This post is about creating an Intune backup to a storage account. You could use this to create a daily backup, or an even more frequent one.
To clarify the above: I created a script that creates a backup of your Intune environment and uploads it to a storage account.
I got a couple of requests to update a previous blog to remove the on-prem requirement. So, here we go!
Other parts:
Intune Backup to Storage Account Pt.2 – The Automation Account
Intune Backup to Storage Account Pt.3 – The Notification
Prerequisites
A storage account with a container to store your backups
Install Azure CLI on the machine/automation where you run the script.
After that, you can start this blog.
Create Service Principal
We use a service principal for authentication. Firstly, we authenticate against Graph to create the Intune backup. After that, we connect via Az CLI to a storage account to upload the backup. A secret is used to authenticate.
You can also use certificate-based authentication, but for testing purposes we use a secret.
So, let’s create the service principal.
Log on to Microsoft Azure and go to the Azure AD blade
Next, go to App Registrations:
After that, click on the new registration:
Call it “IntuneSPN” and click on register:
In addition, you see this screen. Copy these GUIDs to a notepad of some sort:
Next, go to Certificates & Secrets:
Click on “New client secret”:
Name it and click on create.
NOTE: Write down this value in your notepad:
After that, go to “API Permissions” and click on “Add a permission”:
Select “Microsoft Graph”, “Application permissions”, search for “Device” and select these permissions:
NOTE: Make sure this service principal has appropriate permissions to your storage account from the prerequisites.
Run Intune Backup to Storage Account
Time to test drive the service principal!
I uploaded the script to my GitHub account. You find it here.
Save this file as a .ps1 file. I use the name “IntuneBackupToStorageAccount.ps1” so you can follow the example.
Use this code to run the script:
.\IntuneBackupToStorageAccount.ps1 -TenantId "YOURTENANT.onmicrosoft.com" -ClientID "CLIENT ID FROM NOTEPAD" -ClientSecret "CLIENT SECRET FROM NOTEPAD" -StorageAccountName "Your Storage Account" -RGName "Resource Group for storageaccount" -ContainerName "backup"
This is the output when you run the script.
Firstly, the appropriate modules are installed, the temporary folders created and the Intune Backup started:
All the data is put in the C:\Temp\IntuneBackup folder. If you want to use another path, feel free to change this in the script.
After that, the script logs on to Microsoft Azure using Azure CLI:
The data is uploaded to the Azure storage account:
It’s put in a folder based on the time when the script was run (format: yyyy-MM-dd-HH-mm-ss):
Content of the last folder:
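The logon and upload steps described above, as an added example that is not the author's script: it reads the service principal's credentials from environment variables (the names INTUNE_TENANT_ID, INTUNE_CLIENT_ID and INTUNE_CLIENT_SECRET are assumptions) instead of typing the secret on the command line, and uploads with --auth-mode login so access depends on the service principal's own role on the storage account.

```powershell
# Added example; not the author's script. Assumed names: the environment
# variables INTUNE_TENANT_ID, INTUNE_CLIENT_ID and INTUNE_CLIENT_SECRET.
param(
    [Parameter(Mandatory)] [string] $StorageAccountName,
    [Parameter(Mandatory)] [string] $ContainerName,
    [string] $BackupPath = 'C:\Temp\IntuneBackup'
)

$ErrorActionPreference = 'Stop'

# Fail early if the backup folder is missing or empty.
if (-not (Test-Path -Path $BackupPath -PathType Container) -or
    -not (Get-ChildItem -Path $BackupPath -Recurse -File | Select-Object -First 1)) {
    throw "No backup files found in $BackupPath"
}

# Refuse to continue if any credential value is missing.
foreach ($name in 'INTUNE_TENANT_ID', 'INTUNE_CLIENT_ID', 'INTUNE_CLIENT_SECRET') {
    if (-not [Environment]::GetEnvironmentVariable($name)) {
        throw "Environment variable $name is not set"
    }
}

# Same folder naming as described above: yyyy-MM-dd-HH-mm-ss
$folder = Get-Date -Format 'yyyy-MM-dd-HH-mm-ss'

try {
    az login --service-principal `
        --username $env:INTUNE_CLIENT_ID `
        --password $env:INTUNE_CLIENT_SECRET `
        --tenant   $env:INTUNE_TENANT_ID `
        --allow-no-subscriptions --output none
    if ($LASTEXITCODE -ne 0) { throw 'az login failed' }

    # --auth-mode login uses the service principal's RBAC role on the storage
    # account (for example Storage Blob Data Contributor), not an account key.
    az storage blob upload-batch `
        --account-name $StorageAccountName `
        --destination $ContainerName `
        --destination-path $folder `
        --source $BackupPath `
        --auth-mode login --output none
    if ($LASTEXITCODE -ne 0) { throw 'Upload failed' }

    Write-Output "Backup uploaded to $ContainerName/$folder"
}
finally {
    # Always drop the cached service principal session.
    az logout | Out-Null
}
```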
References
I have used Michael Niehaus’s method to authenticate against Microsoft Graph with a service principal.
This is perfect, I will be switching to this. Much better than running on batch server!
In my environment it seems to get as far as backing up my ADMX policies to the TEMP directory, then starts again from the beginning. I can’t see any obvious errors. This is the only error I see, and I'm not sure it is the problem: Unable to find an entry point named ‘GetPerAdapterInfo’ in DLL ‘iphlpapi.dll’. Works OK when I run the script on my computer and back up to Blob storage.
Hello,
Do you use Windows Based agent for your Azure Automation Account?
Thanks,
Niels
Hi Niels,
I now have it working using Windows Hybrid worker group. So that will work for me. Not sure why it does not work when I run directly in Azure.
Thanks,
Alex
Hi Alex,
That’s odd. I don’t use a hybrid worker. Since you don’t have an obvious error I find it hard to give you any advice…
Thanks,
Niels
Hi, will this still work now that azure has moved away from using app registrations and is now using managed identities for authentication?
Hi Jourdan,
You can still make this work. For both authentication methods.
KR,
Niels
Hi Niels,
Thank you for your reply,
Another question,
1. If I have the backup working to a storage account and I want to restore, I’m assuming I can only restore the whole backup, not only certain things?
2. I couldn’t find any steps about restoring a backup. What would be the process to restore the backup, is it just running this command:
Start-IntuneRestoreConfig -Path “For Example(2019-12-25)”
If so, what would the path be if using a storage account?
Hello,
1. You can restore parts of the backup. Check out the PowerShell module for IntuneBackupAndRestore, that will give you an idea.
2. You would have to download the backup first from the storage account. You can do this by using PowerShell. After that, you can use the command you mentioned.
Thanks,
Niels