColor Yellow
                $enrollmentConfigs = Get-IntuneEntities -EntityType "deviceEnrollmentConfigurations"
                $espProfiles = $enrollmentConfigs | Where-Object { $_.'@odata.type' -match 'EnrollmentCompletionPageConfiguration' }
                foreach ($esp in $espProfiles) {
                    $directAssignments = Get-IntuneAssignments -EntityType "deviceEnrollmentConfigurations" -EntityId $esp.id -GroupId $groupId
                    if ($directAssignments.Count -gt 0) {
                        $assignmentReason = $directAssignments[0].Reason
                        if ($assignmentReason -eq "Direct Assignment" -or $assignmentReason -eq "Direct Exclusion") {
                            $esp | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentReason -Force
                            $relevantPolicies.ESPProfiles += $esp
                        }
                    }
                }

                # Get Windows 365 Cloud PC Provisioning Policies
                Write-Host "Fetching Windows 365 Cloud PC Provisioning Policies..." -ForegroundColor Yellow
                try {
                    $cloudPCProvisioningPolicies = Get-IntuneEntities -EntityType "virtualEndpoint/provisioningPolicies"
                    foreach ($policy in $cloudPCProvisioningPolicies) {
                        $directAssignments = Get-IntuneAssignments -EntityType "virtualEndpoint/provisioningPolicies" -EntityId $policy.id -GroupId $groupId
                        if ($directAssignments.Count -gt 0) {
                            $assignmentReason = $directAssignments[0].Reason
                            if ($assignmentReason -eq "Direct Assignment" -or $assignmentReason -eq "Direct Exclusion") {
                                $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentReason -Force
                                $relevantPolicies.CloudPCProvisioningPolicies += $policy
                            }
                        }
                    }
                }
                catch {
                    Write-Warning "Unable to fetch Windows 365 Cloud PC Provisioning Policies: $($_.Exception.Message)"
                }

                # Get Windows 365 Cloud PC User Settings
                Write-Host "Fetching Windows 365 Cloud PC User Settings..." -ForegroundColor Yellow
                try {
                    $cloudPCUserSettings = Get-IntuneEntities -EntityType "virtualEndpoint/userSettings"
                    foreach ($setting in $cloudPCUserSettings) {
                        $directAssignments = Get-IntuneAssignments -EntityType "virtualEndpoint/userSettings" -EntityId $setting.id -GroupId $groupId
                        if ($directAssignments.Count -gt 0) {
                            $assignmentReason = $directAssignments[0].Reason
                            if ($assignmentReason -eq "Direct Assignment" -or $assignmentReason -eq "Direct Exclusion") {
                                $setting | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentReason -Force
                                $relevantPolicies.CloudPCUserSettings += $setting
                            }
                        }
                    }
                }
                catch {
                    Write-Warning "Unable to fetch Windows 365 Cloud PC User Settings: $($_.Exception.Message)"
                }

                # Function to format and display policy table (specific to Option 2)
                function Format-PolicyTable {
                    param (
                        [string]$Title,
                        [object[]]$Policies,
                        [scriptblock]$GetName,
                        [scriptblock]$GetExtra = { param($p) "" }
                    )
                    $localTableSeparator = "-" * 120 # Use a local variable for separator

                    # Create prominent section header
                    $headerSeparator = "-" * ($Title.Length + 16)
                    Write-Host "`n$headerSeparator" -ForegroundColor Cyan
                    Write-Host "------- $Title -------" -ForegroundColor Cyan
                    Write-Host "$headerSeparator" -ForegroundColor Cyan
                    
                    if ($Policies.Count -eq 0) {
                        Write-Host "No $Title found for this group." -ForegroundColor Gray
                        Write-Host $localTableSeparator -ForegroundColor Gray
                        Write-Host ""
                        return
                    }

                    # Create table header
                    $headerFormat = "{0,-50} {1,-40} {2,-30}" -f "Policy Name", "ID", "Assignment"
                    
                    Write-Host $headerFormat -ForegroundColor Yellow
                    Write-Host $localTableSeparator -ForegroundColor Gray
                    
                    # Display each policy
                    foreach ($policy in $Policies) {
                        $name = & $GetName $policy
                        $extra = & $GetExtra $policy
                        
                        if ($name.Length -gt 47) { $name = $name.Substring(0, 44) + "..." }
                        
                        $id = $policy.id
                        if ($id.Length -gt 37) { $id = $id.Substring(0, 34) + "..." }
                        
                        $assignment = if ($policy.AssignmentReason) { $policy.AssignmentReason } else { "N/A" }
                        if ($assignment.Length -gt 27) { $assignment = $assignment.Substring(0, 24) + "..." }
                        
                        $rowFormat = "{0,-50} {1,-40} {2,-30}" -f $name, $id, $assignment
                        if ($assignment -eq "Direct Exclusion") {
                            Write-Host $rowFormat -ForegroundColor Red
                        }
                        else {
                            Write-Host $rowFormat -ForegroundColor White
                        }
                    }
                    Write-Host $localTableSeparator -ForegroundColor Gray
                }

                # Display Device Configurations
                Format-PolicyTable -Title "Device Configurations" -Policies $relevantPolicies.DeviceConfigs -GetName {
                    param($config)
                    if ([string]::IsNullOrWhiteSpace($config.name)) { $config.displayName } else { $config.name }
                }

                # Display Settings Catalog Policies
                Format-PolicyTable -Title "Settings Catalog Policies" -Policies $relevantPolicies.SettingsCatalog -GetName {
                    param($policy)
                    if ([string]::IsNullOrWhiteSpace($policy.name)) { $policy.displayName } else { $policy.name }
                }

                # Display Administrative Templates
                Format-PolicyTable -Title "Administrative Templates" -Policies $relevantPolicies.AdminTemplates -GetName {
                    param($template)
                    if ([string]::IsNullOrWhiteSpace($template.name)) { $template.displayName } else { $template.name }
                }

                # Display Compliance Policies
                Format-PolicyTable -Title "Compliance Policies" -Policies $relevantPolicies.CompliancePolicies -GetName {
                    param($policy)
                    if ([string]::IsNullOrWhiteSpace($policy.name)) { $policy.displayName } else { $policy.name }
                }

                # Display App Protection Policies
                Format-PolicyTable -Title "App Protection Policies" -Policies $relevantPolicies.AppProtectionPolicies -GetName {
                    param($policy)
                    $policy.displayName
                } -GetExtra {
                    param($policy)
                    @{
                        Label = 'Platform'
                        Value = switch ($policy.'@odata.type') {
                            "#microsoft.graph.androidManagedAppProtection" { "Android" }
                            "#microsoft.graph.iosManagedAppProtection" { "iOS" }
                            "#microsoft.graph.windowsManagedAppProtection" { "Windows" }
                            default { "Unknown" }
                        }
                    }
                }

                # Display App Configuration Policies
                Format-PolicyTable -Title "App Configuration Policies" -Policies $relevantPolicies.AppConfigurationPolicies -GetName {
                    param($policy)
                    if ([string]::IsNullOrWhiteSpace($policy.name)) { $policy.displayName } else { $policy.name }
                }

                # Display Platform Scripts
                Format-PolicyTable -Title "Platform Scripts" -Policies $relevantPolicies.PlatformScripts -GetName {
                    param($script)
                    if ([string]::IsNullOrWhiteSpace($script.name)) { $script.displayName } else { $script.name }
                }

                # Display Proactive Remediation Scripts
                Format-PolicyTable -Title "Proactive Remediation Scripts" -Policies $relevantPolicies.HealthScripts -GetName {
                    param($script)
                    if ([string]::IsNullOrWhiteSpace($script.name)) { $script.displayName } else { $script.name }
                }

                # Display Autopilot Deployment Profiles
                Format-PolicyTable -Title "Autopilot Deployment Profiles" -Policies $relevantPolicies.DeploymentProfiles -GetName {
                    param($profile)
                    if ([string]::IsNullOrWhiteSpace($profile.displayName)) { $profile.name } else { $profile.displayName }
                }

                # Display Enrollment Status Page Profiles
                Format-PolicyTable -Title "Enrollment Status Page Profiles" -Policies $relevantPolicies.ESPProfiles -GetName {
                    param($profile)
                    if ([string]::IsNullOrWhiteSpace($profile.displayName)) { $profile.name } else { $profile.displayName }
                }

                # Display Windows 365 Cloud PC Provisioning Policies
                Format-PolicyTable -Title "Windows 365 Cloud PC Provisioning Policies" -Policies $relevantPolicies.CloudPCProvisioningPolicies -GetName {
                    param($policy)
                    if ([string]::IsNullOrWhiteSpace($policy.displayName)) { $policy.name } else { $policy.displayName }
                }

                # Display Windows 365 Cloud PC User Settings
                Format-PolicyTable -Title "Windows 365 Cloud PC User Settings" -Policies $relevantPolicies.CloudPCUserSettings -GetName {
                    param($setting)
                    if ([string]::IsNullOrWhiteSpace($setting.displayName)) { $setting.name } else { $setting.displayName }
                }

                # Display Required Apps
                Format-PolicyTable -Title "Required Apps" -Policies $relevantPolicies.AppsRequired -GetName {
                    param($app)
                    $app.displayName
                }

                # Display Available Apps
                Format-PolicyTable -Title "Available Apps" -Policies $relevantPolicies.AppsAvailable -GetName {
                    param($app)
                    $app.displayName
                }

                # Display Uninstall Apps
                Format-PolicyTable -Title "Uninstall Apps" -Policies $relevantPolicies.AppsUninstall -GetName {
                    param($app)
                    $app.displayName
                }

                # Display Endpoint Security - Antivirus Profiles
                Format-PolicyTable -Title "Endpoint Security - Antivirus Profiles" -Policies $relevantPolicies.AntivirusProfiles -GetName { param($profile) if (-not [string]::IsNullOrWhiteSpace($profile.displayName)) { $profile.displayName } elseif (-not [string]::IsNullOrWhiteSpace($profile.name)) { $profile.name } else { "Unnamed Profile" } }
                
                # Display Endpoint Security - Disk Encryption Profiles
                Format-PolicyTable -Title "Endpoint Security - Disk Encryption Profiles" -Policies $relevantPolicies.DiskEncryptionProfiles -GetName { param($profile) if (-not [string]::IsNullOrWhiteSpace($profile.displayName)) { $profile.displayName } elseif (-not [string]::IsNullOrWhiteSpace($profile.name)) { $profile.name } else { "Unnamed Profile" } }
                
                # Display Endpoint Security - Firewall Profiles
                Format-PolicyTable -Title "Endpoint Security - Firewall Profiles" -Policies $relevantPolicies.FirewallProfiles -GetName { param($profile) if (-not [string]::IsNullOrWhiteSpace($profile.displayName)) { $profile.displayName } elseif (-not [string]::IsNullOrWhiteSpace($profile.name)) { $profile.name } else { "Unnamed Profile" } }
                
                # Display Endpoint Security - Endpoint Detection and Response Profiles
                Format-PolicyTable -Title "Endpoint Security - EDR Profiles" -Policies $relevantPolicies.EndpointDetectionProfiles -GetName { param($profile) if (-not [string]::IsNullOrWhiteSpace($profile.displayName)) { $profile.displayName } elseif (-not [string]::IsNullOrWhiteSpace($profile.name)) { $profile.name } else { "Unnamed Profile" } }
                
                # Display Endpoint Security - Attack Surface Reduction Profiles
                Format-PolicyTable -Title "Endpoint Security - ASR Profiles" -Policies $relevantPolicies.AttackSurfaceProfiles -GetName { param($profile) if (-not [string]::IsNullOrWhiteSpace($profile.displayName)) { $profile.displayName } elseif (-not [string]::IsNullOrWhiteSpace($profile.name)) { $profile.name } else { "Unnamed Profile" } }

                # Add to export data
                Add-ExportData -ExportData $exportData -Category "Device" -Items @([PSCustomObject]@{
                        displayName      = $deviceName
                        id               = $deviceInfo.Id
                        AssignmentReason = "N/A"
                    }

                    Add-ExportData -ExportData $exportData -Category "Device Configuration" -Items $relevantPolicies.DeviceConfigs -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Settings Catalog Policy" -Items $relevantPolicies.SettingsCatalog -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Administrative Template" -Items $relevantPolicies.AdminTemplates -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Compliance Policy" -Items $relevantPolicies.CompliancePolicies -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "App Protection Policy" -Items $relevantPolicies.AppProtectionPolicies -AssignmentReason { param($item) $item.AssignmentSummary }
                    Add-ExportData -ExportData $exportData -Category "App Configuration Policy" -Items $relevantPolicies.AppConfigurationPolicies -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Platform Scripts" -Items $relevantPolicies.PlatformScripts -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Proactive Remediation Scripts" -Items $relevantPolicies.HealthScripts -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Autopilot Deployment Profile" -Items $relevantPolicies.DeploymentProfiles -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Enrollment Status Page" -Items $relevantPolicies.ESPProfiles -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Windows 365 Cloud PC Provisioning Policy" -Items $relevantPolicies.CloudPCProvisioningPolicies -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Windows 365 Cloud PC User Setting" -Items $relevantPolicies.CloudPCUserSettings -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - Antivirus" -Items $relevantPolicies.AntivirusProfiles -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - Disk Encryption" -Items $relevantPolicies.DiskEncryptionProfiles -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - Firewall" -Items $relevantPolicies.FirewallProfiles -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - EDR" -Items $relevantPolicies.EndpointDetectionProfiles -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - ASR" -Items $relevantPolicies.AttackSurfaceProfiles -AssignmentReason { param($item) $item.AssignmentReason }
                )
            }

            # Export results if requested
            Export-ResultsIfRequested -ExportData $exportData -DefaultFileName "IntuneDeviceAssignments.csv" -ForceExport:$ExportToCSV -CustomExportPath $ExportPath
        }
        '3' {
            Write-Host "Device selection chosen" -ForegroundColor Green

            # Get Device names from parameter or prompt
            if ($parameterMode -and $DeviceNames) {
                $deviceInput = $DeviceNames
            }
            else {
                # Prompt for one or more Device Names
                Write-Host "Please enter Device Name(s), separated by commas (,): " -ForegroundColor Cyan
                $deviceInput = Read-Host
            }

            if ([string]::IsNullOrWhiteSpace($deviceInput)) {
                Write-Host "No device name provided. Please try again." -ForegroundColor Red
                if ($parameterMode) { exit 1 } else { continue }
            }

            $deviceNames = $deviceInput -split ',' | ForEach-Object { $_.Trim() }
            $exportData = [System.Collections.ArrayList]::new()

            foreach ($deviceName in $deviceNames) {
                Write-Host "`nProcessing device: $deviceName" -ForegroundColor Yellow

                # Get Device Info
                $deviceInfo = Get-DeviceInfo -DeviceName $deviceName
                if (-not $deviceInfo.Success) {
                    Write-Host "Device not found: $deviceName" -ForegroundColor Red
                    Write-Host "Please verify the device name is correct." -ForegroundColor Yellow
                    continue
                }

                # Get Device Group Memberships
                try {
                    $groupMemberships = Get-GroupMemberships -ObjectId $deviceInfo.Id -ObjectType "Device"
                    Write-Host "Device Group Memberships: $($groupMemberships.displayName -join ', ')" -ForegroundColor Green
                }
                catch {
                    Write-Host "Error fetching group memberships for device: $deviceName" -ForegroundColor Red
                    Write-Host "Error details: $($_.Exception.Message)" -ForegroundColor Red
                    continue
                }

                Write-Host "Fetching Intune Profiles and Applications for the device ... (this takes a few seconds)" -ForegroundColor Yellow

                # Initialize collections for relevant policies
                $relevantPolicies = @{
                    DeviceConfigs               = @()
                    SettingsCatalog             = @()
                    AdminTemplates              = @()
                    CompliancePolicies          = @()
                    AppProtectionPolicies       = @()
                    AppConfigurationPolicies    = @()
                    AppsRequired                = @()
                    AppsAvailable               = @()
                    AppsUninstall               = @()
                    PlatformScripts             = @()
                    HealthScripts               = @()
                    AntivirusProfiles           = @()
                    DiskEncryptionProfiles      = @()
                    FirewallProfiles            = @()
                    EndpointDetectionProfiles   = @()
                    AttackSurfaceProfiles       = @()
                    CloudPCProvisioningPolicies = @()
                    CloudPCUserSettings         = @()
                }

                # Get Device Configurations
                Write-Host "Fetching Device Configurations..." -ForegroundColor Yellow
                $deviceConfigs = Get-IntuneEntities -EntityType "deviceConfigurations"
                foreach ($config in $deviceConfigs) {
                    $assignments = Get-IntuneAssignments -EntityType "deviceConfigurations" -EntityId $config.id
                    foreach ($assignment in $assignments) {
                        if ($assignment.Reason -ne "All Users" -and
                            ($assignment.Reason -eq "All Devices" -or
                            ($assignment.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignment.GroupId))) {
                            $config | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignment.Reason -Force
                            $relevantPolicies.DeviceConfigs += $config
                            break
                        }
                    }
                }

                # Get Settings Catalog Policies
                Write-Host "Fetching Settings Catalog Policies..." -ForegroundColor Yellow
                $settingsCatalog = Get-IntuneEntities -EntityType "configurationPolicies"
                foreach ($policy in $settingsCatalog) {
                    $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                    foreach ($assignment in $assignments) {
                        if ($assignment.Reason -ne "All Users" -and
                            ($assignment.Reason -eq "All Devices" -or
                            ($assignment.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignment.GroupId))) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignment.Reason -Force
                            $relevantPolicies.SettingsCatalog += $policy
                            break
                        }
                    }
                }

                # Get Administrative Templates
                Write-Host "Fetching Administrative Templates..." -ForegroundColor Yellow
                $adminTemplates = Get-IntuneEntities -EntityType "groupPolicyConfigurations"
                foreach ($template in $adminTemplates) {
                    $assignments = Get-IntuneAssignments -EntityType "groupPolicyConfigurations" -EntityId $template.id
                    foreach ($assignment in $assignments) {
                        if ($assignment.Reason -ne "All Users" -and
                            ($assignment.Reason -eq "All Devices" -or
                            ($assignment.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignment.GroupId))) {
                            $template | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignment.Reason -Force
                            $relevantPolicies.AdminTemplates += $template
                            break
                        }
                    }
                }

                # Get Compliance Policies
                Write-Host "Fetching Compliance Policies..." -ForegroundColor Yellow
                $compliancePolicies = Get-IntuneEntities -EntityType "deviceCompliancePolicies"
                foreach ($policy in $compliancePolicies) {
                    $assignments = Get-IntuneAssignments -EntityType "deviceCompliancePolicies" -EntityId $policy.id
                    foreach ($assignment in $assignments) {
                        if ($assignment.Reason -ne "All Users" -and
                            ($assignment.Reason -eq "All Devices" -or
                            ($assignment.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignment.GroupId))) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignment.Reason -Force
                            $relevantPolicies.CompliancePolicies += $policy
                            break
                        }
                    }
                }

                # Get App Protection Policies
                Write-Host "Fetching App Protection Policies..." -ForegroundColor Yellow
                $appProtectionPolicies = Get-IntuneEntities -EntityType "deviceAppManagement/managedAppPolicies"
                foreach ($policy in $appProtectionPolicies) {
                    $policyType = $policy.'@odata.type'
                    $assignmentsUri = switch ($policyType) {
                        "#microsoft.graph.androidManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/androidManagedAppProtections('$($policy.id)')/assignments" }
                        "#microsoft.graph.iosManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/iosManagedAppProtections('$($policy.id)')/assignments" }
                        "#microsoft.graph.windowsManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/windowsManagedAppProtections('$($policy.id)')/assignments" }
                        default { $null }
                    }

                    if ($assignmentsUri) {
                        try {
                            $assignmentResponse = Invoke-MgGraphRequest -Uri $assignmentsUri -Method Get
                            $assignments = @()
                            foreach ($assignment in $assignmentResponse.value) {
                                $assignmentReason = $null
                                switch ($assignment.target.'@odata.type') {
                                    '#microsoft.graph.allLicensedUsersAssignmentTarget' {
                                        $assignmentReason = "All Users"
                                    }
                                    '#microsoft.graph.allDevicesAssignmentTarget' {
                                        $assignmentReason = "All Devices"
                                    }
                                    '#microsoft.graph.groupAssignmentTarget' {
                                        if ($groupMemberships.id -contains $assignment.target.groupId) {
                                            $assignmentReason = "Group Assignment"
                                        }
                                    }
                                    '#microsoft.graph.exclusionGroupAssignmentTarget' {
                                        if ($groupMemberships.id -contains $assignment.target.groupId) {
                                            $assignmentReason = "Group Exclusion"
                                        }
                                    }
                                }

                                if ($assignmentReason -and $assignmentReason -ne "All Users") {
                                    $assignments += @{
                                        Reason  = $assignmentReason
                                        GroupId = $assignment.target.groupId
                                    }
                                }
                            }

                            if ($assignments.Count -gt 0) {
                                $assignmentSummary = $assignments | Where-Object { $_.Reason -ne "All Users" } | ForEach-Object {
                                    if ($_.Reason -eq "Group Assignment") {
                                        $groupInfo = Get-GroupInfo -GroupId $_.GroupId
                                        "$($_.Reason) - $($groupInfo.DisplayName)"
                                    }
                                    else {
                                        $_.Reason
                                    }
                                }
                                $policy | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                                $relevantPolicies.AppProtectionPolicies += $policy
                            }
                        }
                        catch {
                            Write-Host "Error fetching assignments for policy $($policy.displayName): $($_.Exception.Message)" -ForegroundColor Red
                        }
                    }
                }

                # Get App Configuration Policies
                Write-Host "Fetching App Configuration Policies..." -ForegroundColor Yellow
                $appConfigPolicies = Get-IntuneEntities -EntityType "deviceAppManagement/mobileAppConfigurations"
                foreach ($policy in $appConfigPolicies) {
                    $assignments = Get-IntuneAssignments -EntityType "mobileAppConfigurations" -EntityId $policy.id
                    foreach ($assignment in $assignments) {
                        if ($assignment.Reason -ne "All Users" -and
                            ($assignment.Reason -eq "All Devices" -or
                            ($assignment.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignment.GroupId))) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignment.Reason -Force
                            $relevantPolicies.AppConfigurationPolicies += $policy
                            break
                        }
                    }
                }

                # Get Platform Scripts
                Write-Host "Fetching Platform Scripts..." -ForegroundColor Yellow
                $platformScripts = Get-IntuneEntities -EntityType "deviceManagementScripts"
                foreach ($script in $platformScripts) {
                    $assignments = Get-IntuneAssignments -EntityType "deviceManagementScripts" -EntityId $script.id
                    foreach ($assignment in $assignments) {
                        if ($assignment.Reason -ne "All Users" -and
                            ($assignment.Reason -eq "All Devices" -or
                            ($assignment.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignment.GroupId))) {
                            $script | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignment.Reason -Force
                            $relevantPolicies.PlatformScripts += $script
                            break
                        }
                    }
                }

                # Get Proactive Remediation Scripts
                Write-Host "Fetching Proactive Remediation Scripts..." -ForegroundColor Yellow
                $healthScripts = Get-IntuneEntities -EntityType "deviceHealthScripts"
                foreach ($script in $healthScripts) {
                    $assignments = Get-IntuneAssignments -EntityType "deviceHealthScripts" -EntityId $script.id
                    foreach ($assignment in $assignments) {
                        if ($assignment.Reason -ne "All Users" -and
                            ($assignment.Reason -eq "All Devices" -or
                            ($assignment.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignment.GroupId))) {
                            $script | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignment.Reason -Force
                            $relevantPolicies.HealthScripts += $script
                            break
                        }
                    }
                }

                # Get Autopilot Deployment Profiles
                Write-Host "Fetching Autopilot Deployment Profiles..." -ForegroundColor Yellow
                $autoProfiles = Get-IntuneEntities -EntityType "windowsAutopilotDeploymentProfiles"
                foreach ($profile in $autoProfiles) {
                    $assignments = Get-IntuneAssignments -EntityType "windowsAutopilotDeploymentProfiles" -EntityId $profile.id
                    foreach ($assignment in $assignments) {
                        if (($assignment.Reason -eq "All Devices") -or
                            ($assignment.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignment.GroupId)) {
                            $profile | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignment.Reason -Force
                            $relevantPolicies.DeploymentProfiles += $profile
                            break
                        }
                        elseif ($assignment.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignment.GroupId) {
                            $profile | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                            $relevantPolicies.DeploymentProfiles += $profile
                            break
                        }
                    }
                }

                # Get Enrollment Status Page Profiles
                Write-Host "Fetching Enrollment Status Page Profiles..." -ForegroundColor Yellow
                $enrollmentConfigs = Get-IntuneEntities -EntityType "deviceEnrollmentConfigurations"
                $espProfiles = $enrollmentConfigs | Where-Object { $_.'@odata.type' -match 'EnrollmentCompletionPageConfiguration' }
                foreach ($esp in $espProfiles) {
                    $assignments = Get-IntuneAssignments -EntityType "deviceEnrollmentConfigurations" -EntityId $esp.id
                    foreach ($assignment in $assignments) {
                        if (($assignment.Reason -eq "All Devices") -or
                            ($assignment.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignment.GroupId)) {
                            $esp | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignment.Reason -Force
                            $relevantPolicies.ESPProfiles += $esp
                            break
                        }
                        elseif ($assignment.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignment.GroupId) {
                            $esp | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                            $relevantPolicies.ESPProfiles += $esp
                            break
                        }
                    }
                }

                # Get Windows 365 Cloud PC Provisioning Policies
                Write-Host "Fetching Windows 365 Cloud PC Provisioning Policies..." -ForegroundColor Yellow
                try {
                    $cloudPCProvisioningPolicies = Get-IntuneEntities -EntityType "virtualEndpoint/provisioningPolicies"
                    foreach ($policy in $cloudPCProvisioningPolicies) {
                        $assignments = Get-IntuneAssignments -EntityType "virtualEndpoint/provisioningPolicies" -EntityId $policy.id
                        foreach ($assignment in $assignments) {
                            if (($assignment.Reason -eq "All Devices") -or
                                ($assignment.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignment.GroupId)) {
                                $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignment.Reason -Force
                                $relevantPolicies.CloudPCProvisioningPolicies += $policy
                                break
                            }
                            elseif ($assignment.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignment.GroupId) {
                                $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                $relevantPolicies.CloudPCProvisioningPolicies += $policy
                                break
                            }
                        }
                    }
                }
                catch {
                    Write-Warning "Unable to fetch Windows 365 Cloud PC Provisioning Policies: $($_.Exception.Message)"
                }

