mmckinnon/IntunePolicies
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: update settings for Edge and Defender policies

Browse Source
This commit is contained in:
Matthew McKinnon
2025-03-12 21:36:16 +10:00
parent 40c7895196
commit 39b6a1272d
4 changed files with 270 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
ImportPolicies.ps1
View File

@ -27,7 +27,7 @@ ForEach ($policie in $policies) {
try { try {
$uri = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" # Using the beta version $uri = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" # Using the beta version
# $response = Invoke-MgGraphRequest -Method POST -Uri $uri -Body ($PolicyObject | ConvertTo-Json -Depth 10) $response = Invoke-MgGraphRequest -Method POST -Uri $uri -Body ($PolicyObject | ConvertTo-Json -Depth 10)
Write-Host "$PolicieName - successfully imported!" Write-Host "$PolicieName - successfully imported!"
#$response #$response
} catch { } catch {
@ -39,10 +39,9 @@ ForEach ($policie in $policies) {
# Define the dynamic membership rule # Define the dynamic membership rule
$dynamicRule = '(device.deviceOSType -eq "Windows") and (device.accountEnabled -eq true) and (device.managementType -eq "MDM")' $dynamicRule = '(device.deviceOSType -eq "Windows") and (device.accountEnabled -eq true) and (device.managementType -eq "MDM")'
# Create the security group with dynamic membership # Create the security group with dynamic membership
$groupBody = @{ $groupBody = @{
displayName = "Intune - All Windows Workstations Dynamic Membership" displayName = "Intune - All Windows Workstations MDM"
mailEnabled = $false mailEnabled = $false
mailNickname = "IntuneWindowsDevices" mailNickname = "IntuneWindowsDevices"
securityEnabled = $true securityEnabled = $true
@ -57,4 +56,26 @@ $groupBodyJson = $groupBody | ConvertTo-Json -Depth 10
# Create the group using Invoke-MgGraphRequest # Create the group using Invoke-MgGraphRequest
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $groupBodyJson -ContentType "application/json" Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $groupBodyJson -ContentType "application/json"
# Define the dynamic membership rule
$dynamicRule = '(device.deviceOSVersion -startsWith "10") and (device.deviceOSType -eq "Windows")'
# Create the security group with dynamic membership
$groupBody = @{
displayName = "Intune - All Windows Computers"
mailEnabled = $false
mailNickname = "IntuneWindowsDevices"
securityEnabled = $true
groupTypes = @("DynamicMembership")
membershipRule = $dynamicRule
membershipRuleProcessingState = "On"
}
# Convert the body to JSON
$groupBodyJson = $groupBody | ConvertTo-Json -Depth 10
# Create the group using Invoke-MgGraphRequest
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $groupBodyJson -ContentType "application/json"
$null = Disconnect-Graph -ErrorAction SilentlyContinue $null = Disconnect-Graph -ErrorAction SilentlyContinue

