Automated Intune backup solution to be run inside an Azure Automation Runbook. This solution grabs Intune data and copies it to a SharePoint Online location.
This runbook performs the following:
- Authenticates to Microsoft Graph using Managed Identity
- Backs up key Microsoft Intune configuration categories (no module dependency)
- Organizes backup files by category and app platform (Windows, macOS, etc.)
- Uploads extracted files to a SharePoint Online folder, for example:
  https://<your-tenant>.sharepoint.com/sites/<YourSite>/Shared Documents/Intune Backups/YYYY/MM
- Sends detailed HTML summary reports (Success or Failure) to specified recipients
- Fully scheduled via Azure Automation to run monthly
- Uses native `Invoke-RestMethod` calls against Graph endpoints to pull data (no Microsoft.Graph module dependency)
- Backs up each category into a timestamped temp folder
- Mobile apps are sorted by platform using the app's `@odata.type`
- Uploads all extracted files (not zipped) to SharePoint via Microsoft Graph
- Sends HTML-formatted email status reports from a configurable sender address
- Cleans up local temp files after execution
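The core loop that the list above describes, as an added example rather than the project's own runbook code. It assumes a system-assigned Managed Identity in Azure Automation (the `IDENTITY_ENDPOINT`/`IDENTITY_HEADER` variables the sandbox exposes), the Graph beta endpoint (several Intune collections such as `/configurationPolicies` only exist there), and the helper names used below; the category hashtable mirrors the script's `$categories` idea with a handful of entries.

```powershell
# Added example, not the project's runbook code. Assumptions: system-assigned
# Managed Identity in Azure Automation, Graph beta endpoint, helper names below.

function Get-GraphTokenFromManagedIdentity {
    # Azure Automation exposes the Managed Identity through these two environment
    # variables, so no Az or Microsoft.Graph module is required.
    $uri     = "$($env:IDENTITY_ENDPOINT)?resource=https://graph.microsoft.com&api-version=2019-08-01"
    $headers = @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER; 'Metadata' = 'True' }
    (Invoke-RestMethod -Uri $uri -Method Get -Headers $headers).access_token
}

function Invoke-GraphGetAll {
    # Follows @odata.nextLink so collections larger than one page are not silently truncated.
    param([string]$Token, [string]$Uri)
    $headers = @{ Authorization = "Bearer $Token" }
    $items   = @()
    while ($Uri) {
        $page = Invoke-RestMethod -Uri $Uri -Method Get -Headers $headers
        if ($page.value) { $items += $page.value }
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

function Get-SafeFileName {
    # Display names are admin-controlled input; strip path separators and other
    # characters illegal in file names so a name cannot escape the backup folder.
    param([string]$Name)
    return ($Name -replace '[\\/:*?"<>|]', '_').Trim()
}

# Category -> Graph path. Single quotes keep PowerShell from expanding $expand as a variable.
$categories = @{
    'DeviceConfigurations'  = '/deviceManagement/deviceConfigurations'
    'CompliancePolicies'    = '/deviceManagement/deviceCompliancePolicies'
    'ConfigurationPolicies' = '/deviceManagement/configurationPolicies?$expand=settings'
    'MobileApps'            = '/deviceAppManagement/mobileApps'
}

$token      = Get-GraphTokenFromManagedIdentity
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupRoot = Join-Path ([System.IO.Path]::GetTempPath()) "IntuneBackup-$stamp"
$counts     = @{}   # category -> item count, for the summary email

foreach ($name in $categories.Keys) {
    $items = Invoke-GraphGetAll -Token $token -Uri ('https://graph.microsoft.com/beta' + $categories[$name])
    $counts[$name] = @($items).Count

    foreach ($item in @($items)) {
        # Mobile apps get a per-platform subfolder derived from @odata.type,
        # e.g. '#microsoft.graph.win32LobApp' -> 'win32LobApp'.
        $dir = if ($name -eq 'MobileApps') {
            Join-Path $backupRoot (Join-Path $name ($item.'@odata.type' -replace '^#microsoft\.graph\.', ''))
        } else {
            Join-Path $backupRoot $name
        }
        New-Item -ItemType Directory -Path $dir -Force | Out-Null

        $label = if ($item.displayName) { $item.displayName } elseif ($item.name) { $item.name } else { 'item' }
        $file  = Join-Path $dir ('{0}_{1}.json' -f (Get-SafeFileName $label), $item.id)
        $item | ConvertTo-Json -Depth 20 | Set-Content -Path $file -Encoding UTF8
    }
}

Write-Output ('Backed up {0} categories to {1}' -f $counts.Count, $backupRoot)
# After uploading $backupRoot and sending the summary, clean up the temp folder:
# Remove-Item -Path $backupRoot -Recurse -Force
```

For a user-assigned identity, append `&client_id=<identity-client-id>` to the token request URI. The `id` is included in every file name because display names are not unique in Intune; two policies with the same name would otherwise overwrite each other in the backup.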
| Category | Graph Endpoint |
|---|---|
| Device Configurations | /deviceConfigurations |
| Compliance Policies | /deviceCompliancePolicies |
| Configuration Policies | /configurationPolicies?$expand=settings |
| Device Scripts | /deviceManagementScripts |
| App Policies & Configs | /mobileApps, /managedAppPolicies, /mobileAppConfigurations, /policySets |
| Autopilot Profiles | /windowsAutopilotDeploymentProfiles, /deviceEnrollmentConfigurations |
| Settings Catalog | /configurationPolicies?$expand=settings |
| Feature/Quality/Driver Updates | /windowsFeatureUpdateProfiles, etc. |
| Conditional Access Policies | /identity/conditionalAccess/policies, etc. |
| Mac Scripts & Custom Attributes | /deviceShellScripts, /deviceCustomAttributeShellScripts |
| Miscellaneous | Notification Templates, Role Tags, Terms & Conditions, Intune Branding, etc. |

Note: Groups are intentionally excluded to avoid backing up thousands of unnecessary AAD (Entra ID) objects.
To add or remove a category from the backup logic:

- Locate the `$categories` hashtable inside the script:

```powershell
$categories = @{
    "DeviceConfigurations" = "/deviceConfigurations"
    "CompliancePolicies"   = "/deviceCompliancePolicies"
    # ...
}
```

- To add a category, insert a new key-value pair using the correct Graph endpoint:

```powershell
"EnrollmentStatusPageProfiles" = "/deviceEnrollmentConfigurations"
```

- To remove a category, delete or comment out its entry:

```powershell
# "ManagedAppPolicies" = "/managedAppPolicies"
```

- If the category requires query parameters such as `$expand` or `$filter`, include them in the value. Use single quotes (or escape the `$` with a backtick): inside a double-quoted string PowerShell would expand `$expand` as an empty variable and the request would go out as `...mobileApps?=assignments,categories`. A backslash does not escape `$` in PowerShell.

```powershell
"MobileApps" = '/deviceAppManagement/mobileApps?$expand=assignments,categories'
```

Note: All updates will apply during the next scheduled or manual backup run.

Warning: Make sure each endpoint is valid and that the Azure Automation Managed Identity has the necessary Graph permissions for it (for example, a Conditional Access endpoint needs Policy.Read.All in addition to the Intune permissions).
The runbook can be configured to run whenever works best for you.
For example: the 1st of every month at 10:00 AM EST.
This schedule can be adjusted in the Azure Automation account under Schedules.
Emails include:
- Backup Success status
- Backup Failure with error details
- Runtime duration
- SharePoint link to the uploaded backup
- Category item counts
- Failure reports with troubleshooting steps
Before using this runbook in your environment, review and replace the following placeholders in the script:
| Placeholder | Description |
|---|---|
| YOUR SITE URI | Full Microsoft Graph API URI for your SharePoint site. Example: `https://graph.microsoft.com/v1.0/sites/{tenant}.sharepoint.com:/sites/{site-name}` |
| YOUR SHAREPOINT PATH | Folder path inside the SharePoint document library where backups are uploaded. Example: `ITadmins/Intune Backups` |
| YOUR SHAREPOINT URL | Base SharePoint site web URL used to construct clickable folder links in email reports. Example: `https://{tenant}.sharepoint.com/sites/{site-name}/` |
| YOUR TEST EMAIL | Default fallback email recipient for test runs. Update this to your own address or distribution list. Example: `'you@example.com'` |
| YOUR AUTOMATION ACCOUNT EMAIL | Email address used to send status emails from Azure Automation. Must be a valid Entra ID user (mailbox). Example: `automation@yourdomain.com` |

Note: If you're running this inside Azure Automation, only `YOUR SITE URI`, `YOUR SHAREPOINT PATH`, `YOUR SHAREPOINT URL`, and `'YOUR TEST EMAIL'` need to be updated.
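How the three SharePoint placeholders are used to push the backup folder into the document library through Microsoft Graph, as an added example (not the project's own upload code). It assumes `$token` is an app-only bearer token for Graph, `$backupRoot` is the local folder the backup loop produced, and the function name and chunk size are choices made here.

```powershell
# Added example, not the project's own code. Assumes $token (Graph app-only token)
# and $backupRoot (local backup folder) already exist; function names are assumptions.

$siteUri        = 'https://graph.microsoft.com/v1.0/sites/{tenant}.sharepoint.com:/sites/{site-name}'   # YOUR SITE URI
$sharePointPath = 'ITadmins/Intune Backups'                                                            # YOUR SHAREPOINT PATH
$authHeader     = @{ Authorization = "Bearer $token" }

function Send-FileToDrive {
    param([string]$DriveId, [string]$TargetPath, [string]$LocalFile, [hashtable]$AuthHeader)
    # Every path segment is URL-encoded, so a policy name containing '#' or '%' cannot break the request.
    $encoded = ($TargetPath -split '/' | ForEach-Object { [uri]::EscapeDataString($_) }) -join '/'
    $itemUrl = "https://graph.microsoft.com/v1.0/drives/$DriveId/root:/$encoded"
    $size    = (Get-Item -LiteralPath $LocalFile).Length

    if ($size -lt 4MB) {
        # Small file: a single PUT to the item's content endpoint (creates or replaces).
        return Invoke-RestMethod -Uri "${itemUrl}:/content" -Method Put -Headers $AuthHeader `
                   -InFile $LocalFile -ContentType 'application/octet-stream'
    }

    # Large file: open an upload session and send the bytes in chunks (a multiple of 320 KiB).
    $session = Invoke-RestMethod -Uri "${itemUrl}:/createUploadSession" -Method Post -Headers $AuthHeader `
                   -ContentType 'application/json' `
                   -Body (@{ item = @{ '@microsoft.graph.conflictBehavior' = 'replace' } } | ConvertTo-Json -Depth 4)
    $chunkSize = 5MB
    $stream    = [System.IO.File]::OpenRead($LocalFile)
    try {
        $offset = 0L
        while ($offset -lt $size) {
            $chunk = New-Object byte[] ([int][Math]::Min($chunkSize, $size - $offset))
            $read  = $stream.Read($chunk, 0, $chunk.Length)
            # The upload URL is pre-authenticated: do not attach the Authorization header to these PUTs.
            $result = Invoke-RestMethod -Uri $session.uploadUrl -Method Put -Body $chunk `
                          -Headers @{ 'Content-Range' = "bytes $offset-$($offset + $read - 1)/$size" } `
                          -ContentType 'application/octet-stream'
            $offset += $read
        }
        return $result
    }
    finally { $stream.Dispose() }
}

# 1. Resolve the site, then its default document library (drive).
$site  = Invoke-RestMethod -Uri $siteUri -Headers $authHeader
$drive = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/sites/$($site.id)/drive" -Headers $authHeader

# 2. Mirror the local backup tree under <YOUR SHAREPOINT PATH>/YYYY/MM/.
$monthFolder = '{0}/{1:yyyy}/{1:MM}' -f $sharePointPath, (Get-Date)
foreach ($f in Get-ChildItem -Path $backupRoot -Recurse -File) {
    $relative = $f.FullName.Substring($backupRoot.Length).TrimStart('\', '/') -replace '\\', '/'
    $null = Send-FileToDrive -DriveId $drive.id -TargetPath "$monthFolder/$relative" -LocalFile $f.FullName -AuthHeader $authHeader
}
```

Graph creates intermediate folders on a path-addressed PUT, so the `YYYY/MM` folders do not have to be created beforehand. The 4 MB cut-off is the Graph limit for the simple content PUT; anything larger must go through an upload session.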
Warning: Local testing requires valid Microsoft Graph authentication using `Connect-MgGraph` with a certificate or client secret.
You can test this script locally by providing custom parameters, but note that authentication is required since Managed Identity is only available in Azure-hosted environments.
You must authenticate using an App Registration in Entra ID (Azure AD) with one of the following. Note: this logic is not baked into the script.

Certificate (preferred; the private key never leaves the machine):

```powershell
Connect-MgGraph -ClientId "<your-client-id>" `
    -TenantId "<your-tenant-id>" `
    -CertificateThumbprint "<your-cert-thumbprint>"
```

Client secret (the Microsoft.Graph SDK v2 takes the secret as a PSCredential whose user name is the client ID; there is no plain `-ClientSecret` string parameter):

```powershell
$secret = Read-Host -Prompt "Client secret" -AsSecureString
$cred   = New-Object System.Management.Automation.PSCredential ("<your-client-id>", $secret)
Connect-MgGraph -TenantId "<your-tenant-id>" -ClientSecretCredential $cred
```

Make sure the App Registration has all necessary Microsoft Graph API permissions. See Required Permissions below.

Once authenticated, you can run the backup manually. The script declares a single parameter:

```powershell
param (
    [string]$EmailRecipient = "you@example.com"
)
```

Pass a different `-EmailRecipient` value when invoking the script if you'd like to receive a test HTML summary email.
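The HTML summary email (the "Emails include" list above) built and sent through Graph's `sendMail` action, as an added example rather than the project's own reporting code. `$token` is assumed to be an app-only Graph token with `Mail.Send`; the sender and recipient addresses, the `$counts` hashtable and the folder URL are constructed sample values.

```powershell
# Added example, not the project's own code. $token is assumed to be an app-only
# Graph bearer token with Mail.Send; the sample values at the bottom are constructed.

function New-BackupReportHtml {
    param([bool]$Succeeded, [hashtable]$Counts, [timespan]$Duration, [string]$FolderUrl, [string]$ErrorText = '')
    $status = if ($Succeeded) { 'Backup Success' } else { 'Backup Failure' }

    # Category names and error text are not trusted markup: HTML-encode everything interpolated.
    $rows = foreach ($k in ($Counts.Keys | Sort-Object)) {
        "<tr><td>$([System.Net.WebUtility]::HtmlEncode($k))</td><td>$($Counts[$k])</td></tr>"
    }
    $errorBlock = ''
    if (-not $Succeeded) {
        # Graph error bodies can contain angle brackets; encoding keeps them from rendering as HTML.
        $errorBlock = "<h3>Error details</h3><pre>$([System.Net.WebUtility]::HtmlEncode($ErrorText))</pre>" +
                      '<p>Checks: Managed Identity permissions, endpoint validity, runbook job logs.</p>'
    }
    $safeUrl = [System.Net.WebUtility]::HtmlEncode($FolderUrl)
    @"
<html><body>
<h2>Intune Backup: $status</h2>
<p>Runtime: $($Duration.ToString('hh\:mm\:ss'))</p>
<p>Backup location: <a href="$safeUrl">$safeUrl</a></p>
<table border="1"><tr><th>Category</th><th>Items</th></tr>
$($rows -join "`n")
</table>
$errorBlock
</body></html>
"@
}

function Send-GraphMail {
    param([string]$Token, [string]$From, [string[]]$To, [string]$Subject, [string]$HtmlBody)
    $message = @{
        message = @{
            subject      = $Subject
            body         = @{ contentType = 'HTML'; content = $HtmlBody }
            toRecipients = @($To | ForEach-Object { @{ emailAddress = @{ address = $_ } } })
        }
        saveToSentItems = $false
    }
    # Application permission Mail.Send lets the identity send as $From without a user session.
    Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/users/$From/sendMail" -Method Post `
        -Headers @{ Authorization = "Bearer $Token" } -ContentType 'application/json' `
        -Body ($message | ConvertTo-Json -Depth 6)
}

# Constructed sample values for the example.
$counts = @{ DeviceConfigurations = 42; CompliancePolicies = 9; MobileApps = 17 }
$html   = New-BackupReportHtml -Succeeded $true -Counts $counts -Duration (New-TimeSpan -Minutes 6) `
              -FolderUrl 'https://{tenant}.sharepoint.com/sites/{site-name}/Shared Documents/Intune Backups/2025/01'
Send-GraphMail -Token $token -From 'automation@yourdomain.com' -To @('you@example.com') `
    -Subject 'Intune Backup: Success' -HtmlBody $html
```

For the failure path call `New-BackupReportHtml -Succeeded $false -ErrorText $_.Exception.Message` from the runbook's catch block; the encoding step matters there because the exception text often carries the raw Graph response body.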
The Azure Automation Managed Identity or App Registration must have the following Microsoft Graph API application permissions (admin consent is required for all of them):

- DeviceManagementConfiguration.Read.All
- DeviceManagementApps.Read.All
- DeviceManagementRBAC.Read.All
- DeviceManagementManagedDevices.Read.All
- Mail.Send
- Sites.ReadWrite.All
- Directory.Read.All
- Policy.Read.All

Least-privilege notes: `Sites.ReadWrite.All` grants write access to every SharePoint site in the tenant; if the backup only ever writes to one site, `Sites.Selected` with write access granted on that single site is the tighter choice. `Mail.Send` as an application permission allows sending from any mailbox; an Exchange Online application access policy (`New-ApplicationAccessPolicy`) can restrict the identity to the automation mailbox only.
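A pre-flight check that the token actually carries the permissions listed above, as an added example (not part of the project's script). Application permissions show up in the token's `roles` claim, so the runbook can fail fast with a clear message instead of hitting a 403 halfway through the backup. `$token` is assumed to be the Graph access token already obtained by the runbook.

```powershell
# Added example, not the project's code. Assumes $token holds a Graph access token.

function Test-GraphTokenRoles {
    param([string]$Token, [string[]]$RequiredRoles)
    # Decode the JWT payload (base64url). No signature check: this is a local sanity
    # check on a token we just obtained from the identity platform, not validation of an untrusted one.
    $payload = ($Token -split '\.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json    = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    $claims  = $json | ConvertFrom-Json
    $granted = @($claims.roles)        # application permissions appear in the 'roles' claim
    $missing = @($RequiredRoles | Where-Object { $_ -notin $granted })
    [pscustomobject]@{ Ok = ($missing.Count -eq 0); Granted = $granted; Missing = $missing }
}

$required = @(
    'DeviceManagementConfiguration.Read.All', 'DeviceManagementApps.Read.All',
    'DeviceManagementRBAC.Read.All', 'DeviceManagementManagedDevices.Read.All',
    'Mail.Send', 'Sites.ReadWrite.All', 'Directory.Read.All', 'Policy.Read.All'
)
$check = Test-GraphTokenRoles -Token $token -RequiredRoles $required
if (-not $check.Ok) {
    throw "Graph token is missing application permissions: $($check.Missing -join ', ')"
}
```

If you opted for `Sites.Selected` instead of `Sites.ReadWrite.All`, adjust `$required` accordingly; the claim reflects exactly what was consented, not what the script would like to have.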
- Microsoft Graph API Documentation
- Managed Identity Auth for Azure Automation
- Microsoft Graph REST API Permissions
- PowerShell - Upload to SharePoint via Graph
See the failure email report for built-in diagnostics, or use these common checks:
- Authentication: verify the Managed Identity or App Registration is authorized
- Modules: ensure Microsoft.Graph is imported (only if you use the module for local testing; the runbook itself has no module dependency)
- Connectivity: validate access to Microsoft Graph and SharePoint
- Permissions: confirm all Graph and SharePoint permissions are granted and admin-consented
- Resources: check runbook limits, job quotas, and timeout settings (the Azure Automation sandbox fair-share limit unloads jobs that run longer than 3 hours)
- Logs: review detailed runbook logs in Azure for stack traces and errors
This project is licensed under the GNU General Public License v3.0.
See the LICENSE file for details.
Although this script has been tested extensively and successfully, PLEASE ensure you are thoroughly testing this on your own prior to introducing this into production. You are free to use this script at your own risk. Please credit me if you do.
If this project helps you, please give it a star!