This post is about creating an Intune backup to a storage account. You could use this to create a daily backup, or back up even more frequently.

To clarify the above: I created a script that creates a backup of your Intune environment and uploads it to a storage account.

I got a couple of requests to update a previous blog to remove the on-prem requirement. So, here we go!

Other parts:

Intune Backup to Storage Account Pt.2 – The Automation Account

Intune Backup to Storage Account Pt.3 – The Notification

Prerequisites

A storage account with a container to store your backups

Install Azure CLI on the machine/automation where you run the script.

Once these are in place, you can follow along with this post.

Create Service Principal

We use a service principal for authentication. Firstly, we authenticate against Graph to create the Intune backup. After that, we connect via Az CLI to a storage account to upload the backup. A secret is used to authenticate.

You can also use certificate-based authentication, but for testing purposes we use a secret.

So, let’s create the service principal.

Log on to Microsoft Azure and go to the Azure AD blade.

Next, go to App Registrations:

Intune Backup via Pipeline to Storage Account - App Registrations

After that, click on the new registration:

Intune Backup via Pipeline to Storage Account - New App Registration

Call it “IntuneSPN” and click on register:

Intune Backup via Pipeline to Storage Account - Name App Reg

You then see this screen. Copy these GUIDs to a notepad of some sort:

Intune Backup via Pipeline to Storage Account - App IDS

Next, go to Certificates & Secrets:

Click on “New client secret”:

Name it and click on create.

NOTE: Write down this value in your notepad:

After that, go to “API Permissions” and click on “Add a permission”:

Endpoint Manager Packaging Script Pt.2 - App registrations Permissions

Select “Microsoft Graph”, “Application permissions”, search for “Device” and select these permissions:

NOTE: Make sure this service principal has appropriate permissions to your storage account from the prerequisites.

Run Intune Backup to Storage Account

Time to test drive the service principal!

I uploaded the script to my GitHub account. You can find it here.

Save this file as a .ps1 file. I use the name “IntuneBackupToStorageAccount.ps1” so you can follow the example.

Use this code to run the script:

.\IntuneBackupToStorageAccount.ps1 -TenantId "YOURTENANT.onmicrosoft.com" -ClientID "CLIENT ID FROM NOTEPAD" -ClientSecret "CLIENT SECRET FROM NOTEPAD" -StorageAccountName "Your Storage Account" -RGName "Resource Group for storageaccount" -ContainerName "backup"

This is the output when you run the script.

Firstly, the appropriate modules are installed, the temporary folders created and the Intune Backup started:

All the data is put in the C:\Temp\IntuneBackup folder. If you want to use another path, feel free to change this in the script.

After that, the script logs on to Microsoft Azure using Azure CLI:

The data is uploaded to the Azure storage account:

It’s put in a folder based on the time when the script was run (format: yyyy-MM-dd-HH-mm-ss):

Intune Backup to Storage Account - Folders

Content of the last folder:

Intune Backup to Storage Account - Result
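The Azure CLI login and upload steps described above, as an added example (not the script from the author's GitHub) that grants blob access on the backup container only and reads the secret from an environment variable instead of the command line. The function names, the INTUNE_BACKUP_SECRET variable and every value in angle brackets are assumptions.

```powershell
# Added example, not the blog's script. Function names, INTUNE_BACKUP_SECRET
# and every <angle-bracket> value are assumptions/placeholders.

function Grant-BackupContainerAccess {
    # Run once by an administrator who is already signed in with 'az login'.
    # Scopes blob data access to the backup container, not the whole account.
    param($SubscriptionId, $RGName, $StorageAccountName, $ContainerName, $ClientId)
    $scope = "/subscriptions/$SubscriptionId/resourceGroups/$RGName" +
             "/providers/Microsoft.Storage/storageAccounts/$StorageAccountName" +
             "/blobServices/default/containers/$ContainerName"
    az role assignment create --assignee $ClientId `
        --role 'Storage Blob Data Contributor' --scope $scope --output none
    if ($LASTEXITCODE -ne 0) { throw 'Role assignment failed.' }
}

function Send-IntuneBackup {
    param($TenantId, $ClientId, $StorageAccountName, $ContainerName,
          $BackupPath = 'C:\Temp\IntuneBackup')
    # Read the secret from the environment so it is not typed on the command line.
    $secret = $env:INTUNE_BACKUP_SECRET
    if ([string]::IsNullOrEmpty($secret)) { throw 'INTUNE_BACKUP_SECRET is not set.' }

    # --allow-no-subscriptions: the principal may only hold a container-level role.
    az login --service-principal --username $ClientId --password $secret `
        --tenant $TenantId --allow-no-subscriptions --output none
    if ($LASTEXITCODE -ne 0) { throw 'az login failed.' }
    try {
        # Folder name in the format the post describes: yyyy-MM-dd-HH-mm-ss
        $folder = Get-Date -Format 'yyyy-MM-dd-HH-mm-ss'
        # --auth-mode login uses the service principal's role, not an account key.
        az storage blob upload-batch --account-name $StorageAccountName `
            --destination $ContainerName --destination-path $folder `
            --source $BackupPath --auth-mode login --output none
        if ($LASTEXITCODE -ne 0) { throw 'Upload failed.' }
        return $folder
    }
    finally {
        az logout   # drop the cached service principal session on this machine
    }
}

# Usage with placeholder values:
# Grant-BackupContainerAccess -SubscriptionId '<subscription id>' -RGName '<resource group>' `
#     -StorageAccountName '<storage account>' -ContainerName 'backup' -ClientId '<client id>'
# Send-IntuneBackup -TenantId '<YOURTENANT.onmicrosoft.com>' -ClientId '<client id>' `
#     -StorageAccountName '<storage account>' -ContainerName 'backup'
```

A new role assignment can take a few minutes to become effective, so an upload started right after granting access may be refused.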

References

I have used Michael Niehaus’s method to authenticate against Microsoft Graph with a service principal.

5 thoughts on “Intune Backup to Storage Account Pt.1 – The Script”
  1. In my environment it seems to get as far as backing up my ADMX policies to the TEMP directory, then starts again from the beginning. I can’t see any obvious errors. This is the only error I see, and I am not sure it is the problem: Unable to find an entry point named ‘GetPerAdapterInfo’ in DLL ‘iphlpapi.dll’. Works OK when I run the script on my computer and back up to Blob storage.