178
NewAppReg.ps1 Normal file
View File

@ -0,0 +1,178 @@
# Ensure Microsoft.Graph module is installed
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph)) {
Write-Host "Installing Microsoft.Graph module..."
Install-Module -Name Microsoft.Graph -Force -AllowClobber
}
# Ensure ExchangeOnlineManagement module is installed
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph)) {
Write-Host "Installing ExchangeOnlineManagement Module..."
Install-Module -Name ExchangeOnlineManagement -Force -AllowClobber
}
# Import necessary modules
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
Import-Module ExchangeOnlineManagement
# Connect to Microsoft Graph with required permissions
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "AppRoleAssignment.ReadWrite.All" -NoWelcome
# Application details
$Name = "GraphAPI"
$Scope = "Application.ReadWrite.All", "DeviceManagementApps.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementServiceConfig.ReadWrite.All", "Group.ReadWrite.All", "Policy.ReadWrite.ApplicationConfiguration", "User.ReadWrite.All"
# Fetch Microsoft Graph Service Principal
$graphSp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
$graphRoles = $graphSp.AppRoles
# Debugging: Confirm AppRoles permissions
# Write-Host "`n🔍 Retrieved AppRoles from Microsoft Graph:"
# $graphRoles | Format-Table DisplayName, Id, Value -AutoSize
# Build required resource access list
$resourceAccess = @()
foreach ($perm in $Scope) {
$permId = ($graphRoles | Where-Object { $_.Value -eq $perm }).Id
if ($permId) {
$resourceAccess += @{
"id" = $permId
"Type" = "Role" # Use "Scope" if using delegated permissions
}
} else {
Write-Host "⚠️ Skipping $perm - Role ID not found in Microsoft Graph."
}
}
# Debugging: Confirm matched permissions
# Write-Host "`n✅ Final Mapped Permissions:"
# $resourceAccess | Format-Table -AutoSize
# Define app creation body
$body = @{
DisplayName = $Name
SignInAudience = "AzureADMyOrg"
RequiredResourceAccess = @(
@{
ResourceAppId = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
ResourceAccess = $resourceAccess
}
)
}
# Convert body to JSON
$payload = $body | ConvertTo-Json -Depth 4
# Create the application
Write-Host "Creating Azure AD application..."
$app = New-MgApplication -BodyParameter $payload
if (-not $app) {
Write-Host "❌ Failed to create application. Exiting."
exit
}
Write-Host "✅ Application Created: $($app.Id)"
# Wait for the application to propagate
Start-Sleep -Seconds 10
Write-Host "⏳ Waiting for application propagation..."
# Create Service Principal
Write-Host "Creating Service Principal..."
$servicePrincipal = New-MgServicePrincipal -AppId $app.AppId
if (-not $servicePrincipal) {
Write-Host "❌ Failed to create Service Principal. Exiting."
exit
}
Write-Host "✅ Service Principal created: $($servicePrincipal.Id)"
# Wait for service principal to propagate
Start-Sleep -Seconds 10
Write-Host "⏳ Waiting for application permissions to propagate..."
# Grant Admin Consent
foreach ($access in $resourceAccess) {
# Write-Host "`n🔹 About to grant admin consent for:"
# Write-Host " ➜ AppRoleId: $($access.id)"
# Write-Host " ➜ ServicePrincipalId: $($servicePrincipal.Id)"
# Write-Host " ➜ PrincipalId: $($servicePrincipal.Id)"
# Write-Host " ➜ ResourceId: $($graphSp.Id)"
try {
$null = New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipal.Id -PrincipalId $servicePrincipal.Id -ResourceId $graphSp.Id -AppRoleId $access.id
Write-Host "✅ Successfully granted admin consent for AppRoleId: $($access.id)"
} catch {
Write-Host "❌ Failed to grant admin consent for AppRoleId: $($access.id) - $_"
}
}
Write-Host "`n🎉 Admin consent process completed!"
# -------------------------------
# CREATE CLIENT SECRET
# -------------------------------
Write-Host "`n🔐 Creating Client Secret..."
$secretStartDate = Get-Date
$secretEndDate = $secretStartDate.AddYears(1) # Secret valid for 1 year
$clientSecret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
DisplayName = "GraphAPI-ClientSecret"
StartDateTime = $secretStartDate
EndDateTime = $secretEndDate
}
if (-not $clientSecret) {
Write-Host "❌ Failed to create client secret. Exiting."
exit
}
Write-Host "✅ Client Secret Created!"
# -------------------------------
# PRINT CREDENTIALS (STORE SECURELY!)
# -------------------------------
$tenantId = (Get-MgOrganization).Id
Write-Host "`n🚀 **Application Credentials**"
Write-Host "----------------------------------"
Write-Host "🌐 Tenant ID: $tenantId"
Write-Host "🔑 Client ID: $($app.AppId)"
Write-Host "🕵️‍♂️ Client Secret: $($clientSecret.SecretText)"
Write-Host "----------------------------------"
#Connect-ExchangeOnline -ShowBanner:$false
$scope = "https://graph.microsoft.com/.default"
$tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
# Create the body for the token request
$body = @{
client_id = "$($app.AppId)"
scope = $scope
client_secret = "$($clientSecret.SecretText)"
grant_type = "client_credentials"
}
# Request the token
$tokenResponse = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -ContentType "application/x-www-form-urlencoded" -Body $body
$accessToken = $tokenResponse.access_token
# Use the token in subsequent requests
$headers = @{
Authorization = "Bearer $accessToken"
}
$templates = Invoke-RestMethod -Method Get -Uri "https://graph.microsoft.com/beta/deviceManagement/templates" -Headers $headers
# Output the templates
$templates
$null = Disconnect-Graph -ErrorAction SilentlyContinue
$null = Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue

