This post is about creating an Intune backup to a storage account. You could use this to create a daily backup, or an even more frequent one.
To clarify the above: I created a script that creates a backup of your Intune environment and uploads it to a storage account.
I got a couple of requests to update a previous blog to remove the on-prem requirement. So, here we go!
Other parts:
Intune Backup to Storage Account Pt.2 – The Automation Account
Intune Backup to Storage Account Pt.3 – The Notification
Prerequisites
A storage account with a container to store your backups
Install Azure CLI on the machine/automation where you run the script.
After that, you can start this blog.
Create Service Principal
We use a service principal for authentication. Firstly, we authenticate against Graph to create the Intune backup. After that, we connect via Az CLI to a storage account to upload the backup. A secret is used to authenticate.
Furthermore, you can also use certificate-based authentication but for testing purposes, we use a secret.
So, let’s create the service principal.
Log on to Microsoft Azure and go to the Azure AD blade
Next, go to App Registrations:

After that, click on the new registration:

Call it “IntuneSPN” and click on register:

In addition, you see this screen. Copy these GUIDs to a notepad of some sort:

Next, go to Certificates & Secrets:

Click on “New client secret”:

Name it and click on create.
NOTE: Write down this value in your notepad:

After that, go to “API Permissions” and click on “Add a permission”:

Select “Microsoft Graph”, “Application permissions”, search for “Device” and select these permissions:

NOTE: Make sure this service principal has appropriate permissions to your storage account from the prerequisites.
Run Intune Backup to Storage Account
Time to test drive the service principal!
I uploaded the script to my GitHub account. You can find it here.
Save this file as a .ps1 file. In addition, I use the name “IntuneBackuptoStorageAccount.ps1” so you can follow the example.
Use this code to run the script:
.\IntuneBackupToStorageAccount.ps1 -TenantId "YOURTENANT.onmicrosoft.com" -ClientID "CLIENT ID FROM NOTEPAD" -ClientSecret "CLIENT SECRET FROM NOTEPAD" -StorageAccountName "Your Storage Account" -RGName "Resource Group for storageaccount" -ContainerName "backup"
This is the output when you run the script.
Firstly, the appropriate modules are installed, the temporary folders created and the Intune Backup started:


All the data is put in the C:\Temp\IntuneBackup folder. If you want to use another path feel free to change this in the script.
After that, the script logs on to Microsoft Azure using Azure CLI:

The data is uploaded to the Azure storage account:

It’s put in a folder based on the time when the script was run (format: yyyy-MM-dd-HH-mm-ss):

Content of the last folder:

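The login and upload steps described above, as an added example that is not the author's script: it reads the client secret from an environment variable instead of the command line, uploads the backup folder with Azure CLI into a timestamped folder, and logs out afterwards. The variable name INTUNE_SPN_SECRET and the default backup path parameter are assumptions of this sketch, and it assumes the service principal holds a data-plane role on the storage account (for example Storage Blob Data Contributor).

```powershell
# Added example, not the author's script.
# INTUNE_SPN_SECRET is a hypothetical environment variable name used for this sketch.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $StorageAccountName,
    [Parameter(Mandatory)] [string] $ContainerName,
    [string] $BackupPath = 'C:\Temp\IntuneBackup'
)

# Read the secret from the environment so it stays out of console history and transcripts.
$ClientSecret = $env:INTUNE_SPN_SECRET
if ([string]::IsNullOrWhiteSpace($ClientSecret)) { throw 'INTUNE_SPN_SECRET is not set.' }
if (-not (Test-Path -Path $BackupPath -PathType Container)) {
    throw "Backup folder '$BackupPath' was not found."
}

# Folder name in the format the post describes.
$Stamp = Get-Date -Format 'yyyy-MM-dd-HH-mm-ss'

$loginArgs = @('login', '--service-principal', '--username', $ClientId,
               '--password', $ClientSecret, '--tenant', $TenantId, '--output', 'none')
# --auth-mode login uses the service principal's Azure AD token instead of an account key.
$uploadArgs = @('storage', 'blob', 'upload-batch', '--account-name', $StorageAccountName,
                '--destination', $ContainerName, '--destination-path', $Stamp,
                '--source', $BackupPath, '--auth-mode', 'login', '--output', 'none')
$listArgs = @('storage', 'blob', 'list', '--account-name', $StorageAccountName,
              '--container-name', $ContainerName, '--prefix', "$Stamp/",
              '--auth-mode', 'login', '--query', 'length(@)', '--output', 'tsv')

try {
    az @loginArgs
    if ($LASTEXITCODE -ne 0) { throw 'az login failed.' }

    az @uploadArgs
    if ($LASTEXITCODE -ne 0) { throw 'Upload to the storage account failed.' }

    # Confirm the upload by counting the blobs under the new timestamped prefix.
    $count = az @listArgs
    if ($LASTEXITCODE -ne 0) { throw 'Could not list the uploaded blobs.' }
    Write-Output "Uploaded $count blobs to $ContainerName/$Stamp"
}
finally {
    # Drop the cached CLI token and the in-memory copy of the secret, even on failure.
    az logout | Out-Null
    Remove-Variable -Name ClientSecret
}
```

The secret is still handed to `az login` as an argument of that child process; the certificate-based authentication mentioned earlier avoids carrying a shared secret at all.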
References
I have used Michael Niehaus’s method to authenticate against Microsoft Graph with a service principal.
This is perfect, I will be switching to this. Much better than running on batch server!
In my environment it seems to get as far as backing up my ADMX policies to the TEMP directory then starts again from the beginning. I can’t see any obvious errors. This is the only error I see and I am not sure it is the problem: Unable to find an entry point named ‘GetPerAdapterInfo’ in DLL ‘iphlpapi.dll’. Works OK when I run the script on my computer and back up to Blob storage.
Hello,
Do you use a Windows-based agent for your Azure Automation Account?
Thanks,
Niels
Hi Niels,
I now have it working using a Windows Hybrid worker group. So that will work for me. Not sure why it does not work when I run directly in Azure.
Thanks,
Alex
Hi Alex,
That’s odd. I don’t use a hybrid worker. Since you don’t have an obvious error I find it hard to give you any advice…
Thanks,
Niels