Intune policy life cycle management

The last two posts demonstrated how to create Power Apps and Power Automate flows to duplicate and migrate Intune device configuration policies as well as created a baseline for this post. This month we’ll continue the theme of policy management by creating a Intune policy life cycle management solution with features such as backup, versioning, and restore.

Backup configuration policies


Restore configuration policies

Let’s get started!

Requirements

  • Azure Active Directory
  • Microsoft Endpoint Manager – Intune
  • Microsoft Graph
  • SharePoint online
  • Power Automate
  • Power Apps


SharePoint

I opted to utilize SharePoint as a policy repository because document libraries support versioning of items with no configuration required. In SharePoint, create a new document library and provide it a name, that’s it. Add the version column and other columns under view settings for the document library. Every time we backup a policy, a new version is created. From Power Apps (described later in this post), we can then either manually copy an older version of a policy and restore it or restore the latest version directly from the Power App.


Power Automate

As with the previous posts, there are multiple Power Automate Flows created to accomplish backing up and restoring configuration policies. If you’ve re-created the Intune device configuration policy duplicator, the Flows are modified a bit and I recommend making copies of existing Flows and modifying those. We’re modeling off of the Intune device configuration policy duplicator and if you haven’t created it, I recommend doing so or use it as a reference when creating the Flows.

Here are the Power Automate Flows I’ve created:

  • Get device configurations – identical to Flow in the policy duplicator
  • Delete configurations – identical to Flow in the policy duplicator
  • Backup configuration profile – this is slightly modified from the “copy configuration profile” Flow created in the duplicator post. Simply copy those and modify using the steps below.
  • Restore configuration profile – this is slightly modified from the “copy configuration profile” Flow created in the duplicator post. Simply copy those and modify using the steps below.
  • Restore multiple configuration profiles – this is slightly modified from the “copy configuration profile” Flow created in the duplicator post. Simply copy those and modify using the steps below.

Backup configuration profile

Again this is identical to the copy configuration profile duplicator Flow, however we have one modification at the end. Instead of using a HTTP action to Post (i.e. create) the policy, instead we’re going to create a .txt file in a SharePoint document library with the policy configuration settings (JSON). The display name comes from the “Parse JSON for get selected config profile” action and the file output is the output from “Compose combine prefix and displayName” action.


Restore configuration profile

Two very small modifications here, I changed the name of the variable and the name of the last HTTP action where it creates the profile from the manual JSON input in Power Apps.


Restore multiple configuration profiles

A few modifications are needed here, change the name of the variable to varConfigPoilcies or whatever makes sense to you, add a Parse JSON where links to the latest SharePoint policy versions will become an array. Then add a “get file content using path” SharePoint action to the flow and add “{Link}” from parse JSON which will convert it to an Apply to each action.

Power Apps

We have two screens in the Power App. The first screen is utilized to search, select, and backup existing policies to SharePoint as .txt files. The second screen is utilized to select or manually input JSON from an older version for restore to Intune.

Screen 1


Backup button

'Backupconfigurationprofile-lifecyclemgt'.Run(JSON(selectedconfigcollection.id,JSONFormat.IndentFour),'TextInput prefix_2'.Text)

Policy library icon

Launch("https://cbenterprisemobility.sharepoint.com/sites/ITworkflows/Intune%20device%20config%20repository/Forms/AllItems.aspx")

Screen 2

This is mostly new with the exception of search, refresh button and the prefix value text box. The Policy library icon is identical to the first screen and is a pointer to the SharePoint document library where the policies are backed up.


At the screen level under ACTION > OnVisible add:

Clear(backupconfigcollection);UpdateContext({ClearCheckbox:true});UpdateContext({ClearCheckbox:false});UpdateContext({CheckCheckbox:true});UpdateContext({CheckCheckbox:false})

Search items and Prefix value are identical to previous posts in this series.

Refresh List refreshes the list from the SharePoint document library so in this instance we need to utilize the “refresh” function as shown below.

Refresh('Intune device config repository')

Gallery list of backed up policies references the SharePoint document library. Add a blank gallery then add labels referencing columns in the document library. For example, the “text” of the policy name label is ThisItem.’File name with extension’. For the View JSON column, add an icon and under ACTION > OnSelect add the following Launch(ThisItem.’Link to item’) which will display to the user the latest version of the policy.

For the checkboxes in the gallery, add the following to OnCheck: Collect(backupconfigcollection,ThisItem) and OnUncheck: Remove(backupconfigcollection,ThisItem). Under DATA add the following Default: CheckCheckbox and Reset ClearCheckbox.

Manual restore is a textbox where we’re able to copy and paste from previous versions of configuration policies. Also add the following under ACTION:

OnChange

UpdateContext({ClearCheckbox:true});UpdateContext({ClearCheckbox:false});UpdateContext({CheckCheckbox:true});UpdateContext({CheckCheckbox:false})

OnSelect

UpdateContext({ClearCheckbox:true});UpdateContext({ClearCheckbox:false});UpdateContext({CheckCheckbox:true});UpdateContext({CheckCheckbox:false})

The reason why we need to clear checkboxes when selecting manual restore is we don’t want to attempt to write checked policies and the JSON from manual restore. We need to pick one or the other, so the code clears out the selected items (i.e. checkboxes) when JSON is added to the textbox. The “Restore” button has a “if” statement looking for which is populated.

Erase icon – I added the selectable icon for convenance to clear out the textbox quickly. Under ACTION > OnSelect add: Reset(JSONTextInput)

Restore button

If(IsBlank(JSONTextInput.Text),'Restoremultipleconfigurationprofiles-lifecyclemgt'.Run('TextInput prefix_1'.Text,JSON(backupconfigcollection.'Link to item',JSONFormat.IndentFour)),'Restoreconfigurationprofile-lifecyclemgt'.Run('TextInput prefix_1'.Text,JSONTextInput.Text))

Conclusion

That’s it! We utilized the work from previous posts and updated Power Apps and Power Automate to create an app to backup multiple versions of device configuration policies to SharePoint as well created a new screen in the app to restore device configuration policies from previous versions.