All the Different Ways to Backup and Restore Your Microsoft Intune Configuration Policies

All the Different Ways to Backup and Restore Your Microsoft Intune Configuration Policies

By
April 24, 2023

Given its critical role in managing and securing all your company devices, Microsoft Intune is too important in ensuring business continuity to leave without its own robust backup plan. And yet, Microsoft offers zero built-in tools for backing up your Intune policies, leaving your organization vulnerable to a host of attacks that can compromise and disrupt your company devices.

All of this forces business users to look for third-party backup tools, but such solutions are few and far between when it comes to Intune. As for the few tools that are available, they are often too complicated and lack the necessary polish to serve as your centralized backup plan. 

In today’s article on Intune backups, let’s discuss the different solutions currently available for backing up Microsoft Intune. We’ll discuss the steps required to execute each solution, along with the pros and cons of using them. By the time you finish reading, you’ll have a clear idea of the options available to you for backing up your device configurations.

Why Back Up Your Intune Configurations?

Why is it necessary to keep a backup of your Intune configurations and policies? Here are a few reasons why Intune backups are a must-have element of your to-do list as an IT manager:

  • Disaster Recovery: In case of system failures, cyberattacks, or other unforeseen events that cause data loss, having a backup of your Intune configuration policies enables you to quickly restore the settings and resume normal operations, minimizing downtime and disruption to your business.
  • Human Error: Mistakes can happen, such as accidentally deleting or modifying configuration policies. A backup allows you to restore the original settings, preventing the potential negative impact of human error on your organization's mobile device management.
  • Configuration Consistency: Intune configurations can be complex, involving multiple policies and profiles. A backup ensures you have a reference point for your desired settings, allowing you to maintain consistency across devices, users, and applications, even if changes are made over time.
  • Regulatory Compliance: Some industries require organizations to maintain records of their security policies and configurations. Regularly backing up your Intune configuration can help demonstrate compliance with relevant regulations by providing an auditable history of your mobile device management settings.
  • Change Management: Intune configuration backups can be used as a part of a change management process. If an update or modification to a policy causes issues, you can easily revert to the previous configuration using the backup, minimizing the impact on your organization's operations.

What Needs Backing Up in Microsoft Intune?

Before you start planning your backup strategy, it’s important to understand what exactly you need to back up in Microsoft Intune. Here are a few key components that should be included in your backup plan:

  • Device Compliance Policies: These policies define the rules and settings that devices must meet to be considered compliant. They may include security settings, system updates, and device features.
  • Device Configuration Profiles: Configuration profiles contain settings for devices managed by Intune. These profiles can include Wi-Fi, VPN, email, and other settings that are applied to devices.
  • App Protection Policies: These policies control how users can access and interact with organizational data within managed apps on their devices. They may include data sharing restrictions, authentication requirements, and data encryption settings.
  • App Configuration Policies: These policies customize the behavior of managed apps for your organization, such as specifying app settings or pre-configuring server information.
  • Mobile App Deployment: Backup the list of mobile apps you have deployed to devices, including app details and deployment settings, like the assignment of apps to specific groups of users or devices.
  • Conditional Access Policies: These policies control access to organizational resources based on specific conditions, such as user location, device compliance status, or the risk level associated with the sign-in attempt.
  • Role-based Access Control (RBAC) Settings: Backup the custom roles and their permissions that you have configured in Intune to control access to various administrative functions.
  • Enrollment Restrictions: These settings specify which devices are allowed to enroll in Intune and any enrollment limits, such as the maximum number of devices a user can enroll.
  • Device Categories and Groups: Backup information about device categories and the assignment of devices to specific groups, which can be used for targeted policy application or app deployment.
  • Custom Notifications and Alerts: Save the configurations for any custom notifications or alerts you have set up in Intune to monitor device compliance, app deployment, or other aspects of your mobile device management environment.
  • PowerShell Scripts and Custom Policies: If you are using custom PowerShell scripts or any other custom policies to manage devices or applications through Intune, ensure they are backed up as well.

4 Ways to Back Up and Restore Your Intune Settings

When it comes to Intune, there are very few dedicated solutions available in the market to reliably back up your settings and policies. That said, here’s a list of different approaches you can take, including third-party tools and frameworks you can use to aid the process.

