Intune – Backup and restore of conditional access policies

I have found some tools to back up and restore much of an Intune setup, but not conditional access policies.
So I decided to create a little PowerShell module to back up and restore conditional access policies.

Usage:
Import-Module .\condaccessbackuprestore.psm1
Backup-CondAcc -backupfolder c:\temp
Restore-CondAcc -importfile c:\temp\policy.xml

You find the tool on GitHub: https://github.com/jfremmegaard/Intune-Tools/tree/master/CondAccessBackupRestore

Please report any bugs and missing features to me.

August 14th, 2019 (2019-08-14T11:38:46+01:00) | Uncategorized

6 Comments

  1. Andrew Jones 13/09/2019 at 19:39

    Hi. As someone fairly new to Graph API and PowerShell, I'm learning with this. When importing the module and running Backup-CondAccess to the same folder I'm running the script from, I get the following error. I'm assuming this is due to Conditional access policies set on the tenant. Any help would be appreciated.

    Export-Clixml : Cannot perform operation because the wildcard path G:\Intune[SharePoint admin center]Block access
    from apps on unmanaged devices – 2019/09/09.xml did not resolve to a file.
    At G:\Intune\condaccessbackuprestore.psm1:48 char:21
    + $exportpolicy | Export-Clixml $exportfile
    + ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OpenError: (G:\Intune[Share… 2019/09/09.xml:String) [Export-Clixml], FileNotFoundE
    xception
    + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.ExportClixmlCommand
    Export-Clixml : Cannot perform operation because the wildcard path G:\Intune[SharePoint admin center]Use
    app-enforced Restrictions for browser access – 2019/09/09.xml did not resolve to a file.
    At G:\Intune\condaccessbackuprestore.psm1:48 char:21
    + $exportpolicy | Export-Clixml $exportfile
    + ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OpenError: (G:\Intune[Share… 2019/09/09.xml:String) [Export-Clixml], FileNotFoundE
    xception
    + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.ExportClixmlCommand

  2. Andrew Jones 14/09/2019 at 11:59

    Update on error. This seemed to work when I removed the Conditional access policies already registered. I'm wondering because the number of policies is spread over more than 1 page within the Intune console that it can't add anymore. So I deleted the policies and attempted to back up. This then worked; however, when trying to restore I now get the following error:

    Invoke-RestMethod : {“ClassName”:”Microsoft.Portal.Framework.Exceptions.ClientException”,”Message”:”Model validation exception
    occurred.”,”Data”:{},”HResult”:-2146233088,”XMsServerRequestId”:null,”Source”:”Microsoft.ActiveDirectory.ADExtension.Server.Filters”,”HttpStatusCode”:400,”ClientData”:{}}
    At G:\Intune\condaccessbackuprestore.psm1:170 char:1
    + Invoke-RestMethod –Uri $url –Headers $header –Method POST -Body $cont …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

  3. Jens Tore Fremmegaard 17/09/2019 at 17:27

    The script doesn’t use Graph API, and the API in use isn’t publicly documented as far as I know. Hence the script is highly experimental.

    The error means that something in the $content variable is wrong. The best suggestion to fix this is trying to recreate the policy and record the data sent with developer mode in Chrome or a tool like Fiddler. See https://modernworkplace.fremmegaard.no/2019/06/08/automate-intune-the-hidden-apis-of-azure/

    Then compare $content with the payload recorded with Chrome/Fiddler.
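
One way to do the comparison suggested in the comment above, as an added example that is not part of the comment or of the module. It assumes `$content` and the recorded request body are both JSON text; the two sample payloads and their field names are constructed placeholders, not the real schema of the undocumented API, and the function names are hypothetical.

```powershell
# Flatten a parsed JSON document into "path -> leaf value" pairs.
function Get-FlatJson {
    param($Node, [string]$Path = '$')
    $flat = [ordered]@{}
    if ($Node -is [System.Management.Automation.PSCustomObject]) {
        $props = @($Node.PSObject.Properties)
        if ($props.Count -eq 0) { $flat[$Path] = '{}' }   # keep empty objects visible
        foreach ($p in $props) {
            $child = Get-FlatJson -Node $p.Value -Path ('{0}.{1}' -f $Path, $p.Name)
            foreach ($k in $child.Keys) { $flat[$k] = $child[$k] }
        }
    } elseif ($Node -is [array]) {
        if ($Node.Count -eq 0) { $flat[$Path] = '[]' }    # keep empty arrays visible
        for ($i = 0; $i -lt $Node.Count; $i++) {
            $child = Get-FlatJson -Node $Node[$i] -Path ('{0}[{1}]' -f $Path, $i)
            foreach ($k in $child.Keys) { $flat[$k] = $child[$k] }
        }
    } else {
        $flat[$Path] = $Node                              # string, number, bool or null
    }
    return $flat
}

# Report every path that is missing on one side or whose value differs.
function Compare-JsonPayload {
    param(
        [Parameter(Mandatory)][string]$Sent,      # what the script is about to POST
        [Parameter(Mandatory)][string]$Recorded   # body captured in Chrome or Fiddler
    )
    $s = Get-FlatJson (ConvertFrom-Json $Sent)
    $r = Get-FlatJson (ConvertFrom-Json $Recorded)
    foreach ($key in (@($s.Keys) + @($r.Keys) | Sort-Object -Unique)) {
        if (-not $r.Contains($key)) { $state = 'OnlyInSent' }
        elseif (-not $s.Contains($key)) { $state = 'OnlyInRecorded' }
        # Compared as text, case-sensitively, so "true" (string) vs true (bool) shows up.
        elseif ("$($s[$key])" -cne "$($r[$key])") { $state = 'ValueDiffers' }
        else { continue }
        [pscustomobject]@{ Path = $key; State = $state; Sent = $s[$key]; Recorded = $r[$key] }
    }
}

# Constructed sample payloads (placeholder field names).
$sent     = '{"displayName":"Block unmanaged","isEnabled":"true","conditions":{"apps":["All"]}}'
$recorded = '{"displayName":"Block unmanaged","isEnabled":true,"conditions":{"apps":["All"],"clients":[]}}'
Compare-JsonPayload -Sent $sent -Recorded $recorded | Format-Table -AutoSize
```

Paths reported as OnlyInRecorded or ValueDiffers are the first candidates for the field that triggers the "Model validation exception" response.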

  4. Raf Cox 19/09/2019 at 08:08

    FYI, I just tried this in a demo, but the restore of a policy (that I just exported and deleted in the tenant) always fails with error:
    Invoke-RestMethod : {“ClassName”:”Microsoft.Portal.Framework.Exceptions.ClientException”,”Message”:”Model validation exception occurred.”,”Data”:{},”HResult”:
    -2146233088,”XMsServerRequestId”:null,”Source”:”Microsoft.ActiveDirectory.ADExtension.Server.Filters”,”HttpStatusCode”:400,”ClientData”:{}}
    At C:\temp\CondAccessBackupRestore.ps1:170 char:1
    + Invoke-RestMethod –Uri $url –Headers $header –Method POST -Body $cont …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

  5. Rohan Cragg 16/10/2019 at 12:55

    @Andrew – the problem is that your policy names have characters (such as ‘[‘) that are not allowed in file names. I suggest you modify the script to replace characters in the file name.
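
A sketch of the change suggested in the comment above, as an added example that is not code from the module or from the commenter. The function names are hypothetical, the policy object is a constructed stand-in, and the policy name is the one visible in the error output earlier in the thread. The export also uses `-LiteralPath`, because `[` and `]` are wildcard characters to PowerShell path parameters, and a dash-separated date, because the failing path contains `/`.

```powershell
function ConvertTo-SafeFileName {
    param(
        [Parameter(Mandatory)][string]$Name,
        [char]$Replacement = '_'
    )
    # Characters the OS rejects in a file name (on Windows: / \ : * ? " < > | and control chars).
    $invalid = [System.IO.Path]::GetInvalidFileNameChars()
    # Legal on disk, but treated as wildcard syntax by -Path parameters.
    $wildcards = [char[]]'[]'
    $chars = foreach ($c in $Name.ToCharArray()) {
        if ($invalid -contains $c -or $wildcards -contains $c) { $Replacement } else { $c }
    }
    # Windows silently drops trailing spaces and dots, so remove them up front.
    $safe = (-join $chars).Trim().TrimEnd([char[]]' .')
    if (-not $safe) { throw "Policy name '$Name' leaves no usable file name." }
    return $safe
}

function Export-PolicyBackup {
    param(
        [Parameter(Mandatory)]$Policy,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$BackupFolder
    )
    # Dashes instead of slashes: a slash in the date would be read as a folder separator.
    $stamp = Get-Date -Format 'yyyy-MM-dd'
    $leaf  = '{0} - {1}.xml' -f (ConvertTo-SafeFileName $DisplayName), $stamp
    $file  = Join-Path $BackupFolder $leaf
    # -LiteralPath writes to exactly this path with no wildcard expansion.
    $Policy | Export-Clixml -LiteralPath $file
    return $file
}

# Constructed stand-in for a policy object returned by the backup code.
$policy = [pscustomobject]@{ displayName = '[SharePoint admin center]Block access from apps on unmanaged devices' }
$written = Export-PolicyBackup -Policy $policy -DisplayName $policy.displayName `
    -BackupFolder ([System.IO.Path]::GetTempPath())
# Read it back the same way to confirm the backup round-trips.
(Import-Clixml -LiteralPath $written).displayName
```

The original display name is still stored inside the exported object, so the file name can be sanitized without losing it.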

  6. Adam 19/10/2019 at 22:37

    I’m receiving the same error when attempting to restore:
    Invoke-RestMethod : {“ClassName”:”Microsoft.Portal.Framework.Exceptions.ClientException”,”Message”:”Model validation exception
    occurred.”,”Data”:{},”HResult”:-2146233088,”XMsServerRequestId”:null,”Source”:”Microsoft.ActiveDirectory.ADExtension.Server.Filters”,”HttpStatusCode”:400,”ClientData”:{}}
    At C:\automation\condaccessbackuprestore.psm1:170 char:1
    + Invoke-RestMethod –Uri $url –Headers $header –Method POST -Body $cont …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

    I will try to follow Jens' instruction and compare $content to Chrome dev.
