Every admin knows that in some cases a backup copy can be a life saver, regardless of whether it is a server OS backup with some specific configuration, a database holding critical billing information, or, why not, a set of Intune device configuration policies.


In this post we start with the following challenge. You are an Intune administrator who works on a large team with multiple tenants. The complexity of the environment often leads to modifying a configuration on the wrong tenant or replacing a configuration by mistake. You need a better change management process, but in the meantime you still need to protect the data (in this case, the Intune configuration policies).


The solution: implement a backup with an Automation account and Azure Storage. The Automation account will use a native Microsoft Graph application you created previously.

In this post we will discuss the following steps:

  • Create the resource group and storage account with PowerShell
  • Create the automation account
  • Add a runbook to perform the backup
  • Schedule the runbook execution

Resource Group and Storage Account

The data that you plan to back up needs a place to rest. Using the script below, we create a new resource group and a storage account. Feel free to modify the names if you like, but make sure your changes are consistent across the entire solution (if you change them here, change them in the runbook as well).

# Names used throughout the solution. The storage account name must be globally unique (3-24 lowercase letters and digits); the region and account name here are example values
$RG = "IntuneBackup-RG"; $loc = "East US"; $Stor_Acct_name = "intunebackupstorage01"
New-AzureRmResourceGroup -Name $RG -Location $loc
New-AzureRmStorageAccount -ResourceGroupName $RG -Location $loc -SkuName Standard_LRS -Name $Stor_Acct_name

Validate that the resource group and storage account were created.

Automation Account

It is time to create an Automation account. As a prerequisite you need permissions on the subscription to create Run As accounts for automation. Check this page for more info.

  • In the Azure portal go to All resources -> Add -> enter automation in the search box
  • In the next window click Create
  • In the Add automation account enter name, select subscription, select the resource group you created earlier and a location. Make sure Create Azure Run As account is set to Yes
  • Click Create

As soon as your Automation account is created, go to Automation accounts and select the account you created. We now need to add credentials to the account and update the Azure modules.

  • In the IntuneBackup automation account pane click Credentials under Shared resources
  • Click Add a credential
  • In the new page enter the credential for the user you used when you created the application. Click Create
  • Back to the IntuneBackup automation account
  • Click on Modules under Shared Resources
  • In the new window click Update Azure modules. Confirm and wait for the modules to be updated
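The same preparation can be scripted instead of clicked through. The block below is an added example and not part of the original post: it creates the Automation account and the credential asset with the AzureRm cmdlets. The resource group, region and account names are assumptions chosen to match the rest of the post, and the Run As account is still created from the portal as described above, since New-AzureRmAutomationAccount does not create it.

```powershell
# Added example, not from the original post. Names below are assumptions matching the post.
$RG       = "IntuneBackup-RG"
$loc      = "East US"
$AutoAcct = "IntuneBackup"

# The Automation account itself. The Run As account (service principal plus certificate)
# is not created by this cmdlet; create it from the portal as shown in the steps above.
New-AzureRmAutomationAccount -ResourceGroupName $RG -Name $AutoAcct -Location $loc

# Credential asset for the user account the Graph application signs in as.
# Prompting keeps the password out of the script and out of the shell history.
$userCred = Get-Credential -Message "Account used with the Microsoft Graph application"
New-AzureRmAutomationCredential -ResourceGroupName $RG -AutomationAccountName $AutoAcct `
    -Name 'Intune.automation' -Value $userCred

# Confirm the asset exists; the password itself is never returned, only the user name
Get-AzureRmAutomationCredential -ResourceGroupName $RG -AutomationAccountName $AutoAcct -Name 'Intune.automation' |
    Select-Object Name, UserName, CreationTime
```

The credential asset name ('Intune.automation') must match the name the runbook passes to Get-AutomationPSCredential. Updating the Azure modules is still done from the portal as in the last step above.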


Now it is time to add the PowerShell runbook.

  • Click Runbooks ->Create a runbook
  • In the new pane enter IntuneBackup as name and select PowerShell as type
  • Click Create

Now you are in edit mode.

Copy the following script. Make sure you replace $client_id, $client_secret and $tenant_id with your values, and that $RG and $Stor_Acct_name match the names you used when creating the resource group and storage account.

Function Export-JSONData {
    param (
        [Parameter(Mandatory = $true)] $JSON
    )
    # Serialise the policy, then strip characters that are not valid in a file name
    $JSON1 = ConvertTo-Json $JSON -Depth 5
    $JSON_Convert = $JSON1 | ConvertFrom-Json
    $DisplayName = $JSON_Convert.displayName -replace '\<|\>|:|"|/|\\|\||\?|\*', "_"
    $FileName_JSON = "ConfigurationPolicy_" + $DisplayName + "_" + $(Get-Date -f dd-MM-yyyy-H-mm-ss) + ".json"
    $JSON1 | Out-File -FilePath $FileName_JSON
    # Upload the file to today's container in the backup storage account
    Set-AzureStorageBlobContent -File $FileName_JSON -Container $containerName -BlobType Block -Context $ctx -Force | Out-Null
}

# Define parameters for Microsoft Graph access token retrieval.
# Replace the placeholders with your own values. An encrypted Automation variable is a better
# home for the client secret than the runbook text, which anyone with read access to the account can view.
$client_id     = "a82f6664-ba39-43cb-client-yourID"
$client_secret = "2Uban4QnNyourclientsecretsTPPixJf6kXgcml3E="
$tenant_id     = "33f1eaf0-40b6-4f5b-yourtenantID"

$resource         = "https://graph.microsoft.com"
$authority        = "https://login.microsoftonline.com/$tenant_id"
$tokenEndpointUri = "$authority/oauth2/token"

# Must match the names used when the resource group and storage account were created
$RG             = "IntuneBackup-RG"
$Stor_Acct_name = "intunebackupstorage01"

# Credential asset holding the user account the application signs in as
$mycred = Get-AutomationPSCredential -Name 'Intune.automation'

$connection = Get-AutomationConnection -Name AzureRunAsConnection

Connect-AzureRmAccount -ServicePrincipal -Tenant $connection.TenantID `
    -ApplicationId $connection.ApplicationID -CertificateThumbprint $connection.CertificateThumbprint

$user = $mycred.UserName
$UnsecurePassword = $mycred.GetNetworkCredential().Password

# Password (ROPC) grant: the application needs delegated Graph permissions and the account cannot
# use MFA. Values are URL-encoded so special characters in the secret or password do not break the body.
$content = "grant_type=password" +
    "&client_id=$client_id" +
    "&client_secret=$([uri]::EscapeDataString($client_secret))" +
    "&username=$([uri]::EscapeDataString($user))" +
    "&password=$([uri]::EscapeDataString($UnsecurePassword))" +
    "&resource=$resource"

$response = Invoke-RestMethod -Uri $tokenEndpointUri -Body $content -Method Post -UseBasicParsing
$access_token = $response.access_token

$configuri = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations"

############## Storage definitions. Make sure you use your own storage account name
$today = Get-Date -Format MM-dd-yy
$containerName = "intunebackup$today"

$storage = Get-AzureRmStorageAccount -Name $Stor_Acct_name -ResourceGroupName $RG
$ctx = $storage.Context

# Create the container if it is not there. No -PublicAccess is set, so the policy exports
# are not readable anonymously; only holders of the account key or an RBAC role can read them.
if (!(Get-AzureRmStorageContainer -ResourceGroupName $RG -StorageAccountName $Stor_Acct_name | ? { $_.Name -eq $containerName })) {
    New-AzureRmStorageContainer -StorageAccount $storage -Name $containerName | Out-Null
}

# Retrieve every configuration policy, following @odata.nextLink when Graph pages the result
$headers = @{ "Authorization" = "Bearer $access_token" }
$configs = @()
$uri = $configuri
do {
    $page = Invoke-RestMethod -Uri $uri -Headers $headers -ContentType "application/json" -Method GET
    $configs += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

foreach ($config in $configs) {
    Export-JSONData -JSON $config
}

  • Click Save
  • Go to the Test Pane
  • Click Start and wait for the runbook to complete
  • If the script completed successfully, you will get output similar to this

Let’s check if the data was saved to the cloud

  • Go to Resource Groups
  • Select the IntuneBackup-RG
  • Select your storage account
  • In the new page click on Blobs
  • Now you should see a container named intunebackupxx-xx-xx with the date in mm-dd-yy format
  • Click on that and you should see all the saved policies
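The same check can be run from PowerShell, which also lets you confirm that the container is not exposed anonymously. The block below is an added example and not part of the original post; the resource group and storage account names are assumptions matching the rest of the post, and the container name is derived the same way the runbook derives it.

```powershell
# Added example, not from the original post. Names below are assumptions matching the post.
$RG             = "IntuneBackup-RG"
$Stor_Acct_name = "intunebackupstorage01"
$containerName  = "intunebackup" + (Get-Date -Format MM-dd-yy)

$storage = Get-AzureRmStorageAccount -ResourceGroupName $RG -Name $Stor_Acct_name
$ctx     = $storage.Context

# Container-level public access: anything other than Off means the policy exports
# are readable by anyone who knows the URL, without a key or a role assignment
$container = Get-AzureStorageContainer -Name $containerName -Context $ctx
if ($container.PublicAccess -ne 'Off') {
    Write-Warning "Container $containerName allows anonymous '$($container.PublicAccess)' access"
}

# List the exported policies, newest first, and fail loudly if the container is empty
$blobs = Get-AzureStorageBlob -Container $containerName -Context $ctx | Sort-Object LastModified -Descending
if (-not $blobs) { throw "No policy exports found in $containerName" }
$blobs | Select-Object Name, Length, LastModified | Format-Table -AutoSize

# Download the most recent export and make sure it parses as JSON and carries a displayName,
# which is what a restore would rely on
$first = $blobs[0]
Get-AzureStorageBlobContent -Blob $first.Name -Container $containerName -Context $ctx -Destination $env:TEMP -Force | Out-Null
$policy = Get-Content (Join-Path $env:TEMP $first.Name) -Raw | ConvertFrom-Json
"{0} -> {1} ({2})" -f $first.Name, $policy.displayName, $policy.'@odata.type'
```

Run it from a session already signed in with Connect-AzureRmAccount. If the warning fires, the runbook created the container with public access; remove it with Set-AzureStorageContainerAcl -Name $containerName -Permission Off -Context $ctx.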

If you want to add a schedule:

  • On the runbook pane click Schedules under Resources
  • Click Add schedule
  • Link a schedule to your runbook
  • Create new Schedule
  • Enter the fields as you see them fit
  • Click Create and Ok
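The schedule can also be created from PowerShell. The block below is an added example and not part of the original post; the account, runbook and schedule names and the start time are assumptions. One detail the portal hides is that a schedule can only be linked to a published runbook, and the test pane above runs the draft, so the runbook is published first.

```powershell
# Added example, not from the original post. Names and start time below are assumptions.
$RG       = "IntuneBackup-RG"
$AutoAcct = "IntuneBackup"
$Runbook  = "IntuneBackup"

# A schedule links to the published version; the test pane only runs the draft
Publish-AzureRmAutomationRunbook -ResourceGroupName $RG -AutomationAccountName $AutoAcct -Name $Runbook

# Daily schedule starting tomorrow at 02:00 (the start time must be at least 5 minutes in the future)
$start = (Get-Date).Date.AddDays(1).AddHours(2)
New-AzureRmAutomationSchedule -ResourceGroupName $RG -AutomationAccountName $AutoAcct `
    -Name 'IntuneBackup-Daily' -StartTime $start -DayInterval 1

Register-AzureRmAutomationScheduledRunbook -ResourceGroupName $RG -AutomationAccountName $AutoAcct `
    -RunbookName $Runbook -ScheduleName 'IntuneBackup-Daily'

# Review what is linked, and once the schedule has fired, check the most recent jobs for failures
Get-AzureRmAutomationScheduledRunbook -ResourceGroupName $RG -AutomationAccountName $AutoAcct -RunbookName $Runbook
Get-AzureRmAutomationJob -ResourceGroupName $RG -AutomationAccountName $AutoAcct -RunbookName $Runbook |
    Sort-Object StartTime -Descending | Select-Object -First 5 JobId, Status, StartTime, EndTime
```

A job whose Status is Failed is the signal that a backup did not happen, for example after the client secret or the credential asset expires, so the job list is worth checking periodically or wiring into an alert.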

In this post you discovered how to back up your Intune configuration policies into the Azure cloud, and how to add a schedule to run the backup daily.