bulk-delete-intune.ps1
|
[System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '', Scope='Function', Target='Get-MSGraphAllPages')] <#PSScriptInfo .VERSION 2.0.0 .GUID 35fb7c4b-4114-42a0-a2dd-09a6085cb542 .AUTHOR AndrewTaylor .DESCRIPTION Bulk Deletes Intune policies, Conditional Access, AAD Groups, Proactive Remediations and more .COMPANYNAME .COPYRIGHT GPL .TAGS intune endpoint MEM environment .LICENSEURI https://github.com/andrew-s-taylor/public/blob/main/LICENSE .PROJECTURI https://github.com/andrew-s-taylor/public .ICONURI .EXTERNALMODULEDEPENDENCIES .REQUIREDSCRIPTS .EXTERNALSCRIPTDEPENDENCIES .RELEASENOTES #> <# .SYNOPSIS Deleted Intune Policies .DESCRIPTION Bulk Deletes Intune policies, Conditional Access, AAD Groups, Proactive Remediations and more .INPUTS None .OUTPUTS Creates a log file in %Temp% .NOTES Version: 2.0.0 Author: Andrew Taylor Twitter: @AndrewTaylor_2 WWW: andrewstaylor.com Creation Date: 16/09/2022 Amended Date: 06/10/2022 Amended Date: 30/10/2022 Purpose/Change: Initial script development Change: Added support for PowerShell script deletion Change: Switched to MS Graph API .EXAMPLE N/A #> $ErrorActionPreference = "Continue" ##Start Logging to %TEMP%\intune.log $date = get-date -format yyyyMMddTHHmmssffff Start-Transcript -Path $env:TEMP\intune-delete-$date.log Write-Host "Installing Microsoft Graph modules if required (current user scope)" #Install MS Graph if not available if (Get-Module -ListAvailable -Name Microsoft.Graph) { Write-Host "Microsoft Graph Already Installed" } else { try { Install-Module -Name Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force } catch [Exception] { $_.message exit } } # Load the Graph module Import-Module microsoft.graph.intune import-module microsoft.graph.authentication #Connect to Graph Select-MgProfile -Name Beta Connect-MgGraph -Scopes RoleAssignmentSchedule.ReadWrite.Directory, Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All, Policy.ReadWrite.ConditionalAccess, DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, openid, profile, email, offline_access Connect-MSGraph ############################################################################################################### ###### Add Functions ###### ############################################################################################################### ############################################################################################################### function Get-MSGraphAllPages { [CmdletBinding( ConfirmImpact = 'Medium', DefaultParameterSetName = 'SearchResult' )] param ( [Parameter(Mandatory = $true, ParameterSetName = 'NextLink', ValueFromPipelineByPropertyName = $true)] [ValidateNotNullOrEmpty()] [Alias('@odata.nextLink')] [string]$NextLink, [Parameter(Mandatory = $true, ParameterSetName = 'SearchResult', ValueFromPipeline = $true)] [ValidateNotNull()] [PSObject]$SearchResult ) begin {} process { if ($PSCmdlet.ParameterSetName -eq 'SearchResult') { # Set the current page to the search result provided $page = $SearchResult # Extract the NextLink $currentNextLink = $page.'@odata.nextLink' # We know this is a wrapper object if it has an "@odata.context" property if (Get-Member -InputObject $page -Name '@odata.context' -Membertype Properties) { $values = $page.value } else { $values = $page } # Output the values if ($values) { $values | Write-Output } } while (-Not ([string]::IsNullOrWhiteSpace($currentNextLink))) { # Make the call to get the next page try { $page = Get-MSGraphNextPage -NextLink $currentNextLink } catch { throw } # Extract the NextLink $currentNextLink = $page.'@odata.nextLink' # Output the items in the page $values = $page.value if ($values) { $values | Write-Output } } } end {} } ############################################################################################################# Function Get-DeviceConfigurationPolicyGP(){ <# .SYNOPSIS This function is used to get device configuration policies from the Graph API REST interface - Group Policies .DESCRIPTION The function connects to the Graph API Interface and gets any device configuration policies .EXAMPLE Get-DeviceConfigurationPolicy Returns any device configuration policies configured in Intune .NOTES NAME: Get-DeviceConfigurationPolicyGP #> [cmdletbinding()] param ( $id ) $graphApiVersion = "beta" $DCP_resource = "deviceManagement/groupPolicyConfigurations" try { if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)?