MSEndpointMgr

Use Intune Graph API export and import Intune ADMX templates

Intune ADMX templates are now in public preview; for the details, please read Maurice Daly’s post Configure ADMX settings with Microsoft Intune Administrative Templates. I have tested 151 settings in my test tenant and want to import them into another tenant. But wait... there is no export or import button (at the moment). So I thought of using the Graph API and PowerShell.

I don’t cover the basics of the Intune Graph API in this post. If this is your first time using it, please take a look at Dave Falkus’s PowerShell Intune Samples and the Intune PowerShell SDK.

Many thanks to Ben Reader (@powers_hell) and Steven Hosking (@OnPremCloudGuy), who contributed to making these scripts work on complex policies.

TL;DR

If you don’t want to read this long post and just want to run the export and import scripts, you can find them in my GitHub: https://github.com/sandytsang/MSIntune/tree/master/Intune-PowerShell/DeviceConfiguration

How to use these scripts

  1. Important: check that you don’t have any ADMX template profiles with the same name; if you do, rename them first (the export creates one folder per profile, named after the profile, so names must be unique).
  2. Run DeviceConfigurationADMX_Export.ps1
  3. Enter your Azure AD credentials for tenant A
  4. Enter the export folder name; you should get results like this

  5. (Optional) Delete the profile folders you don’t wish to import, and rename a folder if you want to change the ADMX template profile name
  6. Open another PowerShell window
  7. Run DeviceConfigurationADMX_Import_FromJSON.ps1
  8. Enter your Azure AD credentials for tenant B
  9. Enter the same folder you used as the export folder in step 4

    You should be able to see those ADMX template profiles created in your tenant.

Now here is the long version of the story

Properties

To start, I needed to find out how to get the ADMX template information. I used my browser’s developer tools (F12) network monitor to find the REST URI and request headers used when configuring ADMX template settings, then tested those requests in Graph Explorer: https://developer.microsoft.com/en-us/graph/graph-explorer

I am using this ADMX – TEST01 profile as an example; I have configured two settings in it:

  • Access data sources across domains is configured as Enabled.
  • Allow cut, copy or paste operation from the clipboard via script is configured as Disabled.

When we import an ADMX template profile, each setting needs two or three properties, depending on whether it is configured as Disabled or Enabled:

  1. Each ADMX policy setting has its own definition ID.
  2. If the setting is configured as Enabled and has further options to configure, we also need the presentation ID; it identifies the option control, here the text box ” *Access data sources across domains”.
  3. We need the presentation value property to define which option is used when Enabled, for example Prompt, Enable or Disable, or anything else.

Export settings

We will use Graph Explorer to find all the properties we need.

  • List all configured ADMX template profiles
    GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/

  • Let’s take the profile “ADMX – TEST01” as an example; the response gives its id as 5133abf8-1026-48e7-a59c-0704fb2a9d04, so let’s get only the details of this profile
    GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/5133abf8-1026-48e7-a59c-0704fb2a9d04

  • List which ADMX policy settings are configured (the definition values; each has its own id)
    GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/5133abf8-1026-48e7-a59c-0704fb2a9d04/definitionValues
  • Now that we have the definition value id, we can list how that setting has been configured; this gives us the value property
    GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/5133abf8-1026-48e7-a59c-0704fb2a9d04/definitionValues/ce9ec73d-6031-4cde-bcbe-900b2b5ca8b4/presentationValues
    If the setting is configured as Enabled, you get a response with the value in it.
    We only need the @odata.type and value properties; we don’t need lastModifiedDateTime, createdDateTime or id.

    If the setting is configured as Disabled, the presentationValues response is empty.

NOTE: presentationValues can also be empty for settings that only have Enabled and Disabled options, for example “Allow printers to be published”.

  • If presentationValues is not empty, we go on to get the presentation id of this setting
    GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/5133abf8-1026-48e7-a59c-0704fb2a9d04/definitionValues/ce9ec73d-6031-4cde-bcbe-900b2b5ca8b4/presentationValues?$expand=presentation
  • We also need the definition id of this ADMX setting, and the same call gives us the displayName of the setting
    GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/5133abf8-1026-48e7-a59c-0704fb2a9d04/definitionValues/ce9ec73d-6031-4cde-bcbe-900b2b5ca8b4/definition

    Now that we have everything we need, this is the JSON file exported by my PowerShell script (the two @odata.bind properties reference the definition and the presentation by id):

    {
      "enabled": true,
      "presentationValues": [
        {
          "@odata.type": "#microsoft.graph.groupPolicyPresentationValueText",
          "value": "1",
          "presentation@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('128b67df-30bf-4f5f-80c4-83c60163db05')/presentations('2ec9cd40-8ac8-4c6d-a547-7fda619491b8')"
        }
      ],
      "definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('128b67df-30bf-4f5f-80c4-83c60163db05')"
    }
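The GET sequence above, and the duplicate-name check from step 1 of the TL;DR, as one runnable script. This is an added example and not code from the original post or its GitHub scripts; it assumes the Microsoft.Graph PowerShell SDK (Connect-MgGraph / Invoke-MgGraphRequest) rather than the token helper from the Intune samples, and the output folder name is a placeholder.

```powershell
# Added example, not code from the original post or its GitHub scripts.
# Walks the GET calls above for every ADMX template profile and writes one folder
# per profile with one JSON file per configured setting, in the body shape the
# import step expects. Assumes the Microsoft.Graph PowerShell SDK
# (Connect-MgGraph / Invoke-MgGraphRequest); the output path is a placeholder.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All" | Out-Null

$Beta       = "https://graph.microsoft.com/beta/deviceManagement"
$ExportRoot = Join-Path $PWD "ADMX-Export"    # placeholder output folder

# Graph pages large collections: follow @odata.nextLink until it is absent.
function Get-GraphCollection ([string]$Uri) {
    $items = @()
    do {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject -ErrorAction Stop
        $items += @($page.value)
        $Uri    = $page.'@odata.nextLink'
    } while ($Uri)
    return $items
}

# Turn a presentationValue as returned by Graph into its import shape: keep
# @odata.type and the value (or values) property, drop id and the timestamps,
# and replace the expanded presentation object with a presentation@odata.bind.
function ConvertTo-PresentationValueBody ($PresentationValue, [string]$DefinitionId) {
    $body = [ordered]@{}
    foreach ($prop in $PresentationValue.PSObject.Properties) {
        if ($prop.Name -in 'id', 'createdDateTime', 'lastModifiedDateTime') { continue }
        if ($prop.Name -like 'presentation*') { continue }   # expanded navigation, rebuilt below
        $body[$prop.Name] = $prop.Value
    }
    $body['presentation@odata.bind'] = "$Beta/groupPolicyDefinitions('$DefinitionId')/presentations('$($PresentationValue.presentation.id)')"
    return $body
}

$profiles = @(Get-GraphCollection "$Beta/groupPolicyConfigurations")

# Step 1 of the TL;DR: the export folder is named after the profile, so names must be unique.
$dupes = @($profiles | Group-Object displayName | Where-Object Count -gt 1)
if ($dupes.Count -gt 0) {
    throw "Duplicate ADMX profile names, rename them before exporting: $($dupes.Name -join ', ')"
}

foreach ($profile in $profiles) {
    $folder = Join-Path $ExportRoot $profile.displayName
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    $base = "$Beta/groupPolicyConfigurations/$($profile.id)/definitionValues"

    foreach ($dv in @(Get-GraphCollection $base)) {
        # Definition id, displayName and classType (user/machine) of this setting.
        $definition = Invoke-MgGraphRequest -Method GET -Uri "$base/$($dv.id)/definition" -OutputType PSObject -ErrorAction Stop

        # Presentation values, expanded so each carries its presentation id. The list is
        # empty when the setting is Disabled or has nothing beyond Enabled/Disabled.
        $pvs = @(Get-GraphCollection "$base/$($dv.id)/presentationValues?`$expand=presentation")

        $setting = [ordered]@{
            'enabled'               = $dv.enabled
            'presentationValues'    = @($pvs | ForEach-Object { ConvertTo-PresentationValueBody $_ $definition.id })
            'definition@odata.bind' = "$Beta/groupPolicyDefinitions('$($definition.id)')"
        }

        # File name from classType + displayName: the same name exists under both Computer
        # and User configuration, and a definition id suffix breaks any remaining tie.
        $safeName = $definition.displayName -replace '[\\/:*?"<>|]', '_'
        $path = Join-Path $folder "$($definition.classType)_$safeName.json"
        if (Test-Path $path) { $path = $path -replace '\.json$', "_$($definition.id).json" }

        $setting | ConvertTo-Json -Depth 10 | Set-Content -Path $path -Encoding UTF8
        Write-Host "$($profile.displayName): $($definition.displayName) (enabled=$($dv.enabled), $($pvs.Count) presentation value(s))"
    }
}
```

Run it signed in to tenant A. Two design choices worth noting: the script aborts on duplicate profile names instead of silently writing two profiles into one folder, and it passes every presentationValue property except id and the timestamps through to the file rather than copying only `value`, so presentation types that carry their data in a different property survive the round trip unchanged.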
    

Import settings

  • Create a new ADMX profile
    POST https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations
    Request body:

    {
      "description": "",
      "displayName": "ADMX - Test02"
    }

  • The response gives us the id of the policy configuration we just created
  • Create/import the settings, one POST per setting
    POST https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations/2fd791ad-af52-44ba-9da6-de122c8cda8b/definitionValues
    Request body: the contents of the JSON file we exported earlier, as-is.
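The two POST calls above as a script that recreates every exported profile folder in the target tenant. This is an added example, not code from the original post or its GitHub scripts; it assumes the Microsoft.Graph PowerShell SDK and an export folder laid out as one folder per profile with one JSON body per setting, and the paths and the optional scope tag id are placeholders.

```powershell
# Added example, not code from the original post or its GitHub scripts.
# Recreates each exported profile folder in the target tenant: one POST to create
# the profile, then one POST per setting file to its definitionValues. Assumes the
# Microsoft.Graph PowerShell SDK and an export laid out as one folder per profile
# with one JSON body per setting; the paths and scope tag id are placeholders.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" | Out-Null

$Beta       = "https://graph.microsoft.com/beta/deviceManagement"
$ImportRoot = Join-Path $PWD "ADMX-Export"    # placeholder: folder written by the export
$ScopeTagId = $null                            # optional placeholder: a role scope tag id to stamp on each profile

# Names already present in the target tenant, to avoid creating duplicates.
$existing = @((Invoke-MgGraphRequest -Method GET -Uri "$Beta/groupPolicyConfigurations" -OutputType PSObject -ErrorAction Stop).value)

foreach ($folder in Get-ChildItem -Path $ImportRoot -Directory) {
    $displayName = $folder.Name    # rename the folder to rename the imported profile

    if ($existing | Where-Object displayName -eq $displayName) {
        Write-Warning "'$displayName' already exists in this tenant, skipping"
        continue
    }

    # 1. Create the empty profile; the response carries the new configuration id.
    $create = [ordered]@{ displayName = $displayName; description = "Imported from JSON export" }
    if ($ScopeTagId) { $create['roleScopeTagIds'] = @($ScopeTagId) }   # the scope-tag point raised in the comments
    $newProfile = Invoke-MgGraphRequest -Method POST -Uri "$Beta/groupPolicyConfigurations" `
        -Body ($create | ConvertTo-Json) -ContentType "application/json" -OutputType PSObject -ErrorAction Stop
    Write-Host "Created '$displayName' as $($newProfile.id)"

    # 2. POST each exported body unchanged. The definition@odata.bind and
    #    presentation@odata.bind URIs reference the built-in definition and
    #    presentation ids, which is what lets the same file import into another tenant.
    $ok = 0; $failed = 0
    foreach ($file in Get-ChildItem -Path $folder.FullName -Filter *.json) {
        $body = Get-Content -Path $file.FullName -Raw
        try {
            Invoke-MgGraphRequest -Method POST -Uri "$Beta/groupPolicyConfigurations/$($newProfile.id)/definitionValues" `
                -Body $body -ContentType "application/json" -ErrorAction Stop | Out-Null
            $ok++
        } catch {
            $failed++
            Write-Warning "$($file.Name): $($_.Exception.Message)"
        }
    }
    Write-Host "  $ok setting(s) imported, $failed failed"
}
```

Run it signed in to tenant B. Each setting is posted in its own try/catch so one rejected body (for example a setting whose definition is not available in the target tenant) is reported by file name and does not stop the rest of the profile from importing.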

Enjoy testing! If you find settings that don’t work with my script, please leave a comment describing which setting and what configuration. Thanks!

Sandy Zeng

Sandy has been an Enterprise Mobility MVP since 2018. She is an experienced Information Technology Specialist with over 10 years in the field, skilled in Microsoft Endpoint Manager (ConfigMgr and Intune), Windows 10 and security. Sandy's interests are mostly related to Microsoft technologies; she is passionate about learning new skill sets, both to advance her professional career and as a hobby. She uses her expertise to help customers achieve their goals and solve their issues.

Sandy founded the https://sandyzeng.com blog and is now a blogger on MSEndPointMgr.

8 comments

  • Really helpful Sandy, thank you very much

    I needed to duplicate all the profiles in the tenant, so it was easy to export all, rename the folder, then import again. Job done.

    Looking forward to more nice work from you.

    Mahmoud

  • This is extremely useful, thank you! However, the import does not take Scope Tags into account. That would be easy to resolve by adding “roleScopeTagIds”:[“$ScopeId”] to the $jsonCode block, provided $ScopeId is determined somewhere else in the script. When testing, I did not have access to https://graph.microsoft.com/beta/deviceManagement/roleAssignments. DeviceManagementRBAC.Read.All and DeviceManagementRBAC.ReadWrite.All are required for that. As such, I just input the ID I know it to be for the environment I expect.
