eddie-jimenez/IntuneBackup

IntuneBackup Solution

Automated Intune backup solution to be run inside an Azure Automation Runbook. This solution grabs Intune data and copies it to a SharePoint Online location.

📋 Overview

This runbook performs the following:

  • Authenticates to Microsoft Graph using Managed Identity
  • Backs up key Microsoft Intune configuration categories (no module dependency)
  • Organizes backup files by category and app platform (Windows, macOS, etc.)
  • Uploads extracted files to a SharePoint Online folder
    https://<your-tenant>.sharepoint.com/sites/<YourSite>/Shared Documents/Intune Backups/YYYY/MM
  • Sends detailed HTML summary reports (Success or Failure) to specified recipients
  • Fully scheduled via Azure Automation to run monthly

🔧 How It Works

  • Uses native Invoke-RestMethod with Graph endpoints to pull data
  • Backs up each category into a timestamped temp folder
  • Mobile apps are sorted by platform using the app’s @odata.type
  • Uploads all extracted files (not zipped) to SharePoint via Microsoft Graph
  • Sends HTML-formatted email status reports from a configurable sender address
  • Cleans up local temp files after execution
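
The upload step above, shown as an added example written for this page; it is not the project's own code. It assumes a variable `$GraphToken` that already holds a bearer token for `https://graph.microsoft.com`, uses the site URI format from the Usage table with placeholder values, and includes the two details the bullet list leaves out: the simple `PUT :/content` is only allowed below 4 MB, so larger exports go through an upload session, and path segments such as "Intune Backups" must be URL-encoded. The local file path at the end is also a placeholder.

```powershell
# Added example (not the project's own code): upload one backup file to the
# SharePoint library through Microsoft Graph with Invoke-RestMethod only.
# Assumptions (not from the original script): $GraphToken already holds a
# bearer token for https://graph.microsoft.com; the site URI and folder path
# below are placeholders in the README's own format.
$Graph   = 'https://graph.microsoft.com/v1.0'
$Headers = @{ Authorization = "Bearer $GraphToken" }
$SiteUri = "$Graph/sites/contoso.sharepoint.com:/sites/ITAdmins"   # YOUR SITE URI (placeholder)

# Resolve the site, then its default document library ("Shared Documents").
$Site  = Invoke-RestMethod -Method GET -Uri $SiteUri -Headers $Headers
$Drive = Invoke-RestMethod -Method GET -Uri "$Graph/sites/$($Site.id)/drive" -Headers $Headers

function Send-GraphFile {
    param(
        [Parameter(Mandatory)][string]$LocalPath,
        [Parameter(Mandatory)][string]$RemoteFolder   # e.g. 'Intune Backups/2025/01/MobileApps/Windows'
    )
    $Name = [System.IO.Path]::GetFileName($LocalPath)
    # Each path segment must be URL-encoded; the space in "Intune Backups" would otherwise break the request.
    $Encoded = ($RemoteFolder -split '/' | ForEach-Object { [uri]::EscapeDataString($_) }) -join '/'
    $Item    = "$Graph/drives/$($Drive.id)/root:/$Encoded/$([uri]::EscapeDataString($Name))"
    $Size    = (Get-Item $LocalPath).Length

    if ($Size -lt 4MB) {
        # A single PUT to :/content is only allowed for files under 4 MB.
        return Invoke-RestMethod -Method PUT -Uri "$($Item):/content" -Headers $Headers `
            -ContentType 'application/octet-stream' -InFile $LocalPath
    }

    # Larger files (a big settings-catalog export, for instance) need an upload
    # session; every chunk except the last must be a multiple of 320 KiB.
    $Session = Invoke-RestMethod -Method POST -Uri "$($Item):/createUploadSession" -Headers $Headers `
        -ContentType 'application/json' `
        -Body (@{ item = @{ '@microsoft.graph.conflictBehavior' = 'replace' } } | ConvertTo-Json)
    $Stream = [System.IO.File]::OpenRead($LocalPath)
    try {
        $Buffer = New-Object byte[] (10 * 320KB)
        $Offset = 0
        while (($Read = $Stream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {
            $Chunk = New-Object byte[] $Read
            [Array]::Copy($Buffer, $Chunk, $Read)
            # The upload URL itself is the credential: no Authorization header, but Content-Range is required.
            $Result = Invoke-RestMethod -Method PUT -Uri $Session.uploadUrl -Body $Chunk `
                -Headers @{ 'Content-Range' = "bytes $Offset-$($Offset + $Read - 1)/$Size" }
            $Offset += $Read
        }
        return $Result   # the final PUT returns the created driveItem
    }
    finally { $Stream.Dispose() }
}

# Mirror the README's YYYY/MM layout under the configured folder (placeholder local path).
$Target = 'Intune Backups/' + (Get-Date -Format 'yyyy/MM') + '/DeviceConfigurations'
Send-GraphFile -LocalPath 'C:\Temp\IntuneBackup\DeviceConfigurations\Baseline.json' -RemoteFolder $Target
```

Treat the `uploadUrl` returned by `createUploadSession` as a secret: anyone holding it can write the file without a token until the session expires.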

πŸ—‚οΈ Backed-Up Categories

Category Graph Endpoint
Device Configurations /deviceConfigurations
Compliance Policies /deviceCompliancePolicies
Configuration Policies /configurationPolicies?$expand=settings
Device Scripts /deviceManagementScripts
App Policies & Configs /mobileApps, /managedAppPolicies, /mobileAppConfigurations, /policySets
Autopilot Profiles /windowsAutopilotDeploymentProfiles, /deviceEnrollmentConfigurations
Settings Catalog /configurationPolicies?$expand=settings
Feature/Quality/Driver Updates /windowsFeatureUpdateProfiles, etc.
Conditional Access Policies /identity/conditionalAccess/policies, etc.
Mac Scripts & Custom Attributes /deviceShellScripts, /deviceCustomAttributeShellScripts
Miscellaneous Notification Templates, Role Tags, Terms & Conditions, Intune Branding, etc.

❌ Groups are intentionally excluded to avoid backing up thousands of unnecessary AAD objects.


➕ Modifying Backup Categories

To add or remove a category from the backup logic:

  1. Locate the $categories hashtable inside the script:

    $categories = @{
        "DeviceConfigurations" = "/deviceConfigurations"
        "CompliancePolicies"   = "/deviceCompliancePolicies"
        ...
    }
  2. To add a category, insert a new key-value pair using the correct Graph endpoint:

    "EnrollmentStatusPageProfiles" = "/deviceEnrollmentConfigurations"
  3. To remove a category, delete or comment out its entry:

    # "ManagedAppPolicies" = "/managedAppPolicies"
  4. If the category requires query parameters such as $expand or $filter, include them in the value. Use single quotes (or escape the dollar sign with a backtick, `$expand) so that PowerShell does not expand $expand as an empty variable and silently turn the query into ?=assignments,categories:

    "MobileApps" = '/deviceAppManagement/mobileApps?$expand=assignments,categories'

💡 All updates will apply during the next scheduled or manual backup run.
⚠️ Make sure each endpoint is valid and that the Azure Automation Managed Identity has the necessary Graph permissions.
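
The category loop, paging and per-platform sorting described in the sections above, as one added example written for this page (not the project's own code). It assumes `$GraphToken` already holds a bearer token and writes every endpoint as a full path below the beta root; the real script's base URL and prefixing may differ. The `Get-GraphCollection` helper follows `@odata.nextLink`, which a single `Invoke-RestMethod` call does not, and `Get-AppPlatform` is an illustrative mapping from `@odata.type` to a folder name.

```powershell
# Added example (not the project's own code): drive the backup from a
# $categories table, follow @odata.nextLink paging, and write each object to
# its own JSON file, with mobile apps sorted into a per-platform subfolder from
# their @odata.type. Assumptions (not from the original script): $GraphToken
# holds a bearer token, and paths are given in full below the beta root; the
# real script's base URL and prefixing may differ.
$Graph   = 'https://graph.microsoft.com/beta'
$Headers = @{ Authorization = "Bearer $GraphToken" }
$Root    = Join-Path ([System.IO.Path]::GetTempPath()) ('IntuneBackup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

# Single quotes keep "$expand" literal. In double quotes PowerShell expands an
# (empty) $expand variable and the query silently becomes "?=settings".
$categories = @{
    'DeviceConfigurations' = '/deviceManagement/deviceConfigurations'
    'CompliancePolicies'   = '/deviceManagement/deviceCompliancePolicies'
    'SettingsCatalog'      = '/deviceManagement/configurationPolicies?$expand=settings'
    'MobileApps'           = '/deviceAppManagement/mobileApps?$expand=assignments'
}

function Get-GraphCollection {
    # Returns every object in a collection: Graph pages large collections and a
    # single GET would silently back up only the first page.
    param([Parameter(Mandatory)][string]$Uri)
    $Items = @()
    $Retries = 0
    do {
        try {
            $Page = Invoke-RestMethod -Method GET -Uri $Uri -Headers $Headers
        }
        catch {
            # Throttled: back off and retry the same page (honour Retry-After in production).
            if ([int]$_.Exception.Response.StatusCode -eq 429 -and $Retries++ -lt 5) { Start-Sleep -Seconds 10; continue }
            throw
        }
        $Items += $Page.value
        $Uri = $Page.'@odata.nextLink'   # $null on the last page
    } while ($Uri)
    return $Items
}

function Get-AppPlatform {
    # Maps an app's @odata.type (e.g. '#microsoft.graph.win32LobApp') to a folder name.
    # macOS is tested first because 'macOSOfficeSuiteApp' would also match the Windows pattern.
    param([string]$ODataType)
    if (-not $ODataType) { return 'Other' }
    switch -Regex ($ODataType) {
        'macOS'                                           { return 'macOS' }
        'win32|windows|winGet|officeSuite|microsoftStore' { return 'Windows' }
        'ios'                                             { return 'iOS' }
        'android'                                         { return 'Android' }
        default                                           { return 'Other' }
    }
}

$Counts = @{}
foreach ($Category in $categories.Keys) {
    $Items = Get-GraphCollection -Uri ($Graph + $categories[$Category])
    $Counts[$Category] = @($Items).Count
    foreach ($Item in $Items) {
        $Folder = Join-Path $Root $Category
        if ($Category -eq 'MobileApps') { $Folder = Join-Path $Folder (Get-AppPlatform $Item.'@odata.type') }
        New-Item -ItemType Directory -Path $Folder -Force | Out-Null
        # Strip path and invalid characters from the display name so a policy named
        # "..\..\x" cannot write outside its category folder; fall back to the id.
        $Safe = ($Item.displayName -replace '[\\/:*?"<>|]', '_').Trim('. ')
        if (-not $Safe) { $Safe = $Item.id }
        $Item | ConvertTo-Json -Depth 20 |
            Set-Content -Path (Join-Path $Folder "$Safe ($($Item.id)).json") -Encoding UTF8
    }
}
$Counts   # per-category item counts for the summary e-mail
```

Including the object id in the file name keeps two policies with the same display name from overwriting each other, and the sanitised name prevents a display name chosen by an Intune admin from steering the write outside the temp folder.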


🕒 Schedule

The runbook can be configured to run whenever works best for you.

For example:

🗓 1st of every month at 10:00 AM EST

This schedule can be adjusted in the Azure Automation account under Schedules.


📧 Email Reports

Emails include:

  • ✅ Backup Success status

  • ❌ Backup Failure with error details

  • ⏱️ Runtime duration

  • 📁 SharePoint link to uploaded backup

  • 📊 Category item counts

  • ⚠️ Failure reports with troubleshooting steps

🔧 Usage

Before using this runbook in your environment, review and replace the following placeholders in the script:

Placeholder | Description
--- | ---
YOUR SITE URI | Full Microsoft Graph API URI for your SharePoint site. Example: https://graph.microsoft.com/v1.0/sites/{tenant}.sharepoint.com:/sites/{site-name}
YOUR SHAREPOINT PATH | Folder path inside the SharePoint document library where backups are uploaded. Example: ITadmins/Intune Backups
YOUR SHAREPOINT URL | Base SharePoint site web URL used to construct clickable folder links in email reports. Example: https://{tenant}.sharepoint.com/sites/{site-name}/
YOUR TEST EMAIL | Default fallback email recipient for test runs. Update this to your own address or distribution list. Example: 'you@example.com'
YOUR AUTOMATION ACCOUNT EMAIL | Email address used to send status emails from Azure Automation. Must be a valid Entra ID user. Example: automation@yourdomain.com

✅ If you're running this inside Azure Automation, only YOUR SITE URI, YOUR SHAREPOINT PATH, YOUR SHAREPOINT URL, and 'YOUR TEST EMAIL' need to be updated.
⚠️ Local testing requires valid Microsoft Graph authentication using Connect-MgGraph with a certificate or client secret.

🧪 Testing

You can test this script locally by providing custom parameters, but note that authentication is required, since Managed Identity is only available in Azure-hosted environments.

πŸ” Required for Manual Testing

You must authenticate using an App Registration in Entra ID (Azure AD) with one of the following:

Note: This logic is not baked into the script.

✅ Recommended: Certificate Authentication

Connect-MgGraph -ClientId "<your-client-id>" `
                -TenantId "<your-tenant-id>" `
                -CertificateThumbprint "<your-cert-thumbprint>"

⚠️ Temporary (Not Secure): Client Secret Authentication

Connect-MgGraph has no -ClientSecret parameter; the Microsoft.Graph SDK (2.x) takes -ClientSecretCredential, a PSCredential whose user name is the client ID:

$Secret     = Read-Host -Prompt 'Client secret' -AsSecureString   # never hard-code or commit the secret
$Credential = New-Object System.Management.Automation.PSCredential("<your-client-id>", $Secret)
Connect-MgGraph -TenantId "<your-tenant-id>" -ClientSecretCredential $Credential

ℹ️ Make sure the App Registration has all necessary Microsoft Graph API permissions.

See Required Permissions below...
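
Connect-MgGraph establishes a Graph SDK session, but it does not hand its access token to Invoke-RestMethod, which is what the script uses for its Graph calls. The following added example (written for this page, not the project's own code) shows the two ways a raw bearer token is obtained: from the Automation account's system-assigned managed identity when running inside a runbook, and with the recommended certificate method (an RFC 7523 client assertion signed by the app registration's certificate) when testing locally. The placeholders <tenant-id>, <client-id> and <thumbprint> are assumptions, and the certificate is assumed to be in the current user's personal store.

```powershell
# Added example (not the project's own code): obtain a raw Graph bearer token
# for Invoke-RestMethod, either from the Automation account's managed identity
# (inside a runbook) or from an app registration with a certificate (local
# testing). <tenant-id>, <client-id> and <thumbprint> are placeholders.

function Get-GraphTokenFromManagedIdentity {
    # Azure Automation exposes the identity endpoint to the sandbox through these
    # environment variables; no Az module is required.
    $Uri = "$($env:IDENTITY_ENDPOINT)?resource=https://graph.microsoft.com&api-version=2019-08-01"
    $Response = Invoke-RestMethod -Method GET -Uri $Uri -Headers @{
        'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER
        'Metadata'          = 'true'
    }
    return $Response.access_token
}

function ConvertTo-Base64Url {
    param([byte[]]$Bytes)
    return ([Convert]::ToBase64String($Bytes) -replace '\+', '-' -replace '/', '_').TrimEnd('=')
}

function Get-GraphTokenFromCertificate {
    # OAuth 2.0 client-credentials grant with a JWT client assertion (RFC 7523),
    # signed with the app registration's certificate: no secret leaves the machine.
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    $Cert     = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
    $TokenUrl = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    $Now      = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()

    # x5t is the base64url SHA-1 thumbprint, which is what GetCertHash() returns.
    $Header = @{ alg = 'RS256'; typ = 'JWT'; x5t = (ConvertTo-Base64Url $Cert.GetCertHash()) }
    $Claims = @{
        aud = $TokenUrl; iss = $ClientId; sub = $ClientId
        jti = [guid]::NewGuid().ToString(); nbf = $Now; exp = $Now + 300   # short-lived on purpose
    }
    $Unsigned = (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes(($Header | ConvertTo-Json -Compress)))) + '.' +
                (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes(($Claims | ConvertTo-Json -Compress))))
    $Rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    $Signature = $Rsa.SignData([Text.Encoding]::UTF8.GetBytes($Unsigned),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $Assertion = $Unsigned + '.' + (ConvertTo-Base64Url $Signature)

    $Body = @{
        client_id             = $ClientId
        scope                 = 'https://graph.microsoft.com/.default'
        grant_type            = 'client_credentials'
        client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
        client_assertion      = $Assertion
    }
    return (Invoke-RestMethod -Method POST -Uri $TokenUrl -Body $Body).access_token
}

# Pick the source based on where the script is running.
$GraphToken = if ($env:IDENTITY_ENDPOINT) {
    Get-GraphTokenFromManagedIdentity
} else {
    Get-GraphTokenFromCertificate -TenantId '<tenant-id>' -ClientId '<client-id>' -Thumbprint '<thumbprint>'
}
$Headers = @{ Authorization = "Bearer $GraphToken" }
```

The client-secret variant uses the same token endpoint with `grant_type=client_credentials`, `client_id` and `client_secret` in the body instead of the assertion; it is simpler, but the secret is a reusable credential that ends up in a script or a variable, which is why the README calls it temporary.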


🧪 Test Parameters

Once authenticated, you can run the backup manually with:

param (
    [string]$EmailRecipient = "you@example.com"
)

Override the $EmailRecipient value if you'd like to receive a test HTML summary email.


πŸ” Required Permissions

The Azure Automation Managed Identity or App Registration must have the following Microsoft Graph API permissions:

DeviceManagementConfiguration.Read.All  
DeviceManagementApps.Read.All  
DeviceManagementRBAC.Read.All  
DeviceManagementManagedDevices.Read.All  
Mail.Send  
Sites.ReadWrite.All  
Directory.Read.All  
Policy.Read.All
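
A check for the permission list above, added here as an example written for this page (not the project's own code). It reads the app-role assignments on the managed identity's service principal and reports which required Graph application permissions are missing, optionally granting them. It assumes `$GraphToken` holds a token able to read service principals (Application.Read.All, plus AppRoleAssignment.ReadWrite.All to grant) and that the identity's display name equals the Automation account name, which is the case for a system-assigned identity; `<your-automation-account>` is a placeholder.

```powershell
# Added example (not the project's own code): check which of the required
# Graph application permissions are actually assigned to the Automation
# account's managed identity, and optionally grant the missing ones.
# Assumptions (not from the original script): $GraphToken holds a token able to
# read service principals (Application.Read.All; AppRoleAssignment.ReadWrite.All
# to grant), and the identity's display name equals the Automation account name.
$Graph   = 'https://graph.microsoft.com/v1.0'
$Headers = @{ Authorization = "Bearer $GraphToken" }

function Test-GraphAppRoles {
    param(
        [Parameter(Mandatory)][string]$PrincipalDisplayName,
        [Parameter(Mandatory)][string[]]$Required,
        [switch]$Grant
    )
    # Microsoft Graph's own service principal; its appRoles are the application permissions.
    $Filter   = [uri]::EscapeDataString("appId eq '00000003-0000-0000-c000-000000000000'")
    $GraphSp  = (Invoke-RestMethod -Uri "$Graph/servicePrincipals?`$filter=$Filter" -Headers $Headers).value[0]
    $RoleById = @{}
    foreach ($Role in $GraphSp.appRoles) { $RoleById[$Role.id] = $Role.value }

    $Filter = [uri]::EscapeDataString("displayName eq '$($PrincipalDisplayName -replace "'", "''")'")
    $Mi = (Invoke-RestMethod -Uri "$Graph/servicePrincipals?`$filter=$Filter" -Headers $Headers).value[0]
    if (-not $Mi) { throw "No service principal named '$PrincipalDisplayName'; is the system-assigned identity enabled?" }

    # appRoleAssignments on the identity are what it has actually been granted.
    $Assigned = @((Invoke-RestMethod -Uri "$Graph/servicePrincipals/$($Mi.id)/appRoleAssignments" -Headers $Headers).value |
        Where-Object { $_.resourceId -eq $GraphSp.id } |
        ForEach-Object { $RoleById[$_.appRoleId] })
    $Missing = @($Required | Where-Object { $_ -notin $Assigned })

    if ($Grant) {
        foreach ($Perm in $Missing) {
            $RoleId = ($GraphSp.appRoles | Where-Object { $_.value -eq $Perm -and $_.allowedMemberTypes -contains 'Application' }).id
            if (-not $RoleId) { Write-Warning "$Perm is not an application permission on Microsoft Graph"; continue }
            Invoke-RestMethod -Method POST -Uri "$Graph/servicePrincipals/$($Mi.id)/appRoleAssignments" -Headers $Headers `
                -ContentType 'application/json' `
                -Body (@{ principalId = $Mi.id; resourceId = $GraphSp.id; appRoleId = $RoleId } | ConvertTo-Json) | Out-Null
        }
    }
    return [pscustomobject]@{ Principal = $Mi.displayName; Assigned = $Assigned; Missing = $Missing }
}

$Required = 'DeviceManagementConfiguration.Read.All', 'DeviceManagementApps.Read.All',
            'DeviceManagementRBAC.Read.All', 'DeviceManagementManagedDevices.Read.All',
            'Mail.Send', 'Sites.ReadWrite.All', 'Directory.Read.All', 'Policy.Read.All'
Test-GraphAppRoles -PrincipalDisplayName '<your-automation-account>' -Required $Required
```

Run it without -Grant first: the Assigned list also shows anything extra the identity has accumulated, which is worth pruning for an identity that only needs read access to Intune and write access to one document library.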

📚 Resources


πŸ› οΈ Troubleshooting

See the failure email report for built-in diagnostics, or use these common checks:

  • ✅ Authentication – Verify Managed Identity or App Registration is authorized
  • 📦 Modules – Ensure Microsoft.Graph is imported (if using modules)
  • 🌐 Connectivity – Validate access to Microsoft Graph and SharePoint
  • 🔐 Permissions – Confirm all Graph and SharePoint permissions are granted
  • ⚙️ Resources – Check runbook limits, job quotas, and timeout settings
  • 📄 Logs – Review detailed runbook logs in Azure for stack traces and errors

🧾 License

This project is licensed under the GNU General Public License v3.0.
See the LICENSE file for details.

PowerShell
License: GPL v3


👤 Author

Eddie Jimenez
GitHub
LinkedIn

Although this script has been tested extensively and successfully, PLEASE ensure you are thoroughly testing this on your own prior to introducing this into production. You are free to use this script at your own risk. Please credit me if you do 🙂


⭐ If this project helps you, please give it a star! ⭐