`$filter=id eq '$id'" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).value } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value } } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host } } ############################################################################################################# Function Get-ConditionalAccessPolicy(){ <# .SYNOPSIS This function is used to get conditional access policies from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any conditional access policies .EXAMPLE Get-ConditionalAccessPolicy Returns any conditional access policies in Azure .NOTES NAME: Get-ConditionalAccessPolicy #> [cmdletbinding()] param ( $id ) try { if($id){ Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $id } else { Get-MgIdentityConditionalAccessPolicy } } catch { } } #################################################### Function Get-DeviceConfigurationPolicy(){ <# .SYNOPSIS This function is used to get device configuration policies from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any device configuration policies .EXAMPLE Get-DeviceConfigurationPolicy Returns any device configuration policies configured in Intune .NOTES NAME: Get-DeviceConfigurationPolicy #> [cmdletbinding()] param ( $id ) $graphApiVersion = "beta" $DCP_resource = "deviceManagement/deviceConfigurations" try { if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)?`$filter=id eq '$id'" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).value } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value } } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host } } ########################################################################################## Function Get-GroupPolicyConfigurationsDefinitionValues() { <# .SYNOPSIS This function is used to get device configuration policies from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any device configuration policies .EXAMPLE Get-DeviceConfigurationPolicy Returns any device configuration policies configured in Intune .NOTES NAME: Get-GroupPolicyConfigurations #> [cmdletbinding()] Param ( [Parameter(Mandatory = $true)] [string]$GroupPolicyConfigurationID ) $graphApiVersion = "Beta" #$DCP_resource = "deviceManagement/groupPolicyConfigurations/$GroupPolicyConfigurationID/definitionValues?`$filter=enabled eq true" $DCP_resource = "deviceManagement/groupPolicyConfigurations/$GroupPolicyConfigurationID/definitionValues" try { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host break } } #################################################### Function Get-GroupPolicyConfigurationsDefinitionValuesPresentationValues() { <# .SYNOPSIS This function is used to get device configuration policies from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any device configuration policies .EXAMPLE Get-DeviceConfigurationPolicy Returns any device configuration policies configured in Intune .NOTES NAME: Get-GroupPolicyConfigurations #> [cmdletbinding()] Param ( [Parameter(Mandatory = $true)] [string]$GroupPolicyConfigurationID, [string]$GroupPolicyConfigurationsDefinitionValueID ) $graphApiVersion = "Beta" $DCP_resource = "deviceManagement/groupPolicyConfigurations/$GroupPolicyConfigurationID/definitionValues/$GroupPolicyConfigurationsDefinitionValueID/presentationValues" try { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host break } } Function Get-GroupPolicyConfigurationsDefinitionValuesdefinition () { <# .SYNOPSIS This function is used to get device configuration policies from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any device configuration policies .EXAMPLE Get-DeviceConfigurationPolicy Returns any device configuration policies configured in Intune .NOTES NAME: Get-GroupPolicyConfigurations #> [cmdletbinding()] Param ( [Parameter(Mandatory = $true)] [string]$GroupPolicyConfigurationID, [Parameter(Mandatory = $true)] [string]$GroupPolicyConfigurationsDefinitionValueID ) $graphApiVersion = "Beta" $DCP_resource = "deviceManagement/groupPolicyConfigurations/$GroupPolicyConfigurationID/definitionValues/$GroupPolicyConfigurationsDefinitionValueID/definition" try { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" $responseBody = Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host break } $responseBody } Function Get-GroupPolicyDefinitionsPresentations () { <# .SYNOPSIS This function is used to get device configuration policies from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any device configuration policies .EXAMPLE Get-DeviceConfigurationPolicy Returns any device configuration policies configured in Intune .NOTES NAME: Get-GroupPolicyConfigurations #> [cmdletbinding()] Param ( [Parameter(Mandatory = $true)] [string]$groupPolicyDefinitionsID, [Parameter(Mandatory = $true)] [string]$GroupPolicyConfigurationsDefinitionValueID ) $graphApiVersion = "Beta" $DCP_resource = "deviceManagement/groupPolicyConfigurations/$groupPolicyDefinitionsID/definitionValues/$GroupPolicyConfigurationsDefinitionValueID/presentationValues?