                # Get Windows 365 Cloud PC User Settings
                Write-Host "Fetching Windows 365 Cloud PC User Settings..." -ForegroundColor Yellow
                try {
                    $cloudPCUserSettings = Get-IntuneEntities -EntityType "virtualEndpoint/userSettings"
                    foreach ($setting in $cloudPCUserSettings) {
                        $assignments = Get-IntuneAssignments -EntityType "virtualEndpoint/userSettings" -EntityId $setting.id
                        foreach ($assignment in $assignments) {
                            if (($assignment.Reason -eq "All Devices") -or
                                ($assignment.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignment.GroupId)) {
                                $setting | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignment.Reason -Force
                                $relevantPolicies.CloudPCUserSettings += $setting
                                break
                            }
                            elseif ($assignment.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignment.GroupId) {
                                $setting | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                $relevantPolicies.CloudPCUserSettings += $setting
                                break
                            }
                        }
                    }
                }
                catch {
                    Write-Warning "Unable to fetch Windows 365 Cloud PC User Settings: $($_.Exception.Message)"
                }

                # Get Endpoint Security - Antivirus Policies
                Write-Host "Fetching Antivirus Policies" -ForegroundColor Yellow
                $antivirusPoliciesFoundDevice = [System.Collections.ArrayList]::new()
                $processedAntivirusIdsDevice = [System.Collections.Generic.HashSet[string]]::new()

                # 1. Check configurationPolicies
                $configPoliciesForAntivirusDevice = Get-IntuneEntities -EntityType "configurationPolicies"
                $matchingConfigPoliciesAntivirusDevice = $configPoliciesForAntivirusDevice | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAntivirus' }

                if ($matchingConfigPoliciesAntivirusDevice) {
                    foreach ($policy in $matchingConfigPoliciesAntivirusDevice) {
                        if ($processedAntivirusIdsDevice.Add($policy.id)) {
                            $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                            foreach ($assignmentDetail in $assignments) {
                                if (($assignmentDetail.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignmentDetail.GroupId) -or
                                    ($assignmentDetail.Reason -eq "All Devices")) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentDetail.Reason -Force
                                    [void]$antivirusPoliciesFoundDevice.Add($policy)
                                    break
                                }
                                elseif ($assignmentDetail.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignmentDetail.GroupId) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                    [void]$antivirusPoliciesFoundDevice.Add($policy)
                                    break
                                }
                            }
                        }
                    }
                }

                # 2. Check deviceManagement/intents
                $allIntentsForAntivirusDevice = Get-IntuneEntities -EntityType "deviceManagement/intents"
                $matchingIntentsAntivirusDevice = $allIntentsForAntivirusDevice | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAntivirus' }

                if ($matchingIntentsAntivirusDevice) {
                    foreach ($policy in $matchingIntentsAntivirusDevice) {
                        if ($processedAntivirusIdsDevice.Add($policy.id)) {
                            $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                            $assignments = $assignmentsResponse.value
                            
                            foreach ($assignment in $assignments) {
                                $assignmentDetails = @{
                                    Reason  = switch ($assignment.target.'@odata.type') {
                                        '#microsoft.graph.allDevicesAssignmentTarget' { "All Devices" }
                                        '#microsoft.graph.groupAssignmentTarget' { "Group Assignment" }
                                        '#microsoft.graph.exclusionGroupAssignmentTarget' { "Group Exclusion" }
                                        default { "Unknown" }
                                    }
                                    GroupId = if ($assignment.target.'@odata.type' -match "groupAssignmentTarget") { $assignment.target.groupId } else { $null }
                                }

                                if (($assignmentDetails.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignmentDetails.GroupId) -or
                                    ($assignmentDetails.Reason -eq "All Devices")) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentDetails.Reason -Force
                                    [void]$antivirusPoliciesFoundDevice.Add($policy)
                                    break
                                }
                                elseif ($assignmentDetails.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignmentDetails.GroupId) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                    [void]$antivirusPoliciesFoundDevice.Add($policy)
                                    break
                                }
                            }
                        }
                    }
                }
                $relevantPolicies.AntivirusProfiles = $antivirusPoliciesFoundDevice

                # Get Endpoint Security - Disk Encryption Policies
                Write-Host "Fetching Disk Encryption Policies." -ForegroundColor Yellow
                $diskEncryptionPoliciesFoundDevice = [System.Collections.ArrayList]::new()
                $processedDiskEncryptionIdsDevice = [System.Collections.Generic.HashSet[string]]::new()

                # 1. Check configurationPolicies
                $configPoliciesForDiskEncDevice = Get-IntuneEntities -EntityType "configurationPolicies"
                $matchingConfigPoliciesDiskEncDevice = $configPoliciesForDiskEncDevice | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityDiskEncryption' }
                
                if ($matchingConfigPoliciesDiskEncDevice) {
                    foreach ($policy in $matchingConfigPoliciesDiskEncDevice) {
                        if ($processedDiskEncryptionIdsDevice.Add($policy.id)) {
                            $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                            foreach ($assignmentDetail in $assignments) {
                                if (($assignmentDetail.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignmentDetail.GroupId) -or
                                    ($assignmentDetail.Reason -eq "All Devices")) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentDetail.Reason -Force
                                    [void]$diskEncryptionPoliciesFoundDevice.Add($policy)
                                    break
                                }
                                elseif ($assignmentDetail.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignmentDetail.GroupId) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                    [void]$diskEncryptionPoliciesFoundDevice.Add($policy)
                                    break
                                }
                            }
                        }
                    }
                }

                # 2. Check deviceManagement/intents
                $allIntentsForDiskEncDevice = Get-IntuneEntities -EntityType "deviceManagement/intents"
                $matchingIntentsDiskEncDevice = $allIntentsForDiskEncDevice | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityDiskEncryption' }

                if ($matchingIntentsDiskEncDevice) {
                    foreach ($policy in $matchingIntentsDiskEncDevice) {
                        if ($processedDiskEncryptionIdsDevice.Add($policy.id)) {
                            $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                            $assignments = $assignmentsResponse.value
                            foreach ($assignment in $assignments) {
                                $assignmentDetails = @{
                                    Reason  = switch ($assignment.target.'@odata.type') {
                                        '#microsoft.graph.allDevicesAssignmentTarget' { "All Devices" }
                                        '#microsoft.graph.groupAssignmentTarget' { "Group Assignment" }
                                        '#microsoft.graph.exclusionGroupAssignmentTarget' { "Group Exclusion" }
                                        default { "Unknown" }
                                    }
                                    GroupId = if ($assignment.target.'@odata.type' -match "groupAssignmentTarget") { $assignment.target.groupId } else { $null }
                                }
                                if (($assignmentDetails.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignmentDetails.GroupId) -or
                                    ($assignmentDetails.Reason -eq "All Devices")) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentDetails.Reason -Force
                                    [void]$diskEncryptionPoliciesFoundDevice.Add($policy)
                                    break
                                }
                                elseif ($assignmentDetails.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignmentDetails.GroupId) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                    [void]$diskEncryptionPoliciesFoundDevice.Add($policy)
                                    break
                                }
                            }
                        }
                    }
                }
                $relevantPolicies.DiskEncryptionProfiles = $diskEncryptionPoliciesFoundDevice

                # Get Endpoint Security - Firewall Policies
                Write-Host "Fetching Firewall Policies" -ForegroundColor Yellow
                $firewallPoliciesFoundDevice = [System.Collections.ArrayList]::new()
                $processedFirewallIdsDevice = [System.Collections.Generic.HashSet[string]]::new()

                # 1. Check configurationPolicies
                $configPoliciesForFirewallDevice = Get-IntuneEntities -EntityType "configurationPolicies"
                $matchingConfigPoliciesFirewallDevice = $configPoliciesForFirewallDevice | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityFirewall' }
                
                if ($matchingConfigPoliciesFirewallDevice) {
                    foreach ($policy in $matchingConfigPoliciesFirewallDevice) {
                        if ($processedFirewallIdsDevice.Add($policy.id)) {
                            $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                            foreach ($assignmentDetail in $assignments) {
                                if (($assignmentDetail.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignmentDetail.GroupId) -or
                                    ($assignmentDetail.Reason -eq "All Devices")) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentDetail.Reason -Force
                                    [void]$firewallPoliciesFoundDevice.Add($policy)
                                    break
                                }
                                elseif ($assignmentDetail.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignmentDetail.GroupId) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                    [void]$firewallPoliciesFoundDevice.Add($policy)
                                    break
                                }
                            }
                        }
                    }
                }

                # 2. Check deviceManagement/intents
                $allIntentsForFirewallDevice = Get-IntuneEntities -EntityType "deviceManagement/intents"
                $matchingIntentsFirewallDevice = $allIntentsForFirewallDevice | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityFirewall' }

                if ($matchingIntentsFirewallDevice) {
                    foreach ($policy in $matchingIntentsFirewallDevice) {
                        if ($processedFirewallIdsDevice.Add($policy.id)) {
                            $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                            $assignments = $assignmentsResponse.value
                            foreach ($assignment in $assignments) {
                                $assignmentDetails = @{
                                    Reason  = switch ($assignment.target.'@odata.type') {
                                        '#microsoft.graph.allDevicesAssignmentTarget' { "All Devices" }
                                        '#microsoft.graph.groupAssignmentTarget' { "Group Assignment" }
                                        '#microsoft.graph.exclusionGroupAssignmentTarget' { "Group Exclusion" }
                                        default { "Unknown" }
                                    }
                                    GroupId = if ($assignment.target.'@odata.type' -match "groupAssignmentTarget") { $assignment.target.groupId } else { $null }
                                }
                                if (($assignmentDetails.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignmentDetails.GroupId) -or
                                    ($assignmentDetails.Reason -eq "All Devices")) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentDetails.Reason -Force
                                    [void]$firewallPoliciesFoundDevice.Add($policy)
                                    break
                                }
                                elseif ($assignmentDetails.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignmentDetails.GroupId) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                    [void]$firewallPoliciesFoundDevice.Add($policy)
                                    break
                                }
                            }
                        }
                    }
                }
                $relevantPolicies.FirewallProfiles = $firewallPoliciesFoundDevice

                # Get Endpoint Security - Endpoint Detection and Response Policies
                Write-Host "Fetching EDR Policies" -ForegroundColor Yellow
                $edrPoliciesFoundDevice = [System.Collections.ArrayList]::new()
                $processedEDRIdsDevice = [System.Collections.Generic.HashSet[string]]::new()

                # 1. Check configurationPolicies
                $configPoliciesForEDRDevice = Get-IntuneEntities -EntityType "configurationPolicies"
                $matchingConfigPoliciesEDRDevice = $configPoliciesForEDRDevice | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityEndpointDetectionAndResponse' }

                if ($matchingConfigPoliciesEDRDevice) {
                    foreach ($policy in $matchingConfigPoliciesEDRDevice) {
                        if ($processedEDRIdsDevice.Add($policy.id)) {
                            $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                            foreach ($assignmentDetail in $assignments) {
                                if (($assignmentDetail.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignmentDetail.GroupId) -or
                                    ($assignmentDetail.Reason -eq "All Devices")) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentDetail.Reason -Force
                                    [void]$edrPoliciesFoundDevice.Add($policy)
                                    break
                                }
                                elseif ($assignmentDetail.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignmentDetail.GroupId) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                    [void]$edrPoliciesFoundDevice.Add($policy)
                                    break
                                }
                            }
                        }
                    }
                }

                # 2. Check deviceManagement/intents
                $allIntentsForEDRDevice = Get-IntuneEntities -EntityType "deviceManagement/intents"
                $matchingIntentsEDRDevice = $allIntentsForEDRDevice | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityEndpointDetectionAndResponse' }
                
                if ($matchingIntentsEDRDevice) {
                    foreach ($policy in $matchingIntentsEDRDevice) {
                        if ($processedEDRIdsDevice.Add($policy.id)) {
                            $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                            $assignments = $assignmentsResponse.value
                            foreach ($assignment in $assignments) {
                                $assignmentDetails = @{
                                    Reason  = switch ($assignment.target.'@odata.type') {
                                        '#microsoft.graph.allDevicesAssignmentTarget' { "All Devices" }
                                        '#microsoft.graph.groupAssignmentTarget' { "Group Assignment" }
                                        '#microsoft.graph.exclusionGroupAssignmentTarget' { "Group Exclusion" }
                                        default { "Unknown" }
                                    }
                                    GroupId = if ($assignment.target.'@odata.type' -match "groupAssignmentTarget") { $assignment.target.groupId } else { $null }
                                }
                                if (($assignmentDetails.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignmentDetails.GroupId) -or
                                    ($assignmentDetails.Reason -eq "All Devices")) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentDetails.Reason -Force
                                    [void]$edrPoliciesFoundDevice.Add($policy)
                                    break
                                }
                                elseif ($assignmentDetails.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignmentDetails.GroupId) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                    [void]$edrPoliciesFoundDevice.Add($policy)
                                    break
                                }
                            }
                        }
                    }
                }
                $relevantPolicies.EndpointDetectionProfiles = $edrPoliciesFoundDevice

                # Get Endpoint Security - Attack Surface Reduction Policies
                Write-Host "Fetching ASR Policies" -ForegroundColor Yellow
                $asrPoliciesFoundDevice = [System.Collections.ArrayList]::new()
                $processedASRIdsDevice = [System.Collections.Generic.HashSet[string]]::new()

                # 1. Check configurationPolicies
                $configPoliciesForASRDevice = Get-IntuneEntities -EntityType "configurationPolicies"
                $matchingConfigPoliciesASRDevice = $configPoliciesForASRDevice | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAttackSurfaceReductionRules' }

                if ($matchingConfigPoliciesASRDevice) {
                    foreach ($policy in $matchingConfigPoliciesASRDevice) {
                        if ($processedASRIdsDevice.Add($policy.id)) {
                            $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                            foreach ($assignmentDetail in $assignments) {
                                if (($assignmentDetail.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignmentDetail.GroupId) -or
                                    ($assignmentDetail.Reason -eq "All Devices")) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentDetail.Reason -Force
                                    [void]$asrPoliciesFoundDevice.Add($policy)
                                    break
                                }
                                elseif ($assignmentDetail.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignmentDetail.GroupId) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                    [void]$asrPoliciesFoundDevice.Add($policy)
                                    break
                                }
                            }
                        }
                    }
                }

                # 2. Check deviceManagement/intents
                $allIntentsForASRDevice = Get-IntuneEntities -EntityType "deviceManagement/intents"
                $matchingIntentsASRDevice = $allIntentsForASRDevice | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAttackSurfaceReductionRules' }

                if ($matchingIntentsASRDevice) {
                    foreach ($policy in $matchingIntentsASRDevice) {
                        if ($processedASRIdsDevice.Add($policy.id)) {
                            $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                            $assignments = $assignmentsResponse.value
                            foreach ($assignment in $assignments) {
                                $assignmentDetails = @{
                                    Reason  = switch ($assignment.target.'@odata.type') {
                                        '#microsoft.graph.allDevicesAssignmentTarget' { "All Devices" }
                                        '#microsoft.graph.groupAssignmentTarget' { "Group Assignment" }
                                        '#microsoft.graph.exclusionGroupAssignmentTarget' { "Group Exclusion" }
                                        default { "Unknown" }
                                    }
                                    GroupId = if ($assignment.target.'@odata.type' -match "groupAssignmentTarget") { $assignment.target.groupId } else { $null }
                                }
                                if (($assignmentDetails.Reason -eq "Group Assignment" -and $groupMemberships.id -contains $assignmentDetails.GroupId) -or
                                    ($assignmentDetails.Reason -eq "All Devices")) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $assignmentDetails.Reason -Force
                                    [void]$asrPoliciesFoundDevice.Add($policy)
                                    break
                                }
                                elseif ($assignmentDetails.Reason -eq "Group Exclusion" -and $groupMemberships.id -contains $assignmentDetails.GroupId) {
                                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "Excluded" -Force
                                    [void]$asrPoliciesFoundDevice.Add($policy)
                                    break
                                }
                            }
                        }
                    }
                }
                $relevantPolicies.AttackSurfaceProfiles = $asrPoliciesFoundDevice

                # Get Applications
                Write-Host "Fetching Applications..." -ForegroundColor Yellow
                # Fetch Applications
                $appUri = "$GraphEndpoint/beta/deviceAppManagement/mobileApps?`$filter=isAssigned eq true"
                $appResponse = Invoke-MgGraphRequest -Uri $appUri -Method Get
                $allApps = $appResponse.value
                while ($appResponse.'@odata.nextLink') {
                    $appResponse = Invoke-MgGraphRequest -Uri $appResponse.'@odata.nextLink' -Method Get
                    $allApps += $appResponse.value
                }
                $totalApps = $allApps.Count

                foreach ($app in $allApps) {
                    # Filter out irrelevant apps
                    if ($app.isFeatured -or $app.isBuiltIn) {
                        continue
                    }

                    $appId = $app.id
                    $assignmentsUri = "$GraphEndpoint/beta/deviceAppManagement/mobileApps('$appId')/assignments"
                    $assignmentResponse = Invoke-MgGraphRequest -Uri $assignmentsUri -Method Get

                    $isExcluded = $false
                    $isIncluded = $false
                    $inclusionReason = ""
                    $exclusionReason = ""

                    foreach ($assignment in $assignmentResponse.value) {
                        if ($assignment.target.'@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget' -and
                            $groupMemberships.id -contains $assignment.target.groupId) {
                            $isExcluded = $true
                            $groupInfo = Get-GroupInfo -GroupId $assignment.target.groupId
                            $exclusionReason = "Excluded via group: $($groupInfo.DisplayName)"
                            break
                        }
                        elseif ($assignment.target.'@odata.type' -eq '#microsoft.graph.allDevicesAssignmentTarget') {
                            $isIncluded = $true
                            $inclusionReason = "All Devices"
                        }
                        elseif ($assignment.target.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget' -and
                            $groupMemberships.id -contains $assignment.target.groupId) {
                            $isIncluded = $true
                            $groupInfo = Get-GroupInfo -GroupId $assignment.target.groupId
                            $inclusionReason = "Group Assignment - $($groupInfo.DisplayName)"
                        }
                    }

                    if ($isExcluded) {
                        $appWithReason = $app.PSObject.Copy()
                        $appWithReason | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $exclusionReason -Force
                        switch ($assignment.intent) {
                            "required" { $relevantPolicies.AppsRequired += $appWithReason; break }
                            "available" { $relevantPolicies.AppsAvailable += $appWithReason; break }
                            "uninstall" { $relevantPolicies.AppsUninstall += $appWithReason; break }
                        }
                    }
                    elseif ($isIncluded) {
                        $appWithReason = $app.PSObject.Copy()
                        $appWithReason | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue $inclusionReason -Force
                        switch ($assignment.intent) {
                            "required" { $relevantPolicies.AppsRequired += $appWithReason; break }
                            "available" { $relevantPolicies.AppsAvailable += $appWithReason; break }
                            "uninstall" { $relevantPolicies.AppsUninstall += $appWithReason; break }
                        }
                    }
                }
 
                # Display results
                Write-Host "`nAssignments for Device: $deviceName" -ForegroundColor Green

                # Function to format and display policy table
                function Format-PolicyTable {
                    param (
                        [string]$Title,
                        [object[]]$Policies,
                        [scriptblock]$GetName,
                        [scriptblock]$GetExtra = { param($p) "" }
                    )
                    $tableSeparator = "-" * 120 # Define at the start for use in empty case

                    # Create prominent section header
                    $headerSeparator = "-" * ($Title.Length + 16)
                    Write-Host "`n$headerSeparator" -ForegroundColor Cyan
                    Write-Host "------- $Title -------" -ForegroundColor Cyan
                    Write-Host "$headerSeparator" -ForegroundColor Cyan
                    
                    if ($Policies.Count -eq 0) {
                        Write-Host "No $Title found for this device." -ForegroundColor Gray
                        Write-Host $tableSeparator -ForegroundColor Gray # Print bottom line for empty table
                        Write-Host ""
                        return
                    }

                    # Create table header with custom formatting (this is for when policies exist)
                    $headerFormat = "{0,-50} {1,-40} {2,-30}" -f "Policy Name", "ID", "Assignment"
                    
                    Write-Host $headerFormat -ForegroundColor Yellow
                    Write-Host $tableSeparator -ForegroundColor Gray # This is the line under the headers
                    
                    # Display each policy in table format
                    foreach ($policy in $Policies) {
                        $name = & $GetName $policy
                        $extra = & $GetExtra $policy
                        
                        # Truncate long names and add ellipsis
                        if ($name.Length -gt 47) {
                            $name = $name.Substring(0, 44) + "..."
                        }
                        
                        # Format ID
                        $id = $policy.id
                        if ($id.Length -gt 37) {
                            $id = $id.Substring(0, 34) + "..."
                        }
                        
                        # Format assignment reason
                        $assignment = if ($policy.AssignmentReason) { $policy.AssignmentReason } else { "No Assignment" }
                        if ($assignment.Length -gt 27) {
                            $assignment = $assignment.Substring(0, 24) + "..."
                        }
                        
                        # Output formatted row
                        $rowFormat = "{0,-50} {1,-40} {2,-30}" -f $name, $id, $assignment
                        if ($assignment -eq "Excluded" -or $assignment -like "*Exclusion*") {
                            Write-Host $rowFormat -ForegroundColor Red
                        }
                        else {
                            Write-Host $rowFormat -ForegroundColor White
                        }
                    }
                    
                    Write-Host $tableSeparator -ForegroundColor Gray # This is the closing line of the table
                }

                # Display Device Configurations
                Format-PolicyTable -Title "Device Configurations" -Policies $relevantPolicies.DeviceConfigs -GetName {
                    param($config)
                    if ([string]::IsNullOrWhiteSpace($config.name)) { $config.displayName } else { $config.name }
                }

                # Display Settings Catalog Policies
                Format-PolicyTable -Title "Settings Catalog Policies" -Policies $relevantPolicies.SettingsCatalog -GetName {
                    param($policy)
                    if ([string]::IsNullOrWhiteSpace($policy.name)) { $policy.displayName } else { $policy.name }
                }

                # Display Administrative Templates
                Format-PolicyTable -Title "Administrative Templates" -Policies $relevantPolicies.AdminTemplates -GetName {
                    param($template)
                    if ([string]::IsNullOrWhiteSpace($template.name)) { $template.displayName } else { $template.name }
                }

                # Display Compliance Policies
                Format-PolicyTable -Title "Compliance Policies" -Policies $relevantPolicies.CompliancePolicies -GetName {
                    param($policy)
                    if ([string]::IsNullOrWhiteSpace($policy.name)) { $policy.displayName } else { $policy.name }
                }

                # Display App Protection Policies
                Format-PolicyTable -Title "App Protection Policies" -Policies $relevantPolicies.AppProtectionPolicies -GetName {
                    param($policy)
                    $policy.displayName
                } -GetExtra {
                    param($policy)
                    @{
                        Label = 'Platform'
                        Value = switch ($policy.'@odata.type') {
                            "#microsoft.graph.androidManagedAppProtection" { "Android" }
                            "#microsoft.graph.iosManagedAppProtection" { "iOS" }
                            "#microsoft.graph.windowsManagedAppProtection" { "Windows" }
                            default { "Unknown" }
                        }
                    }
                }

                # Display App Configuration Policies
                Format-PolicyTable -Title "App Configuration Policies" -Policies $relevantPolicies.AppConfigurationPolicies -GetName {
                    param($policy)
                    if ([string]::IsNullOrWhiteSpace($policy.name)) { $policy.displayName } else { $policy.name }
                }

                # Display Platform Scripts
                Format-PolicyTable -Title "Platform Scripts" -Policies $relevantPolicies.PlatformScripts -GetName {
                    param($script)
                    if ([string]::IsNullOrWhiteSpace($script.name)) { $script.displayName } else { $script.name }
                }

                # Display Proactive Remediation Scripts
                Format-PolicyTable -Title "Proactive Remediation Scripts" -Policies $relevantPolicies.HealthScripts -GetName {
                    param($script)
                    if ([string]::IsNullOrWhiteSpace($script.name)) { $script.displayName } else { $script.name }
                }

                # Display Required Apps
                Format-PolicyTable -Title "Required Apps" -Policies $relevantPolicies.AppsRequired -GetName {
                    param($app)
                    $app.displayName
                }

                # Display Available Apps
                Format-PolicyTable -Title "Available Apps" -Policies $relevantPolicies.AppsAvailable -GetName {
                    param($app)
                    $app.displayName
                }

                # Display Uninstall Apps
                Format-PolicyTable -Title "Uninstall Apps" -Policies $relevantPolicies.AppsUninstall -GetName {
                    param($app)
                    $app.displayName
                }

                # Display Endpoint Security - Antivirus Profiles
                Format-PolicyTable -Title "Endpoint Security - Antivirus Profiles" -Policies $relevantPolicies.AntivirusProfiles -GetName { param($profile) if (-not [string]::IsNullOrWhiteSpace($profile.displayName)) { $profile.displayName } elseif (-not [string]::IsNullOrWhiteSpace($profile.name)) { $profile.name } else { "Unnamed Profile" } }
                
                # Display Endpoint Security - Disk Encryption Profiles
                Format-PolicyTable -Title "Endpoint Security - Disk Encryption Profiles" -Policies $relevantPolicies.DiskEncryptionProfiles -GetName { param($profile) if (-not [string]::IsNullOrWhiteSpace($profile.displayName)) { $profile.displayName } elseif (-not [string]::IsNullOrWhiteSpace($profile.name)) { $profile.name } else { "Unnamed Profile" } }
                
                # Display Endpoint Security - Firewall Profiles
                Format-PolicyTable -Title "Endpoint Security - Firewall Profiles" -Policies $relevantPolicies.FirewallProfiles -GetName { param($profile) if (-not [string]::IsNullOrWhiteSpace($profile.displayName)) { $profile.displayName } elseif (-not [string]::IsNullOrWhiteSpace($profile.name)) { $profile.name } else { "Unnamed Profile" } }
                
                # Display Endpoint Security - Endpoint Detection and Response Profiles
                Format-PolicyTable -Title "Endpoint Security - EDR Profiles" -Policies $relevantPolicies.EndpointDetectionProfiles -GetName { param($profile) if (-not [string]::IsNullOrWhiteSpace($profile.displayName)) { $profile.displayName } elseif (-not [string]::IsNullOrWhiteSpace($profile.name)) { $profile.name } else { "Unnamed Profile" } }
                