82
policies/LAPS.json
View File

@ -1,81 +1,59 @@
{ {
"@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity", "name": "Windows LAPS",
"createdDateTime": "2025-03-03T10:40:15.8588089Z", "description": "created by ourcloudnetwork.com",
"creationSource": null,
"description": "",
"lastModifiedDateTime": "2025-03-03T10:40:15.8588089Z",
"name": "LAPS",
"platforms": "windows10", "platforms": "windows10",
"priorityMetaData": null, "technologies": "mdm",
"roleScopeTagIds": [ "roleScopeTagIds": [
"0" "0"
], ],
"settingCount": 2,
"technologies": "mdm",
"id": "e7c1fcf8-13fb-42c7-a09a-3f43d7bd5cc9",
"templateReference": {
"templateId": "",
"templateFamily": "none",
"templateDisplayName": null,
"templateDisplayVersion": null
},
"settings": [ "settings": [
{ {
"id": "0", "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
"settingInstance": { "settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd", "settingDefinitionId": "device_vendor_msft_laps_policies_backupdirectory",
"settingInstanceTemplateReference": null,
"choiceSettingValue": { "choiceSettingValue": {
"settingValueTemplateReference": null, "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
"value": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_1", "value": "device_vendor_msft_laps_policies_backupdirectory_1",
"children": [ "children": [
{ {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance", "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordagedays", "settingDefinitionId": "device_vendor_msft_laps_policies_passwordagedays_aad",
"settingInstanceTemplateReference": null,
"simpleSettingValue": { "simpleSettingValue": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue", "@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue",
"settingValueTemplateReference": null,
"value": 14
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordcomplexity",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordcomplexity_4",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordlength",
"settingInstanceTemplateReference": null,
"simpleSettingValue": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue",
"settingValueTemplateReference": null,
"value": 14 "value": 14
} }
} }
] ],
"settingValueTemplateReference": {
"settingValueTemplateId": "4d90f03d-e14c-43c4-86da-681da96a2f92"
}
},
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "a3270f64-e493-499d-8900-90290f61ed8a"
} }
} }
}, },
{ {
"id": "1", "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
"settingInstance": { "settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus", "settingDefinitionId": "device_vendor_msft_laps_policies_passwordcomplexity",
"settingInstanceTemplateReference": null,
"choiceSettingValue": { "choiceSettingValue": {
"settingValueTemplateReference": null, "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
"value": "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus_1", "value": "device_vendor_msft_laps_policies_passwordcomplexity_4",
"children": [] "children": [],
"settingValueTemplateReference": {
"settingValueTemplateId": "aa883ab5-625e-4e3b-b830-a37a4bb8ce01"
}
},
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "8a7459e8-1d1c-458a-8906-7b27d216de52"
} }
} }
} }
] ],
"templateReference": {
"templateId": "adc46e5a-f4aa-4ff6-aeff-4f27bc525796_1"
}
} }

37
policies/LAPSAdmin.json Normal file
View File

@ -0,0 +1,37 @@
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity",
"createdDateTime": "2025-02-05T23:10:06.2132942Z",
"creationSource": null,
"description": "",
"lastModifiedDateTime": "2025-02-05T23:10:06.2132942Z",
"name": "Windows LAPS - Enable Administrator Account",
"platforms": "windows10",
"priorityMetaData": null,
"roleScopeTagIds": [
"0"
],
"settingCount": 1,
"technologies": "mdm",
"id": "388fbf31-619d-42e9-a481-7c09c64d2266",
"templateReference": {
"templateId": "",
"templateFamily": "none",
"templateDisplayName": null,
"templateDisplayVersion": null
},
"settings": [
{
"id": "0",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus_1",
"children": []
}
}
}
]
}