`$expand=presentation" try { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value.presentation } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host break } } #################################################### Function Get-DeviceConfigurationPolicySC(){ <# .SYNOPSIS This function is used to get device configuration policies from the Graph API REST interface - SETTINGS CATALOG .DESCRIPTION The function connects to the Graph API Interface and gets any device configuration policies .EXAMPLE Get-DeviceConfigurationPolicySC Returns any device configuration policies configured in Intune .NOTES NAME: Get-DeviceConfigurationPolicySC #> [cmdletbinding()] param ( $id ) $graphApiVersion = "beta" $DCP_resource = "deviceManagement/configurationPolicies" try { if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)?`$filter=id eq '$id'" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).value } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value } } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host } } #################################################### Function Get-MobileApps(){ <# .SYNOPSIS This function is used to get applications from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any mobile applications .EXAMPLE Get-MobileApps Returns any applications configured in Intune .NOTES NAME: Get-MobileApps #> [cmdletbinding()] param ( $id ) $graphApiVersion = "beta" $DCP_resource = "deviceAppManagement/mobileApps" try { if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)/$id" Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).value } } catch { } } ################################################################################################ #################################################### Function Get-DeviceProactiveRemediations(){ <# .SYNOPSIS This function is used to get device proactive remediations from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any device proactive remediations .EXAMPLE Get-DeviceproactiveRemediations Returns any device proactive remediations configured in Intune .NOTES NAME: Get-Deviceproactiveremediations #> [cmdletbinding()] param ( $id ) $graphApiVersion = "beta" $DCP_resource = "deviceManagement/devicehealthscripts" try { if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)/$id" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject) } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value } } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); #Write-Host "Response content:`n$responseBody" -f Red #Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" #write-host } } ################################################################################################ Function Get-DeviceCompliancePolicy(){ <# .SYNOPSIS This function is used to get device compliance policies from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any device compliance policies .EXAMPLE Get-DeviceCompliancepolicy Returns any device compliance policies configured in Intune .NOTES NAME: Get-devicecompliancepolicy #> [cmdletbinding()] param ( $id ) $graphApiVersion = "beta" $DCP_resource = "deviceManagement/deviceCompliancePolicies" try { if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)?`$filter=id eq '$id'" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).value } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value } } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host } } ################################################################################################# Function Get-DeviceSecurityPolicy(){ <# .SYNOPSIS This function is used to get device security policies from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any device security policies .EXAMPLE Get-DeviceSecurityPolicy Returns any device compliance policies configured in Intune .NOTES NAME: Get-DeviceSecurityPolicy #> [cmdletbinding()] param ( $id ) $graphApiVersion = "beta" $DCP_resource = "deviceManagement/intents" try { if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)?