                # Display Endpoint Security - Attack Surface Reduction Profiles
                Format-PolicyTable -Title "Endpoint Security - ASR Profiles" -Policies $relevantPolicies.AttackSurfaceProfiles -GetName { param($profile) if (-not [string]::IsNullOrWhiteSpace($profile.displayName)) { $profile.displayName } elseif (-not [string]::IsNullOrWhiteSpace($profile.name)) { $profile.name } else { "Unnamed Profile" } }

                # Add to export data
                Add-ExportData -ExportData $exportData -Category "Device" -Items @([PSCustomObject]@{
                        displayName      = $deviceName
                        id               = $deviceInfo.Id
                        AssignmentReason = "N/A"
                    }

                    Add-ExportData -ExportData $exportData -Category "Device Configuration" -Items $relevantPolicies.DeviceConfigs -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Settings Catalog Policy" -Items $relevantPolicies.SettingsCatalog -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Administrative Template" -Items $relevantPolicies.AdminTemplates -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Compliance Policy" -Items $relevantPolicies.CompliancePolicies -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "App Protection Policy" -Items $relevantPolicies.AppProtectionPolicies -AssignmentReason { param($item) $item.AssignmentSummary }
                    Add-ExportData -ExportData $exportData -Category "App Configuration Policy" -Items $relevantPolicies.AppConfigurationPolicies -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Platform Scripts" -Items $relevantPolicies.PlatformScripts -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Proactive Remediation Scripts" -Items $relevantPolicies.HealthScripts -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - Antivirus" -Items $relevantPolicies.AntivirusProfiles -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - Disk Encryption" -Items $relevantPolicies.DiskEncryptionProfiles -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - Firewall" -Items $relevantPolicies.FirewallProfiles -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - EDR" -Items $relevantPolicies.EndpointDetectionProfiles -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - ASR" -Items $relevantPolicies.AttackSurfaceProfiles -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Windows 365 Cloud PC Provisioning Policy" -Items $relevantPolicies.CloudPCProvisioningPolicies -AssignmentReason { param($item) $item.AssignmentReason }
                    Add-ExportData -ExportData $exportData -Category "Windows 365 Cloud PC User Setting" -Items $relevantPolicies.CloudPCUserSettings -AssignmentReason { param($item) $item.AssignmentReason }
                )
            }

            # Export results if requested
            Export-ResultsIfRequested -ExportData $exportData -DefaultFileName "IntuneDeviceAssignments.csv" -ForceExport:$ExportToCSV -CustomExportPath $ExportPath
        }
        '4' {
            Write-Host "Fetching all policies and their assignments..." -ForegroundColor Green
            $exportData = [System.Collections.ArrayList]::new()

            # Initialize collections for all policies
            $allPolicies = @{
                DeviceConfigs               = @()
                SettingsCatalog             = @()
                AdminTemplates              = @()
                CompliancePolicies          = @()
                AppProtectionPolicies       = @()
                AppConfigurationPolicies    = @()
                PlatformScripts             = @()
                HealthScripts               = @()
                AntivirusProfiles           = @()
                DiskEncryptionProfiles      = @()
                FirewallProfiles            = @()
                EndpointDetectionProfiles   = @()
                AttackSurfaceProfiles       = @()
                DeploymentProfiles          = @()
                ESPProfiles                 = @()
                CloudPCProvisioningPolicies = @()
                CloudPCUserSettings         = @()
            }

            # Function to process and display policy assignments
            function Process-PolicyAssignments {
                param (
                    [Parameter(Mandatory = $true)]
                    [string]$PolicyType,
                    
                    [Parameter(Mandatory = $false)] # Changed from $true
                    [object[]]$Policies,
                    
                    [Parameter(Mandatory = $true)]
                    [string]$DisplayName
                )

                if ($null -eq $Policies -or $Policies.Count -eq 0) {
                    Write-Host "`n------- $DisplayName -------" -ForegroundColor Cyan
                    Write-Host "No policies found for this category." -ForegroundColor Gray
                    Write-Host ""
                    return
                }
                
                Write-Host "`n------- $DisplayName -------" -ForegroundColor Cyan
                foreach ($policy in $Policies) {
                    $policyName = if (-not [string]::IsNullOrWhiteSpace($policy.displayName)) { $policy.displayName } elseif (-not [string]::IsNullOrWhiteSpace($policy.name)) { $policy.name } else { "Unnamed Profile" }
                    Write-Host "Policy Name: $policyName" -ForegroundColor White
                    Write-Host "Policy ID: $($policy.id)" -ForegroundColor Gray
                    if ($policy.AssignmentSummary) {
                        Write-Host "Assignments: $($policy.AssignmentSummary)" -ForegroundColor Gray
                    }
                    else {
                        Write-Host "No assignments found" -ForegroundColor Yellow
                    }
                    Write-Host ""
                }
            }

            # Get Device Configurations
            Write-Host "Fetching Device Configurations..." -ForegroundColor Yellow
            $deviceConfigs = Get-IntuneEntities -EntityType "deviceConfigurations"
            foreach ($config in $deviceConfigs) {
                $assignments = Get-IntuneAssignments -EntityType "deviceConfigurations" -EntityId $config.id
                $assignmentSummary = $assignments | ForEach-Object {
                    if ($_.Reason -eq "Group Assignment") {
                        $groupInfo = Get-GroupInfo -GroupId $_.GroupId
                        "$($_.Reason) - $($groupInfo.DisplayName)"
                    }
                    else {
                        $_.Reason
                    }
                }
                $config | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                $allPolicies.DeviceConfigs += $config
            }

            # Get Settings Catalog Policies
            Write-Host "Fetching Settings Catalog Policies..." -ForegroundColor Yellow
            $settingsCatalog = Get-IntuneEntities -EntityType "configurationPolicies"
            foreach ($policy in $settingsCatalog) {
                $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                $assignmentSummary = $assignments | ForEach-Object {
                    if ($_.Reason -eq "Group Assignment") {
                        $groupInfo = Get-GroupInfo -GroupId $_.GroupId
                        "$($_.Reason) - $($groupInfo.DisplayName)"
                    }
                    else {
                        $_.Reason
                    }
                }
                $policy | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                $allPolicies.SettingsCatalog += $policy
            }

            # Get Administrative Templates
            Write-Host "Fetching Administrative Templates..." -ForegroundColor Yellow
            $adminTemplates = Get-IntuneEntities -EntityType "groupPolicyConfigurations"
            foreach ($template in $adminTemplates) {
                $assignments = Get-IntuneAssignments -EntityType "groupPolicyConfigurations" -EntityId $template.id
                $assignmentSummary = $assignments | ForEach-Object {
                    if ($_.Reason -eq "Group Assignment") {
                        $groupInfo = Get-GroupInfo -GroupId $_.GroupId
                        "$($_.Reason) - $($groupInfo.DisplayName)"
                    }
                    else {
                        $_.Reason
                    }
                }
                $template | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                $allPolicies.AdminTemplates += $template
            }

            # Get Compliance Policies
            Write-Host "Fetching Compliance Policies..." -ForegroundColor Yellow
            $compliancePolicies = Get-IntuneEntities -EntityType "deviceCompliancePolicies"
            foreach ($policy in $compliancePolicies) {
                $assignments = Get-IntuneAssignments -EntityType "deviceCompliancePolicies" -EntityId $policy.id
                $assignmentSummary = $assignments | ForEach-Object {
                    if ($_.Reason -eq "Group Assignment") {
                        $groupInfo = Get-GroupInfo -GroupId $_.GroupId
                        "$($_.Reason) - $($groupInfo.DisplayName)"
                    }
                    else {
                        $_.Reason
                    }
                }
                $policy | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                $allPolicies.CompliancePolicies += $policy
            }

            # Get App Protection Policies
            Write-Host "Fetching App Protection Policies..." -ForegroundColor Yellow
            $appProtectionPolicies = Get-IntuneEntities -EntityType "deviceAppManagement/managedAppPolicies"
            foreach ($policy in $appProtectionPolicies) {
                $policyType = $policy.'@odata.type'
                $assignmentsUri = switch ($policyType) {
                    "#microsoft.graph.androidManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/androidManagedAppProtections('$($policy.id)')/assignments" }
                    "#microsoft.graph.iosManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/iosManagedAppProtections('$($policy.id)')/assignments" }
                    "#microsoft.graph.windowsManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/windowsManagedAppProtections('$($policy.id)')/assignments" }
                    default { $null }
                }

                if ($assignmentsUri) {
                    try {
                        $assignmentResponse = Invoke-MgGraphRequest -Uri $assignmentsUri -Method Get
                        $assignments = @()
                        foreach ($assignment in $assignmentResponse.value) {
                            $assignmentReason = $null
                            switch ($assignment.target.'@odata.type') {
                                '#microsoft.graph.allLicensedUsersAssignmentTarget' {
                                    $assignmentReason = "All Users"
                                }
                                '#microsoft.graph.groupAssignmentTarget' {
                                    if (!$GroupId -or $assignment.target.groupId -eq $GroupId) {
                                        $assignmentReason = "Group Assignment"
                                    }
                                }
                                '#microsoft.graph.exclusionGroupAssignmentTarget' {
                                    if (!$GroupId -or $assignment.target.groupId -eq $GroupId) {
                                        $assignmentReason = "Group Exclusion"
                                    }
                                }
                            }

                            if ($assignmentReason) {
                                $assignments += $assignmentReason
                            }
                        }

                        if ($assignments.Count -gt 0) {
                            $policy | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignments -join "; ") -Force
                            $allPolicies.AppProtectionPolicies += $policy
                        }
                    }
                    catch {
                        Write-Host "Error fetching assignments for policy $($policy.displayName): $($_.Exception.Message)" -ForegroundColor Red
                    }
                }
            }

            # Get App Configuration Policies
            Write-Host "Fetching App Configuration Policies..." -ForegroundColor Yellow
            $appConfigPolicies = Get-IntuneEntities -EntityType "deviceAppManagement/mobileAppConfigurations"
            foreach ($policy in $appConfigPolicies) {
                $assignments = Get-IntuneAssignments -EntityType "mobileAppConfigurations" -EntityId $policy.id
                $assignmentSummary = $assignments | ForEach-Object {
                    if ($_.Reason -eq "Group Assignment") {
                        $groupInfo = Get-GroupInfo -GroupId $_.GroupId
                        "$($_.Reason) - $($groupInfo.DisplayName)"
                    }
                    else {
                        $_.Reason
                    }
                }
                $policy | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                $allPolicies.AppConfigurationPolicies += $policy
            }

            # Get Platform Scripts
            Write-Host "Fetching Platform Scripts..." -ForegroundColor Yellow
            $platformScripts = Get-IntuneEntities -EntityType "deviceManagementScripts"
            foreach ($script in $platformScripts) {
                $assignments = Get-IntuneAssignments -EntityType "deviceManagementScripts" -EntityId $script.id
                $assignmentSummary = $assignments | ForEach-Object {
                    if ($_.Reason -eq "Group Assignment") {
                        $groupInfo = Get-GroupInfo -GroupId $_.GroupId
                        "$($_.Reason) - $($groupInfo.DisplayName)"
                    }
                    else {
                        $_.Reason
                    }
                }
                $script | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                $allPolicies.PlatformScripts += $script
            }

            # Get Proactive Remediation Scripts
            Write-Host "Fetching Proactive Remediation Scripts..." -ForegroundColor Yellow
            $healthScripts = Get-IntuneEntities -EntityType "deviceHealthScripts"
            foreach ($script in $healthScripts) {
                $assignments = Get-IntuneAssignments -EntityType "deviceHealthScripts" -EntityId $script.id
                $assignmentSummary = $assignments | ForEach-Object {
                    if ($_.Reason -eq "Group Assignment") {
                        $groupInfo = Get-GroupInfo -GroupId $_.GroupId
                        "$($_.Reason) - $($groupInfo.DisplayName)"
                    }
                    else {
                        $_.Reason
                    }
                }
                $script | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                $allPolicies.HealthScripts += $script
            }

            # Get Autopilot Deployment Profiles
            Write-Host "Fetching Autopilot Deployment Profiles..." -ForegroundColor Yellow
            $autoProfilesAll = Get-IntuneEntities -EntityType "windowsAutopilotDeploymentProfiles"
            foreach ($profile in $autoProfilesAll) {
                $assignments = Get-IntuneAssignments -EntityType "windowsAutopilotDeploymentProfiles" -EntityId $profile.id
                $assignmentSummary = $assignments | ForEach-Object {
                    if ($_.Reason -eq "Group Assignment") {
                        $groupInfo = Get-GroupInfo -GroupId $_.GroupId
                        "$($_.Reason) - $($groupInfo.DisplayName)"
                    }
                    else { $_.Reason }
                }
                $profile | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                $allPolicies.DeploymentProfiles += $profile
            }

            # Get Enrollment Status Page Profiles
            Write-Host "Fetching Enrollment Status Page Profiles..." -ForegroundColor Yellow
            $enrollmentConfigsAll = Get-IntuneEntities -EntityType "deviceEnrollmentConfigurations"
            $espProfilesAll = $enrollmentConfigsAll | Where-Object { $_.'@odata.type' -match 'EnrollmentCompletionPageConfiguration' }
            foreach ($esp in $espProfilesAll) {
                $assignments = Get-IntuneAssignments -EntityType "deviceEnrollmentConfigurations" -EntityId $esp.id
                $assignmentSummary = $assignments | ForEach-Object {
                    if ($_.Reason -eq "Group Assignment") {
                        $groupInfo = Get-GroupInfo -GroupId $_.GroupId
                        "$($_.Reason) - $($groupInfo.DisplayName)"
                    }
                    else { $_.Reason }
                }
                $esp | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                $allPolicies.ESPProfiles += $esp
            }

            # Get Windows 365 Cloud PC Provisioning Policies
            Write-Host "Fetching Windows 365 Cloud PC Provisioning Policies..." -ForegroundColor Yellow
            try {
                $cloudPCProvisioningPoliciesAll = Get-IntuneEntities -EntityType "virtualEndpoint/provisioningPolicies"
                foreach ($policy in $cloudPCProvisioningPoliciesAll) {
                    $assignments = Get-IntuneAssignments -EntityType "virtualEndpoint/provisioningPolicies" -EntityId $policy.id
                    $assignmentSummary = $assignments | ForEach-Object {
                        if ($_.Reason -eq "Group Assignment") {
                            $groupInfo = Get-GroupInfo -GroupId $_.GroupId
                            "$($_.Reason) - $($groupInfo.DisplayName)"
                        }
                        else { $_.Reason }
                    }
                    $policy | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                    $allPolicies.CloudPCProvisioningPolicies += $policy
                }
            }
            catch {
                Write-Warning "Unable to fetch Windows 365 Cloud PC Provisioning Policies: $($_.Exception.Message)"
            }

            # Get Windows 365 Cloud PC User Settings
            Write-Host "Fetching Windows 365 Cloud PC User Settings..." -ForegroundColor Yellow
            try {
                $cloudPCUserSettingsAll = Get-IntuneEntities -EntityType "virtualEndpoint/userSettings"
                foreach ($setting in $cloudPCUserSettingsAll) {
                    $assignments = Get-IntuneAssignments -EntityType "virtualEndpoint/userSettings" -EntityId $setting.id
                    $assignmentSummary = $assignments | ForEach-Object {
                        if ($_.Reason -eq "Group Assignment") {
                            $groupInfo = Get-GroupInfo -GroupId $_.GroupId
                            "$($_.Reason) - $($groupInfo.DisplayName)"
                        }
                        else { $_.Reason }
                    }
                    $setting | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                    $allPolicies.CloudPCUserSettings += $setting
                }
            }
            catch {
                Write-Warning "Unable to fetch Windows 365 Cloud PC User Settings: $($_.Exception.Message)"
            }

            # Get Endpoint Security - Antivirus Policies
            Write-Host "Fetching Antivirus Policies..." -ForegroundColor Yellow
            $antivirusPoliciesFoundAll = [System.Collections.ArrayList]::new()
            $processedAntivirusIdsAll = [System.Collections.Generic.HashSet[string]]::new()

            # 1. Check configurationPolicies
            $configPoliciesForAntivirusAll = Get-IntuneEntities -EntityType "configurationPolicies"
            $matchingConfigPoliciesAntivirusAll = $configPoliciesForAntivirusAll | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAntivirus' }

            if ($matchingConfigPoliciesAntivirusAll) {
                foreach ($policy in $matchingConfigPoliciesAntivirusAll) {
                    if ($processedAntivirusIdsAll.Add($policy.id)) {
                        $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                        $assignmentSummary = $assignments | ForEach-Object {
                            if ($_.Reason -eq "Group Assignment" -or $_.Reason -eq "Group Exclusion") {
                                $groupInfo = Get-GroupInfo -GroupId $_.GroupId
                                "$($_.Reason) - $($groupInfo.DisplayName)"
                            }
                            else { $_.Reason }
                        }
                        $policy | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                        [void]$antivirusPoliciesFoundAll.Add($policy)
                    }
                }
            }

            # 2. Check deviceManagement/intents
            $allIntentsForAntivirusAll = Get-IntuneEntities -EntityType "deviceManagement/intents"
            $matchingIntentsAntivirusAll = $allIntentsForAntivirusAll | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAntivirus' }
            
            if ($matchingIntentsAntivirusAll) {
                foreach ($policy in $matchingIntentsAntivirusAll) {
                    if ($processedAntivirusIdsAll.Add($policy.id)) {
                        $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                        $assignmentSummary = $assignmentsResponse.value | ForEach-Object {
                            $reasonText = switch ($_.target.'@odata.type') {
                                '#microsoft.graph.allLicensedUsersAssignmentTarget' { "All Users" }
                                '#microsoft.graph.allDevicesAssignmentTarget' { "All Devices" }
                                '#microsoft.graph.groupAssignmentTarget' { "Group: " + (Get-GroupInfo -GroupId $_.target.groupId).DisplayName }
                                '#microsoft.graph.exclusionGroupAssignmentTarget' { "Exclude Group: " + (Get-GroupInfo -GroupId $_.target.groupId).DisplayName }
                                default { "Unknown" }
                            }
                            $reasonText
                        }
                        $policy | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                        [void]$antivirusPoliciesFoundAll.Add($policy)
                    }
                }
            }
            $allPolicies.AntivirusProfiles = $antivirusPoliciesFoundAll

            # Get Endpoint Security - Disk Encryption Policies
            Write-Host "Fetching Disk Encryption Policies..." -ForegroundColor Yellow
            $diskEncryptionPoliciesFoundAll = [System.Collections.ArrayList]::new()
            $processedDiskEncryptionIdsAll = [System.Collections.Generic.HashSet[string]]::new()

            # 1. Check configurationPolicies
            $configPoliciesForDiskEncAll = Get-IntuneEntities -EntityType "configurationPolicies"
            $matchingConfigPoliciesDiskEncAll = $configPoliciesForDiskEncAll | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityDiskEncryption' }

            if ($matchingConfigPoliciesDiskEncAll) {
                foreach ($policy in $matchingConfigPoliciesDiskEncAll) {
                    if ($processedDiskEncryptionIdsAll.Add($policy.id)) {
                        $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                        $assignmentSummary = $assignments | ForEach-Object {
                            if ($_.Reason -eq "Group Assignment" -or $_.Reason -eq "Group Exclusion") {
                                $groupInfo = Get-GroupInfo -GroupId $_.GroupId
                                "$($_.Reason) - $($groupInfo.DisplayName)"
                            }
                            else { $_.Reason }
                        }
                        $policy | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                        [void]$diskEncryptionPoliciesFoundAll.Add($policy)
                    }
                }
            }

            # 2. Check deviceManagement/intents
            $allIntentsForDiskEncAll = Get-IntuneEntities -EntityType "deviceManagement/intents"
            $matchingIntentsDiskEncAll = $allIntentsForDiskEncAll | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityDiskEncryption' }

            if ($matchingIntentsDiskEncAll) {
                foreach ($policy in $matchingIntentsDiskEncAll) {
                    if ($processedDiskEncryptionIdsAll.Add($policy.id)) {
                        $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                        $assignmentSummary = $assignmentsResponse.value | ForEach-Object {
                            $reasonText = switch ($_.target.'@odata.type') {
                                '#microsoft.graph.allLicensedUsersAssignmentTarget' { "All Users" }
                                '#microsoft.graph.allDevicesAssignmentTarget' { "All Devices" }
                                '#microsoft.graph.groupAssignmentTarget' { "Group: " + (Get-GroupInfo -GroupId $_.target.groupId).DisplayName }
                                '#microsoft.graph.exclusionGroupAssignmentTarget' { "Exclude Group: " + (Get-GroupInfo -GroupId $_.target.groupId).DisplayName }
                                default { "Unknown" }
                            }
                            $reasonText
                        }
                        $policy | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                        [void]$diskEncryptionPoliciesFoundAll.Add($policy)
                    }
                }
            }
            $allPolicies.DiskEncryptionProfiles = $diskEncryptionPoliciesFoundAll

            # Get Endpoint Security - Firewall Policies
            Write-Host "Fetching Firewall Policies..." -ForegroundColor Yellow
            $firewallPoliciesFoundAll = [System.Collections.ArrayList]::new()
            $processedFirewallIdsAll = [System.Collections.Generic.HashSet[string]]::new()

            # 1. Check configurationPolicies
            $configPoliciesForFirewallAll = Get-IntuneEntities -EntityType "configurationPolicies"
            $matchingConfigPoliciesFirewallAll = $configPoliciesForFirewallAll | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityFirewall' }
            
            if ($matchingConfigPoliciesFirewallAll) {
                foreach ($policy in $matchingConfigPoliciesFirewallAll) {
                    if ($processedFirewallIdsAll.Add($policy.id)) {
                        $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                        $assignmentSummary = $assignments | ForEach-Object {
                            if ($_.Reason -eq "Group Assignment" -or $_.Reason -eq "Group Exclusion") {
                                $groupInfo = Get-GroupInfo -GroupId $_.GroupId
                                "$($_.Reason) - $($groupInfo.DisplayName)"
                            }
                            else { $_.Reason }
                        }
                        $policy | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                        [void]$firewallPoliciesFoundAll.Add($policy)
                    }
                }
            }

            # 2. Check deviceManagement/intents
            $allIntentsForFirewallAll = Get-IntuneEntities -EntityType "deviceManagement/intents"
            $matchingIntentsFirewallAll = $allIntentsForFirewallAll | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityFirewall' }

            if ($matchingIntentsFirewallAll) {
                foreach ($policy in $matchingIntentsFirewallAll) {
                    if ($processedFirewallIdsAll.Add($policy.id)) {
                        $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                        $assignmentSummary = $assignmentsResponse.value | ForEach-Object {
                            $reasonText = switch ($_.target.'@odata.type') {
                                '#microsoft.graph.allLicensedUsersAssignmentTarget' { "All Users" }
                                '#microsoft.graph.allDevicesAssignmentTarget' { "All Devices" }
                                '#microsoft.graph.groupAssignmentTarget' { "Group: " + (Get-GroupInfo -GroupId $_.target.groupId).DisplayName }
                                '#microsoft.graph.exclusionGroupAssignmentTarget' { "Exclude Group: " + (Get-GroupInfo -GroupId $_.target.groupId).DisplayName }
                                default { "Unknown" }
                            }
                            $reasonText
                        }
                        $policy | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                        [void]$firewallPoliciesFoundAll.Add($policy)
                    }
                }
            }
            $allPolicies.FirewallProfiles = $firewallPoliciesFoundAll

            # Get Endpoint Security - Endpoint Detection and Response Policies
            Write-Host "Fetching EDR Policies..." -ForegroundColor Yellow
            $edrPoliciesFoundAll = [System.Collections.ArrayList]::new()
            $processedEDRIdsAll = [System.Collections.Generic.HashSet[string]]::new()

            # 1. Check configurationPolicies
            $configPoliciesForEDRAll = Get-IntuneEntities -EntityType "configurationPolicies"
            $matchingConfigPoliciesEDRAll = $configPoliciesForEDRAll | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityEndpointDetectionAndResponse' }

            if ($matchingConfigPoliciesEDRAll) {
                foreach ($policy in $matchingConfigPoliciesEDRAll) {
                    if ($processedEDRIdsAll.Add($policy.id)) {
                        $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                        $assignmentSummary = $assignments | ForEach-Object {
                            if ($_.Reason -eq "Group Assignment" -or $_.Reason -eq "Group Exclusion") {
                                $groupInfo = Get-GroupInfo -GroupId $_.GroupId
                                "$($_.Reason) - $($groupInfo.DisplayName)"
                            }
                            else { $_.Reason }
                        }
                        $policy | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                        [void]$edrPoliciesFoundAll.Add($policy)
                    }
                }
            }

            # 2. Check deviceManagement/intents
            $allIntentsForEDRAll = Get-IntuneEntities -EntityType "deviceManagement/intents"
            $matchingIntentsEDRAll = $allIntentsForEDRAll | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityEndpointDetectionAndResponse' }

            if ($matchingIntentsEDRAll) {
                foreach ($policy in $matchingIntentsEDRAll) {
                    if ($processedEDRIdsAll.Add($policy.id)) {
                        $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                        $assignmentSummary = $assignmentsResponse.value | ForEach-Object {
                            $reasonText = switch ($_.target.'@odata.type') {
                                '#microsoft.graph.allLicensedUsersAssignmentTarget' { "All Users" }
                                '#microsoft.graph.allDevicesAssignmentTarget' { "All Devices" }
                                '#microsoft.graph.groupAssignmentTarget' { "Group: " + (Get-GroupInfo -GroupId $_.target.groupId).DisplayName }
                                '#microsoft.graph.exclusionGroupAssignmentTarget' { "Exclude Group: " + (Get-GroupInfo -GroupId $_.target.groupId).DisplayName }
                                default { "Unknown" }
                            }
                            $reasonText
                        }
                        $policy | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                        [void]$edrPoliciesFoundAll.Add($policy)
                    }
                }
            }
            $allPolicies.EndpointDetectionProfiles = $edrPoliciesFoundAll

            # Get Endpoint Security - Attack Surface Reduction Policies
            Write-Host "Fetching ASR Policies..." -ForegroundColor Yellow
            $asrPoliciesFoundAll = [System.Collections.ArrayList]::new()
            $processedASRIdsAll = [System.Collections.Generic.HashSet[string]]::new()