#1 Microsoft Endpoint Manager

Microsoft allows users to utilize the Endpoint Manager Admin Center to manually export and later import certain configurations and policies from Intune. Here are the steps needed to make that happen:

Backing Up Intune Configurations:

  1. Open your web browser and navigate to the Microsoft Endpoint Manager Admin Center.
  2. Sign in with your administrator credentials.
  3. Identify the specific configuration policies or profiles you want to back up. Examples include device compliance policies, device configuration profiles, app protection policies, and app configuration policies.

For each policy or profile, follow these steps:

  1. Navigate to the specific policy section in the admin center.
  2. Click on the policy or profile you want to back up.
  3. Look for an option to export the policy or profile. If available, this option typically exports the configuration as a JSON or XML file.
  4. Save the exported file to a secure location, such as a cloud storage service or an encrypted local drive.
  5. Repeat step 4 for each policy or profile you want to back up.

Restoring Intune Configurations:

  1. Open your web browser and navigate to the Microsoft Endpoint Manager Admin Center.
  2. Sign in with your administrator credentials.
  3. Identify the specific configuration policies or profiles you want to restore.

For each policy or profile, follow these steps:

  1. Navigate to the specific policy section in the admin center.
  2. Look for an option to import or create a new policy or profile.
  3. If an import option is available, use it to upload the previously saved JSON or XML file. If the import option is not available, create a new policy or profile using the data from the backup file as a reference.
  4. Configure the settings and assignments for the restored policy or profile as needed.
  5. Repeat step 4 for each policy or profile you want to restore.

#2 PowerShell and Graph API

The above process may work in a pinch but won’t cover all Intune components, such as custom notifications, alerts, or enrollment restrictions. For a more comprehensive backup and restore strategy, you can use PowerShell scripts with Microsoft Graph API to automatically create a backup of your Intune policies.

Register an application in Azure AD:

  1. Sign in to the Azure portal (https://portal.azure.com/).
  2. Navigate to "Azure Active Directory" > "App registrations" > "New registration".
  3. Provide a name for your app and select the appropriate account type.
  4. Click "Register" to create the app.

Configure API permissions:

  1. In the "App registrations" section, click on the newly registered app.
  2. Navigate to "API permissions" > "Add a permission".
  3. Select "Microsoft Graph" > "Application permissions".
  4. Add the required permissions, such as "DeviceManagementConfiguration.ReadWrite.All" and "DeviceManagementApps.ReadWrite.All".
  5. Click "Add permissions" to save your changes.
  6. Ask an administrator to grant admin consent for the required permissions.

Obtain application (client) ID, directory (tenant) ID, and client secret:

  1. In the "App registrations" section, click on the registered app.
  2. Copy the "Application (client) ID" and "Directory (tenant) ID" values.
  3. Navigate to "Certificates & secrets" > "New client secret".
  4. Provide a description and an expiration period, then click "Add".
  5. Copy the generated client secret value.

Install the Microsoft.Graph.Intune PowerShell module:

  1. Open PowerShell and run the following command:
  2. Install-Module -Name Microsoft.Graph.Intune

Connect to the Graph API using the PowerShell module:

  • Run the following command in PowerShell, replacing the placeholders with your actual values:

Connect-MSGraph -ClientID <client_id> -TenantID <tenant_id> -ClientSecret <client_secret>

Back up Intune configurations:

  • a. Create a folder to store the backed-up configuration files.
  • b. Use the Microsoft.Graph.Intune module cmdlets and Graph API to export Intune configurations to JSON files. For example:
  • Get-IntuneDeviceConfigurationPolicy | ConvertTo-Json | Set-Content -Path "C:\Backup\DeviceConfigurationPolicies.json"
  • c. Repeat this process for each type of configuration you want to back up (e.g., device compliance policies, app protection policies, app configuration policies).

Restore Intune configurations:

  1. Connect to the Graph API using the PowerShell module, as explained in step 5.
  2. Use the Microsoft.Graph.Intune module cmdlets and Graph API to import the backed-up configurations from the JSON files. For example:

$deviceConfigurationPolicies = Get-Content -Path "C:\Backup\DeviceConfigurationPolicies.json" | ConvertFrom-JsonCreate new policies using the imported data. For example:

  • foreach ($policy in $deviceConfigurationPolicies) {

    New-IntuneDeviceConfigurationPolicy -DisplayName $policy.displayName -Settings $policy.settings -Platform $policy.platform

}

  • Repeat this process for each type of configuration you want to restore.