`$filter=id eq '$id'" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).value } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value } } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host } } ################################################################################################# Function Get-ManagedAppProtectionAndroid(){ <# .SYNOPSIS This function is used to get managed app protection configuration from the Graph API REST interface Android .DESCRIPTION The function connects to the Graph API Interface and gets any managed app protection policy Android .EXAMPLE Get-ManagedAppProtectionAndroid .NOTES NAME: Get-ManagedAppProtectionAndroid #> param ( $id ) $graphApiVersion = "Beta" try { $Resource = "deviceAppManagement/androidManagedAppProtections" if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$Resource('$id')" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject) } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$Resource" Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject } } catch { } } ################################################################################################# Function Get-ManagedAppProtectionIOS(){ <# .SYNOPSIS This function is used to get managed app protection configuration from the Graph API REST interface IOS .DESCRIPTION The function connects to the Graph API Interface and gets any managed app protection policy IOS .EXAMPLE Get-ManagedAppProtectionIOS .NOTES NAME: Get-ManagedAppProtectionIOS #> param ( $id ) $graphApiVersion = "Beta" try { $Resource = "deviceAppManagement/iOSManagedAppProtections" if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$Resource('$id')" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject) } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$Resource" Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject } } catch { } } #################################################### Function Get-GraphAADGroups(){ <# .SYNOPSIS This function is used to get AAD Groups from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any AAD Groups .EXAMPLE Get-GraphAADGroups Returns any AAD Groups .NOTES NAME: Get-GraphAADGroups #> [cmdletbinding()] param ( $id ) $graphApiVersion = "beta" $DCP_resource = "Groups" try { if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)/$id" Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)?`$Filter=onPremisesSyncEnabled ne true&`$count=true" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value } } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); #Write-Host "Response content:`n$responseBody" -f Red #Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" #write-host } } ################################################################################################# Function Get-AutoPilotProfile(){ <# .SYNOPSIS This function is used to get autopilot profiles from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any autopilot profiles .EXAMPLE Get-AutoPilotProfile Returns any autopilot profiles configured in Intune .NOTES NAME: Get-AutoPilotProfile #> [cmdletbinding()] param ( $id ) $graphApiVersion = "beta" $DCP_resource = "deviceManagement/windowsAutopilotDeploymentProfiles" try { if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)?`$filter=id eq '$id'" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).value } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value } } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host } } ################################################################################################# Function Get-PowerShellScripts(){ <# .SYNOPSIS This function is used to get PowerShell Scripts from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any PowerShell Scripts .EXAMPLE Get-PowerShellScripts Returns any PowerShell Scripts configured in Intune .NOTES NAME: Get-PowerShellScripts #> [cmdletbinding()] param ( $id ) $graphApiVersion = "beta" $DCP_resource = "deviceManagement/deviceManagementScripts" try { if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)/$id" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject) } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value } } catch { } } ################################################################################################# Function Get-AutoPilotESP(){ <# .SYNOPSIS This function is used to get autopilot ESP from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any autopilot ESP .EXAMPLE Get-AutoPilotESP Returns any autopilot ESPs configured in Intune .NOTES NAME: Get-AutoPilotESP #> [cmdletbinding()] param ( $id ) $graphApiVersion = "beta" $DCP_resource = "deviceManagement/deviceEnrollmentConfigurations" try { if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)?