            # 1. Check configurationPolicies
            $configPoliciesForASRAll = Get-IntuneEntities -EntityType "configurationPolicies"
            $matchingConfigPoliciesASRAll = $configPoliciesForASRAll | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAttackSurfaceReductionRules' }

            if ($matchingConfigPoliciesASRAll) {
                foreach ($policy in $matchingConfigPoliciesASRAll) {
                    if ($processedASRIdsAll.Add($policy.id)) {
                        $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                        $assignmentSummary = $assignments | ForEach-Object {
                            if ($_.Reason -eq "Group Assignment" -or $_.Reason -eq "Group Exclusion") {
                                $groupInfo = Get-GroupInfo -GroupId $_.GroupId
                                "$($_.Reason) - $($groupInfo.DisplayName)"
                            }
                            else { $_.Reason }
                        }
                        $policy | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                        [void]$asrPoliciesFoundAll.Add($policy)
                    }
                }
            }

            # 2. Check deviceManagement/intents
            $allIntentsForASRAll = Get-IntuneEntities -EntityType "deviceManagement/intents"
            $matchingIntentsASRAll = $allIntentsForASRAll | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAttackSurfaceReductionRules' }

            if ($matchingIntentsASRAll) {
                foreach ($policy in $matchingIntentsASRAll) {
                    if ($processedASRIdsAll.Add($policy.id)) {
                        $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                        $assignmentSummary = $assignmentsResponse.value | ForEach-Object {
                            $reasonText = switch ($_.target.'@odata.type') {
                                '#microsoft.graph.allLicensedUsersAssignmentTarget' { "All Users" }
                                '#microsoft.graph.allDevicesAssignmentTarget' { "All Devices" }
                                '#microsoft.graph.groupAssignmentTarget' { "Group: " + (Get-GroupInfo -GroupId $_.target.groupId).DisplayName }
                                '#microsoft.graph.exclusionGroupAssignmentTarget' { "Exclude Group: " + (Get-GroupInfo -GroupId $_.target.groupId).DisplayName }
                                default { "Unknown" }
                            }
                            $reasonText
                        }
                        $policy | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                        [void]$asrPoliciesFoundAll.Add($policy)
                    }
                }
            }
            $allPolicies.AttackSurfaceProfiles = $asrPoliciesFoundAll

            # Display all policies and their assignments
            Process-PolicyAssignments -PolicyType "deviceConfigurations" -Policies $allPolicies.DeviceConfigs -DisplayName "Device Configurations"
            Process-PolicyAssignments -PolicyType "configurationPolicies" -Policies $allPolicies.SettingsCatalog -DisplayName "Settings Catalog Policies"
            Process-PolicyAssignments -PolicyType "groupPolicyConfigurations" -Policies $allPolicies.AdminTemplates -DisplayName "Administrative Templates"
            Process-PolicyAssignments -PolicyType "deviceCompliancePolicies" -Policies $allPolicies.CompliancePolicies -DisplayName "Compliance Policies"
            Process-PolicyAssignments -PolicyType "managedAppPolicies" -Policies $allPolicies.AppProtectionPolicies -DisplayName "App Protection Policies"
            Process-PolicyAssignments -PolicyType "mobileAppConfigurations" -Policies $allPolicies.AppConfigurationPolicies -DisplayName "App Configuration Policies"
            Process-PolicyAssignments -PolicyType "deviceManagementScripts" -Policies $allPolicies.PlatformScripts -DisplayName "Platform Scripts"
            Process-PolicyAssignments -PolicyType "deviceHealthScripts" -Policies $allPolicies.HealthScripts -DisplayName "Proactive Remediation Scripts"
            Process-PolicyAssignments -PolicyType "windowsAutopilotDeploymentProfiles" -Policies $allPolicies.DeploymentProfiles -DisplayName "Autopilot Deployment Profiles"
            Process-PolicyAssignments -PolicyType "deviceEnrollmentConfigurations" -Policies $allPolicies.ESPProfiles -DisplayName "Enrollment Status Page Profiles"
            Process-PolicyAssignments -PolicyType "virtualEndpoint/provisioningPolicies" -Policies $allPolicies.CloudPCProvisioningPolicies -DisplayName "Windows 365 Cloud PC Provisioning Policies"
            Process-PolicyAssignments -PolicyType "virtualEndpoint/userSettings" -Policies $allPolicies.CloudPCUserSettings -DisplayName "Windows 365 Cloud PC User Settings"
            Process-PolicyAssignments -PolicyType "deviceManagementIntents" -Policies $allPolicies.AntivirusProfiles -DisplayName "Endpoint Security - Antivirus Profiles"
            Process-PolicyAssignments -PolicyType "deviceManagementIntents" -Policies $allPolicies.DiskEncryptionProfiles -DisplayName "Endpoint Security - Disk Encryption Profiles"
            Process-PolicyAssignments -PolicyType "deviceManagementIntents" -Policies $allPolicies.FirewallProfiles -DisplayName "Endpoint Security - Firewall Profiles"
            Process-PolicyAssignments -PolicyType "deviceManagementIntents" -Policies $allPolicies.EndpointDetectionProfiles -DisplayName "Endpoint Security - EDR Profiles"
            Process-PolicyAssignments -PolicyType "deviceManagementIntents" -Policies $allPolicies.AttackSurfaceProfiles -DisplayName "Endpoint Security - ASR Profiles"

            # Add to export data
            Add-ExportData -ExportData $exportData -Category "Device Configuration" -Items $allPolicies.DeviceConfigs -AssignmentReason { param($item) $item.AssignmentSummary }
            Add-ExportData -ExportData $exportData -Category "Settings Catalog Policy" -Items $allPolicies.SettingsCatalog -AssignmentReason { param($item) $item.AssignmentSummary }
            Add-ExportData -ExportData $exportData -Category "Administrative Template" -Items $allPolicies.AdminTemplates -AssignmentReason { param($item) $item.AssignmentSummary }
            Add-ExportData -ExportData $exportData -Category "Compliance Policy" -Items $allPolicies.CompliancePolicies -AssignmentReason { param($item) $item.AssignmentSummary }
            Add-ExportData -ExportData $exportData -Category "App Protection Policy" -Items $allPolicies.AppProtectionPolicies -AssignmentReason { param($item) $item.AssignmentSummary }
            Add-ExportData -ExportData $exportData -Category "App Configuration Policy" -Items $allPolicies.AppConfigurationPolicies -AssignmentReason { param($item) $item.AssignmentSummary }
            Add-ExportData -ExportData $exportData -Category "Platform Scripts" -Items $allPolicies.PlatformScripts -AssignmentReason { param($item) $item.AssignmentSummary }
            Add-ExportData -ExportData $exportData -Category "Proactive Remediation Scripts" -Items $allPolicies.HealthScripts -AssignmentReason { param($item) $item.AssignmentSummary }
            Add-ExportData -ExportData $exportData -Category "Autopilot Deployment Profile" -Items $allPolicies.DeploymentProfiles -AssignmentReason { param($item) $item.AssignmentSummary }
            Add-ExportData -ExportData $exportData -Category "Enrollment Status Page" -Items $allPolicies.ESPProfiles -AssignmentReason { param($item) $item.AssignmentSummary }
            Add-ExportData -ExportData $exportData -Category "Windows 365 Cloud PC Provisioning Policy" -Items $allPolicies.CloudPCProvisioningPolicies -AssignmentReason { param($item) $item.AssignmentSummary }
            Add-ExportData -ExportData $exportData -Category "Windows 365 Cloud PC User Setting" -Items $allPolicies.CloudPCUserSettings -AssignmentReason { param($item) $item.AssignmentSummary }
            Add-ExportData -ExportData $exportData -Category "Endpoint Security - Antivirus" -Items $allPolicies.AntivirusProfiles -AssignmentReason { param($item) $item.AssignmentSummary }
            Add-ExportData -ExportData $exportData -Category "Endpoint Security - Disk Encryption" -Items $allPolicies.DiskEncryptionProfiles -AssignmentReason { param($item) $item.AssignmentSummary }
            Add-ExportData -ExportData $exportData -Category "Endpoint Security - Firewall" -Items $allPolicies.FirewallProfiles -AssignmentReason { param($item) $item.AssignmentSummary }
            Add-ExportData -ExportData $exportData -Category "Endpoint Security - EDR" -Items $allPolicies.EndpointDetectionProfiles -AssignmentReason { param($item) $item.AssignmentSummary }
            Add-ExportData -ExportData $exportData -Category "Endpoint Security - ASR" -Items $allPolicies.AttackSurfaceProfiles -AssignmentReason { param($item) $item.AssignmentSummary }

            # Export results if requested
            Export-ResultsIfRequested -ExportData $exportData -DefaultFileName "IntuneAllPolicies.csv" -ForceExport:$ExportToCSV -CustomExportPath $ExportPath
        }
        '5' {
            Write-Host "Fetching all 'All Users' assignments..." -ForegroundColor Green
            $exportData = [System.Collections.ArrayList]::new()

            # Initialize collections for policies with "All Users" assignments
            $allUsersAssignments = @{
                DeviceConfigs            = @()
                SettingsCatalog          = @()
                AdminTemplates           = @()
                CompliancePolicies       = @()
                AppProtectionPolicies    = @()
                AppConfigurationPolicies = @()
                PlatformScripts          = @()
                HealthScripts            = @()
                RequiredApps             = @()
                AvailableApps            = @()
                UninstallApps            = @()
                DeploymentProfiles       = @()
                ESPProfiles              = @()
            }

            # Get Device Configurations
            Write-Host "Fetching Device Configurations..." -ForegroundColor Yellow
            $deviceConfigs = Get-IntuneEntities -EntityType "deviceConfigurations"
            foreach ($config in $deviceConfigs) {
                $assignments = Get-IntuneAssignments -EntityType "deviceConfigurations" -EntityId $config.id
                if ($assignments | Where-Object { $_.Reason -eq "All Users" }) {
                    $config | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Users" -Force
                    $allUsersAssignments.DeviceConfigs += $config
                }
            }

            # Get Settings Catalog Policies
            Write-Host "Fetching Settings Catalog Policies..." -ForegroundColor Yellow
            $settingsCatalog = Get-IntuneEntities -EntityType "configurationPolicies"
            foreach ($policy in $settingsCatalog) {
                $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                if ($assignments | Where-Object { $_.Reason -eq "All Users" }) {
                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Users" -Force
                    $allUsersAssignments.SettingsCatalog += $policy
                }
            }

            # Get Administrative Templates
            Write-Host "Fetching Administrative Templates..." -ForegroundColor Yellow
            $adminTemplates = Get-IntuneEntities -EntityType "groupPolicyConfigurations"
            foreach ($template in $adminTemplates) {
                $assignments = Get-IntuneAssignments -EntityType "groupPolicyConfigurations" -EntityId $template.id
                if ($assignments | Where-Object { $_.Reason -eq "All Users" }) {
                    $template | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Users" -Force
                    $allUsersAssignments.AdminTemplates += $template
                }
            }

            # Get Compliance Policies
            Write-Host "Fetching Compliance Policies..." -ForegroundColor Yellow
            $compliancePolicies = Get-IntuneEntities -EntityType "deviceCompliancePolicies"
            foreach ($policy in $compliancePolicies) {
                $assignments = Get-IntuneAssignments -EntityType "deviceCompliancePolicies" -EntityId $policy.id
                if ($assignments | Where-Object { $_.Reason -eq "All Users" }) {
                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Users" -Force
                    $allUsersAssignments.CompliancePolicies += $policy
                }
            }

            # Get App Protection Policies
            Write-Host "Fetching App Protection Policies..." -ForegroundColor Yellow
            $appProtectionPolicies = Get-IntuneEntities -EntityType "deviceAppManagement/managedAppPolicies"
            foreach ($policy in $appProtectionPolicies) {
                $policyType = $policy.'@odata.type'
                $assignmentsUri = switch ($policyType) {
                    "#microsoft.graph.androidManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/androidManagedAppProtections('$($policy.id)')/assignments" }
                    "#microsoft.graph.iosManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/iosManagedAppProtections('$($policy.id)')/assignments" }
                    "#microsoft.graph.windowsManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/windowsManagedAppProtections('$($policy.id)')/assignments" }
                    default { $null }
                }

                if ($assignmentsUri) {
                    try {
                        $assignmentResponse = Invoke-MgGraphRequest -Uri $assignmentsUri -Method Get
                        $hasAllUsers = $false
                        foreach ($assignment in $assignmentResponse.value) {
                            if ($assignment.target.'@odata.type' -eq '#microsoft.graph.allLicensedUsersAssignmentTarget') {
                                $hasAllUsers = $true
                                break
                            }
                        }
                        if ($hasAllUsers) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Users" -Force
                            $allUsersAssignments.AppProtectionPolicies += $policy
                        }
                    }
                    catch {
                        Write-Host "Error fetching assignments for policy $($policy.displayName): $($_.Exception.Message)" -ForegroundColor Red
                    }
                }
            }

            # Get App Configuration Policies
            Write-Host "Fetching App Configuration Policies..." -ForegroundColor Yellow
            $appConfigPolicies = Get-IntuneEntities -EntityType "deviceAppManagement/mobileAppConfigurations"
            foreach ($policy in $appConfigPolicies) {
                $assignments = Get-IntuneAssignments -EntityType "mobileAppConfigurations" -EntityId $policy.id
                if ($assignments | Where-Object { $_.Reason -eq "All Users" }) {
                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Users" -Force
                    $allUsersAssignments.AppConfigurationPolicies += $policy
                }
            }

            # Get Applications
            Write-Host "Fetching Applications..." -ForegroundColor Yellow
            # Fetch Applications
            $appUri = "$GraphEndpoint/beta/deviceAppManagement/mobileApps?`$filter=isAssigned eq true"
            $appResponse = Invoke-MgGraphRequest -Uri $appUri -Method Get
            $allApps = $appResponse.value
            while ($appResponse.'@odata.nextLink') {
                $appResponse = Invoke-MgGraphRequest -Uri $appResponse.'@odata.nextLink' -Method Get
                $allApps += $appResponse.value
            }
            $totalApps = $allApps.Count

            foreach ($app in $allApps) {
                # Filter out irrelevant apps
                if ($app.isFeatured -or $app.isBuiltIn) {
                    continue
                }

                $appId = $app.id
                $assignmentsUri = "$GraphEndpoint/beta/deviceAppManagement/mobileApps('$appId')/assignments"
                $assignmentResponse = Invoke-MgGraphRequest -Uri $assignmentsUri -Method Get

                foreach ($assignment in $assignmentResponse.value) {
                    if ($assignment.target.'@odata.type' -eq '#microsoft.graph.allLicensedUsersAssignmentTarget') {
                        $appWithReason = $app.PSObject.Copy()
                        $appWithReason | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Users" -Force
                        switch ($assignment.intent) {
                            "required" { $allUsersAssignments.RequiredApps += $appWithReason; break }
                            "available" { $allUsersAssignments.AvailableApps += $appWithReason; break }
                            "uninstall" { $allUsersAssignments.UninstallApps += $appWithReason; break }
                        }
                        break
                    }
                }
            }   

            # Get Platform Scripts
            Write-Host "Fetching Platform Scripts..." -ForegroundColor Yellow
            $platformScripts = Get-IntuneEntities -EntityType "deviceManagementScripts"
            foreach ($script in $platformScripts) {
                $assignments = Get-IntuneAssignments -EntityType "deviceManagementScripts" -EntityId $script.id
                if ($assignments | Where-Object { $_.Reason -eq "All Users" }) {
                    $script | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Users" -Force
                    $allUsersAssignments.PlatformScripts += $script
                }
            }

            # Get Proactive Remediation Scripts
            Write-Host "Fetching Proactive Remediation Scripts..." -ForegroundColor Yellow
            $healthScripts = Get-IntuneEntities -EntityType "deviceHealthScripts"
            foreach ($script in $healthScripts) {
                $assignments = Get-IntuneAssignments -EntityType "deviceHealthScripts" -EntityId $script.id
                if ($assignments | Where-Object { $_.Reason -eq "All Users" }) {
                    $script | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Users" -Force
                    $allUsersAssignments.HealthScripts += $script
                }
            }

            # Get Endpoint Security - Antivirus Policies
            Write-Host "Fetching Antivirus Policies assigned to All Users..." -ForegroundColor Yellow
            $antivirusPoliciesFound_AllUsers = [System.Collections.ArrayList]::new()
            $processedAntivirusIds_AllUsers = [System.Collections.Generic.HashSet[string]]::new()

            # 1. Check configurationPolicies
            $configPoliciesForAntivirus_AllUsers = Get-IntuneEntities -EntityType "configurationPolicies"
            $matchingConfigPoliciesAntivirus_AllUsers = $configPoliciesForAntivirus_AllUsers | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAntivirus' }

            if ($matchingConfigPoliciesAntivirus_AllUsers) {
                foreach ($policy in $matchingConfigPoliciesAntivirus_AllUsers) {
                    if ($processedAntivirusIds_AllUsers.Add($policy.id)) {
                        $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                        if ($assignments | Where-Object { $_.Reason -eq "All Users" }) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Users" -Force
                            [void]$antivirusPoliciesFound_AllUsers.Add($policy)
                        }
                    }
                }
            }

            # 2. Check deviceManagement/intents
            $allIntentsForAntivirus_AllUsers = Get-IntuneEntities -EntityType "deviceManagement/intents"
            $matchingIntentsAntivirus_AllUsers = $allIntentsForAntivirus_AllUsers | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAntivirus' }

            if ($matchingIntentsAntivirus_AllUsers) {
                foreach ($policy in $matchingIntentsAntivirus_AllUsers) {
                    if ($processedAntivirusIds_AllUsers.Add($policy.id)) {
                        $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                        if ($assignmentsResponse.value | Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.allLicensedUsersAssignmentTarget' }) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Users" -Force
                            [void]$antivirusPoliciesFound_AllUsers.Add($policy)
                        }
                    }
                }
            }
            $allUsersAssignments.AntivirusProfiles = $antivirusPoliciesFound_AllUsers

            # Get Endpoint Security - Disk Encryption Policies
            Write-Host "Fetching Disk Encryption Policies assigned to All Users..." -ForegroundColor Yellow
            $diskEncryptionPoliciesFound_AllUsers = [System.Collections.ArrayList]::new()
            # Note: Re-using $processedDiskEncryptionIds_AllUsers from Antivirus for simplicity,
            # assuming policy IDs are unique across ES types or we want to process once per ID overall for this menu option.
            # If IDs can overlap meaningfully between ES types and need separate tracking, declare a new HashSet here.
            # For this context (All Users assignments), it's likely fine.
            $processedDiskEncryptionIds_AllUsers = [System.Collections.Generic.HashSet[string]]::new()


            # 1. Check configurationPolicies
            $configPoliciesForDiskEnc_AllUsers = Get-IntuneEntities -EntityType "configurationPolicies"
            $matchingConfigPoliciesDiskEnc_AllUsers = $configPoliciesForDiskEnc_AllUsers | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityDiskEncryption' }
            
            if ($matchingConfigPoliciesDiskEnc_AllUsers) {
                foreach ($policy in $matchingConfigPoliciesDiskEnc_AllUsers) {
                    if ($processedDiskEncryptionIds_AllUsers.Add($policy.id)) {
                        $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                        if ($assignments | Where-Object { $_.Reason -eq "All Users" }) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Users" -Force
                            [void]$diskEncryptionPoliciesFound_AllUsers.Add($policy)
                        }
                    }
                }
            }

            # 2. Check deviceManagement/intents
            $allIntentsForDiskEnc_AllUsers = Get-IntuneEntities -EntityType "deviceManagement/intents"
            $matchingIntentsDiskEnc_AllUsers = $allIntentsForDiskEnc_AllUsers | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityDiskEncryption' }

            if ($matchingIntentsDiskEnc_AllUsers) {
                foreach ($policy in $matchingIntentsDiskEnc_AllUsers) {
                    if ($processedDiskEncryptionIds_AllUsers.Add($policy.id)) {
                        $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                        if ($assignmentsResponse.value | Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.allLicensedUsersAssignmentTarget' }) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Users" -Force
                            [void]$diskEncryptionPoliciesFound_AllUsers.Add($policy)
                        }
                    }
                }
            }
            $allUsersAssignments.DiskEncryptionProfiles = $diskEncryptionPoliciesFound_AllUsers

            # Get Endpoint Security - Firewall Policies
            Write-Host "Fetching Firewall Policies assigned to All Users..." -ForegroundColor Yellow
            $firewallPoliciesFound_AllUsers = [System.Collections.ArrayList]::new()
            $processedFirewallIds_AllUsers = [System.Collections.Generic.HashSet[string]]::new() # Reset for this type

            # 1. Check configurationPolicies
            $configPoliciesForFirewall_AllUsers = Get-IntuneEntities -EntityType "configurationPolicies"
            $matchingConfigPoliciesFirewall_AllUsers = $configPoliciesForFirewall_AllUsers | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityFirewall' }

            if ($matchingConfigPoliciesFirewall_AllUsers) {
                foreach ($policy in $matchingConfigPoliciesFirewall_AllUsers) {
                    if ($processedFirewallIds_AllUsers.Add($policy.id)) {
                        $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                        if ($assignments | Where-Object { $_.Reason -eq "All Users" }) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Users" -Force
                            [void]$firewallPoliciesFound_AllUsers.Add($policy)
                        }
                    }
                }
            }

            # 2. Check deviceManagement/intents
            $allIntentsForFirewall_AllUsers = Get-IntuneEntities -EntityType "deviceManagement/intents"
            $matchingIntentsFirewall_AllUsers = $allIntentsForFirewall_AllUsers | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityFirewall' }

            if ($matchingIntentsFirewall_AllUsers) {
                foreach ($policy in $matchingIntentsFirewall_AllUsers) {
                    if ($processedFirewallIds_AllUsers.Add($policy.id)) {
                        $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                        if ($assignmentsResponse.value | Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.allLicensedUsersAssignmentTarget' }) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Users" -Force
                            [void]$firewallPoliciesFound_AllUsers.Add($policy)
                        }
                    }
                }
            }
            $allUsersAssignments.FirewallProfiles = $firewallPoliciesFound_AllUsers

            # Get Endpoint Security - Endpoint Detection and Response Policies
            Write-Host "Fetching EDR Policies assigned to All Users..." -ForegroundColor Yellow
            $edrPoliciesFound_AllUsers = [System.Collections.ArrayList]::new()
            $processedEDRIds_AllUsers = [System.Collections.Generic.HashSet[string]]::new() # Reset for this type

            # 1. Check configurationPolicies
            $configPoliciesForEDR_AllUsers = Get-IntuneEntities -EntityType "configurationPolicies"
            $matchingConfigPoliciesEDR_AllUsers = $configPoliciesForEDR_AllUsers | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityEndpointDetectionAndResponse' }

            if ($matchingConfigPoliciesEDR_AllUsers) {
                foreach ($policy in $matchingConfigPoliciesEDR_AllUsers) {
                    if ($processedEDRIds_AllUsers.Add($policy.id)) {
                        $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                        if ($assignments | Where-Object { $_.Reason -eq "All Users" }) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Users" -Force
                            [void]$edrPoliciesFound_AllUsers.Add($policy)
                        }
                    }
                }
            }

            # 2. Check deviceManagement/intents
            $allIntentsForEDR_AllUsers = Get-IntuneEntities -EntityType "deviceManagement/intents"
            $matchingIntentsEDR_AllUsers = $allIntentsForEDR_AllUsers | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityEndpointDetectionAndResponse' }

            if ($matchingIntentsEDR_AllUsers) {
                foreach ($policy in $matchingIntentsEDR_AllUsers) {
                    if ($processedEDRIds_AllUsers.Add($policy.id)) {
                        $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                        if ($assignmentsResponse.value | Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.allLicensedUsersAssignmentTarget' }) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Users" -Force
                            [void]$edrPoliciesFound_AllUsers.Add($policy)
                        }
                    }
                }
            }
            $allUsersAssignments.EndpointDetectionProfiles = $edrPoliciesFound_AllUsers

            # Get Endpoint Security - Attack Surface Reduction Policies
            Write-Host "Fetching ASR Policies assigned to All Users..." -ForegroundColor Yellow
            $asrPoliciesFound_AllUsers = [System.Collections.ArrayList]::new()
            $processedASRIds_AllUsers = [System.Collections.Generic.HashSet[string]]::new() # Reset for this type

            # 1. Check configurationPolicies
            $configPoliciesForASR_AllUsers = Get-IntuneEntities -EntityType "configurationPolicies"
            $matchingConfigPoliciesASR_AllUsers = $configPoliciesForASR_AllUsers | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAttackSurfaceReductionRules' }

            if ($matchingConfigPoliciesASR_AllUsers) {
                foreach ($policy in $matchingConfigPoliciesASR_AllUsers) {
                    if ($processedASRIds_AllUsers.Add($policy.id)) {
                        $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                        if ($assignments | Where-Object { $_.Reason -eq "All Users" }) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Users" -Force
                            [void]$asrPoliciesFound_AllUsers.Add($policy)
                        }
                    }
                }
            }

            # 2. Check deviceManagement/intents
            $allIntentsForASR_AllUsers = Get-IntuneEntities -EntityType "deviceManagement/intents"
            $matchingIntentsASR_AllUsers = $allIntentsForASR_AllUsers | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAttackSurfaceReductionRules' }

            if ($matchingIntentsASR_AllUsers) {
                foreach ($policy in $matchingIntentsASR_AllUsers) {
                    if ($processedASRIds_AllUsers.Add($policy.id)) {
                        $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                        if ($assignmentsResponse.value | Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.allLicensedUsersAssignmentTarget' }) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Users" -Force
                            [void]$asrPoliciesFound_AllUsers.Add($policy)
                        }
                    }
                }
            }
            $allUsersAssignments.AttackSurfaceProfiles = $asrPoliciesFound_AllUsers
            
            # Get Autopilot Deployment Profiles
            Write-Host "Fetching Autopilot Deployment Profiles assigned to All Users..." -ForegroundColor Yellow
            $autoProfilesAU = Get-IntuneEntities -EntityType "windowsAutopilotDeploymentProfiles"
            foreach ($profile in $autoProfilesAU) {
                $assignments = Get-IntuneAssignments -EntityType "windowsAutopilotDeploymentProfiles" -EntityId $profile.id
                if ($assignments | Where-Object { $_.Reason -eq "All Users" }) {
                    $profile | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Users" -Force
                    $allUsersAssignments.DeploymentProfiles += $profile
                }
            }

            # Get Enrollment Status Page Profiles
            Write-Host "Fetching Enrollment Status Page Profiles assigned to All Users..." -ForegroundColor Yellow
            $enrollmentConfigsAU = Get-IntuneEntities -EntityType "deviceEnrollmentConfigurations"
            $espProfilesAU = $enrollmentConfigsAU | Where-Object { $_.'@odata.type' -match 'EnrollmentCompletionPageConfiguration' }
            foreach ($esp in $espProfilesAU) {
                $assignments = Get-IntuneAssignments -EntityType "deviceEnrollmentConfigurations" -EntityId $esp.id
                if ($assignments | Where-Object { $_.Reason -eq "All Users" }) {
                    $esp | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Users" -Force
                    $allUsersAssignments.ESPProfiles += $esp
                }
            }

