Code Quality: Hardcoded Graph URLs break USGov, stale parameter docs, missing error handling

[ugurkocde]

Summary

Weekly code quality review found several issues across security, error handling, and code quality categories.

---

Security

1. Hardcoded Graph API URLs in Get-AssignmentFailures bypass environment configuration

File: IntuneAssignmentChecker.ps1, lines 1509, 1513, 1541, 1545

The Get-AssignmentFailures function uses hardcoded https://graph.microsoft.com URLs instead of $script:GraphEndpoint. This completely breaks the "Show Failed Assignments" feature (option 11) for USGov and USGovDoD tenants.

Current code (line 1509):

$configPoliciesUri = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations"

Suggested fix:

$configPoliciesUri = "$script:GraphEndpoint/beta/deviceManagement/deviceConfigurations"

All four hardcoded URLs in this function (lines 1509, 1513, 1541, 1545) need the same treatment. The commented-out app failure block (lines 1468, 1473) also has the same issue and should be fixed before re-enabling.

---

Error Handling

2. Get-GroupMemberships lacks try/catch around API call

File: IntuneAssignmentChecker.ps1, line 1278

This function calls Invoke-MgGraphRequest without any error handling. If the API call fails (e.g., permission denied, network error), an unhandled exception will surface to the user.

Current code:

function Get-GroupMemberships {
    param (
        [Parameter(Mandatory = $true)]
        [string]$ObjectId,
        [Parameter(Mandatory = $true)]
        [ValidateSet("User", "Device")]
        [string]$ObjectType
    )

    $uri = "$GraphEndpoint/v1.0/$($ObjectType.ToLower())s/$ObjectId/transitiveMemberOf?`$select=id,displayName"
    $response = Invoke-MgGraphRequest -Uri $uri -Method Get

    return $response.value
}

Suggested fix: Wrap in try/catch consistent with other functions like Get-TransitiveGroupMembership (line 1283) which handles the same pattern correctly.

---

Code Quality

3. Ghost ShowAdminTemplates parameter in help documentation

File: IntuneAssignmentChecker.ps1, line 247

The .PARAMETER ShowAdminTemplates entry exists in the comment-based help, but this parameter was removed from the param() block in v3.4.0. This misleads users reading Get-Help.

Fix: Remove the .PARAMETER ShowAdminTemplates block (line 247-248).

4. PSScriptInfo RELEASENOTES missing v3.10.0 entry

File: IntuneAssignmentChecker.ps1, lines 4-12

The .VERSION is 3.10.0 but .RELEASENOTES starts at Version 3.9.1. There is no release notes entry for 3.10.0, which describes what changed in the current version (the _v3 filename fix and auto-update URL correction).

Fix: Add a Version 3.10.0: block at the top of .RELEASENOTES describing the filename and URL fixes.

---

Priority

1. Hardcoded URLs - Functional breakage for USGov/USGovDoD tenants
2. Missing error handling - Unhandled exceptions in group membership lookup
3. Stale docs - User confusion from removed parameter
4. Missing release notes - Minor but affects PSGallery metadata

[ugurkocde]

Analysis & Suggested Fixes

1. Hardcoded Graph API URLs in Get-AssignmentFailures (Priority: High)

Confirmed all four hardcoded URLs at lines 1509, 1513, 1541, and 1545. These bypass $script:GraphEndpoint which is properly set at lines 432/438/444 for Global, USGov, and USGovDoD environments. This completely breaks Option 11 for sovereign cloud tenants.

