Assign Store Applications in Intune via Powershell

by

I meant to write this blog a long time ago. I always wanted to deep-dive into Intune to assign Microsoft Store Applications via Powershell.

We all struggled with the Microsoft Store applications and assigning them “one by one” through the portal. Even though (almost) every assignment was the same: “Unassign for All Users/All Devices”. Of course, you would want to assign the Company Portal app and maybe another application. But, the general idea is that you would like to assign all Store Apps faster than clicking through the portal.

In addition, Microsoft planned to deprecate the Microsoft Store for Business in 2023. Nevertheless, I share my methods with you to do this via Powershell.

Prerequisites

You need a Powershell Module called “MSAL.PS”.

Install it using the code below:

#Checking for correct modules and installing them if needed
$InstalledModules = Get-InstalledModule
$Module_Name = "MSAL.PS"
If ($InstalledModules.name -notcontains $Module_Name) {
	Write-Host "Installing module $Module_Name"
	Install-Module $Module_Name -Force
}
Else {
	Write-Host "$Module_Name Module already installed"
}		

#Importing Module
Write-Host "Importing Module $Module_Name"
Import-Module $Module_Name

Assigning Store Application via Powershell

We are using Microsoft Graph to get the information and assign groups to the applications. So, firstly we need to log on to Microsoft Graph.

In Azure AD, there is an Enterprise Application called “Intune Powershell”. We leverage this Application to log on. Therefore, the application id in the code below is the same for each Microsoft 365 tenant.

We do so by using the following code:

$AuthToken = Get-MsalToken -ClientId d1ddf0e4-d672-4dae-b554-9d5bdfd93547 -RedirectUri "urn:ietf:wg:oauth:2.0:oob" -Interactive

Log in with a user account that has the appropriate permissions for Microsoft Intune.

After that, run $AuthToken to view the token:

Assign Store Applications in Intune via Powershell - Token

Furthermore, if you want to know which permissions your token has, run $Authtoken.Scopes:

Next, we need to get the information about the Microsoft Store Apps within our Intune tenant. Use the following code to get the information:

## Get Microsoft Store Applications
$Url = 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps?$filter=(isof(%27microsoft.graph.microsoftStoreForBusinessApp%27))'
$StoreApplications = (Invoke-RestMethod -Headers @{Authorization = "Bearer $($AuthToken.AccessToken)" }  -Uri $Url -Method GET).Value | Select-Object publisher,DisplayName, id, isAssigned

This is the output:

Assign Store Applications in Intune via Powershell - All Applications

Furthermore, If you want all the details. Remove ” | Select-Object publisher,DisplayName, id, isAssigned”

Lastly, we need to assign the application. You can do so by using the following code:

I have used the Company Portal app as an example. The $ApplicationID is the application ID grabbed from the previous output. This is the assignment “Required for All Users”: (I specify the $JSON body for All Devices and Custom Group later)

$ApplicationID = "7b557426-2128-4fe7-8c42-5a9baf4d1b8b"
$JSON = @"
{
    "intent": "required",
    "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "deviceAndAppManagementAssignmentFilterId": null,
        "deviceAndAppManagementAssignmentFilterType": "none",
        "groupId": "$AzureADGroupID"
    },
}
"@

$URL = "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$ApplicationID/assignments"

$AssignApplication = Invoke-RestMethod -Headers @{Authorization = "Bearer $($AuthToken.AccessToken)" }  -Uri $URL -Method POST -Body $JSON -ContentType 'application/json'

This is the output:

$JSON Body for All Devices assignment:

$JSON = @"
{
    "intent": "required",
    "target": {
        "@odata.type": "#microsoft.graph.allDevicesAssignmentTarget",
        "deviceAndAppManagementAssignmentFilterId": null,
        "deviceAndAppManagementAssignmentFilterType": "none"
    },
}
"@

$JSON Body for a custom group:

$AzureADGroupID = "7fbb81e7-aa9a-4c38-9416-808c0b90744b"
$JSON = @"
{
    "intent": "required",
    "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "deviceAndAppManagementAssignmentFilterId": null,
        "deviceAndAppManagementAssignmentFilterType": "none",
        "groupId": "$AzureADGroupID"
    },
}
"@

References

Graph Explorer (Used for looking up the correct JSON body’s)

Other posts about Graph:
Create Autopilot Profile via Powershell
Intune Config Backup to Storage Account

6 thoughts on “Assign Store Applications in Intune via Powershell”

  1. Pingback: Endpoint Manager Newsletter – 17th June 2022 – Andrew Taylor
  2. Pingback: Intune Devices Report via Graph and Teams - NielsKok.Tech

  4. Hi Niels, thanks for this post. Please don’t forget, “This will likely change in Q2 in 2023, I will update my blog accordingly.”
    Sincerely,
    David

    Reply

Leave a Comment