            # Display results
            Write-Host "`nPolicies Assigned to All Users:" -ForegroundColor Green

            # Display Device Configurations
            Write-Host "`n------- Device Configurations -------" -ForegroundColor Cyan
            if ($allUsersAssignments.DeviceConfigs.Count -eq 0) {
                Write-Host "No Device Configurations assigned to All Users" -ForegroundColor Gray
            }
            else {
                foreach ($config in $allUsersAssignments.DeviceConfigs) {
                    $configName = if ([string]::IsNullOrWhiteSpace($config.name)) { $config.displayName } else { $config.name }
                    Write-Host "Device Configuration Name: $configName, Configuration ID: $($config.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Device Configuration" -Items @($config) -AssignmentReason "All Users"
                }
            }

            # Display Settings Catalog Policies
            Write-Host "`n------- Settings Catalog Policies -------" -ForegroundColor Cyan
            if ($allUsersAssignments.SettingsCatalog.Count -eq 0) {
                Write-Host "No Settings Catalog Policies assigned to All Users" -ForegroundColor Gray
            }
            else {
                foreach ($policy in $allUsersAssignments.SettingsCatalog) {
                    $policyName = if ([string]::IsNullOrWhiteSpace($policy.name)) { $policy.displayName } else { $policy.name }
                    Write-Host "Settings Catalog Policy Name: $policyName, Policy ID: $($policy.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Settings Catalog Policy" -Items @($policy) -AssignmentReason "All Users"
                }
            }

            # Display Administrative Templates
            Write-Host "`n------- Administrative Templates -------" -ForegroundColor Cyan
            if ($allUsersAssignments.AdminTemplates.Count -eq 0) {
                Write-Host "No Administrative Templates assigned to All Users" -ForegroundColor Gray
            }
            else {
                foreach ($template in $allUsersAssignments.AdminTemplates) {
                    $templateName = if ([string]::IsNullOrWhiteSpace($template.name)) { $template.displayName } else { $template.name }
                    Write-Host "Administrative Template Name: $templateName, Template ID: $($template.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Administrative Template" -Items @($template) -AssignmentReason "All Users"
                }
            }

            # Display Compliance Policies
            Write-Host "`n------- Compliance Policies -------" -ForegroundColor Cyan
            if ($allUsersAssignments.CompliancePolicies.Count -eq 0) {
                Write-Host "No Compliance Policies assigned to All Users" -ForegroundColor Gray
            }
            else {
                foreach ($policy in $allUsersAssignments.CompliancePolicies) {
                    $policyName = if ([string]::IsNullOrWhiteSpace($policy.name)) { $policy.displayName } else { $policy.name }
                    Write-Host "Compliance Policy Name: $policyName, Policy ID: $($policy.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Compliance Policy" -Items @($policy) -AssignmentReason "All Users"
                }
            }

            # Display App Protection Policies
            Write-Host "`n------- App Protection Policies -------" -ForegroundColor Cyan
            if ($allUsersAssignments.AppProtectionPolicies.Count -eq 0) {
                Write-Host "No App Protection Policies assigned to All Users" -ForegroundColor Gray
            }
            else {
                foreach ($policy in $allUsersAssignments.AppProtectionPolicies) {
                    $policyName = $policy.displayName
                    $policyType = switch ($policy.'@odata.type') {
                        "#microsoft.graph.androidManagedAppProtection" { "Android" }
                        "#microsoft.graph.iosManagedAppProtection" { "iOS" }
                        "#microsoft.graph.windowsManagedAppProtection" { "Windows" }
                        default { "Unknown" }
                    }
                    Write-Host "App Protection Policy Name: $policyName, Policy ID: $($policy.id), Type: $policyType" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "App Protection Policy" -Items @($policy) -AssignmentReason "All Users"
                }
            }

            # Display App Configuration Policies
            Write-Host "`n------- App Configuration Policies -------" -ForegroundColor Cyan
            if ($allUsersAssignments.AppConfigurationPolicies.Count -eq 0) {
                Write-Host "No App Configuration Policies assigned to All Users" -ForegroundColor Gray
            }
            else {
                foreach ($policy in $allUsersAssignments.AppConfigurationPolicies) {
                    $policyName = if ([string]::IsNullOrWhiteSpace($policy.name)) { $policy.displayName } else { $policy.name }
                    Write-Host "App Configuration Policy Name: $policyName, Policy ID: $($policy.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "App Configuration Policy" -Items @($policy) -AssignmentReason "All Users"
                }
            }

            # Display Platform Scripts
            Write-Host "`n------- Platform Scripts -------" -ForegroundColor Cyan
            if ($allUsersAssignments.PlatformScripts.Count -eq 0) {
                Write-Host "No Platform Scripts assigned to All Users" -ForegroundColor Gray
            }
            else {
                foreach ($script in $allUsersAssignments.PlatformScripts) {
                    $scriptName = if ([string]::IsNullOrWhiteSpace($script.name)) { $script.displayName } else { $script.name }
                    Write-Host "Script Name: $scriptName, Script ID: $($script.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Platform Scripts" -Items @($script) -AssignmentReason "All Users"
                }
            }

            # Display Proactive Remediation Scripts
            Write-Host "`n------- Proactive Remediation Scripts -------" -ForegroundColor Cyan
            if ($allUsersAssignments.HealthScripts.Count -eq 0) {
                Write-Host "No Proactive Remediation Scripts assigned to All Users" -ForegroundColor Gray
            }
            else {
                foreach ($script in $allUsersAssignments.HealthScripts) {
                    $scriptName = if ([string]::IsNullOrWhiteSpace($script.name)) { $script.displayName } else { $script.name }
                    Write-Host "Script Name: $scriptName, Script ID: $($script.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Proactive Remediation Scripts" -Items @($script) -AssignmentReason "All Users"
                }
            }

            # Display Required Apps
            Write-Host "`n------- Required Apps -------" -ForegroundColor Cyan
            if ($allUsersAssignments.RequiredApps.Count -eq 0) {
                Write-Host "No Required Apps assigned to All Users" -ForegroundColor Gray
            }
            else {
                foreach ($app in $allUsersAssignments.RequiredApps) {
                    $appName = $app.displayName
                    Write-Host "App Name: $appName, App ID: $($app.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Required Apps" -Items @($app) -AssignmentReason "All Users"
                }
            }

            # Display Available Apps
            Write-Host "`n------- Available Apps -------" -ForegroundColor Cyan
            if ($allUsersAssignments.AvailableApps.Count -eq 0) {
                Write-Host "No Available Apps assigned to All Users" -ForegroundColor Gray
            }
            else {
                foreach ($app in $allUsersAssignments.AvailableApps) {
                    $appName = $app.displayName
                    Write-Host "App Name: $appName, App ID: $($app.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Available Apps" -Items @($app) -AssignmentReason "All Users"
                }
            }

            # Display Uninstall Apps
            Write-Host "`n------- Uninstall Apps -------" -ForegroundColor Cyan
            if ($allUsersAssignments.UninstallApps.Count -eq 0) {
                Write-Host "No Uninstall Apps assigned to All Users" -ForegroundColor Gray
            }
            else {
                foreach ($app in $allUsersAssignments.UninstallApps) {
                    $appName = $app.displayName
                    Write-Host "App Name: $appName, App ID: $($app.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Uninstall Apps" -Items @($app) -AssignmentReason "All Users"
                }
            }

            # Display Endpoint Security - Antivirus Profiles
            Write-Host "`n------- Endpoint Security - Antivirus Profiles -------" -ForegroundColor Cyan
            if ($allUsersAssignments.AntivirusProfiles.Count -eq 0) {
                Write-Host "No Antivirus Profiles assigned to All Users" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $allUsersAssignments.AntivirusProfiles) {
                    $profileNameForDisplay = if ($profile.displayName) { $profile.displayName } else { $profile.name }
                    Write-Host "Antivirus Profile Name: $profileNameForDisplay, Profile ID: $($profile.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - Antivirus" -Items @($profile) -AssignmentReason "All Users"
                }
            }

            # Display Endpoint Security - Disk Encryption Profiles
            Write-Host "`n------- Endpoint Security - Disk Encryption Profiles -------" -ForegroundColor Cyan
            if ($allUsersAssignments.DiskEncryptionProfiles.Count -eq 0) {
                Write-Host "No Disk Encryption Profiles assigned to All Users" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $allUsersAssignments.DiskEncryptionProfiles) {
                    $profileNameForDisplay = if ($profile.displayName) { $profile.displayName } else { $profile.name }
                    Write-Host "Disk Encryption Profile Name: $profileNameForDisplay, Profile ID: $($profile.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - Disk Encryption" -Items @($profile) -AssignmentReason "All Users"
                }
            }

            # Display Endpoint Security - Firewall Profiles
            Write-Host "`n------- Endpoint Security - Firewall Profiles -------" -ForegroundColor Cyan
            if ($allUsersAssignments.FirewallProfiles.Count -eq 0) {
                Write-Host "No Firewall Profiles assigned to All Users" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $allUsersAssignments.FirewallProfiles) {
                    $profileNameForDisplay = if ($profile.displayName) { $profile.displayName } else { $profile.name }
                    Write-Host "Firewall Profile Name: $profileNameForDisplay, Profile ID: $($profile.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - Firewall" -Items @($profile) -AssignmentReason "All Users"
                }
            }

            # Display Endpoint Security - Endpoint Detection and Response Profiles
            Write-Host "`n------- Endpoint Security - EDR Profiles -------" -ForegroundColor Cyan
            if ($allUsersAssignments.EndpointDetectionProfiles.Count -eq 0) {
                Write-Host "No EDR Profiles assigned to All Users" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $allUsersAssignments.EndpointDetectionProfiles) {
                    $profileNameForDisplay = if ($profile.displayName) { $profile.displayName } else { $profile.name }
                    Write-Host "EDR Profile Name: $profileNameForDisplay, Profile ID: $($profile.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - EDR" -Items @($profile) -AssignmentReason "All Users"
                }
            }

            # Display Endpoint Security - Attack Surface Reduction Profiles
            Write-Host "`n------- Endpoint Security - ASR Profiles -------" -ForegroundColor Cyan
            if ($allUsersAssignments.AttackSurfaceProfiles.Count -eq 0) {
                Write-Host "No ASR Profiles assigned to All Users" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $allUsersAssignments.AttackSurfaceProfiles) {
                    $profileNameForDisplay = if ($profile.displayName) { $profile.displayName } else { $profile.name }
                    Write-Host "ASR Profile Name: $profileNameForDisplay, Profile ID: $($profile.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - ASR" -Items @($profile) -AssignmentReason "All Users"
                }
            }

            # Display Autopilot Deployment Profiles
            Write-Host "`n------- Autopilot Deployment Profiles -------" -ForegroundColor Cyan
            if ($allUsersAssignments.DeploymentProfiles.Count -eq 0) {
                Write-Host "No Autopilot Deployment Profiles assigned to All Users" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $allUsersAssignments.DeploymentProfiles) {
                    $profileName = if ([string]::IsNullOrWhiteSpace($profile.name)) { $profile.displayName } else { $profile.name }
                    Write-Host "Autopilot Deployment Profile Name: $profileName, Profile ID: $($profile.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Autopilot Deployment Profile" -Items @($profile) -AssignmentReason "All Users"
                }
            }

            # Display Enrollment Status Page Profiles
            Write-Host "`n------- Enrollment Status Page Profiles -------" -ForegroundColor Cyan
            if ($allUsersAssignments.ESPProfiles.Count -eq 0) {
                Write-Host "No Enrollment Status Page Profiles assigned to All Users" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $allUsersAssignments.ESPProfiles) {
                    $profileName = if ([string]::IsNullOrWhiteSpace($profile.name)) { $profile.displayName } else { $profile.name }
                    Write-Host "Enrollment Status Page Profile Name: $profileName, Profile ID: $($profile.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Enrollment Status Page Profile" -Items @($profile) -AssignmentReason "All Users"
                }
            }

            # Export results if requested
            Export-ResultsIfRequested -ExportData $exportData -DefaultFileName "IntuneAllUsersAssignments.csv" -ForceExport:$ExportToCSV -CustomExportPath $ExportPath
        }     
        '6' {
            Write-Host "Fetching all 'All Devices' assignments..." -ForegroundColor Green
            $exportData = [System.Collections.ArrayList]::new()

            # Initialize collections for policies with "All Devices" assignments
            $allDevicesAssignments = @{
                DeviceConfigs             = @()
                SettingsCatalog           = @()
                AdminTemplates            = @()
                CompliancePolicies        = @()
                AppProtectionPolicies     = @()
                AppConfigurationPolicies  = @()
                PlatformScripts           = @()
                HealthScripts             = @()
                RequiredApps              = @()
                AvailableApps             = @()
                UninstallApps             = @()
                DeploymentProfiles        = @()
                ESPProfiles               = @()
                AntivirusProfiles         = @()
                DiskEncryptionProfiles    = @()
                FirewallProfiles          = @()
                EndpointDetectionProfiles = @()
                AttackSurfaceProfiles     = @()
            }

            # Get Device Configurations
            Write-Host "Fetching Device Configurations..." -ForegroundColor Yellow
            $deviceConfigs = Get-IntuneEntities -EntityType "deviceConfigurations"
            foreach ($config in $deviceConfigs) {
                $assignments = Get-IntuneAssignments -EntityType "deviceConfigurations" -EntityId $config.id
                if ($assignments | Where-Object { $_.Reason -eq "All Devices" }) {
                    $config | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Devices" -Force
                    $allDevicesAssignments.DeviceConfigs += $config
                }
            }

            # Get Settings Catalog Policies
            Write-Host "Fetching Settings Catalog Policies..." -ForegroundColor Yellow
            $settingsCatalog = Get-IntuneEntities -EntityType "configurationPolicies"
            foreach ($policy in $settingsCatalog) {
                $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                if ($assignments | Where-Object { $_.Reason -eq "All Devices" }) {
                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Devices" -Force
                    $allDevicesAssignments.SettingsCatalog += $policy
                }
            }

            # Get Administrative Templates
            Write-Host "Fetching Administrative Templates..." -ForegroundColor Yellow
            $adminTemplates = Get-IntuneEntities -EntityType "groupPolicyConfigurations"
            foreach ($template in $adminTemplates) {
                $assignments = Get-IntuneAssignments -EntityType "groupPolicyConfigurations" -EntityId $template.id
                if ($assignments | Where-Object { $_.Reason -eq "All Devices" }) {
                    $template | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Devices" -Force
                    $allDevicesAssignments.AdminTemplates += $template
                }
            }

            # Get Compliance Policies
            Write-Host "Fetching Compliance Policies..." -ForegroundColor Yellow
            $compliancePolicies = Get-IntuneEntities -EntityType "deviceCompliancePolicies"
            foreach ($policy in $compliancePolicies) {
                $assignments = Get-IntuneAssignments -EntityType "deviceCompliancePolicies" -EntityId $policy.id
                if ($assignments | Where-Object { $_.Reason -eq "All Devices" }) {
                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Devices" -Force
                    $allDevicesAssignments.CompliancePolicies += $policy
                }
            }

            # Get App Protection Policies
            Write-Host "Fetching App Protection Policies..." -ForegroundColor Yellow
            $appProtectionPolicies = Get-IntuneEntities -EntityType "deviceAppManagement/managedAppPolicies"
            foreach ($policy in $appProtectionPolicies) {
                $policyType = $policy.'@odata.type'
                $assignmentsUri = switch ($policyType) {
                    "#microsoft.graph.androidManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/androidManagedAppProtections('$($policy.id)')/assignments" }
                    "#microsoft.graph.iosManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/iosManagedAppProtections('$($policy.id)')/assignments" }
                    "#microsoft.graph.windowsManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/windowsManagedAppProtections('$($policy.id)')/assignments" }
                    default { $null }
                }

                if ($assignmentsUri) {
                    try {
                        $assignmentResponse = Invoke-MgGraphRequest -Uri $assignmentsUri -Method Get
                        $hasAllDevices = $false
                        foreach ($assignment in $assignmentResponse.value) {
                            if ($assignment.target.'@odata.type' -eq '#microsoft.graph.allDevicesAssignmentTarget') {
                                $hasAllDevices = $true
                                break
                            }
                        }
                        if ($hasAllDevices) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Devices" -Force
                            $allDevicesAssignments.AppProtectionPolicies += $policy
                        }
                    }
                    catch {
                        Write-Host "Error fetching assignments for policy $($policy.displayName): $($_.Exception.Message)" -ForegroundColor Red
                    }
                }
            }

            # Get App Configuration Policies
            Write-Host "Fetching App Configuration Policies..." -ForegroundColor Yellow
            $appConfigPolicies = Get-IntuneEntities -EntityType "deviceAppManagement/mobileAppConfigurations"
            foreach ($policy in $appConfigPolicies) {
                $assignments = Get-IntuneAssignments -EntityType "mobileAppConfigurations" -EntityId $policy.id
                if ($assignments | Where-Object { $_.Reason -eq "All Devices" }) {
                    $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Devices" -Force
                    $allDevicesAssignments.AppConfigurationPolicies += $policy
                }
            }

            # Get Applications
            Write-Host "Fetching Applications..." -ForegroundColor Yellow
            $appUri = "$GraphEndpoint/beta/deviceAppManagement/mobileApps?`$filter=isAssigned eq true"
            $appResponse = Invoke-MgGraphRequest -Uri $appUri -Method Get
            $allApps = $appResponse.value
            while ($appResponse.'@odata.nextLink') {
                $appResponse = Invoke-MgGraphRequest -Uri $appResponse.'@odata.nextLink' -Method Get
                $allApps += $appResponse.value
            }
            $totalApps = $allApps.Count

            foreach ($app in $allApps) {
                # Filter out irrelevant apps
                if ($app.isFeatured -or $app.isBuiltIn) {
                    continue
                }

                $appId = $app.id
                $assignmentsUri = "$GraphEndpoint/beta/deviceAppManagement/mobileApps('$appId')/assignments"
                $assignmentResponse = Invoke-MgGraphRequest -Uri $assignmentsUri -Method Get

                foreach ($assignment in $assignmentResponse.value) {
                    if ($assignment.target.'@odata.type' -eq '#microsoft.graph.allDevicesAssignmentTarget') {
                        $appWithReason = $app.PSObject.Copy()
                        $appWithReason | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Devices" -Force
                        switch ($assignment.intent) {
                            "required" { $allDevicesAssignments.RequiredApps += $appWithReason; break }
                            "available" { $allDevicesAssignments.AvailableApps += $appWithReason; break }
                            "uninstall" { $allDevicesAssignments.UninstallApps += $appWithReason; break }
                        }
                        break
                    }
                }
            }

            # Get Platform Scripts
            Write-Host "Fetching Platform Scripts..." -ForegroundColor Yellow
            $platformScripts = Get-IntuneEntities -EntityType "deviceManagementScripts"
            foreach ($script in $platformScripts) {
                $assignments = Get-IntuneAssignments -EntityType "deviceManagementScripts" -EntityId $script.id
                if ($assignments | Where-Object { $_.Reason -eq "All Devices" }) {
                    $script | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Devices" -Force
                    $allDevicesAssignments.PlatformScripts += $script
                }
            }

            # Get Proactive Remediation Scripts
            Write-Host "Fetching Proactive Remediation Scripts..." -ForegroundColor Yellow
            $healthScripts = Get-IntuneEntities -EntityType "deviceHealthScripts"
            foreach ($script in $healthScripts) {
                $assignments = Get-IntuneAssignments -EntityType "deviceHealthScripts" -EntityId $script.id
                if ($assignments | Where-Object { $_.Reason -eq "All Devices" }) {
                    $script | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Devices" -Force
                    $allDevicesAssignments.HealthScripts += $script
                }
            }

            # Get Autopilot Deployment Profiles
            Write-Host "Fetching Autopilot Deployment Profiles assigned to All Devices..." -ForegroundColor Yellow
            $autoProfilesAD = Get-IntuneEntities -EntityType "windowsAutopilotDeploymentProfiles"
            foreach ($profile in $autoProfilesAD) {
                $assignments = Get-IntuneAssignments -EntityType "windowsAutopilotDeploymentProfiles" -EntityId $profile.id
                if ($assignments | Where-Object { $_.Reason -eq "All Devices" }) {
                    $profile | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Devices" -Force
                    $allDevicesAssignments.DeploymentProfiles += $profile
                }
            }

            # Get Enrollment Status Page Profiles
            Write-Host "Fetching Enrollment Status Page Profiles assigned to All Devices..." -ForegroundColor Yellow
            $enrollmentConfigsAD = Get-IntuneEntities -EntityType "deviceEnrollmentConfigurations"
            $espProfilesAD = $enrollmentConfigsAD | Where-Object { $_.'@odata.type' -match 'EnrollmentCompletionPageConfiguration' }
            foreach ($esp in $espProfilesAD) {
                $assignments = Get-IntuneAssignments -EntityType "deviceEnrollmentConfigurations" -EntityId $esp.id
                if ($assignments | Where-Object { $_.Reason -eq "All Devices" }) {
                    $esp | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Devices" -Force
                    $allDevicesAssignments.ESPProfiles += $esp
                }
            }

            # Get Endpoint Security - Antivirus Policies (Dual Check)
            Write-Host "Fetching Antivirus Policies assigned to All Devices..." -ForegroundColor Yellow
            $antivirusPoliciesFound_AllDevices = [System.Collections.ArrayList]::new()
            $processedAntivirusIds_AllDevices = [System.Collections.Generic.HashSet[string]]::new()

            # 1. Check configurationPolicies for Antivirus
            $configPoliciesForAntivirus_AllDevices = Get-IntuneEntities -EntityType "configurationPolicies"
            $matchingConfigPoliciesAntivirus_AllDevices = $configPoliciesForAntivirus_AllDevices | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAntivirus' }
            if ($matchingConfigPoliciesAntivirus_AllDevices) {
                foreach ($policy in $matchingConfigPoliciesAntivirus_AllDevices) {
                    if ($processedAntivirusIds_AllDevices.Add($policy.id)) {
                        $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                        if ($assignments | Where-Object { $_.Reason -eq "All Devices" }) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Devices" -Force
                            [void]$antivirusPoliciesFound_AllDevices.Add($policy)
                        }
                    }
                }
            }

            # 2. Check deviceManagement/intents for Antivirus
            $allIntentsForAntivirus_AllDevices = Get-IntuneEntities -EntityType "deviceManagement/intents"
            $matchingIntentsAntivirus_AllDevices = $allIntentsForAntivirus_AllDevices | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAntivirus' }
            if ($matchingIntentsAntivirus_AllDevices) {
                foreach ($policy in $matchingIntentsAntivirus_AllDevices) {
                    if ($processedAntivirusIds_AllDevices.Add($policy.id)) {
                        $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                        if ($assignmentsResponse.value | Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.allDevicesAssignmentTarget' }) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Devices" -Force
                            [void]$antivirusPoliciesFound_AllDevices.Add($policy)
                        }
                    }
                }
            }
            $allDevicesAssignments.AntivirusProfiles = $antivirusPoliciesFound_AllDevices

            # Get Endpoint Security - Disk Encryption Policies (Dual Check)
            Write-Host "Fetching Disk Encryption Policies assigned to All Devices..." -ForegroundColor Yellow
            $diskEncryptionPoliciesFound_AllDevices = [System.Collections.ArrayList]::new()
            $processedDiskEncryptionIds_AllDevices = [System.Collections.Generic.HashSet[string]]::new()

            # 1. Check configurationPolicies for Disk Encryption
            $configPoliciesForDiskEnc_AllDevices = Get-IntuneEntities -EntityType "configurationPolicies"
            $matchingConfigPoliciesDiskEnc_AllDevices = $configPoliciesForDiskEnc_AllDevices | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityDiskEncryption' }
            if ($matchingConfigPoliciesDiskEnc_AllDevices) {
                foreach ($policy in $matchingConfigPoliciesDiskEnc_AllDevices) {
                    if ($processedDiskEncryptionIds_AllDevices.Add($policy.id)) {
                        $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                        if ($assignments | Where-Object { $_.Reason -eq "All Devices" }) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Devices" -Force
                            [void]$diskEncryptionPoliciesFound_AllDevices.Add($policy)
                        }
                    }
                }
            }

            # 2. Check deviceManagement/intents for Disk Encryption
            $allIntentsForDiskEnc_AllDevices = Get-IntuneEntities -EntityType "deviceManagement/intents"
            $matchingIntentsDiskEnc_AllDevices = $allIntentsForDiskEnc_AllDevices | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityDiskEncryption' }
            if ($matchingIntentsDiskEnc_AllDevices) {
                foreach ($policy in $matchingIntentsDiskEnc_AllDevices) {
                    if ($processedDiskEncryptionIds_AllDevices.Add($policy.id)) {
                        $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                        if ($assignmentsResponse.value | Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.allDevicesAssignmentTarget' }) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Devices" -Force
                            [void]$diskEncryptionPoliciesFound_AllDevices.Add($policy)
                        }
                    }
                }
            }
            $allDevicesAssignments.DiskEncryptionProfiles = $diskEncryptionPoliciesFound_AllDevices

            # Get Endpoint Security - Firewall Policies (Dual Check)
            Write-Host "Fetching Firewall Policies assigned to All Devices..." -ForegroundColor Yellow
            $firewallPoliciesFound_AllDevices = [System.Collections.ArrayList]::new()
            $processedFirewallIds_AllDevices = [System.Collections.Generic.HashSet[string]]::new()

            # 1. Check configurationPolicies for Firewall
            $configPoliciesForFirewall_AllDevices = Get-IntuneEntities -EntityType "configurationPolicies"
            $matchingConfigPoliciesFirewall_AllDevices = $configPoliciesForFirewall_AllDevices | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityFirewall' }
            if ($matchingConfigPoliciesFirewall_AllDevices) {
                foreach ($policy in $matchingConfigPoliciesFirewall_AllDevices) {
                    if ($processedFirewallIds_AllDevices.Add($policy.id)) {
                        $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                        if ($assignments | Where-Object { $_.Reason -eq "All Devices" }) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Devices" -Force
                            [void]$firewallPoliciesFound_AllDevices.Add($policy)
                        }
                    }
                }
            }

