Automatically export your Intune platform scripts and remediation scripts to SharePoint using Azure Automation
In this post I will share an Azure Automation runbook allowing you to automatically export your Intune platform scripts and remediation scripts to SharePoint.
Context
You have platform scripts/Remediation scripts on Intune.
You want to automatically save them every x days.
You want to make them easily available to your team.
You want to keep the backup up to date when scripts are modified.
The goal is not really to back them up, since there is normally little risk of losing them, but mostly to make them available to you and your team more easily than going through Intune.
The solution
- A runbook in Azure Automation
- Get all remediation scripts
- Export both the detection and the remediation script
- Get all platform scripts
- Export them to SharePoint
Solution in action
Once the runbook has been executed, you will have the following structure on SharePoint:
The PlatformScripts folder contains your platform scripts
The Remediations folder contains your remediation scripts
In the PlatformScripts folder, scripts are saved as "file name.ps1"
In the Remediations folder, scripts are saved as Detection.ps1 and Remediations.ps1
Two CSV files will contain a summary of your scripts.
Platform_scripts.csv file contains information from your scripts, as below:
Remediations.csv file contains information from your scripts, as below:
Sources to download
Click on the GitHub picture below to get the following files:
- Assign_permissions.ps1
- Runbook.ps1
Adding permissions
In this step we need to grant the managed identity permissions to:
- Read Intune scripts
- Access a specific SharePoint site
For reading Intune scripts we need the DeviceManagementScripts.Read.All permission.
Regarding SharePoint, we don't want access to all sites, only a specific one.
For that we need to add the Sites.Selected permission.
To add the permissions we will use the script Assign_permissions.ps1.
The next step is to identify which SharePoint site the MI should have access to.
Getting SharePoint site id
The first step in order to upload something is to identify the SharePoint site to which we want to send the files.
For this we need the SharePoint site path and ID.
The SharePoint site path is pretty easy to get, in my case it's the below one:
https://systanddeploy.sharepoint.com/sites/Support
Now, to get the ID of a SharePoint site, proceed as below:
1. Open your browser
2. Type the following URL:
https://yoursharepoint.sharepoint.com/sites/yoursite/_api/site/id
In my case it's:
https://systanddeploy.sharepoint.com/sites/Support/_api/site/id
Since we use the Sites.Selected permission, we also need to grant the managed identity access to that specific site.
To do this, proceed as below:
1. Open Graph Explorer here
2. Choose method POST
3. In the URL field, type the one below, replacing sharepointsiteid with your SharePoint site ID
https://graph.microsoft.com/v1.0/sites/sharepointsiteid/permissions
4. Go to Request body
5. Paste the body below, replacing the specified fields
6. Click on Run query
7. If you get a 403 Forbidden error in Graph Explorer, click on Modify permissions
8. There you will find a permission to allow; allow it
9. Click again on Run query
Creating the Automation account
1. Go to Azure portal
2. Go to Automation accounts
3. Click on Create
4. Type a name
5. Choose a Subscription, Resource group, and region
6. Click on Create
Setting Managed Identity
1. Go to your automation account
2. Go to Identity
3. Go to System assigned
4. Select On
5. Click on Save
6. Click on Yes
Creating the Runbook
1. Go to your Automation accounts
2. Go to Runbooks
3. Click on Create a runbook
4. Type a name
5. In Runbook type, select PowerShell
6. Select PowerShell 7
7. Click on Create
8. Go to Edit
9. Copy content of Runbook.ps1
10. In the runbook, fill in the variables below:
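As an added example (not the post's Runbook.ps1, whose variables are filled in at this step), here is the core of the export written as a PowerShell 7 runbook body: it takes a Graph token from the Automation managed identity, reads the remediation and platform scripts with DeviceManagementScripts.Read.All, and writes them into the site's default document library in the folder layout described above. The SharePoint site ID placeholder, the beta Graph endpoints and the default document library are assumptions.

```powershell
# Added example, not the post's Runbook.ps1: the core of the export, written for an Azure Automation
# PowerShell 7 runbook using the system-assigned managed identity (placeholder below is assumed).
$SiteId = '<your-sharepoint-site-id>'   # value returned by https://<tenant>.sharepoint.com/sites/<site>/_api/site/id
$Graph  = 'https://graph.microsoft.com'

# Token for Graph from the Automation identity endpoint; no Az modules required
$token   = Invoke-RestMethod -Method Get -Uri "$($env:IDENTITY_ENDPOINT)?resource=$Graph" `
               -Headers @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER; Metadata = 'True' }
$Headers = @{ Authorization = "Bearer $($token.access_token)" }

function Get-GraphCollection([string]$Uri) {
    # Follow @odata.nextLink so tenants with many scripts are exported completely
    do {
        $page = Invoke-RestMethod -Uri $Uri -Headers $Headers
        $page.value
        $Uri  = $page.'@odata.nextLink'
    } while ($Uri)
}

function ConvertTo-SafeName([string]$Name) {
    # Replace characters SharePoint does not accept in file and folder names
    return ($Name -replace '[\\/:*?"<>|]', '_').Trim()
}

function Send-ToSharePoint([string]$Path, [string]$Base64Content) {
    # Intune returns script bodies base64-encoded; decode them and PUT into the site's default
    # document library. This is exactly what the Sites.Selected grant (role "write") authorises.
    if (-not $Base64Content) { return }
    $bytes   = [Convert]::FromBase64String($Base64Content)
    $escaped = ($Path -split '/' | ForEach-Object { [uri]::EscapeDataString($_) }) -join '/'
    Invoke-RestMethod -Method Put -Uri "$Graph/v1.0/sites/$SiteId/drive/root:/$($escaped):/content" `
        -Headers $Headers -Body $bytes -ContentType 'text/plain' | Out-Null
}

# Remediation scripts: the list call omits script bodies, so each script is fetched by id
foreach ($s in Get-GraphCollection "$Graph/beta/deviceManagement/deviceHealthScripts") {
    $full   = Invoke-RestMethod -Uri "$Graph/beta/deviceManagement/deviceHealthScripts/$($s.id)" -Headers $Headers
    $folder = "Remediations/$(ConvertTo-SafeName $s.displayName)"
    Send-ToSharePoint "$folder/Detection.ps1"    $full.detectionScriptContent
    Send-ToSharePoint "$folder/Remediations.ps1" $full.remediationScriptContent
}

# Platform scripts: saved under the file name configured in Intune
foreach ($s in Get-GraphCollection "$Graph/beta/deviceManagement/deviceManagementScripts") {
    $full = Invoke-RestMethod -Uri "$Graph/beta/deviceManagement/deviceManagementScripts/$($s.id)" -Headers $Headers
    Send-ToSharePoint "PlatformScripts/$(ConvertTo-SafeName $full.fileName)" $full.scriptContent
}
```

The managed identity only ever holds read permission on Intune and write permission on this one site, so a compromised runbook cannot modify scripts or reach other SharePoint sites.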
Publishing the Runbook
1. Go to your Runbook
2. Click on Edit
3. Click on Publish
4. Click on Yes
Scheduling the Runbook
1. Go to your Runbook
2. Click on Schedules
3. Click on Add a schedule
4. Click on Link a schedule to your runbook
5. Click on Add a schedule
6. Type a name
7. In Recurrence, select Recurring
8. Click on Create