Last month I posted a blog about a Intune device configuration policy duplicator. For this months post I duplicated the Power App from last months post and modified it to be a Intune device configuration policy migrator to migrate policies from tenant to tenant.
Migrating policies from one tenant to another is useful in many ways, for example if an organization has a dev/test tenant where policies are tested, it’s useful to have a tool to migrate policies from dev/test to production tenants. Or maybe you’re a service provider and manage many tenants and have policies you’d like to duplicate across different tenants, the migrator will help with this process as well.
Let’s get started!
- Azure Active Directory
- Microsoft Endpoint Manager – Intune
- Microsoft Graph
- Power Automate
- Power Apps
Azure Active Directory
In the tenant we’d like to migrate to we need to register an application in Azure AD so we can make graph calls to create the policies. Do this by accessing Azure AD in the destination tenant, select “App registrations > New registration”. Give the app a name and select “Register”.
Make note of the Application ID (i.e. client ID) and select API permissions.
Select “Add a permission” and from Microsoft Graph select DeviceManagementConfiguration.ReadWrite.All under application permissions and select Add permissions at the bottom of the page. Lastly, selection “Grant admin consent for Contoso.
Now select Certificates & secrets from the navigation and select “New client secret”. Add a description and an expiration date. Add it and make note of the “Value” of the client secret. We’ll utilize the name of the tenant, client ID, and secret later on.
To accomplish everything we need to do we’ll need to create three different Power Automate Flows:
- Get device configuration profiles – pulls all of the device configuration profiles from Intune
- Migrate device configuration profiles – duplicates one or more device configuration profiles
- Delete device configuration profiles – deletes one of more device configuration profiles
If you’ve built out the policy migrator, simply “save as” each Flow and rename them for this scenario or follow the instructions in my previous post to create the Flows end to end. Otherwise follow the policy duplicator post to recreate.
Migrate device configuration profiles
Rename “Duplicate device configuration profiles” to “Migrate device configuration profiles” and modify the following steps in the Flow:
Again the steps in the Flow are identical and in addition to the existing Flows, add three initialize variable actions and select “Ask in PowerApps” from Dynamic content:
I recommend removing the PowerApps trigger at the top first then re-add it back. This will clear all the initialize variables from the dynamic content under PowerApps. You’ll need to select “Ask in PowerApps” for all five initialize variable values though.
The final edit needed is to modify the last HTTP action and add all three variables created above to Tenant, Client ID, and Secret. These fields will be populated with the tenant information added to the Power App for migration.
We can go about creating the Power App in two ways, either create a new screen in Power Apps and copy all the content from the policy duplicator or export the policy duplicator and re-import under a different name. Exporting and importing will also export all of the Flows too so this is the path I usually go down. If you haven’t created anything, follow the steps for the policy duplicator and work from there.
The Power App is identical to the migrator with a few modifications:
- Migrate button – add or rename the duplicate button to Migrate as well as add an icon if you’d like. My code looks like the following where each item in the parenthesis is the variable asked for after adding the Power Automate flow to the button.
- Tenant name – this is a textbox and the tenant name needs to be the actual name of the tenant such as mytenant.onmicrosoft.com.
- AAD app client ID – use an existing or register a new app in AAD to make Graph calls against. The app will need device configuration read/write perms as well. If you’re unsure, visit this post for details on how to register and configure and AAD app.
- AAD app client secret – create a secret key to authenticate to the AAD registered app, if you’re unsure how to do this, it’s covered in this post as well. To hide the secret when added and as an extra security precaution, under Properties for the textbox change the “Mode” to Password. This will place dots in the field instead of showing the password.
That’s it! We created a Power Automate Flow to pull and migrate Intune device configuration profiles with an optional prefix, delete profiles, as well as utilized Power Apps to create a UI to accomplish the task.