            # 2. Check deviceManagement/intents for Firewall
            $allIntentsForFirewall_AllDevices = Get-IntuneEntities -EntityType "deviceManagement/intents"
            $matchingIntentsFirewall_AllDevices = $allIntentsForFirewall_AllDevices | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityFirewall' }
            if ($matchingIntentsFirewall_AllDevices) {
                foreach ($policy in $matchingIntentsFirewall_AllDevices) {
                    if ($processedFirewallIds_AllDevices.Add($policy.id)) {
                        $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                        if ($assignmentsResponse.value | Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.allDevicesAssignmentTarget' }) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Devices" -Force
                            [void]$firewallPoliciesFound_AllDevices.Add($policy)
                        }
                    }
                }
            }
            $allDevicesAssignments.FirewallProfiles = $firewallPoliciesFound_AllDevices

            # Get Endpoint Security - Endpoint Detection and Response Policies (Dual Check)
            Write-Host "Fetching EDR Policies assigned to All Devices..." -ForegroundColor Yellow
            $edrPoliciesFound_AllDevices = [System.Collections.ArrayList]::new()
            $processedEDRIds_AllDevices = [System.Collections.Generic.HashSet[string]]::new()

            # 1. Check configurationPolicies for EDR
            $configPoliciesForEDR_AllDevices = Get-IntuneEntities -EntityType "configurationPolicies"
            $matchingConfigPoliciesEDR_AllDevices = $configPoliciesForEDR_AllDevices | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityEndpointDetectionAndResponse' }
            if ($matchingConfigPoliciesEDR_AllDevices) {
                foreach ($policy in $matchingConfigPoliciesEDR_AllDevices) {
                    if ($processedEDRIds_AllDevices.Add($policy.id)) {
                        $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                        if ($assignments | Where-Object { $_.Reason -eq "All Devices" }) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Devices" -Force
                            [void]$edrPoliciesFound_AllDevices.Add($policy)
                        }
                    }
                }
            }

            # 2. Check deviceManagement/intents for EDR
            $allIntentsForEDR_AllDevices = Get-IntuneEntities -EntityType "deviceManagement/intents"
            $matchingIntentsEDR_AllDevices = $allIntentsForEDR_AllDevices | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityEndpointDetectionAndResponse' }
            if ($matchingIntentsEDR_AllDevices) {
                foreach ($policy in $matchingIntentsEDR_AllDevices) {
                    if ($processedEDRIds_AllDevices.Add($policy.id)) {
                        $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                        if ($assignmentsResponse.value | Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.allDevicesAssignmentTarget' }) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Devices" -Force
                            [void]$edrPoliciesFound_AllDevices.Add($policy)
                        }
                    }
                }
            }
            $allDevicesAssignments.EndpointDetectionProfiles = $edrPoliciesFound_AllDevices

            # Get Endpoint Security - Attack Surface Reduction Policies (Dual Check)
            Write-Host "Fetching ASR Policies assigned to All Devices..." -ForegroundColor Yellow
            $asrPoliciesFound_AllDevices = [System.Collections.ArrayList]::new()
            $processedASRIds_AllDevices = [System.Collections.Generic.HashSet[string]]::new()

            # 1. Check configurationPolicies for ASR
            $configPoliciesForASR_AllDevices = Get-IntuneEntities -EntityType "configurationPolicies"
            $matchingConfigPoliciesASR_AllDevices = $configPoliciesForASR_AllDevices | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAttackSurfaceReductionRules' }
            if ($matchingConfigPoliciesASR_AllDevices) {
                foreach ($policy in $matchingConfigPoliciesASR_AllDevices) {
                    if ($processedASRIds_AllDevices.Add($policy.id)) {
                        $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                        if ($assignments | Where-Object { $_.Reason -eq "All Devices" }) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Devices" -Force
                            [void]$asrPoliciesFound_AllDevices.Add($policy)
                        }
                    }
                }
            }

            # 2. Check deviceManagement/intents for ASR
            $allIntentsForASR_AllDevices = Get-IntuneEntities -EntityType "deviceManagement/intents"
            $matchingIntentsASR_AllDevices = $allIntentsForASR_AllDevices | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAttackSurfaceReductionRules' }
            if ($matchingIntentsASR_AllDevices) {
                foreach ($policy in $matchingIntentsASR_AllDevices) {
                    if ($processedASRIds_AllDevices.Add($policy.id)) {
                        $assignmentsResponse = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                        if ($assignmentsResponse.value | Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.allDevicesAssignmentTarget' }) {
                            $policy | Add-Member -NotePropertyName 'AssignmentReason' -NotePropertyValue "All Devices" -Force
                            [void]$asrPoliciesFound_AllDevices.Add($policy)
                        }
                    }
                }
            }
            $allDevicesAssignments.AttackSurfaceProfiles = $asrPoliciesFound_AllDevices

            # Display results
            Write-Host "`nPolicies Assigned to All Devices:" -ForegroundColor Green

            # Display Device Configurations
            Write-Host "`n------- Device Configurations -------" -ForegroundColor Cyan
            if ($allDevicesAssignments.DeviceConfigs.Count -eq 0) {
                Write-Host "No Device Configurations assigned to All Devices" -ForegroundColor Gray
            }
            else {
                foreach ($config in $allDevicesAssignments.DeviceConfigs) {
                    $configName = if ([string]::IsNullOrWhiteSpace($config.name)) { $config.displayName } else { $config.name }
                    Write-Host "Device Configuration Name: $configName, Configuration ID: $($config.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Device Configuration" -Items @($config) -AssignmentReason "All Devices"
                }
            }

            # Display Settings Catalog Policies
            Write-Host "`n------- Settings Catalog Policies -------" -ForegroundColor Cyan
            if ($allDevicesAssignments.SettingsCatalog.Count -eq 0) {
                Write-Host "No Settings Catalog Policies assigned to All Devices" -ForegroundColor Gray
            }
            else {
                foreach ($policy in $allDevicesAssignments.SettingsCatalog) {
                    $policyName = if ([string]::IsNullOrWhiteSpace($policy.name)) { $policy.displayName } else { $policy.name }
                    Write-Host "Settings Catalog Policy Name: $policyName, Policy ID: $($policy.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Settings Catalog Policy" -Items @($policy) -AssignmentReason "All Devices"
                }
            }

            # Display Administrative Templates
            Write-Host "`n------- Administrative Templates -------" -ForegroundColor Cyan
            if ($allDevicesAssignments.AdminTemplates.Count -eq 0) {
                Write-Host "No Administrative Templates assigned to All Devices" -ForegroundColor Gray
            }
            else {
                foreach ($template in $allDevicesAssignments.AdminTemplates) {
                    $templateName = if ([string]::IsNullOrWhiteSpace($template.name)) { $template.displayName } else { $template.name }
                    Write-Host "Administrative Template Name: $templateName, Template ID: $($template.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Administrative Template" -Items @($template) -AssignmentReason "All Devices"
                }
            }

            # Display Compliance Policies
            Write-Host "`n------- Compliance Policies -------" -ForegroundColor Cyan
            if ($allDevicesAssignments.CompliancePolicies.Count -eq 0) {
                Write-Host "No Compliance Policies assigned to All Devices" -ForegroundColor Gray
            }
            else {
                foreach ($policy in $allDevicesAssignments.CompliancePolicies) {
                    $policyName = if ([string]::IsNullOrWhiteSpace($policy.name)) { $policy.displayName } else { $policy.name }
                    Write-Host "Compliance Policy Name: $policyName, Policy ID: $($policy.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Compliance Policy" -Items @($policy) -AssignmentReason "All Devices"
                }
            }

            # Display App Protection Policies
            Write-Host "`n------- App Protection Policies -------" -ForegroundColor Cyan
            if ($allDevicesAssignments.AppProtectionPolicies.Count -eq 0) {
                Write-Host "No App Protection Policies assigned to All Devices" -ForegroundColor Gray
            }
            else {
                foreach ($policy in $allDevicesAssignments.AppProtectionPolicies) {
                    $policyName = $policy.displayName
                    $policyType = switch ($policy.'@odata.type') {
                        "#microsoft.graph.androidManagedAppProtection" { "Android" }
                        "#microsoft.graph.iosManagedAppProtection" { "iOS" }
                        "#microsoft.graph.windowsManagedAppProtection" { "Windows" }
                        default { "Unknown" }
                    }
                    Write-Host "App Protection Policy Name: $policyName, Policy ID: $($policy.id), Type: $policyType" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "App Protection Policy" -Items @($policy) -AssignmentReason "All Devices"
                }
            }

            # Display App Configuration Policies
            Write-Host "`n------- App Configuration Policies -------" -ForegroundColor Cyan
            if ($allDevicesAssignments.AppConfigurationPolicies.Count -eq 0) {
                Write-Host "No App Configuration Policies assigned to All Devices" -ForegroundColor Gray
            }
            else {
                foreach ($policy in $allDevicesAssignments.AppConfigurationPolicies) {
                    $policyName = if ([string]::IsNullOrWhiteSpace($policy.name)) { $policy.displayName } else { $policy.name }
                    Write-Host "App Configuration Policy Name: $policyName, Policy ID: $($policy.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "App Configuration Policy" -Items @($policy) -AssignmentReason "All Devices"
                }
            }

            # Display Platform Scripts
            Write-Host "`n------- Platform Scripts -------" -ForegroundColor Cyan
            if ($allDevicesAssignments.PlatformScripts.Count -eq 0) {
                Write-Host "No Platform Scripts assigned to All Devices" -ForegroundColor Gray
            }
            else {
                foreach ($script in $allDevicesAssignments.PlatformScripts) {
                    $scriptName = if ([string]::IsNullOrWhiteSpace($script.name)) { $script.displayName } else { $script.name }
                    Write-Host "Script Name: $scriptName, Script ID: $($script.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Platform Scripts" -Items @($script) -AssignmentReason "All Devices"
                }
            }

            # Display Proactive Remediation Scripts
            Write-Host "`n------- Proactive Remediation Scripts -------" -ForegroundColor Cyan
            if ($allDevicesAssignments.HealthScripts.Count -eq 0) {
                Write-Host "No Proactive Remediation Scripts assigned to All Devices" -ForegroundColor Gray
            }
            else {
                foreach ($script in $allDevicesAssignments.HealthScripts) {
                    $scriptName = if ([string]::IsNullOrWhiteSpace($script.name)) { $script.displayName } else { $script.name }
                    Write-Host "Script Name: $scriptName, Script ID: $($script.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Proactive Remediation Scripts" -Items @($script) -AssignmentReason "All Devices"
                }
            }

            # Display Required Apps
            Write-Host "`n------- Required Apps -------" -ForegroundColor Cyan
            if ($allDevicesAssignments.RequiredApps.Count -eq 0) {
                Write-Host "No Required Apps assigned to All Devices" -ForegroundColor Gray
            }
            else {
                foreach ($app in $allDevicesAssignments.RequiredApps) {
                    $appName = $app.displayName
                    Write-Host "App Name: $appName, App ID: $($app.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Required Apps" -Items @($app) -AssignmentReason "All Devices"
                }
            }

            # Display Available Apps
            Write-Host "`n------- Available Apps -------" -ForegroundColor Cyan
            if ($allDevicesAssignments.AvailableApps.Count -eq 0) {
                Write-Host "No Available Apps assigned to All Devices" -ForegroundColor Gray
            }
            else {
                foreach ($app in $allDevicesAssignments.AvailableApps) {
                    $appName = $app.displayName
                    Write-Host "App Name: $appName, App ID: $($app.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Available Apps" -Items @($app) -AssignmentReason "All Devices"
                }
            }

            # Display Uninstall Apps
            Write-Host "`n------- Uninstall Apps -------" -ForegroundColor Cyan
            if ($allDevicesAssignments.UninstallApps.Count -eq 0) {
                Write-Host "No Uninstall Apps assigned to All Devices" -ForegroundColor Gray
            }
            else {
                foreach ($app in $allDevicesAssignments.UninstallApps) {
                    $appName = $app.displayName
                    Write-Host "App Name: $appName, App ID: $($app.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Uninstall Apps" -Items @($app) -AssignmentReason "All Devices"
                }
            }

            # Display Endpoint Security - Antivirus Profiles
            Write-Host "`n------- Endpoint Security - Antivirus Profiles -------" -ForegroundColor Cyan
            if ($allDevicesAssignments.AntivirusProfiles.Count -eq 0) {
                Write-Host "No Antivirus Profiles assigned to All Devices" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $allDevicesAssignments.AntivirusProfiles) {
                    Write-Host "Antivirus Profile Name: $($profile.displayName), Profile ID: $($profile.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - Antivirus" -Items @($profile) -AssignmentReason "All Devices"
                }
            }

            # Display Endpoint Security - Disk Encryption Profiles
            Write-Host "`n------- Endpoint Security - Disk Encryption Profiles -------" -ForegroundColor Cyan
            if ($allDevicesAssignments.DiskEncryptionProfiles.Count -eq 0) {
                Write-Host "No Disk Encryption Profiles assigned to All Devices" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $allDevicesAssignments.DiskEncryptionProfiles) {
                    Write-Host "Disk Encryption Profile Name: $($profile.displayName), Profile ID: $($profile.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - Disk Encryption" -Items @($profile) -AssignmentReason "All Devices"
                }
            }

            # Display Endpoint Security - Firewall Profiles
            Write-Host "`n------- Endpoint Security - Firewall Profiles -------" -ForegroundColor Cyan
            if ($allDevicesAssignments.FirewallProfiles.Count -eq 0) {
                Write-Host "No Firewall Profiles assigned to All Devices" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $allDevicesAssignments.FirewallProfiles) {
                    Write-Host "Firewall Profile Name: $($profile.displayName), Profile ID: $($profile.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - Firewall" -Items @($profile) -AssignmentReason "All Devices"
                }
            }

            # Display Endpoint Security - Endpoint Detection and Response Profiles
            Write-Host "`n------- Endpoint Security - EDR Profiles -------" -ForegroundColor Cyan
            if ($allDevicesAssignments.EndpointDetectionProfiles.Count -eq 0) {
                Write-Host "No EDR Profiles assigned to All Devices" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $allDevicesAssignments.EndpointDetectionProfiles) {
                    $profileNameForDisplay = if (-not [string]::IsNullOrWhiteSpace($profile.displayName)) { $profile.displayName } elseif (-not [string]::IsNullOrWhiteSpace($profile.name)) { $profile.name } else { "Unnamed EDR Profile" }
                    Write-Host "EDR Profile Name: $profileNameForDisplay, Profile ID: $($profile.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - EDR" -Items @($profile) -AssignmentReason "All Devices"
                }
            }

            # Display Endpoint Security - Attack Surface Reduction Profiles
            Write-Host "`n------- Endpoint Security - ASR Profiles -------" -ForegroundColor Cyan
            if ($allDevicesAssignments.AttackSurfaceProfiles.Count -eq 0) {
                Write-Host "No ASR Profiles assigned to All Devices" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $allDevicesAssignments.AttackSurfaceProfiles) {
                    Write-Host "ASR Profile Name: $($profile.displayName), Profile ID: $($profile.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - ASR" -Items @($profile) -AssignmentReason "All Devices"
                }
            }

            # Display Autopilot Deployment Profiles
            Write-Host "`n------- Autopilot Deployment Profiles -------" -ForegroundColor Cyan
            if ($allDevicesAssignments.DeploymentProfiles.Count -eq 0) {
                Write-Host "No Autopilot Deployment Profiles assigned to All Devices" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $allDevicesAssignments.DeploymentProfiles) {
                    $profileName = if ([string]::IsNullOrWhiteSpace($profile.displayName)) { $profile.name } else { $profile.displayName }
                    Write-Host "Deployment Profile Name: $profileName, Profile ID: $($profile.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Autopilot Deployment Profile" -Items @($profile) -AssignmentReason "All Devices"
                }
            }
            
            # Display Enrollment Status Page Profiles
            Write-Host "`n------- Enrollment Status Page Profiles -------" -ForegroundColor Cyan
            if ($allDevicesAssignments.ESPProfiles.Count -eq 0) {
                Write-Host "No Enrollment Status Page Profiles assigned to All Devices" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $allDevicesAssignments.ESPProfiles) {
                    $profileName = if ([string]::IsNullOrWhiteSpace($profile.displayName)) { $profile.name } else { $profile.displayName }
                    Write-Host "Enrollment Status Page Name: $profileName, Profile ID: $($profile.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Enrollment Status Page" -Items @($profile) -AssignmentReason "All Devices"
                }
            }

            # Export results if requested
            Export-ResultsIfRequested -ExportData $exportData -DefaultFileName "IntuneAllDevicesAssignments.csv" -ForceExport:$ExportToCSV -CustomExportPath $ExportPath
        }
        '7' {
            Write-Host "Generating HTML Report..." -ForegroundColor Green

            # Download html-export.ps1 from GitHub
            $htmlExportUrl = "https://raw.githubusercontent.com/ugurkocde/IntuneAssignmentChecker/main/html-export.ps1"
            $scriptPath = Join-Path $env:TEMP 'html-export.ps1'
            
            try {
                Write-Host "Downloading html-export.ps1 from GitHub..." -ForegroundColor Yellow
                Invoke-WebRequest -Uri $htmlExportUrl -OutFile $scriptPath -UseBasicParsing
                Write-Host "Download complete." -ForegroundColor Green
                
                . $scriptPath

                # Generate the report with a fixed filename in the same directory
                $filePath = Join-Path (Get-Location) "IntuneAssignmentReport.html"
                Export-HTMLReport -FilePath $filePath

                # Ask if user wants to open the report
                $openReport = Read-Host "Would you like to open the report now? (y/n)"
                if ($openReport -eq 'y') {
                    Start-Process $filePath
                }

            }
            catch {
                Write-Host "Error: Failed to generate the HTML report. $($_.Exception.Message)" -ForegroundColor Red
            }
            finally {
                # Clean up the downloaded script
                if (Test-Path $scriptPath) {
                    Remove-Item $scriptPath -Force
                    Write-Host "Cleaned up temporary files." -ForegroundColor Gray
                }
            }
        }
        '8' {
            Write-Host "Fetching policies without assignments..." -ForegroundColor Green
            $exportData = [System.Collections.ArrayList]::new()

            # Initialize collections for policies without assignments
            $unassignedPolicies = @{
                DeviceConfigs            = @()
                SettingsCatalog          = @()
                AdminTemplates           = @()
                CompliancePolicies       = @()
                AppProtectionPolicies    = @()
                AppConfigurationPolicies = @()
                PlatformScripts          = @()
                HealthScripts            = @()
            }

            # Get Device Configurations
            Write-Host "Fetching Device Configurations..." -ForegroundColor Yellow
            $deviceConfigs = Get-IntuneEntities -EntityType "deviceConfigurations"
            foreach ($config in $deviceConfigs) {
                $assignments = Get-IntuneAssignments -EntityType "deviceConfigurations" -EntityId $config.id
                if ($assignments.Count -eq 0) {
                    $unassignedPolicies.DeviceConfigs += $config
                }
            }

            # Get Settings Catalog Policies
            Write-Host "Fetching Settings Catalog Policies..." -ForegroundColor Yellow
            $settingsCatalog = Get-IntuneEntities -EntityType "configurationPolicies"
            foreach ($policy in $settingsCatalog) {
                $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                if ($assignments.Count -eq 0) {
                    $unassignedPolicies.SettingsCatalog += $policy
                }
            }

            # Get Administrative Templates
            Write-Host "Fetching Administrative Templates..." -ForegroundColor Yellow
            $adminTemplates = Get-IntuneEntities -EntityType "groupPolicyConfigurations"
            foreach ($template in $adminTemplates) {
                $assignments = Get-IntuneAssignments -EntityType "groupPolicyConfigurations" -EntityId $template.id
                if ($assignments.Count -eq 0) {
                    $unassignedPolicies.AdminTemplates += $template
                }
            }

            # Get Compliance Policies
            Write-Host "Fetching Compliance Policies..." -ForegroundColor Yellow
            $compliancePolicies = Get-IntuneEntities -EntityType "deviceCompliancePolicies"
            foreach ($policy in $compliancePolicies) {
                $assignments = Get-IntuneAssignments -EntityType "deviceCompliancePolicies" -EntityId $policy.id
                if ($assignments.Count -eq 0) {
                    $unassignedPolicies.CompliancePolicies += $policy
                }
            }

            # Get App Protection Policies
            Write-Host "Fetching App Protection Policies..." -ForegroundColor Yellow
            $appProtectionPolicies = Get-IntuneEntities -EntityType "deviceAppManagement/managedAppPolicies"
            foreach ($policy in $appProtectionPolicies) {
                $policyType = $policy.'@odata.type'
                $assignmentsUri = switch ($policyType) {
                    "#microsoft.graph.androidManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/androidManagedAppProtections('$($policy.id)')/assignments" }
                    "#microsoft.graph.iosManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/iosManagedAppProtections('$($policy.id)')/assignments" }
                    "#microsoft.graph.windowsManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/windowsManagedAppProtections('$($policy.id)')/assignments" }
                    default { $null }
                }

                if ($assignmentsUri) {
                    try {
                        $assignmentResponse = Invoke-MgGraphRequest -Uri $assignmentsUri -Method Get
                        if ($assignmentResponse.value.Count -eq 0) {
                            $unassignedPolicies.AppProtectionPolicies += $policy
                        }
                    }
                    catch {
                        Write-Host "Error fetching assignments for policy $($policy.displayName): $($_.Exception.Message)" -ForegroundColor Red
                    }
                }
            }

            # Get App Configuration Policies
            Write-Host "Fetching App Configuration Policies..." -ForegroundColor Yellow
            $appConfigPolicies = Get-IntuneEntities -EntityType "deviceAppManagement/mobileAppConfigurations"
            foreach ($policy in $appConfigPolicies) {
                $assignments = Get-IntuneAssignments -EntityType "mobileAppConfigurations" -EntityId $policy.id
                if ($assignments.Count -eq 0) {
                    $unassignedPolicies.AppConfigurationPolicies += $policy
                }
            }

            # Get Platform Scripts
            Write-Host "Fetching Platform Scripts..." -ForegroundColor Yellow
            $platformScripts = Get-IntuneEntities -EntityType "deviceManagementScripts"
            foreach ($script in $platformScripts) {
                $assignments = Get-IntuneAssignments -EntityType "deviceManagementScripts" -EntityId $script.id
                if ($assignments.Count -eq 0) {
                    $unassignedPolicies.PlatformScripts += $script
                }
            }

            # Get Proactive Remediation Scripts
            Write-Host "Fetching Proactive Remediation Scripts..." -ForegroundColor Yellow
            $healthScripts = Get-IntuneEntities -EntityType "deviceHealthScripts"
            foreach ($script in $healthScripts) {
                $assignments = Get-IntuneAssignments -EntityType "deviceHealthScripts" -EntityId $script.id
                if ($assignments.Count -eq 0) {
                    $unassignedPolicies.HealthScripts += $script
                }
            }

            # Get Endpoint Security - Antivirus Policies
            Write-Host "Fetching Antivirus Policies..." -ForegroundColor Yellow
            $allIntentsForAntivirusUnassigned = Get-IntuneEntities -EntityType "deviceManagement/intents"
            $antivirusPolicies = $allIntentsForAntivirusUnassigned | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAntivirus' }
            if ($antivirusPolicies) {
                foreach ($policy in $antivirusPolicies) {
                    $assignments = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                    if ($assignments.value.Count -eq 0) {
                        $unassignedPolicies.AntivirusProfiles += $policy
                    }
                }
            }

            # Get Endpoint Security - Disk Encryption Policies
            Write-Host "Fetching Disk Encryption Policies..." -ForegroundColor Yellow
            $allIntentsForDiskEncUnassigned = Get-IntuneEntities -EntityType "deviceManagement/intents"
            $diskEncryptionPolicies = $allIntentsForDiskEncUnassigned | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityDiskEncryption' }
            if ($diskEncryptionPolicies) {
                foreach ($policy in $diskEncryptionPolicies) {
                    $assignments = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                    if ($assignments.value.Count -eq 0) {
                        $unassignedPolicies.DiskEncryptionProfiles += $policy
                    }
                }
            }

            # Get Endpoint Security - Firewall Policies
            Write-Host "Fetching Firewall Policies..." -ForegroundColor Yellow
            $allIntentsForFirewallUnassigned = Get-IntuneEntities -EntityType "deviceManagement/intents"
            $firewallPolicies = $allIntentsForFirewallUnassigned | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityFirewall' }
            if ($firewallPolicies) {
                foreach ($policy in $firewallPolicies) {
                    $assignments = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                    if ($assignments.value.Count -eq 0) {
                        $unassignedPolicies.FirewallProfiles += $policy
                    }
                }
            }

            # Get Endpoint Security - Endpoint Detection and Response Policies
            Write-Host "Fetching EDR Policies..." -ForegroundColor Yellow
            $allIntentsForEDRUnassigned = Get-IntuneEntities -EntityType "deviceManagement/intents"
            $edrPolicies = $allIntentsForEDRUnassigned | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityEndpointDetectionAndResponse' }
            if ($edrPolicies) {
                foreach ($policy in $edrPolicies) {
                    $assignments = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                    if ($assignments.value.Count -eq 0) {
                        $unassignedPolicies.EndpointDetectionProfiles += $policy
                    }
                }
            }

            # Get Endpoint Security - Attack Surface Reduction Policies
            Write-Host "Fetching ASR Policies..." -ForegroundColor Yellow
            $allIntentsForASRUnassigned = Get-IntuneEntities -EntityType "deviceManagement/intents"
            $asrPolicies = $allIntentsForASRUnassigned | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAttackSurfaceReductionRules' }
            if ($asrPolicies) {
                foreach ($policy in $asrPolicies) {
                    $assignments = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                    if ($assignments.value.Count -eq 0) {
                        $unassignedPolicies.AttackSurfaceProfiles += $policy
                    }
                }
            }
            
            # Display results
            Write-Host "`nPolicies Without Assignments:" -ForegroundColor Green

            # Display Device Configurations
            Write-Host "`n------- Device Configurations -------" -ForegroundColor Cyan
            if ($unassignedPolicies.DeviceConfigs.Count -eq 0) {
                Write-Host "No unassigned Device Configurations found" -ForegroundColor Gray
            }
            else {
                foreach ($config in $unassignedPolicies.DeviceConfigs) {
                    $configName = if ([string]::IsNullOrWhiteSpace($config.name)) { $config.displayName } else { $config.name }
                    Write-Host "Device Configuration Name: $configName, Configuration ID: $($config.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Device Configuration" -Items @($config) -AssignmentReason "No Assignment"
                }
            }

            # Display Settings Catalog Policies
            Write-Host "`n------- Settings Catalog Policies -------" -ForegroundColor Cyan
            if ($unassignedPolicies.SettingsCatalog.Count -eq 0) {
                Write-Host "No unassigned Settings Catalog Policies found" -ForegroundColor Gray
            }
            else {
                foreach ($policy in $unassignedPolicies.SettingsCatalog) {
                    $policyName = if ([string]::IsNullOrWhiteSpace($policy.name)) { $policy.displayName } else { $policy.name }
                    Write-Host "Settings Catalog Policy Name: $policyName, Policy ID: $($policy.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Settings Catalog Policy" -Items @($policy) -AssignmentReason "No Assignment"
                }
            }