#3 Microsoft 365 DSC

Microsoft 365 Desired State Configuration (M365DSC) is a PowerShell module that allows you to manage the configuration of various Microsoft 365 services, including SharePoint, Exchange, Teams, and Intune. M365DSC uses Desired State Configuration (DSC), a PowerShell-based configuration management platform that enables you to declaratively specify the desired state of your environment and apply it consistently across multiple systems.

While M365DSC does not directly provide a feature to automatically back up and restore Intune configurations, you can use it to maintain a consistent Intune configuration across your environment. Here's how:

  • Install the Microsoft365DSC module. Open PowerShell and run the following command:

Install-Module -Name Microsoft365DSC

  • Extract the current Intune configuration:
  1. Run the following command in PowerShell to extract the current configuration of your Intune environment:

Export-M365DSCConfiguration -Quiet -ComponentsToExtract @("MSIntune_*") -GlobalAdminAccount (Get-Credential) -Path "C:\Backup\IntuneConfiguration.ps1"

  • Replace the path with your desired backup location. This command will prompt you for your global admin credentials.
  • Review and store the generated configuration:
  • Open the generated "IntuneConfiguration.ps1" file and review the configuration settings. This file contains a DSC configuration script that represents the current state of your Intune environment. Store this file in a secure location, such as a cloud storage service or an encrypted local drive.
  • Apply the saved configuration to restore or maintain consistency:
  • When you need to restore the saved configuration or apply it to another environment, use the following steps:
  • Open the "IntuneConfiguration.ps1" file and modify the configuration name and node if necessary.
  • Run the PowerShell script to apply the saved Intune configuration: .\IntuneConfiguration.ps1
  • Apply the configuration to the local computer or a remote computer using the following command (replace "IntuneConfiguration" with the actual configuration name):

Start-DscConfiguration -Wait -Verbose -Path .\IntuneConfiguration -Force

Please note that M365DSC currently provides limited support for Intune configurations, focusing mainly on device configuration profiles, device compliance policies, and some app protection policies.

#4 Simeon Cloud

Simeon Cloud is a cloud-based solution that focuses on managing and automating Microsoft 365 and Intune configurations. It simplifies the process of deploying, managing, and maintaining configurations across devices, applications, and policies.

Simeon can help you back up and restore Intune configurations in the following ways:

  • Configuration Management: Simeon Cloud enables users to manage and maintain Intune configuration settings centrally. This includes device configurations, app configurations, app protection policies, and other Intune-related settings.
  • Version Control: Simeon Cloud provides version control for your configurations, allowing you to track changes, revert to a previous version, and maintain a history of your Intune settings.
  • Backup and Restore: With its centralized management and version control capabilities, Simeon Cloud effectively backs up your Intune configurations. In the event of accidental changes or issues, you can easily restore the desired configuration settings from the Simeon Cloud platform.
  • Automation: Simeon Cloud allows you to automate the deployment and management of Intune configurations across multiple environments or tenants. This reduces manual effort and streamlines the backup and restore processes.
  • Reporting and Monitoring: Simeon Cloud provides reporting and monitoring features, enabling you to track the status of your Intune configurations and identify any discrepancies or issues.
  • Security and Compliance: By centralizing and automating the management of Intune configurations, Simeon Cloud helps maintain security and compliance standards across your organization.

Why Simeon Is the Best Solution for Backing Up Your Intune Configurations

Simeon Cloud's no-code nature makes it a more refined approach to backing up Intune configurations compared to PowerShell or Microsoft 365 DSC. It provides a centralized platform for managing all your configurations, making it easier to maintain consistency across devices, applications, and policies. 

Moreover, Simeon's no-code web portal enables users with varying technical expertise to manage and maintain Intune configurations with ease. This reduces the dependency on specialized knowledge, making the backup and restore process more accessible to a wider range of team members.

Want to learn more about how Simeon can help you set up and maintain Intune backups? Request a demo today!