Intune Backup to Storage Account Pt.1 – The Script

This post is about creating an Intune backup to a storage account. You could use this to create a daily backup, or an even more frequent one.

To clarify the above: I created a script that creates a backup of your Intune environment and uploads it to a storage account.

I got a couple of requests to update a previous blog to remove the on-prem requirement. So, here we go!

Other parts:

Intune Backup to Storage Account Pt.2 – The Automation Account

Intune Backup to Storage Account Pt.3 – The Notification

Prerequisites

A storage account with a container to store your backups

Install Azure CLI on the machine/automation where you run the script.

After that, you can start with this blog.

Create Service Principal

We use a service principal for authentication. First, we authenticate against Graph to create the Intune backup. After that, we connect via Azure CLI to a storage account to upload the backup. A client secret is used to authenticate.

You can also use certificate-based authentication, but for testing purposes we use a secret.

So, let’s create the service principal.

Log on to Microsoft Azure and go to the Azure AD blade.

Next, go to App Registrations:

[Image: App Registrations]

After that, click on “New registration”:

[Image: New App Registration]

Call it “IntuneSPN” and click on register:

[Image: Name App Reg]

Next, you see this screen. Copy these GUIDs to a notepad of some sort:

[Image: App IDs]

Next, go to Certificates & Secrets:

Click on “New client secret”:

Name it and click on create.

NOTE: Write down this value in your notepad:

After that, go to “API Permissions” and click on “Add a permission”:

[Image: App registration permissions]

Select “Microsoft Graph”, “Application permissions”, search for “Device” and select these permissions:

NOTE: Make sure this service principal has appropriate permissions on your storage account from the prerequisites.

Run Intune Backup to Storage Account

Time to test drive the service principal!

I uploaded the script to my GitHub account. You can find it here.

Save this file as a .ps1 file. I use the name “IntuneBackuptoStorageAccount.ps1” so you can follow the example.

Use this command to run the script:

.\IntuneBackupToStorageAccount.ps1 -TenantId "YOURTENANT.onmicrosoft.com" -ClientID "CLIENT ID FROM NOTEPAD" -ClientSecret "CLIENT SECRET FROM NOTEPAD" -StorageAccountName "Your Storage Account" -RGName "Resource Group for storageaccount" -ContainerName "backup"
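
A client secret typed as a literal, as in the command above, can end up in console history, transcripts or logs. The wrapper below is an added example, not part of the author's script: it reads the secret from a vault at run time and passes the same parameters. It assumes the Microsoft.PowerShell.SecretManagement module with a registered vault; the entry name `IntuneSPN-ClientSecret` is hypothetical.

```powershell
# Added example: wrapper around the command shown above (not the author's code).
# Assumption: Microsoft.PowerShell.SecretManagement is installed, a vault is
# registered, and it holds the client secret under the hypothetical name below.
#Requires -Modules Microsoft.PowerShell.SecretManagement

# Fetch the secret at run time; -ErrorAction Stop aborts if the entry is missing
$clientSecret = Get-Secret -Name 'IntuneSPN-ClientSecret' -AsPlainText -ErrorAction Stop

# Same parameters as the command on this page, passed by splatting
$backupArgs = @{
    TenantId           = 'YOURTENANT.onmicrosoft.com'
    ClientID           = 'CLIENT ID FROM NOTEPAD'
    ClientSecret       = $clientSecret
    StorageAccountName = 'Your Storage Account'
    RGName             = 'Resource Group for storageaccount'
    ContainerName      = 'backup'
}

try {
    .\IntuneBackupToStorageAccount.ps1 @backupArgs
}
finally {
    # Drop the plaintext copies held by this session
    Remove-Variable -Name clientSecret, backupArgs -ErrorAction SilentlyContinue
    # In case the script leaves the service principal signed in to Azure CLI
    # (an assumption about the script), remove the cached session as well
    az logout
}
```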

This is the output when you run the script.

Firstly, the appropriate modules are installed, the temporary folders created and the Intune Backup started:

All the data is put in the C:\Temp\IntuneBackup folder. If you want to use another path feel free to change this in the script.

After that, the script logs on to Microsoft Azure using Azure CLI:

The data is uploaded to the Azure storage account:

It’s put in a folder based on the time when the script was run (format: yyyy-MM-dd-HH-mm-ss):

[Image: Folders]

Content of the last folder:

[Image: Result]
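
Because the folder name is a sortable timestamp, a scheduled check can confirm that a recent, complete-looking backup actually reached the container. The following is an added example, not part of the author's script; the 26-hour age limit and the 50% blob-count threshold are assumptions for a daily schedule.

```powershell
# Added example, not part of the author's script.
# Assumptions: an active Azure CLI session (az login) that may list blobs, backup
# folders at the container root, and the check running in the same time zone as
# the backup job.
$account   = 'Your Storage Account'
$container = 'backup'
$maxAge    = [timespan]::FromHours(26)     # assumed limit for a daily backup
$format    = 'yyyy-MM-dd-HH-mm-ss'         # folder format stated on this page

$names = az storage blob list --account-name $account --container-name $container `
    --auth-mode login --num-results '*' --query '[].name' --output tsv
if ($LASTEXITCODE -ne 0) { throw "Listing blobs failed (exit code $LASTEXITCODE)" }

# Group blobs by top-level folder; keep only folders that parse as a timestamp
$backups = foreach ($group in ($names | Group-Object { ($_ -split '/')[0] })) {
    $taken = [datetime]::MinValue
    if ([datetime]::TryParseExact($group.Name, $format,
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::None, [ref]$taken)) {
        [pscustomobject]@{ Folder = $group.Name; Taken = $taken; Blobs = $group.Count }
    }
}
$backups = @($backups | Sort-Object Taken)
if ($backups.Count -eq 0) { throw "No backup folders found in '$container'" }

$latest = $backups[-1]
$age    = (Get-Date) - $latest.Taken
if ($age -gt $maxAge) {
    throw "Latest backup $($latest.Folder) is $([int]$age.TotalHours) hours old"
}
# A much smaller blob count than the previous run points to an interrupted backup
if ($backups.Count -gt 1 -and $latest.Blobs -lt 0.5 * $backups[-2].Blobs) {
    throw "Backup $($latest.Folder) has $($latest.Blobs) blobs, previous had $($backups[-2].Blobs)"
}
"OK: $($latest.Folder) with $($latest.Blobs) blobs"
```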

References

I have used Michael Niehaus’s method to authenticate against Microsoft Graph with a service principal.

12 thoughts on “Intune Backup to Storage Account Pt.1 – The Script”

  1. In my environment it seems to get as far as backing up my ADMX policies to the TEMP directory, then starts again from the beginning. I can’t see any obvious errors. This is the only error I see, and I’m not sure it is the problem: Unable to find an entry point named ‘GetPerAdapterInfo’ in DLL ‘iphlpapi.dll’. Works OK when I run the script on my computer and back up to Blob storage.

      • Hi Niels,
        I now have it working using a Windows Hybrid worker group. So that will work for me. Not sure why it is not working when I run it directly in Azure.
        Thanks,
        Alex

        • Hi Alex,

          That’s odd. I don’t use a hybrid worker. Since you don’t have an obvious error I find it hard to give you any advice…

          Thanks,
          Niels

  2. Hi, will this still work now that Azure has moved away from using app registrations and is now using managed identities for authentication?

      • Hi Niels,
        Thank you for your reply,

        Another question,
        1. If I have the backup working to a storage account and I want to restore, I’m assuming I can only restore the whole backup, not only certain things?
        2. I couldn’t find any steps about restoring a backup. What would be the process to restore the backup? Is it just running this command:
        Start-IntuneRestoreConfig -Path "For Example(2019-12-25)"
        If so, what would the path be if using a storage account?

        • Hello,

          1. You can restore parts of the backup. Check out the PowerShell module for IntuneBackupAndRestore, that will give you an idea.

          2. You would have to download the backup first from the storage account. You can do this by using PowerShell. After that, you can use the command you mentioned.

          Thanks,
          Niels

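
The download-then-restore sequence described in the reply above, as an added example that is not part of the original post or of the IntuneBackupAndRestore project. It assumes an Azure CLI session that can read the container, a PowerShell session already set up for the restore module, and a backup folder at the container root; the folder name and target path are constructed.

```powershell
# Added example, not from the original post or the IntuneBackupAndRestore project.
# Assumptions: `az login` was already run with an identity that can read blobs,
# the restore module is installed and authenticated to Graph, and the backup
# folder sits at the root of the container.
$account   = 'Your Storage Account'
$container = 'backup'
$folder    = '2019-12-25-08-00-00'       # constructed name, format yyyy-MM-dd-HH-mm-ss
$target    = 'C:\Temp\IntuneRestore'     # constructed local path

# Accept only a timestamp-shaped folder name so the download pattern below
# stays limited to a single backup.
$stamp = [datetime]::MinValue
if (-not [datetime]::TryParseExact($folder, 'yyyy-MM-dd-HH-mm-ss',
        [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::None, [ref]$stamp)) {
    throw "'$folder' is not a backup folder name (expected yyyy-MM-dd-HH-mm-ss)"
}

New-Item -ItemType Directory -Path $target -Force | Out-Null

# download-batch recreates the blob path, so the files land in $target\$folder
az storage blob download-batch --account-name $account --source $container `
    --pattern "$folder/*" --destination $target --auth-mode login
if ($LASTEXITCODE -ne 0) { throw "Download failed (exit code $LASTEXITCODE)" }

$restorePath = Join-Path $target $folder
$fileCount = (Get-ChildItem -Path $restorePath -Recurse -File `
        -ErrorAction SilentlyContinue | Measure-Object).Count
if ($fileCount -eq 0) { throw "No files downloaded for backup '$folder'" }

# Review the downloaded files before this step: the restore writes to the tenant.
Start-IntuneRestoreConfig -Path $restorePath
```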