            # Display Administrative Templates
            Write-Host "`n------- Administrative Templates -------" -ForegroundColor Cyan
            if ($unassignedPolicies.AdminTemplates.Count -eq 0) {
                Write-Host "No unassigned Administrative Templates found" -ForegroundColor Gray
            }
            else {
                foreach ($template in $unassignedPolicies.AdminTemplates) {
                    $templateName = if ([string]::IsNullOrWhiteSpace($template.name)) { $template.displayName } else { $template.name }
                    Write-Host "Administrative Template Name: $templateName, Template ID: $($template.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Administrative Template" -Items @($template) -AssignmentReason "No Assignment"
                }
            }

            # Display Compliance Policies
            Write-Host "`n------- Compliance Policies -------" -ForegroundColor Cyan
            if ($unassignedPolicies.CompliancePolicies.Count -eq 0) {
                Write-Host "No unassigned Compliance Policies found" -ForegroundColor Gray
            }
            else {
                foreach ($policy in $unassignedPolicies.CompliancePolicies) {
                    $policyName = if ([string]::IsNullOrWhiteSpace($policy.name)) { $policy.displayName } else { $policy.name }
                    Write-Host "Compliance Policy Name: $policyName, Policy ID: $($policy.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Compliance Policy" -Items @($policy) -AssignmentReason "No Assignment"
                }
            }

            # Display App Protection Policies
            Write-Host "`n------- App Protection Policies -------" -ForegroundColor Cyan
            if ($unassignedPolicies.AppProtectionPolicies.Count -eq 0) {
                Write-Host "No unassigned App Protection Policies found" -ForegroundColor Gray
            }
            else {
                foreach ($policy in $unassignedPolicies.AppProtectionPolicies) {
                    $policyName = $policy.displayName
                    $policyType = switch ($policy.'@odata.type') {
                        "#microsoft.graph.androidManagedAppProtection" { "Android" }
                        "#microsoft.graph.iosManagedAppProtection" { "iOS" }
                        "#microsoft.graph.windowsManagedAppProtection" { "Windows" }
                        default { "Unknown" }
                    }
                    Write-Host "App Protection Policy Name: $policyName, Policy ID: $($policy.id), Type: $policyType" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "App Protection Policy" -Items @($policy) -AssignmentReason "No Assignment"
                }
            }

            # Display App Configuration Policies
            Write-Host "`n------- App Configuration Policies -------" -ForegroundColor Cyan
            if ($unassignedPolicies.AppConfigurationPolicies.Count -eq 0) {
                Write-Host "No unassigned App Configuration Policies found" -ForegroundColor Gray
            }
            else {
                foreach ($policy in $unassignedPolicies.AppConfigurationPolicies) {
                    $policyName = if ([string]::IsNullOrWhiteSpace($policy.name)) { $policy.displayName } else { $policy.name }
                    Write-Host "App Configuration Policy Name: $policyName, Policy ID: $($policy.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "App Configuration Policy" -Items @($policy) -AssignmentReason "No Assignment"
                }
            }

            # Display Platform Scripts
            Write-Host "`n------- Platform Scripts -------" -ForegroundColor Cyan
            if ($unassignedPolicies.PlatformScripts.Count -eq 0) {
                Write-Host "No unassigned Platform Scripts found" -ForegroundColor Gray
            }
            else {
                foreach ($script in $unassignedPolicies.PlatformScripts) {
                    $scriptName = if ([string]::IsNullOrWhiteSpace($script.name)) { $script.displayName } else { $script.name }
                    Write-Host "Script Name: $scriptName, Script ID: $($script.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Platform Scripts" -Items @($script) -AssignmentReason "No Assignment"
                }
            }

            # Display Proactive Remediation Scripts
            Write-Host "`n------- Proactive Remediation Scripts -------" -ForegroundColor Cyan
            if ($unassignedPolicies.HealthScripts.Count -eq 0) {
                Write-Host "No unassigned Proactive Remediation Scripts found" -ForegroundColor Gray
            }
            else {
                foreach ($script in $unassignedPolicies.HealthScripts) {
                    $scriptName = if ([string]::IsNullOrWhiteSpace($script.name)) { $script.displayName } else { $script.name }
                    Write-Host "Script Name: $scriptName, Script ID: $($script.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Proactive Remediation Scripts" -Items @($script) -AssignmentReason "No Assignment"
                }
            }

            # Display Endpoint Security - Antivirus Profiles
            Write-Host "`n------- Endpoint Security - Antivirus Profiles -------" -ForegroundColor Cyan
            if ($unassignedPolicies.AntivirusProfiles.Count -eq 0) {
                Write-Host "No unassigned Antivirus Profiles found" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $unassignedPolicies.AntivirusProfiles) {
                    Write-Host "Antivirus Profile Name: $($profile.displayName), Profile ID: $($profile.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - Antivirus" -Items @($profile) -AssignmentReason "No Assignment"
                }
            }

            # Display Endpoint Security - Disk Encryption Profiles
            Write-Host "`n------- Endpoint Security - Disk Encryption Profiles -------" -ForegroundColor Cyan
            if ($unassignedPolicies.DiskEncryptionProfiles.Count -eq 0) {
                Write-Host "No unassigned Disk Encryption Profiles found" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $unassignedPolicies.DiskEncryptionProfiles) {
                    Write-Host "Disk Encryption Profile Name: $($profile.displayName), Profile ID: $($profile.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - Disk Encryption" -Items @($profile) -AssignmentReason "No Assignment"
                }
            }

            # Display Endpoint Security - Firewall Profiles
            Write-Host "`n------- Endpoint Security - Firewall Profiles -------" -ForegroundColor Cyan
            if ($unassignedPolicies.FirewallProfiles.Count -eq 0) {
                Write-Host "No unassigned Firewall Profiles found" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $unassignedPolicies.FirewallProfiles) {
                    Write-Host "Firewall Profile Name: $($profile.displayName), Profile ID: $($profile.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - Firewall" -Items @($profile) -AssignmentReason "No Assignment"
                }
            }

            # Display Endpoint Security - Endpoint Detection and Response Profiles
            Write-Host "`n------- Endpoint Security - EDR Profiles -------" -ForegroundColor Cyan
            if ($unassignedPolicies.EndpointDetectionProfiles.Count -eq 0) {
                Write-Host "No unassigned EDR Profiles found" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $unassignedPolicies.EndpointDetectionProfiles) {
                    Write-Host "EDR Profile Name: $($profile.displayName), Profile ID: $($profile.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - EDR" -Items @($profile) -AssignmentReason "No Assignment"
                }
            }

            # Display Endpoint Security - Attack Surface Reduction Profiles
            Write-Host "`n------- Endpoint Security - ASR Profiles -------" -ForegroundColor Cyan
            if ($unassignedPolicies.AttackSurfaceProfiles.Count -eq 0) {
                Write-Host "No unassigned ASR Profiles found" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $unassignedPolicies.AttackSurfaceProfiles) {
                    Write-Host "ASR Profile Name: $($profile.displayName), Profile ID: $($profile.id)" -ForegroundColor White
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - ASR" -Items @($profile) -AssignmentReason "No Assignment"
                }
            }

            # Export results if requested
            Export-ResultsIfRequested -ExportData $exportData -DefaultFileName "IntuneUnassignedPolicies.csv" -ForceExport:$ExportToCSV -CustomExportPath $ExportPath
        }
       
        '9' {
            Write-Host "Checking for policies assigned to empty groups..." -ForegroundColor Green
            $exportData = [System.Collections.ArrayList]::new()

            # Helper function to check if a group is empty
            function Test-EmptyGroup {
                param (
                    [Parameter(Mandatory = $true)]
                    [string]$GroupId
                )

                try {
                    $membersUri = "$GraphEndpoint/v1.0/groups/$GroupId/members?`$select=id"
                    $response = Invoke-MgGraphRequest -Uri $membersUri -Method Get
                    return $response.value.Count -eq 0
                }
                catch {
                    Write-Host "Error checking members for group $GroupId : $($_.Exception.Message)" -ForegroundColor Red
                    return $false
                }
            }

            # Initialize collections for policies with empty group assignments
            $emptyGroupAssignments = @{
                DeviceConfigs            = @()
                SettingsCatalog          = @()
                AdminTemplates           = @()
                CompliancePolicies       = @()
                AppProtectionPolicies    = @()
                AppConfigurationPolicies = @()
                PlatformScripts          = @()
                HealthScripts            = @()
            }

            # Get Device Configurations
            Write-Host "Fetching Device Configurations..." -ForegroundColor Yellow
            $deviceConfigs = Get-IntuneEntities -EntityType "deviceConfigurations"
            foreach ($config in $deviceConfigs) {
                $assignments = Get-IntuneAssignments -EntityType "deviceConfigurations" -EntityId $config.id
                foreach ($assignment in $assignments) {
                    if ($assignment.Reason -eq "Group Assignment" -and $assignment.GroupId) {
                        $groupInfo = Get-GroupInfo -GroupId $assignment.GroupId
                        if ($groupInfo.Success -and (Test-EmptyGroup -GroupId $assignment.GroupId)) {
                            $config | Add-Member -NotePropertyName 'EmptyGroupInfo' -NotePropertyValue "Assigned to empty group: $($groupInfo.DisplayName)" -Force
                            $emptyGroupAssignments.DeviceConfigs += $config
                            break
                        }
                    }
                }
            }

            # Get Settings Catalog Policies
            Write-Host "Fetching Settings Catalog Policies..." -ForegroundColor Yellow
            $settingsCatalog = Get-IntuneEntities -EntityType "configurationPolicies"
            foreach ($policy in $settingsCatalog) {
                $assignments = Get-IntuneAssignments -EntityType "configurationPolicies" -EntityId $policy.id
                foreach ($assignment in $assignments) {
                    if ($assignment.Reason -eq "Group Assignment" -and $assignment.GroupId) {
                        $groupInfo = Get-GroupInfo -GroupId $assignment.GroupId
                        if ($groupInfo.Success -and (Test-EmptyGroup -GroupId $assignment.GroupId)) {
                            $policy | Add-Member -NotePropertyName 'EmptyGroupInfo' -NotePropertyValue "Assigned to empty group: $($groupInfo.DisplayName)" -Force
                            $emptyGroupAssignments.SettingsCatalog += $policy
                            break
                        }
                    }
                }
            }

            # Get Administrative Templates
            Write-Host "Fetching Administrative Templates..." -ForegroundColor Yellow
            $adminTemplates = Get-IntuneEntities -EntityType "groupPolicyConfigurations"
            foreach ($template in $adminTemplates) {
                $assignments = Get-IntuneAssignments -EntityType "groupPolicyConfigurations" -EntityId $template.id
                foreach ($assignment in $assignments) {
                    if ($assignment.Reason -eq "Group Assignment" -and $assignment.GroupId) {
                        $groupInfo = Get-GroupInfo -GroupId $assignment.GroupId
                        if ($groupInfo.Success -and (Test-EmptyGroup -GroupId $assignment.GroupId)) {
                            $template | Add-Member -NotePropertyName 'EmptyGroupInfo' -NotePropertyValue "Assigned to empty group: $($groupInfo.DisplayName)" -Force
                            $emptyGroupAssignments.AdminTemplates += $template
                            break
                        }
                    }
                }
            }

            # Get Compliance Policies
            Write-Host "Fetching Compliance Policies..." -ForegroundColor Yellow
            $compliancePolicies = Get-IntuneEntities -EntityType "deviceCompliancePolicies"
            foreach ($policy in $compliancePolicies) {
                $assignments = Get-IntuneAssignments -EntityType "deviceCompliancePolicies" -EntityId $policy.id
                foreach ($assignment in $assignments) {
                    if ($assignment.Reason -eq "Group Assignment" -and $assignment.GroupId) {
                        $groupInfo = Get-GroupInfo -GroupId $assignment.GroupId
                        if ($groupInfo.Success -and (Test-EmptyGroup -GroupId $assignment.GroupId)) {
                            $policy | Add-Member -NotePropertyName 'EmptyGroupInfo' -NotePropertyValue "Assigned to empty group: $($groupInfo.DisplayName)" -Force
                            $emptyGroupAssignments.CompliancePolicies += $policy
                            break
                        }
                    }
                }
            }

            # Get App Protection Policies
            Write-Host "Fetching App Protection Policies..." -ForegroundColor Yellow
            $appProtectionPolicies = Get-IntuneEntities -EntityType "deviceAppManagement/managedAppPolicies"
            foreach ($policy in $appProtectionPolicies) {
                $policyType = $policy.'@odata.type'
                $assignmentsUri = switch ($policyType) {
                    "#microsoft.graph.androidManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/androidManagedAppProtections('$($policy.id)')/assignments" }
                    "#microsoft.graph.iosManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/iosManagedAppProtections('$($policy.id)')/assignments" }
                    "#microsoft.graph.windowsManagedAppProtection" { "$GraphEndpoint/beta/deviceAppManagement/windowsManagedAppProtections('$($policy.id)')/assignments" }
                    default { $null }
                }

                if ($assignmentsUri) {
                    try {
                        $assignmentResponse = Invoke-MgGraphRequest -Uri $assignmentsUri -Method Get
                        $assignments = @()
                        foreach ($assignment in $assignmentResponse.value) {
                            $assignmentReason = $null
                            switch ($assignment.target.'@odata.type') {
                                '#microsoft.graph.allLicensedUsersAssignmentTarget' { 
                                    $assignmentReason = "All Users"
                                }
                                '#microsoft.graph.groupAssignmentTarget' {
                                    if (!$GroupId -or $assignment.target.groupId -eq $GroupId) {
                                        $assignmentReason = "Group Assignment"
                                    }
                                }
                            }

                            if ($assignmentReason) {
                                $assignments += @{
                                    Reason  = $assignmentReason
                                    GroupId = $assignment.target.groupId
                                }
                            }
                        }

                        if ($assignments.Count -gt 0) {
                            $assignmentSummary = $assignments | ForEach-Object {
                                if ($_.Reason -eq "Group Assignment") {
                                    $groupInfo = Get-GroupInfo -GroupId $_.GroupId
                                    "$($_.Reason) - $($groupInfo.DisplayName)"
                                }
                                else {
                                    $_.Reason
                                }
                            }
                            $policy | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($assignmentSummary -join "; ") -Force
                            $emptyGroupAssignments.AppProtectionPolicies += $policy
                        }
                    }
                    catch {
                        Write-Host "Error fetching assignments for policy $($policy.displayName): $($_.Exception.Message)" -ForegroundColor Red
                    }
                }
            }

            # Get App Configuration Policies
            Write-Host "Fetching App Configuration Policies..." -ForegroundColor Yellow
            $appConfigPolicies = Get-IntuneEntities -EntityType "deviceAppManagement/mobileAppConfigurations"
            foreach ($policy in $appConfigPolicies) {
                $assignments = Get-IntuneAssignments -EntityType "mobileAppConfigurations" -EntityId $policy.id
                foreach ($assignment in $assignments) {
                    if ($assignment.Reason -eq "Group Assignment" -and $assignment.GroupId) {
                        $groupInfo = Get-GroupInfo -GroupId $assignment.GroupId
                        if ($groupInfo.Success -and (Test-EmptyGroup -GroupId $assignment.GroupId)) {
                            $policy | Add-Member -NotePropertyName 'EmptyGroupInfo' -NotePropertyValue "Assigned to empty group: $($groupInfo.DisplayName)" -Force
                            $emptyGroupAssignments.AppConfigurationPolicies += $policy
                            break
                        }
                    }
                }
            }

            # Get Platform Scripts
            Write-Host "Fetching Platform Scripts..." -ForegroundColor Yellow
            $platformScripts = Get-IntuneEntities -EntityType "deviceManagementScripts"
            foreach ($script in $platformScripts) {
                $assignments = Get-IntuneAssignments -EntityType "deviceManagementScripts" -EntityId $script.id
                foreach ($assignment in $assignments) {
                    if ($assignment.Reason -eq "Group Assignment" -and $assignment.GroupId) {
                        $groupInfo = Get-GroupInfo -GroupId $assignment.GroupId
                        if ($groupInfo.Success -and (Test-EmptyGroup -GroupId $assignment.GroupId)) {
                            $script | Add-Member -NotePropertyName 'EmptyGroupInfo' -NotePropertyValue "Assigned to empty group: $($groupInfo.DisplayName)" -Force
                            $emptyGroupAssignments.PlatformScripts += $script
                            break
                        }
                    }
                }
            }

            # Get Proactive Remediation Scripts
            Write-Host "Fetching Proactive Remediation Scripts..." -ForegroundColor Yellow
            $healthScripts = Get-IntuneEntities -EntityType "deviceHealthScripts"
            foreach ($script in $healthScripts) {
                $assignments = Get-IntuneAssignments -EntityType "deviceHealthScripts" -EntityId $script.id
                foreach ($assignment in $assignments) {
                    if ($assignment.Reason -eq "Group Assignment" -and $assignment.GroupId) {
                        $groupInfo = Get-GroupInfo -GroupId $assignment.GroupId
                        if ($groupInfo.Success -and (Test-EmptyGroup -GroupId $assignment.GroupId)) {
                            $script | Add-Member -NotePropertyName 'EmptyGroupInfo' -NotePropertyValue "Assigned to empty group: $($groupInfo.DisplayName)" -Force
                            $emptyGroupAssignments.HealthScripts += $script
                            break
                        }
                    }
                }
            }

            # Display results
            Write-Host "`nPolicies Assigned to Empty Groups:" -ForegroundColor Green

            # Display Device Configurations
            Write-Host "`n------- Device Configurations -------" -ForegroundColor Cyan
            if ($emptyGroupAssignments.DeviceConfigs.Count -eq 0) {
                Write-Host "No Device Configurations assigned to empty groups" -ForegroundColor Gray
            }
            else {
                foreach ($config in $emptyGroupAssignments.DeviceConfigs) {
                    $configName = if ([string]::IsNullOrWhiteSpace($config.name)) { $config.displayName } else { $config.name }
                    Write-Host "Device Configuration Name: $configName" -ForegroundColor White
                    Write-Host "Configuration ID: $($config.id)" -ForegroundColor Gray
                    Write-Host "$($config.EmptyGroupInfo)" -ForegroundColor Yellow
                    Write-Host ""
                    Add-ExportData -ExportData $exportData -Category "Device Configuration" -Items @($config) -AssignmentReason $config.EmptyGroupInfo
                }
            }

            # Display Settings Catalog Policies
            Write-Host "`n------- Settings Catalog Policies -------" -ForegroundColor Cyan
            if ($emptyGroupAssignments.SettingsCatalog.Count -eq 0) {
                Write-Host "No Settings Catalog Policies assigned to empty groups" -ForegroundColor Gray
            }
            else {
                foreach ($policy in $emptyGroupAssignments.SettingsCatalog) {
                    $policyName = if ([string]::IsNullOrWhiteSpace($policy.name)) { $policy.displayName } else { $policy.name }
                    Write-Host "Settings Catalog Policy Name: $policyName" -ForegroundColor White
                    Write-Host "Policy ID: $($policy.id)" -ForegroundColor Gray
                    Write-Host "$($policy.EmptyGroupInfo)" -ForegroundColor Yellow
                    Write-Host ""
                    Add-ExportData -ExportData $exportData -Category "Settings Catalog Policy" -Items @($policy) -AssignmentReason $policy.EmptyGroupInfo
                }
            }

            # Display Administrative Templates
            Write-Host "`n------- Administrative Templates -------" -ForegroundColor Cyan
            if ($emptyGroupAssignments.AdminTemplates.Count -eq 0) {
                Write-Host "No Administrative Templates assigned to empty groups" -ForegroundColor Gray
            }
            else {
                foreach ($template in $emptyGroupAssignments.AdminTemplates) {
                    $templateName = if ([string]::IsNullOrWhiteSpace($template.name)) { $template.displayName } else { $template.name }
                    Write-Host "Administrative Template Name: $templateName" -ForegroundColor White
                    Write-Host "Template ID: $($template.id)" -ForegroundColor Gray
                    Write-Host "$($template.EmptyGroupInfo)" -ForegroundColor Yellow
                    Write-Host ""
                    Add-ExportData -ExportData $exportData -Category "Administrative Template" -Items @($template) -AssignmentReason $template.EmptyGroupInfo
                }
            }

            # Display Compliance Policies
            Write-Host "`n------- Compliance Policies -------" -ForegroundColor Cyan
            if ($emptyGroupAssignments.CompliancePolicies.Count -eq 0) {
                Write-Host "No Compliance Policies assigned to empty groups" -ForegroundColor Gray
            }
            else {
                foreach ($policy in $emptyGroupAssignments.CompliancePolicies) {
                    $policyName = if ([string]::IsNullOrWhiteSpace($policy.name)) { $policy.displayName } else { $policy.name }
                    Write-Host "Compliance Policy Name: $policyName" -ForegroundColor White
                    Write-Host "Policy ID: $($policy.id)" -ForegroundColor Gray
                    Write-Host "$($policy.EmptyGroupInfo)" -ForegroundColor Yellow
                    Write-Host ""
                    Add-ExportData -ExportData $exportData -Category "Compliance Policy" -Items @($policy) -AssignmentReason $policy.EmptyGroupInfo
                }
            }

            # Display App Protection Policies
            Write-Host "`n------- App Protection Policies -------" -ForegroundColor Cyan
            if ($emptyGroupAssignments.AppProtectionPolicies.Count -eq 0) {
                Write-Host "No App Protection Policies assigned to empty groups" -ForegroundColor Gray
            }
            else {
                foreach ($policy in $emptyGroupAssignments.AppProtectionPolicies) {
                    $policyName = $policy.displayName
                    $policyType = switch ($policy.'@odata.type') {
                        "#microsoft.graph.androidManagedAppProtection" { "Android" }
                        "#microsoft.graph.iosManagedAppProtection" { "iOS" }
                        "#microsoft.graph.windowsManagedAppProtection" { "Windows" }
                        default { "Unknown" }
                    }
                    Write-Host "App Protection Policy Name: $policyName" -ForegroundColor White
                    Write-Host "Policy ID: $($policy.id), Type: $policyType" -ForegroundColor Gray
                    Write-Host "$($policy.EmptyGroupInfo)" -ForegroundColor Yellow
                    Write-Host ""
                    Add-ExportData -ExportData $exportData -Category "App Protection Policy" -Items @($policy) -AssignmentReason $policy.EmptyGroupInfo
                }
            }

            # Display App Configuration Policies
            Write-Host "`n------- App Configuration Policies -------" -ForegroundColor Cyan
            if ($emptyGroupAssignments.AppConfigurationPolicies.Count -eq 0) {
                Write-Host "No App Configuration Policies assigned to empty groups" -ForegroundColor Gray
            }
            else {
                foreach ($policy in $emptyGroupAssignments.AppConfigurationPolicies) {
                    $policyName = if ([string]::IsNullOrWhiteSpace($policy.name)) { $policy.displayName } else { $policy.name }
                    Write-Host "App Configuration Policy Name: $policyName" -ForegroundColor White
                    Write-Host "Policy ID: $($policy.id)" -ForegroundColor Gray
                    Write-Host "$($policy.EmptyGroupInfo)" -ForegroundColor Yellow
                    Write-Host ""
                    Add-ExportData -ExportData $exportData -Category "App Configuration Policy" -Items @($policy) -AssignmentReason $policy.EmptyGroupInfo
                }
            }

            # Display Platform Scripts
            Write-Host "`n------- Platform Scripts -------" -ForegroundColor Cyan
            if ($emptyGroupAssignments.PlatformScripts.Count -eq 0) {
                Write-Host "No Platform Scripts assigned to empty groups" -ForegroundColor Gray
            }
            else {
                foreach ($script in $emptyGroupAssignments.PlatformScripts) {
                    $scriptName = if ([string]::IsNullOrWhiteSpace($script.name)) { $script.displayName } else { $script.name }
                    Write-Host "Script Name: $scriptName" -ForegroundColor White
                    Write-Host "Script ID: $($script.id)" -ForegroundColor Gray
                    Write-Host "$($script.EmptyGroupInfo)" -ForegroundColor Yellow
                    Write-Host ""
                    Add-ExportData -ExportData $exportData -Category "Platform Scripts" -Items @($script) -AssignmentReason $script.EmptyGroupInfo
                }
            }

            # Display Proactive Remediation Scripts
            Write-Host "`n------- Proactive Remediation Scripts -------" -ForegroundColor Cyan
            if ($emptyGroupAssignments.HealthScripts.Count -eq 0) {
                Write-Host "No Proactive Remediation Scripts assigned to empty groups" -ForegroundColor Gray
            }
            else {
                foreach ($script in $emptyGroupAssignments.HealthScripts) {
                    $scriptName = if ([string]::IsNullOrWhiteSpace($script.name)) { $script.displayName } else { $script.name }
                    Write-Host "Script Name: $scriptName" -ForegroundColor White
                    Write-Host "Script ID: $($script.id)" -ForegroundColor Gray
                    Write-Host "$($script.EmptyGroupInfo)" -ForegroundColor Yellow
                    Write-Host ""
                    Add-ExportData -ExportData $exportData -Category "Proactive Remediation Scripts" -Items @($script) -AssignmentReason $script.EmptyGroupInfo
                }
            }

            # Display Endpoint Security - Antivirus Profiles
            Write-Host "`n------- Endpoint Security - Antivirus Profiles -------" -ForegroundColor Cyan
            if ($emptyGroupAssignments.AntivirusProfiles.Count -eq 0) {
                Write-Host "No Antivirus Profiles assigned to empty groups" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $emptyGroupAssignments.AntivirusProfiles) {
                    Write-Host "Antivirus Profile Name: $($profile.displayName)" -ForegroundColor White
                    Write-Host "Profile ID: $($profile.id)" -ForegroundColor Gray
                    Write-Host "$($profile.EmptyGroupInfo)" -ForegroundColor Yellow
                    Write-Host ""
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - Antivirus" -Items @($profile) -AssignmentReason $profile.EmptyGroupInfo
                }
            }

