IntuneAssignmentChecker

4.3.0

Analyze and audit Microsoft Intune policy assignments. Check user, group, and device assignments, simulate group membership changes, search policies and settings, generate HTML reports, and more.

Minimum PowerShell version

7.0

Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Module -Name IntuneAssignmentChecker

Copy and Paste the following command to install this package using Microsoft.PowerShell.PSResourceGet More Info

Install-PSResource -Name IntuneAssignmentChecker

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More

Owners

Copyright

(c) Ugur Koc. All rights reserved.

Package Details

Author(s)

  • Ugur Koc

Tags

Intune MEM Endpoint Assignment Policy Settings Audit Microsoft Graph

Functions

Invoke-IntuneAssignmentChecker Connect-IntuneAssignmentChecker Get-IntuneUserAssignment Get-IntuneGroupAssignment Get-IntuneDeviceAssignment Get-IntuneUserDeviceAssignment Get-IntuneAllPolicies Get-IntuneAllUsersAssignment Get-IntuneAllDevicesAssignment New-IntuneHTMLReport Get-IntuneUnassignedPolicy Get-IntuneEmptyGroup Compare-IntuneGroupAssignment Get-IntuneFailedAssignment Test-IntuneGroupMembership Test-IntuneGroupRemoval Search-IntunePolicy Search-IntuneSetting Update-IntuneSettingDefinition

Dependencies

Release Notes

Version 4.3.0:
- Show applications where the checked group is excluded in Get-IntuneGroupAssignment; Compare-IntuneGroupAssignment now marks excluded apps with [EXCLUDED] (issue #126).
- Rebuild the ten category-walk cmdlets on a shared scan engine: entity sets are fetched once per run (dozens fewer Graph calls), transient per-category failures no longer abort a run, and errors are raised on the error stream for automation (issue #123).
- Fix App Protection policies showing for every user regardless of group membership, app intent misclassification, broken multi-device input, junk rows in CSV exports, missing pagination past 100 items in group memberships / comparisons / assignment failures, and Get-IntuneEmptyGroup categories that were displayed but never checked.
- Security hardening: HTML-encode report values, escape OData group-name filters, URL-encode guest UPNs, add -ClientSecretCredential (PSCredential) as the preferred client secret input.
- Fix EDR policies missing from HTML reports due to a template mapping typo.
- Switch-Tenant now connects with the correct permission scopes and refreshes cached filter and group lookups.
- Register-IntuneAssignmentCheckerApp grants all documented permissions, uses a cross-platform temp path, and cleans up its temporary client secret on failure (issue #124).

Version 4.2.0:
- Add -AccessToken (SecureString) parameter for non-interactive authentication using a pre-fetched Microsoft Graph token (Azure Automation managed identities, Azure Functions, federated credentials, parent-script Connect-MgGraph sessions).
- Extend Test-IntuneGroupMembership and Test-IntuneGroupRemoval to accept a Device in addition to a User. The simulation now unions user-side and device-side group memberships.
- Add Option 16: What-If for a User on a specific Device. Lists every policy and app that would apply to that user/device pair, with a Source column indicating whether each assignment came from the user, the device, or both.

Version 4.1.0:
- Show Intune assignment filters on all assignments (issue #122). Filter name and include/exclude type now appear in console output, CSV exports, and HTML reports across all assignment, simulation, and search cmdlets.
- Add Get-AssignmentFilterLookup to cache filter metadata at connection time.

Version 4.0.0:
- BREAKING: Converted from script to PowerShell module (use Install-Module instead of Install-Script)
- Add Option 12: Simulate Group Membership Impact
- Add Option 13: Simulate Removing User from Group
- Add Option 14: Search Policy Assignments (reverse lookup)
- Add Option 15: Search for Specific Settings (across Settings Catalog and Endpoint Security)
- Add terminal-width-aware separators
- Add UPN format validation before network calls
- Normalize y/n prompts to accept Y/y/Yes/yes
- Fix app platform detection showing Windows apps (win32LobApp, winGetApp, microsoftStoreForBusinessApp, officeSuiteApp) as Multi-Platform in HTML report
- Remove deprecated groupPolicyConfigurations (Administrative Templates) policy type
- Migrate deviceStatuses API endpoints
- Fix hardcoded Graph URLs to use dynamic GraphEndpoint
- All features available as individual cmdlets (e.g., Get-IntuneUserAssignment, Search-IntuneSetting)

FileList

Version History

Version Downloads Last updated
4.3.0 (current version) 20 7/3/2026
4.2.0 1,892 4/28/2026
4.1.0 85 4/27/2026
4.0.0 188 4/21/2026