`$filter=id eq '$id'" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).value } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value } } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host } } ################################################################################################# Function Get-DecryptedDeviceConfigurationPolicy(){ <# .SYNOPSIS This function is used to decrypt device configuration policies from an json array with the use of the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and decrypt Windows custom device configuration policies that is encrypted .EXAMPLE Decrypt-DeviceConfigurationPolicy -dcps $DCPs Returns any device configuration policies configured in Intune in clear text without encryption .NOTES NAME: Decrypt-DeviceConfigurationPolicy #> [cmdletbinding()] param ( $dcpid ) $graphApiVersion = "Beta" $DCP_resource = "deviceManagement/deviceConfigurations" $dcp = Get-DeviceConfigurationPolicy -id $dcpid if ($dcp.'@odata.type' -eq "#microsoft.graph.windows10CustomConfiguration") { # Convert policy of type windows10CustomConfiguration foreach ($omaSetting in $dcp.omaSettings) { try { if ($omaSetting.isEncrypted -eq $true) { $DCP_resource_function = "$($DCP_resource)/$($dcp.id)/getOmaSettingPlainTextValue(secretReferenceValueId='$($omaSetting.secretReferenceValueId)')" $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource_function)" $value = ((Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value) #Remove any unnecessary properties $omaSetting.PsObject.Properties.Remove("isEncrypted") $omaSetting.PsObject.Properties.Remove("secretReferenceValueId") $omaSetting.value = $value } } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host break } } } $dcp } ############################################################################################################### ###### MS Graph Implementations ###### ############################################################################################################### ############################################################################################################### ###### Grab the Profiles ###### ############################################################################################################### ##Connect to Azure AD for Conditional Access Policies $profiles = @() $configuration = @() ##Get Config Policies $configuration += Get-DeviceConfigurationPolicy | Select-Object ID, DisplayName, Description, @{N='Type';E={"Config Policy"}} ##Get Admin Template Policies $configuration += Get-DeviceConfigurationPolicyGP | Select-Object ID, DisplayName, Description, @{N='Type';E={"Admin Template"}} ##Get Settings Catalog Policies $configuration += Get-DeviceConfigurationPolicySC | Select-Object ID, @{N='DisplayName';E={$_.Name}}, Description , @{N='Type';E={"Settings Catalog"}} ##Get Compliance Policies $configuration += Get-DeviceCompliancePolicy | Select-Object ID, DisplayName, Description, @{N='Type';E={"Compliance Policy"}} ##Get Proactive Remediations $configuration += Get-DeviceProactiveRemediations | Select-Object ID, DisplayName, Description, @{N='Type';E={"Proactive Remediation"}} ##Get PowerShell Scripts $configuration += Get-PowerShellScripts | Select-Object ID, DisplayName, Description, @{N='Type';E={"PowerShell Script"}} ##Get Security Policies $configuration += Get-DeviceSecurityPolicy | Select-Object ID, DisplayName, Description, @{N='Type';E={"Security Policy"}} ##Get Autopilot Profiles $configuration += Get-AutoPilotProfile | Select-Object ID, DisplayName, Description, @{N='Type';E={"Autopilot Profile"}} ##Get AAD Groups $configuration += Get-GraphAADGroups | Select-Object ID, DisplayName, Description, @{N='Type';E={"AAD Group"}} ##Get Autopilot ESP $configuration += Get-AutoPilotESP | Select-Object ID, DisplayName, Description, @{N='Type';E={"Autopilot ESP"}} ##Get Mobile Apps $configuration += Get-MobileApps | Select-Object ID, DisplayName, Description, @{N='Type';E={$_.'