            # Display Endpoint Security - Disk Encryption Profiles
            Write-Host "`n------- Endpoint Security - Disk Encryption Profiles -------" -ForegroundColor Cyan
            if ($emptyGroupAssignments.DiskEncryptionProfiles.Count -eq 0) {
                Write-Host "No Disk Encryption Profiles assigned to empty groups" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $emptyGroupAssignments.DiskEncryptionProfiles) {
                    Write-Host "Disk Encryption Profile Name: $($profile.displayName)" -ForegroundColor White
                    Write-Host "Profile ID: $($profile.id)" -ForegroundColor Gray
                    Write-Host "$($profile.EmptyGroupInfo)" -ForegroundColor Yellow
                    Write-Host ""
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - Disk Encryption" -Items @($profile) -AssignmentReason $profile.EmptyGroupInfo
                }
            }

            # Display Endpoint Security - Firewall Profiles
            Write-Host "`n------- Endpoint Security - Firewall Profiles -------" -ForegroundColor Cyan
            if ($emptyGroupAssignments.FirewallProfiles.Count -eq 0) {
                Write-Host "No Firewall Profiles assigned to empty groups" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $emptyGroupAssignments.FirewallProfiles) {
                    Write-Host "Firewall Profile Name: $($profile.displayName)" -ForegroundColor White
                    Write-Host "Profile ID: $($profile.id)" -ForegroundColor Gray
                    Write-Host "$($profile.EmptyGroupInfo)" -ForegroundColor Yellow
                    Write-Host ""
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - Firewall" -Items @($profile) -AssignmentReason $profile.EmptyGroupInfo
                }
            }

            # Display Endpoint Security - Endpoint Detection and Response Profiles
            Write-Host "`n------- Endpoint Security - EDR Profiles -------" -ForegroundColor Cyan
            if ($emptyGroupAssignments.EndpointDetectionProfiles.Count -eq 0) {
                Write-Host "No EDR Profiles assigned to empty groups" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $emptyGroupAssignments.EndpointDetectionProfiles) {
                    Write-Host "EDR Profile Name: $($profile.displayName)" -ForegroundColor White
                    Write-Host "Profile ID: $($profile.id)" -ForegroundColor Gray
                    Write-Host "$($profile.EmptyGroupInfo)" -ForegroundColor Yellow
                    Write-Host ""
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - EDR" -Items @($profile) -AssignmentReason $profile.EmptyGroupInfo
                }
            }

            # Display Endpoint Security - Attack Surface Reduction Profiles
            Write-Host "`n------- Endpoint Security - ASR Profiles -------" -ForegroundColor Cyan
            if ($emptyGroupAssignments.AttackSurfaceProfiles.Count -eq 0) {
                Write-Host "No ASR Profiles assigned to empty groups" -ForegroundColor Gray
            }
            else {
                foreach ($profile in $emptyGroupAssignments.AttackSurfaceProfiles) {
                    Write-Host "ASR Profile Name: $($profile.displayName)" -ForegroundColor White
                    Write-Host "Profile ID: $($profile.id)" -ForegroundColor Gray
                    Write-Host "$($profile.EmptyGroupInfo)" -ForegroundColor Yellow
                    Write-Host ""
                    Add-ExportData -ExportData $exportData -Category "Endpoint Security - ASR" -Items @($profile) -AssignmentReason $profile.EmptyGroupInfo
                }
            }

            # Export results if requested
            Export-ResultsIfRequested -ExportData $exportData -DefaultFileName "IntuneEmptyGroupAssignments.csv" -ForceExport:$ExportToCSV -CustomExportPath $ExportPath
        }
        '10' {
            Write-Host "Compare Group Assignments chosen" -ForegroundColor Green

            # Get Group names to compare from parameter or prompt
            if ($parameterMode -and $CompareGroupNames) {
                $groupInput = $CompareGroupNames
            }
            else {
                # Prompt for Group names or IDs
                Write-Host "Please enter Group names or Object IDs to compare, separated by commas (,): " -ForegroundColor Cyan
                Write-Host "Example: 'Marketing Team, 12345678-1234-1234-1234-123456789012'" -ForegroundColor Gray
                $groupInput = Read-Host
            }
            
            $groupInputs = $groupInput -split ',' | ForEach-Object { $_.Trim() }

            if ($groupInputs.Count -lt 2) {
                Write-Host "Please provide at least two groups to compare." -ForegroundColor Red
                if ($parameterMode) { exit 1 } else { continue }
            }

            # Before caching starts, initialize the group assignments hashtable
            $groupAssignments = @{}

            # Process each group input
            $resolvedGroups = @{}
            foreach ($input in $groupInputs) {
                Write-Host "`nProcessing input: $input" -ForegroundColor Yellow

                # Initialize variables
                $groupId = $null
                $groupName = $null

                # Check if input is a GUID
                if ($input -match '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$') {
                    try {
                        # Get group info from Graph API
                        $groupUri = "$GraphEndpoint/v1.0/groups/$input"
                        $groupResponse = Invoke-MgGraphRequest -Uri $groupUri -Method Get
                        $groupId = $groupResponse.id
                        $groupName = $groupResponse.displayName
                        $resolvedGroups[$groupId] = $groupName
                
                        # Initialize collections for this group (Add HealthScripts here)
                        $groupAssignments[$groupName] = @{
                            DeviceConfigs      = [System.Collections.ArrayList]::new()
                            SettingsCatalog    = [System.Collections.ArrayList]::new()
                            AdminTemplates     = [System.Collections.ArrayList]::new()
                            CompliancePolicies = [System.Collections.ArrayList]::new()
                            RequiredApps       = [System.Collections.ArrayList]::new()
                            AvailableApps      = [System.Collections.ArrayList]::new()
                            AppsUninstall      = [System.Collections.ArrayList]::new()
                            PlatformScripts    = [System.Collections.ArrayList]::new()
                            HealthScripts      = [System.Collections.ArrayList]::new()
                        }
                
                        Write-Host "Found group by ID: $groupName" -ForegroundColor Green
                    }
                    catch {
                        Write-Host "No group found with ID: $input" -ForegroundColor Red
                        continue
                    }
                }
                else {
                    # Try to find group by display name
                    $groupUri = "$GraphEndpoint/v1.0/groups?`$filter=displayName eq '$input'"
                    $groupResponse = Invoke-MgGraphRequest -Uri $groupUri -Method Get

                    if ($groupResponse.value.Count -eq 0) {
                        Write-Host "No group found with name: $input" -ForegroundColor Red
                        continue
                    }
                    elseif ($groupResponse.value.Count -gt 1) {
                        Write-Host "Multiple groups found with name: $input. Please use the Object ID instead:" -ForegroundColor Red
                        foreach ($group in $groupResponse.value) {
                            Write-Host " - $($group.displayName) (ID: $($group.id))" -ForegroundColor Yellow
                        }
                        continue
                    }

                    $groupId = $groupResponse.value[0].id
                    $groupName = $groupResponse.value[0].displayName
                    $resolvedGroups[$groupId] = $groupName
            
                    # Initialize collections for this group (Add HealthScripts here)
                    $groupAssignments[$groupName] = @{
                        DeviceConfigs      = [System.Collections.ArrayList]::new()
                        SettingsCatalog    = [System.Collections.ArrayList]::new()
                        AdminTemplates     = [System.Collections.ArrayList]::new()
                        CompliancePolicies = [System.Collections.ArrayList]::new()
                        RequiredApps       = [System.Collections.ArrayList]::new()
                        AvailableApps      = [System.Collections.ArrayList]::new()
                        AppsUninstall      = [System.Collections.ArrayList]::new()
                        PlatformScripts    = [System.Collections.ArrayList]::new()
                        HealthScripts      = [System.Collections.ArrayList]::new()
                    }
            
                    Write-Host "Found group by name: $groupName (ID: $groupId)" -ForegroundColor Green
                }

                # Process Device Configurations
                $deviceConfigsUri = "$GraphEndpoint/beta/deviceManagement/deviceConfigurations"
                $deviceConfigsResponse = Invoke-MgGraphRequest -Uri $deviceConfigsUri -Method Get
                $allDeviceConfigs = $deviceConfigsResponse.value
                while ($deviceConfigsResponse.'@odata.nextLink') {
                    $deviceConfigsResponse = Invoke-MgGraphRequest -Uri $deviceConfigsResponse.'@odata.nextLink' -Method Get
                    $allDeviceConfigs += $deviceConfigsResponse.value
                }
                $totalDeviceConfigs = $allDeviceConfigs.Count
                $currentDeviceConfig = 0
                foreach ($config in $allDeviceConfigs) {
                    $currentDeviceConfig++
                    Write-Host "`rFetching Device Configuration $currentDeviceConfig of $totalDeviceConfigs" -NoNewline
                    $configId = $config.id
                    $assignmentsUri = "$GraphEndpoint/beta/deviceManagement/deviceConfigurations('$configId')/assignments"
                    $assignmentResponse = Invoke-MgGraphRequest -Uri $assignmentsUri -Method Get
            
                    if ($assignmentResponse.value | Where-Object { $_.target.groupId -eq $groupId }) {
                        [void]$groupAssignments[$groupName].DeviceConfigs.Add($config.displayName)
                    }
                }
                Write-Host "`rFetching Device Configuration $totalDeviceConfigs of $totalDeviceConfigs" -NoNewline
                Start-Sleep -Milliseconds 100
                Write-Host ""  # Move to the next line after the loop

                # Process Settings Catalog
                $settingsCatalogUri = "$GraphEndpoint/beta/deviceManagement/configurationPolicies"
                $settingsCatalogResponse = Invoke-MgGraphRequest -Uri $settingsCatalogUri -Method Get

                foreach ($policy in $settingsCatalogResponse.value) {
                    $policyId = $policy.id
                    $assignmentsUri = "$GraphEndpoint/beta/deviceManagement/configurationPolicies('$policyId')/assignments"
                    $assignmentResponse = Invoke-MgGraphRequest -Uri $assignmentsUri -Method Get

                    if ($assignmentResponse.value | Where-Object { $_.target.groupId -eq $groupId }) {
                        [void]$groupAssignments[$groupName].SettingsCatalog.Add($policy.name)
                    }
                }

                # Process Administrative Templates
                $adminTemplatesUri = "$GraphEndpoint/beta/deviceManagement/groupPolicyConfigurations"
                $adminTemplatesResponse = Invoke-MgGraphRequest -Uri $adminTemplatesUri -Method Get

                foreach ($template in $adminTemplatesResponse.value) {
                    $templateId = $template.id
                    $assignmentsUri = "$GraphEndpoint/beta/deviceManagement/groupPolicyConfigurations('$templateId')/assignments"
                    $assignmentResponse = Invoke-MgGraphRequest -Uri $assignmentsUri -Method Get

                    if ($assignmentResponse.value | Where-Object { $_.target.groupId -eq $groupId }) {
                        [void]$groupAssignments[$groupName].AdminTemplates.Add($template.displayName)
                    }
                }

                # Process Compliance Policies
                $complianceUri = "$GraphEndpoint/beta/deviceManagement/deviceCompliancePolicies"
                $complianceResponse = Invoke-MgGraphRequest -Uri $complianceUri -Method Get

                foreach ($policy in $complianceResponse.value) {
                    $policyId = $policy.id
                    $assignmentsUri = "$GraphEndpoint/beta/deviceManagement/deviceCompliancePolicies('$policyId')/assignments"
                    $assignmentResponse = Invoke-MgGraphRequest -Uri $assignmentsUri -Method Get

                    if ($assignmentResponse.value | Where-Object { $_.target.groupId -eq $groupId }) {
                        [void]$groupAssignments[$groupName].CompliancePolicies.Add($policy.displayName)
                    }
                }

                # Process Apps
                $appUri = "$GraphEndpoint/beta/deviceAppManagement/mobileApps?`$filter=isAssigned eq true"
                $appResponse = Invoke-MgGraphRequest -Uri $appUri -Method Get

                foreach ($app in $appResponse.value) {
                    # Skip built-in and Microsoft apps
                    if ($app.isFeatured -or $app.isBuiltIn) {
                        continue
                    }

                    $appId = $app.id
                    $assignmentsUri = "$GraphEndpoint/beta/deviceAppManagement/mobileApps('$appId')/assignments"
                    $assignmentResponse = Invoke-MgGraphRequest -Uri $assignmentsUri -Method Get

                    foreach ($assignment in $assignmentResponse.value) {
                        if ($assignment.target.groupId -eq $groupId) {
                            switch ($assignment.intent) {
                                "required" { [void]$groupAssignments[$groupName].RequiredApps.Add($app.displayName) }
                                "available" { [void]$groupAssignments[$groupName].AvailableApps.Add($app.displayName) }
                                "uninstall" { [void]$groupAssignments[$groupName].UninstallApps.Add($app.displayName) }
                            }
                        }
                    }
                }

                # Process Platform Scripts (PowerShell)
                $scriptsUri = "$GraphEndpoint/beta/deviceManagement/deviceManagementScripts"
                $scriptsResponse = Invoke-MgGraphRequest -Uri $scriptsUri -Method Get
                # For PowerShell scripts, we need to check the script type
                foreach ($script in $scriptsResponse.value) {
                    $scriptId = $script.id
                    $assignmentsUri = "$GraphEndpoint/beta/deviceManagement/deviceManagementScripts('$scriptId')/assignments"
                    $assignmentResponse = Invoke-MgGraphRequest -Uri $assignmentsUri -Method Get

                    if ($assignmentResponse.value | Where-Object { $_.target.groupId -eq $groupId }) {
                        $scriptInfo = "$($script.displayName) (PowerShell)"
                        [void]$groupAssignments[$groupName].PlatformScripts.Add($scriptInfo)
                    }
                }

                # Process Shell Scripts (macOS)
                $shellScriptsUri = "$GraphEndpoint/beta/deviceManagement/deviceShellScripts"
                $shellScriptsResponse = Invoke-MgGraphRequest -Uri $shellScriptsUri -Method Get
                # For Shell scripts, we need to check the script type
                foreach ($script in $shellScriptsResponse.value) {
                    $scriptId = $script.id
                    $assignmentsUri = "$GraphEndpoint/beta/deviceManagement/deviceShellScripts('$scriptId')/groupAssignments"
                    $assignmentResponse = Invoke-MgGraphRequest -Uri $assignmentsUri -Method Get

                    if ($assignmentResponse.value | Where-Object { $_.targetGroupId -eq $groupId }) {
                        $scriptInfo = "$($script.displayName) (Shell)"
                        [void]$groupAssignments[$groupName].PlatformScripts.Add($scriptInfo)
                    }
                }

                # Fetch and process Proactive Remediation Scripts (deviceHealthScripts)
                $healthScriptsUri = "$GraphEndpoint/beta/deviceManagement/deviceHealthScripts"
                $healthScriptsResponse = Invoke-MgGraphRequest -Uri $healthScriptsUri -Method Get
                foreach ($script in $healthScriptsResponse.value) {
                    $scriptId = $script.id
                    $assignmentsUri = "$GraphEndpoint/beta/deviceManagement/deviceHealthScripts('$scriptId')/assignments"
                    $assignmentResponse = Invoke-MgGraphRequest -Uri $assignmentsUri -Method Get

                    if ($assignmentResponse.value | Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget' -and $_.target.groupId -eq $groupId }) {
                        [void]$groupAssignments[$groupName].HealthScripts.Add($script.displayName)
                    }
                }

                # Get Endpoint Security - Antivirus Policies
                $allIntentsForAntivirusCompare = Get-IntuneEntities -EntityType "deviceManagement/intents"
                $antivirusPolicies = $allIntentsForAntivirusCompare | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAntivirus' }
                if ($antivirusPolicies) {
                    foreach ($policy in $antivirusPolicies) {
                        $assignments = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                        if ($assignments.value | Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget' -and $_.target.groupId -eq $groupId }) {
                            [void]$groupAssignments[$groupName].AntivirusProfiles.Add($policy.displayName)
                        }
                    }
                }

                # Get Endpoint Security - Disk Encryption Policies
                $allIntentsForDiskEncCompare = Get-IntuneEntities -EntityType "deviceManagement/intents"
                $diskEncryptionPolicies = $allIntentsForDiskEncCompare | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityDiskEncryption' }
                if ($diskEncryptionPolicies) {
                    foreach ($policy in $diskEncryptionPolicies) {
                        $assignments = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                        if ($assignments.value | Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget' -and $_.target.groupId -eq $groupId }) {
                            [void]$groupAssignments[$groupName].DiskEncryptionProfiles.Add($policy.displayName)
                        }
                    }
                }

                # Get Endpoint Security - Firewall Policies
                $allIntentsForFirewallCompare = Get-IntuneEntities -EntityType "deviceManagement/intents"
                $firewallPolicies = $allIntentsForFirewallCompare | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityFirewall' }
                if ($firewallPolicies) {
                    foreach ($policy in $firewallPolicies) {
                        $assignments = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                        if ($assignments.value | Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget' -and $_.target.groupId -eq $groupId }) {
                            [void]$groupAssignments[$groupName].FirewallProfiles.Add($policy.displayName)
                        }
                    }
                }

                # Get Endpoint Security - Endpoint Detection and Response Policies
                $allIntentsForEDRCompare = Get-IntuneEntities -EntityType "deviceManagement/intents"
                $edrPolicies = $allIntentsForEDRCompare | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityEndpointDetectionAndResponse' }
                if ($edrPolicies) {
                    foreach ($policy in $edrPolicies) {
                        $assignments = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                        if ($assignments.value | Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget' -and $_.target.groupId -eq $groupId }) {
                            [void]$groupAssignments[$groupName].EndpointDetectionProfiles.Add($policy.displayName)
                        }
                    }
                }

                # Get Endpoint Security - Attack Surface Reduction Policies
                $allIntentsForASRCompare = Get-IntuneEntities -EntityType "deviceManagement/intents"
                $asrPolicies = $allIntentsForASRCompare | Where-Object { $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAttackSurfaceReductionRules' }
                if ($asrPolicies) {
                    foreach ($policy in $asrPolicies) {
                        $assignments = Invoke-MgGraphRequest -Uri "$GraphEndpoint/beta/deviceManagement/intents/$($policy.id)/assignments" -Method Get
                        if ($assignments.value | Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget' -and $_.target.groupId -eq $groupId }) {
                            [void]$groupAssignments[$groupName].AttackSurfaceProfiles.Add($policy.displayName)
                        }
                    }
                }
            }

            # Comparison Results section
            Write-Host "`nComparison Results:" -ForegroundColor Cyan
            Write-Host "Comparing assignments between groups:" -ForegroundColor White
            foreach ($groupName in $groupAssignments.Keys) {
                Write-Host " • $groupName" -ForegroundColor White
            }
            Write-Host ""

            # Update categories to include "Proactive Remediation Scripts"
            $categories = @{
                "Settings Catalog"                    = "SettingsCatalog"
                "Administrative Templates"            = "AdminTemplates"
                "Compliance Policies"                 = "CompliancePolicies"
                "Available Apps"                      = "AvailableApps"
                "Required Apps"                       = "RequiredApps"
                "Platform Scripts"                    = "PlatformScripts"
                "Device Configurations"               = "DeviceConfigs"
                "Uninstall Apps"                      = "UninstallApps"
                "Proactive Remediation Scripts"       = "HealthScripts"
                "Endpoint Security - Antivirus"       = "AntivirusProfiles"
                "Endpoint Security - Disk Encryption" = "DiskEncryptionProfiles"
                "Endpoint Security - Firewall"        = "FirewallProfiles"
                "Endpoint Security - EDR"             = "EndpointDetectionProfiles"
                "Endpoint Security - ASR"             = "AttackSurfaceProfiles"
            }

            # First pass to collect all unique policies
            $uniquePolicies = [System.Collections.ArrayList]@()
            foreach ($groupName in $groupAssignments.Keys) {
                foreach ($categoryKey in $categories.Values) {
                    foreach ($policy in $groupAssignments[$groupName][$categoryKey]) {
                        if ($uniquePolicies -notcontains $policy) {
                            $null = $uniquePolicies.Add($policy)
                        }
                    }
                }
            }

            Write-Host "Found $($uniquePolicies.Count) unique policies/apps/scripts across all groups`n" -ForegroundColor Yellow

            # Display comparison for each category
            foreach ($category in $categories.Keys) {
                $categoryKey = $categories[$category]

                Write-Host "=== $category ===" -ForegroundColor Cyan
                $foundAssignments = $false

                foreach ($policy in $uniquePolicies) {
                    $assignedGroups = @()
                    foreach ($groupName in $groupAssignments.Keys) {
                        if ($groupAssignments[$groupName][$categoryKey] -contains $policy) {
                            $assignedGroups += $groupName
                        }
                    }

                    if ($assignedGroups.Count -gt 0) {
                        $foundAssignments = $true
                        Write-Host "📋 Policy: " -NoNewline -ForegroundColor White
                        Write-Host "$policy" -ForegroundColor Yellow

                        if ($assignedGroups.Count -gt 1) {
                            Write-Host " 🔗 Shared Assignment!" -ForegroundColor Magenta
                        }

                        Write-Host " ✅ Assigned to: " -NoNewline -ForegroundColor Green
                        Write-Host "$($assignedGroups -join ', ')" -ForegroundColor White

                        $notAssignedGroups = $groupAssignments.Keys | Where-Object { $assignedGroups -notcontains $_ }
                        if ($notAssignedGroups) {
                            Write-Host " ❌ Not assigned to: " -NoNewline -ForegroundColor Red
                            Write-Host "$($notAssignedGroups -join ', ')" -ForegroundColor White
                        }
                        Write-Host ""
                    }
                }

                if (-not $foundAssignments) {
                    Write-Host "No assignments found in this category" -ForegroundColor Gray
                    Write-Host ""
                }
            }

            # Summary section
            Write-Host "=== Summary ===" -ForegroundColor Cyan
            foreach ($groupName in $groupAssignments.Keys) {
                $totalAssignments = 0
                foreach ($categoryKey in $categories.Values) {
                    $totalAssignments += $groupAssignments[$groupName][$categoryKey].Count
                }
                Write-Host "$groupName has $totalAssignments total assignments" -ForegroundColor Yellow
            }
            Write-Host ""

            # Create comparison results
            $comparisonResults = [System.Collections.ArrayList]@()
            foreach ($category in $categories.Keys) {
                $categoryKey = $categories[$category]
                foreach ($policy in $uniquePolicies) {
                    $assignedGroups = @()
                    foreach ($groupName in $groupAssignments.Keys) {
                        if ($groupAssignments[$groupName][$categoryKey] -contains $policy) {
                            $assignedGroups += $groupName
                        }
                    }

                    if ($assignedGroups.Count -gt 0) {
                        [void]$comparisonResults.Add([PSCustomObject]@{
                                Category           = $category
                                PolicyName         = $policy
                                AssignedTo         = $assignedGroups -join '; '
                                NotAssignedTo      = ($groupAssignments.Keys | Where-Object { $assignedGroups -notcontains $_ }) -join '; '
                                IsSharedAssignment = ($assignedGroups.Count -gt 1)
                            })
                    }
                }
            }
            
            # Export results if requested
            if ($ExportToCSV -or -not $parameterMode) {
                $exportPath = if ($ExportPath) {
                    $ExportPath
                }
                elseif (-not $parameterMode) {
                    $export = Read-Host "Would you like to export the comparison results to CSV? (y/n)"
                    if ($export -eq 'y') {
                        Show-SaveFileDialog -DefaultFileName "IntuneGroupAssignmentComparison.csv"
                    }
                    else {
                        $null
                    }
                }
                else {
                    $null
                }
                
                if ($exportPath) {
                    $comparisonResults | Export-Csv -Path $exportPath -NoTypeInformation
                    Write-Host "Results exported to $exportPath" -ForegroundColor Green
                }
            }
        }

        '11' {
            Write-Host "Fetching all failed assignments..." -ForegroundColor Green
            $exportData = [System.Collections.ArrayList]::new()
            
            # Get all failed assignments
            $failedAssignments = Get-AssignmentFailures
            
            if ($failedAssignments.Count -eq 0) {
                Write-Host "`nNo assignment failures found!" -ForegroundColor Green
            }
            else {
                Write-Host "`nFound $($failedAssignments.Count) assignment failures:" -ForegroundColor Yellow
                
                # Group by type for better display
                $groupedFailures = $failedAssignments | Group-Object -Property Type
                
                foreach ($group in $groupedFailures) {
                    Write-Host "`n=== $($group.Name) Failures ($($group.Count)) ===" -ForegroundColor Cyan
                    
                    foreach ($failure in $group.Group) {
                        Write-Host "`nPolicy: $($failure.PolicyName)" -ForegroundColor White
                        Write-Host "Device: $($failure.Target -replace 'Device: ', '')" -ForegroundColor Gray
                        Write-Host "Reason: $($failure.ErrorCode)" -ForegroundColor White
                        if ($failure.LastAttempt -and $failure.LastAttempt -ne "01/01/0001 00:00:00") {
                            Write-Host "Last Attempt: $($failure.LastAttempt)" -ForegroundColor Gray
                        }
                        
                        # Add to export data
                        $null = $exportData.Add([PSCustomObject]@{
                                Type             = $failure.Type
                                PolicyName       = $failure.PolicyName
                                Target           = $failure.Target
                                ErrorCode        = $failure.ErrorCode
                                ErrorDescription = $failure.ErrorDescription
                                LastAttempt      = $failure.LastAttempt
                            })
                    }
                }
                
                # Export if requested
                Export-ResultsIfRequested -ExportData $exportData -ExportPath $ExportPath -ForceExport:$false
            }
        }

        '0' {
            Write-Host "Disconnecting from Microsoft Graph..." -ForegroundColor Yellow
            Disconnect-MgGraph | Out-Null
            Write-Host "Thank you for using IntuneAssignmentChecker! 👋" -ForegroundColor Green
            Write-Host "If you found this tool helpful, please consider:" -ForegroundColor Cyan
            Write-Host "- Starring the repository: https://github.com/ugurkocde/IntuneAssignmentChecker" -ForegroundColor White
            Write-Host "- Supporting the project: https://github.com/sponsors/ugurkocde" -ForegroundColor White
            Write-Host ""
            exit
        }
        '98' {
            Write-Host "Opening GitHub Sponsor Page ..." -ForegroundColor Green
            Start-Process "https://github.com/sponsors/ugurkocde"
        }
        '99' {
            Write-Host "Opening GitHub Repository..." -ForegroundColor Green
            Start-Process "https://github.com/ugurkocde/IntuneAssignmentChecker"
        }
        default {
            Write-Host "Invalid choice, please select 1-11, 98, 99, or 0." -ForegroundColor Red
        }
    }

    # In parameter mode, exit after completing the task
    # In interactive mode, return to the menu unless exit was selected
    if ($selection -ne '0') {
        if ($parameterMode) {
            # Exit after completing the task in parameter mode
            break
        }
        else {
            # Return to menu in interactive mode
            Write-Host "Press any key to return to the main menu..." -ForegroundColor Cyan
            $null = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
        }
    }
} while ($selection -ne '0')