A PowerShell GUI tool for Microsoft Intune that provides insights and visibility where the Intune portal falls short.
🆕 Reports Feature: Generate comprehensive reports for your Intune and Entra ID environment
- Authentication Methods Analysis
- Inactive Users Detection
- Conditional Access Effectiveness
- Shadow IT and Unmanaged Devices
⚡ Device Ownership Performance: Significantly improved query performance for large user groups in enterprise deployments
🔗 Nested Groups Support: Device ownership analysis now recursively processes nested Entra ID groups
💾 Save Remediation Scripts: Export scripts directly to disk for easy upload
📊 Reports: Generate comprehensive reports for authentication methods, inactive users, conditional access effectiveness, and shadow IT detection.
📈 Device Ownership: Analyze device ownership for user groups with support for nested groups and optimized performance.
💾 Configuration Backup: Export your entire Intune configuration to JSON files.
🎯 Assignment Tracking: View policy and app assignments for specific groups and find orphaned policies.
📱 Application Insights: View all Intune applications with version tracking and export capabilities.
🔨 Remediation Scripts: Browse and save community remediation scripts ready for deployment.
Screenshots: analyze device ownership for user groups; view policy and app assignments; generate comprehensive HTML reports; view updates for applications and possible Microsoft Store availability; export your entire Intune configuration.
Clone the repository:
git clone https://github.com/MrOlof/InSight.git
cd InSight
Run the application:
.\Start-InSight.ps1
- Launch the Application: Run Start-InSight.ps1
- Select a Tool: Choose from the left sidebar (Applications, Configurations, Assignments, Reports, etc.)
- Authenticate When Needed: Each feature will prompt for authentication when you use it
- Grant Permissions: Accept the required Microsoft Graph API permissions when prompted
- Perform Analysis: Use the tool's features to analyze or export data
Generate Reports:
- Click Reports in the left menu
- Select the report type you want to generate
- Choose the analysis timeframe (7, 14, or 30 days for Conditional Access and Shadow IT reports)
- Click Generate Report
- Review results in the application
- Open the HTML report in your browser or navigate to the output folder
Backup Intune Configuration:
- Click Backup in the left menu
- Select destination folder
- Configure options (include assignments, exclude built-in policies, API version)
- Click Start Backup
- Wait 30-60 seconds for completion
Analyze Device Ownership:
- Click Device Ownership
- Search for a user group
- Click Analyze Devices
- Review results categorized by device count (now includes nested groups)
- Export to CSV if needed
Find Orphaned Policies:
- Click Assignments
- Scroll to Orphaned Policies section
- Click Find Orphaned Policies
- Review configurations without assignments
Generate comprehensive HTML reports for security and compliance insights:
Authentication Methods Report:
- Overview of MFA adoption across your organization
- Breakdown by authentication method (Phone, Authenticator, FIDO2, etc.)
- User-level details with registration status
- Identifies users without MFA configured
Inactive Users Report:
- Detect dormant accounts that haven't signed in recently
- Configurable inactivity threshold
- Security risk assessment
- Export capabilities for cleanup workflows
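As an added example (not InSight's own code), the core of an inactive-user check of the kind this report performs, written against the Microsoft Graph PowerShell SDK rather than InSight's MSAL modules; the module name, the 90-day default and the CSV path are assumptions.

```powershell
# Added example, not InSight's own code: flag accounts whose most recent sign-in
# (interactive or non-interactive) is older than a configurable threshold.
# Assumes the Microsoft.Graph.Users module and an admin holding User.Read.All
# and AuditLog.Read.All; signInActivity also needs an Entra ID P1/P2 licence.
param(
    [int]$InactiveDays = 90   # assumed default threshold
)
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All' -NoWelcome

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$InactiveDays)

$users = Get-MgUser -All -Property 'id', 'userPrincipalName', 'accountEnabled', 'createdDateTime', 'signInActivity'

$inactive = foreach ($u in $users) {
    # Use the newer of the two timestamps so silently authenticating
    # service-style accounts are not misreported as dormant.
    $last = @($u.SignInActivity.LastSignInDateTime,
              $u.SignInActivity.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    # Accounts that never signed in are judged by their creation date instead.
    $reference = if ($last) { $last } else { $u.CreatedDateTime }
    if ($reference -and $reference -lt $cutoff) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            AccountEnabled    = $u.AccountEnabled   # enabled and dormant is the real risk
            LastSignIn        = $last
            DaysInactive      = [int]($now - $reference).TotalDays
        }
    }
}

$inactive | Sort-Object DaysInactive -Descending | Format-Table -AutoSize
$inactive | Export-Csv -Path ".\InactiveUsers_${InactiveDays}d.csv" -NoTypeInformation
```

Accounts still enabled in the output are the ones a cleanup workflow should disable first; a disabled-but-dormant account is already contained.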
Conditional Access Effectiveness Report:
- Analyze sign-in logs against Conditional Access policies
- Identify authentication patterns and policy coverage
- Configurable analysis period (7, 14, or 30 days)
- Performance optimized for large tenants
Shadow IT and Unmanaged Devices Report:
- Discover devices accessing your environment that aren't managed by Intune
- Identify BYOD and compliance gaps
- Risk assessment based on sign-in activity
- Configurable analysis period (7, 14, or 30 days)
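As an added example (not InSight's own code), a sign-in log analysis for unmanaged devices over the same 7/14/30-day windows, using the Microsoft Graph PowerShell SDK; the module name, the risk thresholds and the CSV path are assumptions.

```powershell
# Added example, not InSight's own code: summarise successful sign-ins from devices
# that are neither Intune-managed nor compliant over a 7/14/30-day window.
# Assumes the Microsoft.Graph.Reports module and AuditLog.Read.All plus
# Directory.Read.All; the risk thresholds below are illustrative, not InSight's.
param(
    [ValidateSet(7, 14, 30)]
    [int]$Days = 30
)
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
# Only successful sign-ins (errorCode 0) represent actual access from the device.
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and status/errorCode eq 0"

# Unregistered devices report neither flag, so a null counts as unmanaged.
$unmanaged = $signIns | Where-Object {
    -not $_.DeviceDetail.IsManaged -and -not $_.DeviceDetail.IsCompliant
}

$report = $unmanaged | Group-Object UserPrincipalName | ForEach-Object {
    $apps = @($_.Group.AppDisplayName | Sort-Object -Unique)
    $os   = @($_.Group.DeviceDetail.OperatingSystem | Sort-Object -Unique)
    $ips  = @($_.Group.IPAddress | Sort-Object -Unique)
    # Illustrative scoring: breadth of apps and source addresses drives the rating.
    $risk = if ($apps.Count -ge 5 -or $ips.Count -ge 5) { 'High' }
            elseif ($_.Count -ge 10) { 'Medium' } else { 'Low' }
    [pscustomobject]@{
        User            = $_.Name
        SignIns         = $_.Count
        Apps            = $apps -join '; '
        OperatingSystem = $os -join '; '
        DistinctIPs     = $ips.Count
        LastSeen        = $_.Group.CreatedDateTime | Sort-Object -Descending | Select-Object -First 1
        Risk            = $risk
    }
}

$report | Sort-Object Risk, SignIns -Descending | Format-Table -AutoSize
$report | Export-Csv -Path ".\ShadowIT_${Days}d.csv" -NoTypeInformation
```

Sign-ins that succeed from unmanaged devices indicate Conditional Access is not requiring a compliant or hybrid-joined device for those apps, which is the coverage gap to close.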
All reports are generated as styled HTML files with interactive tables and can be opened directly from the application.
- MSAL-based OAuth2 authentication
- Automatic token refresh
- Session management with PIM support
- Permission tracking and validation
- On-demand authentication per feature (no upfront sign-in required)
Supported resource types:
- Device Compliance Policies
- Device Configuration Profiles
- Settings Catalog Policies
- Device Management Scripts
- Proactive Remediations (Health Scripts)
- Applications (metadata)
- Autopilot Profiles
- Endpoint Security Policies
- Administrative Templates
Optional features:
- Include policy and profile assignments
- Exclude built-in policies
- API version selection (v1.0 or Beta)
- Timestamped backup folders
- Recursive nested group support for complete visibility
- Optimized performance for enterprise-scale deployments
- Device categorization by ownership count
- User-level device distribution
- Export to CSV for further analysis
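As an added example (not InSight's own code), one way to get nested-group visibility without client-side recursion: Graph's transitiveMembers endpoint flattens nested groups server-side. Written against the Microsoft Graph PowerShell SDK; the module names, the category buckets and the CSV path are assumptions.

```powershell
# Added example, not InSight's own code: resolve a group's transitive (nested)
# user membership, count each member's owned devices and bucket users by count.
# Assumes the Microsoft.Graph.Groups and Microsoft.Graph.Users modules and an
# admin holding Group.Read.All and Directory.Read.All; the CSV path is assumed.
param(
    [Parameter(Mandatory)][string]$GroupName
)
Connect-MgGraph -Scopes 'Group.Read.All', 'Directory.Read.All' -NoWelcome

$safeName = $GroupName.Replace("'", "''")   # escape quotes for the OData filter
$group = Get-MgGroup -Filter "displayName eq '$safeName'" -Top 1
if (-not $group) { throw "Group '$GroupName' not found" }

# transitiveMembers flattens nested groups server-side in a single paged query,
# avoiding one round trip per sub-group. Keep only user objects.
$members = Get-MgGroupTransitiveMember -GroupId $group.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$rows = foreach ($m in $members) {
    $count = @(Get-MgUserOwnedDevice -UserId $m.Id -All).Count
    $category = switch ($count) {
        0       { 'No devices' }
        1       { 'Single device' }
        default { 'Multiple devices' }
    }
    [pscustomobject]@{
        UserPrincipalName = $m.AdditionalProperties['userPrincipalName']
        DeviceCount       = $count
        Category          = $category
    }
}

# Summary by category, then the per-user detail for export.
$rows | Group-Object Category | Select-Object Name, Count | Format-Table -AutoSize
$rows | Sort-Object DeviceCount -Descending |
    Export-Csv -Path ".\DeviceOwnership_$($group.Id).csv" -NoTypeInformation
```

Users with many owned devices are worth a second look: stale registrations linger after hardware is replaced, and each one is a device that can still satisfy a device-based Conditional Access rule.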
- Device group assignment tracking
- User group assignment tracking
- Orphaned policy detection
- Empty group identification
- Export capabilities
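As an added example (not InSight's own code), orphaned-policy and empty-group detection as described above, using the Microsoft Graph PowerShell SDK v1.0 cmdlets; the module names are assumptions, and only the resource types exposed under v1.0 are queried.

```powershell
# Added example, not InSight's own code: find configuration and compliance
# policies with no assignments, and assignments that point at empty or deleted groups.
# Assumes the Microsoft.Graph.DeviceManagement and Microsoft.Graph.Groups
# modules with DeviceManagementConfiguration.Read.All and Group.Read.All.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All', 'Group.Read.All' -NoWelcome

# $expand=assignments returns each policy together with its assignment list.
$policies = @(Get-MgDeviceManagementDeviceConfiguration -All -ExpandProperty assignments) +
            @(Get-MgDeviceManagementDeviceCompliancePolicy -All -ExpandProperty assignments)

$orphaned = $policies | Where-Object { @($_.Assignments).Count -eq 0 } |
    Select-Object DisplayName, Id, LastModifiedDateTime

# Group targets carry the group id in AdditionalProperties; the built-in
# all-users / all-devices targets have none and are skipped here.
$groupIds = $policies.Assignments.Target |
    ForEach-Object { $_.AdditionalProperties['groupId'] } |
    Where-Object { $_ } | Sort-Object -Unique

$emptyTargets = foreach ($gid in $groupIds) {
    try {
        $g = Get-MgGroup -GroupId $gid -Property 'id', 'displayName' -ErrorAction Stop
        # One member is enough to prove the group is in use.
        if (@(Get-MgGroupMember -GroupId $gid -Top 1).Count -eq 0) {
            [pscustomobject]@{ GroupId = $gid; DisplayName = $g.DisplayName; State = 'Empty' }
        }
    } catch {
        # The assignment references a group that no longer exists.
        [pscustomobject]@{ GroupId = $gid; DisplayName = $null; State = 'Deleted' }
    }
}

"Policies without assignments:"; $orphaned | Format-Table -AutoSize
"Assignments targeting empty or deleted groups:"; $emptyTargets | Format-Table -AutoSize
```

Settings Catalog and Endpoint Security policies are only exposed under the beta endpoint, so covering them needs the corresponding Microsoft.Graph.Beta.DeviceManagement cmdlets; a policy assigned only to an empty group is as ineffective as one with no assignment at all.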
Built with:
- UI Framework: Windows Presentation Foundation (WPF)
- Authentication: Microsoft Authentication Library (MSAL)
- API: Microsoft Graph API
- Data Format: JSON
InSight/
├── Start-InSight.ps1 # Main launcher
├── Modules/
│ ├── AuthenticationManager.psm1 # MSAL authentication
│ ├── ConfigurationManager.psm1 # App settings
│ ├── LoggingManager.psm1 # Logging functions
│ ├── PermissionManager.psm1 # Permission validation
│ ├── ScriptManager.psm1 # Script registry
│ └── AssignmentHelpers.psm1 # Assignment analysis
├── Resources/
│ ├── MainWindow.xaml # Main UI definition
│ ├── DeviceOwnershipView.xaml # Device ownership UI
│ └── RemediationScripts.json # Script library
├── Scripts/
│ ├── Reports/
│ │ ├── EntraAuthReport.ps1 # Authentication methods report
│ │ ├── InactiveUsersReport.ps1 # Inactive users report
│ │ ├── ConditionalAccessEffectivenessReport.ps1 # Conditional Access analysis
│ │ └── ShadowIT-UnmanagedDevices.ps1 # Shadow IT detection
│ ├── Get-GroupDeviceOwnershipAnalysis.ps1
│ └── ScriptTemplate.ps1
└── Logs/ # Application logs
Settings are stored in %LOCALAPPDATA%\IntuneAdmin\config.json:
{
"Data": {
"ExportPath": "C:\\IntuneExports"
},
"Logging": {
"Level": "Info",
"RetentionDays": 30
}
}
- Read-only by default for safety
- On-demand authentication (features authenticate only when used)
- MSAL OAuth2 authentication
- Local token caching with encryption
- Automatic token refresh
- No credentials stored in code
- Comprehensive logging with sensitive data redaction
- Minimal permission requests (only what each feature needs)
The application requests the following Microsoft Graph API permissions:
- DeviceManagementManagedDevices.Read.All - Read Intune managed devices
- DeviceManagementApps.Read.All - Read Intune applications
- DeviceManagementConfiguration.Read.All - Read Intune configuration policies
- User.Read.All - Read user profiles and authentication methods
- Directory.Read.All - Read directory data
- Group.Read.All - Read group memberships (including nested groups)
- AuditLog.Read.All - Read sign-in logs for reports
- Policy.Read.All - Read Conditional Access policies
Permissions are requested on-demand when you use each feature. Admin consent may be required for some permissions.
Logs are stored in C:\Logs\IntuneAdmin\:
- File format: IntuneAdmin_YYYY-MM-DD.log
- Levels: DEBUG, INFO, WARNING, ERROR
- Automatic rotation with configurable retention (default 30 days)
Contributions are welcome. Please:
- Fork the repository
- Create a feature branch
- Test in your Intune environment
- Submit a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
Kosta Wadenfalk
- GitHub: @MrOlof
- Microsoft Graph API
- Microsoft Authentication Library (MSAL)
- PowerShell Community