Releases: ugurkocde/IntuneAssignmentChecker
v4.2.0 - Bearer-Token Auth, Device What-If, User+Device Preview
What's new
Three additions in this release, all driven by user feedback. None of them break existing scripts.
1. Pre-fetched access-token authentication
A new -AccessToken parameter accepts a [SecureString] Microsoft Graph token, so the tool runs cleanly in non-interactive contexts that already hold a token: Azure Automation managed identities, Azure Functions, GitHub Actions with federated credentials, or any parent script that already called Connect-MgGraph. No cert or client-secret juggling required.
$tok = ConvertTo-SecureString $env:GRAPH_TOKEN -AsPlainText -Force
Invoke-IntuneAssignmentChecker -AccessToken $tok -ShowAllPolicies
If a Graph session is already established in the current shell, the tool reuses it as before.
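A pre-flight check a runbook can run before the call above, as an added example that is not part of the project: it decodes the token's claims locally, without verifying the signature, to confirm a Graph audience and enough remaining lifetime. `Test-GraphTokenClaims`, the two Base64Url helpers and the sample token are hypothetical and constructed for illustration.

```powershell
# Added example, not project code: read a token's claims before handing it to -AccessToken.
function ConvertFrom-Base64Url([string]$Value) {
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Test-GraphTokenClaims {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Token, [int]$MinMinutesLeft = 5)

    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a three-part JWT.' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    # Graph audiences for Global, USGov and USGovDoD, plus the Graph application ID.
    $graphAud = 'https://graph.microsoft.com', 'https://graph.microsoft.us',
                'https://dod-graph.microsoft.us', '00000003-0000-0000-c000-000000000000'
    $expires  = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    $minutes  = [int]($expires - [DateTime]::UtcNow).TotalMinutes

    [pscustomobject]@{
        AudienceOk  = $graphAud -contains ([string]$claims.aud).TrimEnd('/')
        MinutesLeft = $minutes
        Fresh       = $minutes -ge $MinMinutesLeft
        AppRoles    = @($claims.roles | Where-Object { $_ })               # application permissions
        Scopes      = @("$($claims.scp)" -split ' ' | Where-Object { $_ }) # delegated permissions
    }
}

# Constructed, unsigned sample token (made-up claims) so the block runs offline.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = @{
    aud   = 'https://graph.microsoft.com'
    exp   = [DateTimeOffset]::UtcNow.AddMinutes(30).ToUnixTimeSeconds()
    roles = @('DeviceManagementConfiguration.Read.All')
} | ConvertTo-Json -Compress
$sample = '{0}.{1}.sig' -f (ConvertTo-Base64Url '{"alg":"none"}'), (ConvertTo-Base64Url $payload)

$check = Test-GraphTokenClaims -Token $sample
$check
if ($check.AudienceOk -and $check.Fresh) {
    $tok = ConvertTo-SecureString $sample -AsPlainText -Force
    # Invoke-IntuneAssignmentChecker -AccessToken $tok -ShowAllPolicies   # call from the release notes
}
```

The claims are read unverified, so this only catches a wrong-audience or near-expired token early; Microsoft Graph still validates the token on every request.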
2. Device What-If on existing simulations
Test-IntuneGroupMembership and Test-IntuneGroupRemoval (menu options 12 and 13) now accept a Device in addition to a User. Pass either, or both. Group memberships are unioned; the impact analysis evaluates the combined set.
# Device only
Invoke-IntuneAssignmentChecker -SimulateGroupMembership -DeviceNames LAB-PC-01 -SimulateTargetGroup PilotDevices
# User and device together
Invoke-IntuneAssignmentChecker -SimulateGroupMembership -UserPrincipalNames alice@contoso.com -DeviceNames ALICE-LAPTOP -SimulateTargetGroup PilotDevices
3. New menu option 16 - What-If for a User on a specific Device
Get-IntuneUserDeviceAssignment (or menu option 16) lists every policy and app that would apply to a given user on a given device, mirroring what Intune itself deploys for an Autopilot scenario. Each row carries a Source column indicating where the assignment came from:
- User group - assignment comes from a group containing only the user
- Device group - assignment comes from a group containing only the device
- User+Device group - assignment comes from a group containing both
- All Users/All Devices - tenant-wide assignment
- Excluded - exclusion overrode an inclusion
Invoke-IntuneAssignmentChecker -CheckUserAndDevice -UserPrincipalNames alice@contoso.com -DeviceNames ALICE-LAPTOP
This eliminates the back-and-forth of provisioning a device, checking the deployment report, adjusting groups, and reprovisioning to discover what ends up applying.
Note: assignment filter rules are listed but not evaluated against device properties. Filter evaluation happens server-side in Intune at deployment time.
Other
- Inverted color in the removal-impact summary so conflicts now render Red and lost-only renders Yellow (was the other way around).
Install
Install-Module IntuneAssignmentChecker -Scope CurrentUser
IntuneAssignmentChecker
To upgrade:
Update-Module IntuneAssignmentChecker
Migration
No breaking changes. All existing parameter-mode invocations work unchanged. The -DeviceNames parameter on options 12 and 13 is optional; UPN-only behavior is identical to v4.1.0.
Full Changelog: v4.1.0...v4.2.0
v4.1.0 - Assignment Filters
What's new
You can now see Intune assignment filters wherever assignments are shown. Closes #122.
Filters in Intune scope an assignment to a subset of devices based on properties (OS version, model, ownership, manufacturer, etc.). Until now, the only way to know whether a filter was attached to an assignment was to open the Intune portal and click into each one. v4.1.0 surfaces this directly in every output.
Where filters appear
Every assignment now shows the filter name and include/exclude type when one is attached. Format: <target> (Filter: <name> [Include|Exclude]).
- Console output for Get-IntuneUserAssignment, Get-IntuneGroupAssignment, Get-IntuneDeviceAssignment, Get-IntuneAllUsersAssignment, Get-IntuneAllDevicesAssignment, Get-IntuneAllPolicies
- Simulation results from Test-IntuneGroupMembership and Test-IntuneGroupRemoval
- Comparison output from Compare-IntuneGroupAssignment
- Reverse search from Search-IntunePolicy
- CSV exports get dedicated FilterName and FilterType columns
- HTML reports from New-IntuneHTMLReport get a new Filter column on every assignment table
Coverage includes: Configuration Profiles, Settings Catalog, Compliance Policies, App Protection, App Configuration, Mobile Apps, Platform and Remediation Scripts, Autopilot Deployment Profiles, Enrollment Status Page, Endpoint Security (Antivirus, Disk Encryption, Firewall, EDR, ASR, Account Protection), and Windows 365 Cloud PC Provisioning Policies and User Settings.
Under the hood
- Get-AssignmentFilterLookup fetches all filters once at connect time and caches them. No extra Graph calls per assignment.
- Format-AssignmentFilter is a single helper used everywhere a filter is rendered, so the format stays consistent.
- Equality checks against Excluded / Included / All Users / All Devices were updated to startswith comparisons so the new filter suffix does not break detection logic in simulations and comparisons.
Tests
- 44 Pester 5 unit tests covering every helper and the CSV regex extractor, running on Ubuntu, Windows, and macOS via GitHub Actions on every PR
- Tests/Smoke/Run-Smoke.ps1 for manual pre-release verification against a live tenant
Install
Install-Module IntuneAssignmentChecker -Scope CurrentUser
IntuneAssignmentChecker
To upgrade from v4.0.0:
Update-Module IntuneAssignmentChecker
Migration
No breaking changes. Existing scripts and runbooks continue to work unchanged. Filter info is additive: assignments without a filter render exactly as before.
Full Changelog: v4.0.0...v4.1.0
v4.0.0
Highlights
v4.0 is a major release that converts the 11K-line monolithic script into a proper PowerShell module, adds four new menu options, and fixes several bugs.
Heads-up: PowerShell Gallery publish is temporarily blocked because IntuneAssignmentChecker is reserved as a Script from v3.x. Until PSGallery frees the namespace for the module, install directly from this GitHub release (Option B below). The Install-PSResource path will work as soon as PSGallery is updated.
Breaking: v4.0 is installed via Install-PSResource (or Install-Module), not Install-Script. If you previously installed v3.x via Install-Script IntuneAssignmentChecker, run Uninstall-Script IntuneAssignmentChecker before upgrading.
Install
Install-Module IntuneAssignmentChecker
IntuneAssignmentChecker
Module conversion
- Script refactored into a PowerShell module with 18 exported cmdlets (Private helpers, Public cmdlets, manifest, loader, HTML export, settings catalog)
- Each feature available as a standalone cmdlet: Get-IntuneUserAssignment, Get-IntuneGroupAssignment, New-IntuneHTMLReport, Search-IntuneSetting, and more
- IntuneAssignmentChecker alias still launches the familiar interactive menu
- PSGallery version check replaces the old GitHub self-update mechanism
New menu options
- [12] Simulate Group Membership Impact - preview what policies and apps a user would receive if added to a group
- [13] Simulate Removing User from Group - preview what policies and apps a user would lose if removed from a group
- [14] Search Policy Assignments - reverse lookup: search by policy name, see all assignment targets
- [15] Search for Specific Settings - search 17,000+ setting definitions across Settings Catalog and Endpoint Security policies, with abbreviation expansion and fuzzy matching
UI / UX improvements
- Terminal-width-aware separators (no more 120-char overflow)
- Sequential menu numbering (1-15, T for Switch Tenant)
- UPN format validation before network calls
- y/n prompts accept Y/y/Yes/yes
- Simulation results use a distinct Yellow banner to differentiate from real reports
- Compact impact summaries with category counts
- Meta-options 98/99 dimmed in DarkGray
Bug fixes
- Fix app platform detection: Windows apps (win32LobApp, winGetApp, microsoftStoreForBusinessApp, officeSuiteApp) were reported as "Multi-Platform" in the HTML report and are now correctly reported as "Windows" (#121)
- Remove deprecated groupPolicyConfigurations (Administrative Templates) API
- Migrate deviceStatuses API endpoints to the supported version
- Fix hardcoded Graph URLs to use the dynamic GraphEndpoint variable (supports Global / USGov / USGovDoD correctly)
- Add Autopilot Deployment Profiles and ESP Profiles to simulation options
- Add ScopeTagFilter support to simulation options
Known follow-ups
- Assignment filter visibility (#122) is planned for v4.1
Full diff: v3.10.0...v4.0.0
v3.10.0
Bug Fix
- Fix auto-update function using incorrect script URL (Fixes #110)
  - The $scriptUrl variable pointed to IntuneAssignmentChecker_v3.ps1 which does not exist in the repository, causing a 404 error when auto-update triggered
  - Updated $scriptUrl, $newScriptPath, all .EXAMPLE references, and README to use the correct filename IntuneAssignmentChecker.ps1
v3.9.1
Bug Fix
- Fix HTML report crash when tenant has no legacy Endpoint Security intent policies (Fixes #109)
  - The Add-IntentTemplateFamilyInfo function in html-export.ps1 failed with a null parameter binding error when Get-IntuneEntities returned no deviceManagement/intents policies
  - Made the parameter optional, removed the strict type constraint, and added a null guard to match the defensive version in the main script
v3.9.0
What's New
New Features
- -HTMLReportPath parameter -- Specify a custom output path for the HTML report. Accepts a full file path or directory. (Fixes #107)
- -GroupNames parameter -- Run group assignment checks non-interactively (-CheckGroup -GroupNames "Marketing Team"). Previously referenced in help docs but missing from the parameter block.
Bug Fixes
- Fix version mismatch -- $localVersion was stuck at 3.8.3 while the script header already declared 3.9.0, causing the update check to behave incorrectly.
- Fix Failed Assignments CSV export (option 11) -- Export-ResultsIfRequested was called with wrong parameter names, so CSV export silently did nothing.
- Fix version_v3.txt -- Remote update-check file was still at 3.8.3.
UX Improvements
- Collapsed permission output -- When all permissions pass, a single summary line is shown instead of 18+ lines of per-permission detail.
- Hidden empty sections in User Check (option 1) -- Empty categories no longer print "No X found". Only categories with results are displayed.
- Category summary -- User Check now shows "Found assignments in X of Y categories" before the detail sections, so admins immediately know the scope.
- Progress counter -- Fetch operations in User Check show [1/17], [2/17], etc. so admins know how far along the process is.
- No interactive prompts in parameter mode -- The CSV export prompt no longer fires when running non-interactively without -ExportToCSV, preventing automation hangs.
CI
- Fixed PSScriptAnalyzer workflow failing to comment on PRs due to missing pull-requests: write permission.
Full Changelog: v3.8.3...v3.9.0
v3.8.3
Bug Fix
- Fix null parameter binding error in Add-IntentTemplateFamilyInfo when Endpoint Security intent policies are inaccessible (Fixes #105)
Details
When Get-IntuneEntities returns null for deviceManagement/intents (due to missing permissions, empty tenant, or API errors), the Add-IntentTemplateFamilyInfo function now gracefully skips processing instead of throwing "Cannot bind argument to parameter 'IntentPolicies' because it is null" errors for Antivirus, Disk Encryption, Firewall, EDR, ASR, and Account Protection policies.
v3.8.2
Bug Fix
Fix HTML Report Generation Error (fixes #105)
- Fixed a bug where generating the HTML report (Option 7) would throw a PowerShell parse error
- The issue was caused by unescaped $ characters in JavaScript regex code inside a PowerShell expandable here-string
- Specifically, ${} and $& in the Scope Tag and Platform filter regex patterns were being interpreted by PowerShell as variable references instead of literal JavaScript
- Thanks to @udapvr for reporting and @erik-wo for identifying the root cause
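The two ways to keep JavaScript dollar signs literal when a report template lives in a PowerShell here-string, as an added example that is not the project's code. The regex-escaping one-liner, `$title` and the `__TITLE__` placeholder are constructed for illustration.

```powershell
# Added example, not project code. $title and the placeholder are constructed values.
$title = 'Constructed report'

# Expandable here-string (@" ... "@): PowerShell expands $name and ${name}, and an
# unescaped ${} is read as an empty variable reference. A backtick before each
# JavaScript dollar sign keeps it literal.
$expandable = @"
<h1>$title</h1>
<script>
const escapeRegex = s => s.replace(/[.*+?^`${}()|[\]\\]/g, '\\`$&');
</script>
"@

# Literal here-string (@' ... '@): nothing is expanded, so the JavaScript is pasted
# unchanged and PowerShell values go in through an explicit, HTML-encoded placeholder.
$literal = @'
<h1>__TITLE__</h1>
<script>
const escapeRegex = s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
</script>
'@
$literal = $literal.Replace('__TITLE__', [System.Net.WebUtility]::HtmlEncode($title))

# Both forms emit the same page text.
$expandable -eq $literal
```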
v3.8.1
What's New
Platform Filter in HTML Report (fixes #103)
- A new Platform filter dropdown has been added to the HTML report
- Dynamically populated with all unique platforms found across policies and apps
- Works alongside the existing Group Search, Assignment Type, and Scope Tag filters
- Filter layout updated to a 2x2 grid to accommodate all four filter controls
Platform Column on All Tabs
- All policy types now include platform information (Device Configurations, Compliance Policies, Settings Catalog, Endpoint Security, Scripts, Autopilot, etc.)
- The Platform column is now shown on every tab, not just app tabs
- Platform filter works consistently across all tabs
v3.8.0
What's New
Multi-Device Handling (fixes #94)
- When multiple Entra ID devices share the same display name (common with Hybrid Join + Entra Join), the script now detects this and presents an interactive selection list
- Each device is displayed with OS, trust type, device ownership, compliance status, last sign-in date, and Object ID
- In parameter mode, a warning lists all matching devices with their Object IDs so the user can re-run with a specific ID
- Device lookup by Object ID (GUID) is now supported as direct input, bypassing display name ambiguity entirely
- Device query switched from v1.0 to beta endpoint for richer disambiguation properties
Scope Tag Filter in HTML Report (fixes #85, #96)
- A new Scope Tag filter dropdown has been added to the HTML report alongside the existing Group Search and Assignment Type filters
- The dropdown is dynamically populated with all unique scope tags across policies and apps
- Uses regex-based matching for accurate filtering of comma-separated scope tag values
Platform Column in "All Policies & Apps" Tab (fixes #96)
- The combined "All Policies & Apps" tab now includes a Platform column, showing the platform/OS for applications to help distinguish duplicate app names across Android and iOS/iPadOS
Bug Fixes
- Fixed the Assignment Type filter in the HTML report which targeted a hardcoded column index and broke on tables with different column counts (e.g., app tabs with a Platform column)
- The filter now dynamically finds the correct column by header text