@odata.type'}} ##Get App Protection Policies #Android $androidapp = Get-ManagedAppProtectionAndroid | Select-Object -expandproperty Value $configuration += $androidapp | Select-Object ID, DisplayName, Description, @{N='Type';E={"Android App Protection"}} #IOS $iosapp = Get-ManagedAppProtectionios | Select-Object -expandproperty Value $configuration += $iosapp | Select-Object ID, DisplayName, Description, @{N='Type';E={"iOS App Protection"}} ##Get Conditional Access Policies $configuration += Get-ConditionalAccessPolicy | Select-Object ID, DisplayName, @{N='Type';E={"Conditional Access Policy"}} $configuration | Out-GridView -PassThru -Title "What would you like to delete?" | ForEach-Object { ##Find out what it is $id = $_.ID write-host $id $policy = Get-DeviceConfigurationPolicy -id $id $catalog = Get-DeviceConfigurationPolicysc -id $id $compliance = Get-DeviceCompliancePolicy -id $id $security = Get-DeviceSecurityPolicy -id $id $autopilot = Get-AutoPilotProfile -id $id $esp = Get-AutoPilotESP -id $id $android = Get-ManagedAppProtectionAndroid -id $id $ios = Get-ManagedAppProtectionios -id $id $gp = Get-DeviceConfigurationPolicyGP -id $id $ca = Get-ConditionalAccessPolicy -id $id $proac = Get-DeviceProactiveRemediations -id $id $aad = Get-GraphAADGroups -id $id $apps = Get-MobileApps -id $id $psscripts = Get-PowerShellScripts -id $id # Delete it if ($null -ne $policy) { # Standard Device Configuratio Policy write-host "It's a policy" $id = $policy.id $Resource = "deviceManagement/deviceConfigurations" $profiles+= ,(@($id,$resource)) } if ($null -ne $gp) { # Standard Device Configuratio Policy write-host "It's an Admin Template" $id = $gp.id $Resource = "deviceManagement/groupPolicyConfigurations" $profiles+= ,(@($id,$resource)) } if ($null -ne $catalog) { # Settings Catalog Policy write-host "It's a Settings Catalog" $id = $catalog.id $Resource = "deviceManagement/configurationPolicies" $profiles+= ,(@($id,$resource)) } if ($null -ne $compliance) { # Compliance Policy write-host "It's a Compliance Policy" $id = $compliance.id $Resource = "deviceManagement/deviceCompliancePolicies" $profiles+= ,(@($id,$resource)) } if ($null -ne $proac) { # Proactive Remediations write-host "It's a Proactive Remediation" $id = $proac.id $Resource = "deviceManagement/devicehealthscripts" $profiles+= ,(@($id,$resource)) } if ($null -ne $psscripts) { # PowerShell Script write-host "It's a PowerShell Script" $id = $psscripts.id $Resource = "deviceManagement/deviceManagementScripts" $profiles+= ,(@($id,$resource)) } if ($null -ne $security) { # Security Policy write-host "It's a Security Policy" $id = $security.id $Resource = "deviceManagement/intents" $profiles+= ,(@($id,$resource)) } if ($null -ne $autopilot) { # Autopilot Profile write-host "It's an Autopilot Profile" $id = $autopilot.id $Resource = "deviceManagement/windowsAutopilotDeploymentProfiles" $profiles+= ,(@($id,$resource)) } if ($null -ne $esp) { # Autopilot ESP write-host "It's an AutoPilot ESP" $id = $esp.id $Resource = "deviceManagement/deviceEnrollmentConfigurations" $profiles+= ,(@($id,$resource)) } if ($null -ne $android) { # Android App Protection write-host "It's an Android App Protection Policy" $id = $android.id $Resource = "deviceAppManagement/managedAppPoliciesandroid" $profiles+= ,(@($id,$resource)) } if ($null -ne $ios) { # iOS App Protection write-host "It's an iOS App Protection Policy" $id = $ios.id $Resource = "deviceAppManagement/managedAppPoliciesios" $profiles+= ,(@($id,$resource)) } if ($null -ne $aad) { # AAD Groups write-host "It's an AAD Group" $id = $aad.id $Resource = "groups" $profiles+= ,(@($id,$resource)) } if ($null -ne $apps) { # Application write-host "It's an application" $id = $apps.id $Resource = "deviceAppManagement/mobileApps" $profiles+= ,(@($id,$resource)) } if ($null -ne $ca) { # Conditional Access write-host "It's a Conditional Access Policy" $id = $ca.id $Resource = "ConditionalAccess" $profiles+= ,(@($id,$resource)) } } ##Loop through array and Delete Profiles foreach ($toupload in $profiles) { $id = $toupload[0] $resource = $toupload[1] ##If policy is conditional access, we need special config if ($resource -eq "conditionalaccess") { write-host "Deleting Conditional Access Policy" Remove-MgIdentityConditionalAccessPolicy -conditionalaccesspolicyid $id } else { $uripart1 = "https://graph.microsoft.com/beta/" $uri = $uripart1 + $resource + "/" + $id # Delete the policy Invoke-MgGraphRequest -uri $uri -method Delete write-host "Deleted" } } ##Clear Tenant Connections Disconnect-MgGraph Stop-Transcript |