Fix — replace all four occurrences:

# Line 1509: Device Configuration Policies
-$configPoliciesUri = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations"
+$configPoliciesUri = "$script:GraphEndpoint/beta/deviceManagement/deviceConfigurations"

# Line 1513: Device Configuration Statuses
-$statusUri = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations('$($policy.id)')/deviceStatuses"
+$statusUri = "$script:GraphEndpoint/beta/deviceManagement/deviceConfigurations('$($policy.id)')/deviceStatuses"

# Line 1541: Compliance Policies
-$compliancePoliciesUri = "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies"
+$compliancePoliciesUri = "$script:GraphEndpoint/beta/deviceManagement/deviceCompliancePolicies"

# Line 1545: Compliance Policy Statuses
-$statusUri = "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies('$($policy.id)')/deviceStatuses"
+$statusUri = "$script:GraphEndpoint/beta/deviceManagement/deviceCompliancePolicies('$($policy.id)')/deviceStatuses"

---

2. Missing Error Handling in Get-GroupMemberships (Priority: Medium)

Confirmed the function at lines 1267–1281 has no try/catch. The neighboring Get-TransitiveGroupMembership (line 1283) handles this correctly and can serve as a pattern. Suggested fix:

function Get-GroupMemberships {
    param (
        [Parameter(Mandatory = $true)]
        [string]$ObjectId,
        [Parameter(Mandatory = $true)]
        [ValidateSet("User", "Device")]
        [string]$ObjectType
    )

    try {
        $uri = "$GraphEndpoint/v1.0/$($ObjectType.ToLower())s/$ObjectId/transitiveMemberOf?`$select=id,displayName"
        $response = Invoke-MgGraphRequest -Uri $uri -Method Get
        return $response.value
    }
    catch {
        Write-Host "Error retrieving group memberships for $ObjectType $ObjectId : $_" -ForegroundColor Red
        return @()
    }
}

---

3. Ghost .PARAMETER ShowAdminTemplates in Help (Priority: Low)

Confirmed at line 247. The parameter was removed from the param() block (lines 93–172) but the help doc entry remains. Simply delete lines 247–248:

# Remove these lines:
.PARAMETER ShowAdminTemplates
    Show all Administrative Templates.

---

4. Missing v3.10.0 Release Notes (Priority: Low)

.VERSION at line 5 is 3.10.0 but .RELEASENOTES (lines 11–12) starts at Version 3.9.1. Add a new entry at the top of the release notes block describing the _v3 filename fix and auto-update URL correction.

[ugurkocde]

Additional Findings (2026-03-24)

Two new issues found that are not covered above.

---

5. Comment-based help missing 4 parameters

File: IntuneAssignmentChecker.ps1, lines 196-308 (.SYNOPSIS/.PARAMETER block)

The param() block (lines 93-172) defines these parameters, but they have no corresponding .PARAMETER entry in the comment-based help. Users running Get-Help IntuneAssignmentChecker.ps1 -Full will not see documentation for them.

Missing entries:

• ShowFailedAssignments (param block line 136)
• IncludeNestedGroups (param block line 167)
• ScopeTagFilter (param block line 170)
• SkipExecution (param block line 121) -- internal/testing, but still undocumented

Fix: Add .PARAMETER blocks after line 248 (or after removing the ghost ShowAdminTemplates entry):

.PARAMETER ShowFailedAssignments
    Show all failed policy deployment assignments.

.PARAMETER IncludeNestedGroups
    Include assignments inherited from parent groups.

.PARAMETER ScopeTagFilter
    Filter results by scope tag name.

(SkipExecution can optionally be documented as internal/testing.)

---

6. Register-IntuneAssignmentCheckerApp.ps1 missing 3 required permissions

File: Register-IntuneAssignmentCheckerApp.ps1, lines 43-53

The automated app registration helper only assigns 7 permissions, but the main script requires 9. Users following the "Automated Setup" path in the README will get 403 errors for features that depend on the missing scopes.

Missing permissions:

Permission	Purpose
DeviceManagementScripts.Read.All	Device management and health scripts
CloudPC.Read.All	Windows 365 Cloud PC provisioning policies
DeviceManagementRBAC.Read.All	Role scope tags for display and filtering

Additionally, the helper script includes DeviceManagementServiceConfig.Read.All (line 52) which is not in the main script's required permissions list (lines 512-548), suggesting it may be a leftover.

Fix: Update the $permissions array in Register-IntuneAssignmentCheckerApp.ps1 to match the main script's $requiredPermissions. The Graph API permission IDs for the missing scopes need to be looked up from the Microsoft Graph permissions reference.