I have found some tools to back up and restore much of an Intune setup, but not conditional access policies.
So I decided to create a little PowerShell module to back up and restore conditional access policies.
Usage:
Import-Module .\condaccessbackuprestore.psm1
Backup-CondAcc -backupfolder c:\temp
Restore-CondAcc -importfile c:\temp\policy.xml
You can find the tool on GitHub: https://github.com/jfremmegaard/Intune-Tools/tree/master/CondAccessBackupRestore
Please report any bugs and missing features to me.
Hi. As someone fairly new to Graph API and PowerShell, I'm learning with this. When importing the module and running Backup-CondAccess to the same folder I'm running the script from, I get the following error. I'm assuming this is due to Conditional access policies set on the tenant. Any help would be appreciated.
Export-Clixml : Cannot perform operation because the wildcard path G:\Intune[SharePoint admin center]Block access
from apps on unmanaged devices – 2019/09/09.xml did not resolve to a file.
At G:\Intune\condaccessbackuprestore.psm1:48 char:21
+ $exportpolicy | Export-Clixml $exportfile
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (G:\Intune[Share… 2019/09/09.xml:String) [Export-Clixml], FileNotFoundE
xception
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.ExportClixmlCommand
Export-Clixml : Cannot perform operation because the wildcard path G:\Intune[SharePoint admin center]Use
app-enforced Restrictions for browser access – 2019/09/09.xml did not resolve to a file.
At G:\Intune\condaccessbackuprestore.psm1:48 char:21
+ $exportpolicy | Export-Clixml $exportfile
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (G:\Intune[Share… 2019/09/09.xml:String) [Export-Clixml], FileNotFoundE
xception
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.ExportClixmlCommand
Update on error. This seemed to work when I removed the Conditional access policies already registered. I'm wondering because the number of policies is spread over more than 1 page within the Intune console that it can't add anymore. So I deleted the policies and attempted to back up. This then worked. However, when trying to restore I now get the following error:
Invoke-RestMethod : {“ClassName”:”Microsoft.Portal.Framework.Exceptions.ClientException”,”Message”:”Model validation exception
occurred.”,”Data”:{},”HResult”:-2146233088,”XMsServerRequestId”:null,”Source”:”Microsoft.ActiveDirectory.ADExtension.Server.Filters”,”HttpStatusCode”:400,”ClientData”:{}}
At G:\Intune\condaccessbackuprestore.psm1:170 char:1
+ Invoke-RestMethod –Uri $url –Headers $header –Method POST -Body $cont …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
The script doesn’t use Graph API, and the API in use isn’t publicly documented as far as I know. Hence the script is highly experimental.
The error means that something in the $content variable is wrong. The best suggestion to fix this is trying to recreate the policy and record the data sent with developer mode in Chrome or a tool like Fiddler. See https://modernworkplace.fremmegaard.no/2019/06/08/automate-intune-the-hidden-apis-of-azure/
Then compare $content with the payload recorded with Chrome/Fiddler.
FYI, I just tried this in a demo, but the restore of a policy (that I just exported and deleted in the tenant) always fails with error:
Invoke-RestMethod : {“ClassName”:”Microsoft.Portal.Framework.Exceptions.ClientException”,”Message”:”Model validation exception occurred.”,”Data”:{},”HResult”:
-2146233088,”XMsServerRequestId”:null,”Source”:”Microsoft.ActiveDirectory.ADExtension.Server.Filters”,”HttpStatusCode”:400,”ClientData”:{}}
At C:\temp\CondAccessBackupRestore.ps1:170 char:1
+ Invoke-RestMethod –Uri $url –Headers $header –Method POST -Body $cont …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
@Andrew – the problem is that your policy names have characters (such as ‘[‘) that are not allowed in file names. I suggest you modify the script to replace characters in the file name.
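One way to implement the file-name fix suggested in the comment above, as an added example that is not part of the original module or of any commenter's post. The function names ConvertTo-SafeFileName and Export-PolicyToFile are hypothetical, the policy objects are constructed dummies, and the display names are the two from the error output earlier in the thread.

```powershell
# Added example (not the module's own code): safe export paths for policy names.
function ConvertTo-SafeFileName {
    param(
        [Parameter(Mandatory)][string]$Name,
        [char]$Replacement = '_'
    )
    # Characters the file system rejects; on Windows this covers / \ : * ? " < > |
    $invalid  = [System.IO.Path]::GetInvalidFileNameChars()
    # [ and ] are legal in file names but are wildcard characters for -Path parameters
    $wildcard = [char[]]'[]'
    $sb = [System.Text.StringBuilder]::new()
    foreach ($c in $Name.ToCharArray()) {
        if ($invalid -contains $c -or $wildcard -contains $c) { [void]$sb.Append($Replacement) }
        else { [void]$sb.Append($c) }
    }
    # Windows silently drops trailing dots and spaces, so strip them explicitly
    $safe = $sb.ToString().TrimEnd(' ', '.')
    if ([string]::IsNullOrWhiteSpace($safe)) { $safe = 'policy' }
    return $safe
}

function Export-PolicyToFile {
    param(
        [Parameter(Mandatory)]$Policy,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$BackupFolder
    )
    # Fixed date format: a culture-dependent date such as 2019/09/09 adds path separators
    $stamp = Get-Date -Format 'yyyy-MM-dd'
    $base  = '{0} - {1}' -f (ConvertTo-SafeFileName -Name $DisplayName), $stamp
    $file  = Join-Path $BackupFolder "$base.xml"
    # Different names can collapse to the same safe name; never overwrite a backup
    $n = 1
    while (Test-Path -LiteralPath $file) {
        $file = Join-Path $BackupFolder ('{0} ({1}).xml' -f $base, $n)
        $n++
    }
    # -LiteralPath disables wildcard expansion of the target path
    $Policy | Export-Clixml -LiteralPath $file
    return $file
}

# Constructed demo: dummy objects carrying the display names from the errors above
$names  = '[SharePoint admin center]Block access from apps on unmanaged devices',
          '[SharePoint admin center]Use app-enforced Restrictions for browser access'
$folder = Join-Path ([System.IO.Path]::GetTempPath()) 'condacc-demo'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
foreach ($name in $names) {
    Export-PolicyToFile -Policy ([pscustomobject]@{ displayName = $name }) -DisplayName $name -BackupFolder $folder
}
```

The sanitized name is lossy, so a restore should take the policy's display name from the exported object, not from the file name.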
I’m receiving the same error when attempting to restore
Invoke-RestMethod : {“ClassName”:”Microsoft.Portal.Framework.Exceptions.ClientException”,”Message”:”Model validation exception
occurred.”,”Data”:{},”HResult”:-2146233088,”XMsServerRequestId”:null,”Source”:”Microsoft.ActiveDirectory.ADExtension.Server.Filters”,”HttpStatusCode”:400,”ClientData”:{}}
At C:\automation\condaccessbackuprestore.psm1:170 char:1
+ Invoke-RestMethod –Uri $url –Headers $header –Method POST -Body $cont …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
I will try to do as Jens instructed, to compare $content to Chrome dev
Doesn’t work.
Cannot even import the module
At C:\Powershell\CABackup.psm1:47 char:1
+ }
+ ~
Unexpected token ‘}’ in expression or statement.
At C:\Powershell\CABackup.psm1:163 char:52
+ … rl –Headers $header –Method POST -Body $content -ErrorAction Stop
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The string is missing the terminator: “.
At C:\Powershell\CABackup.psm1:52 char:26
+ function Restore-CondAcc {
+ ~
Missing closing ‘}’ in statement block or type definition.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken
import-module : The specified module ‘.\CABackup.psm1’ was not loaded because no valid module file was found in any module directory.
At line:1 char:1
+ import-module .\CABackup.psm1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (.\CABackup.psm1:String) [Import-Module], FileNotFoundException
+ FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand