If you work at an MSP or regularly configure Intune for other organizations, you probably configure many of the same policies/profiles several times a month. The ability to bulk export & import your standard configuration policies will help make your deployments more efficient and standardized. This post describes some methods to export your policies, and I’ll follow up with another post on how to Import these policies in bulk. I considered updating my 2+ year old post (Export & Import settings catalog profiles between tenants with PowerShell and Graph API – SMBtotheCloud), but most of it would need to be rewritten, so I decided to make a new one. Manually configuring your policies can be time-consuming and subject to human error. You also may want to back up your current policies, or you inherited a tenant with a mess of policies and want to export them before doing some cleanup. Intune added the ability to export settings catalog profiles as JSON from the Intune dashboard a while back, but you need to do this one policy at a time, and it doesn’t work for all platforms or policy types. It’s only compatible with Windows Settings Catalog policies at the time of writing.
This is a great option for a single policy or two, but you’ll want to use another method if you have many policies to export or non-Windows settings catalog policies. There are two other methods I’ll describe in this post:
- Using the Edge/Chrome developer tools. This method will work if you are scared of PowerShell, or only need a few policies exported that don’t support the Export JSON option like settings catalog policies support.
- Using PowerShell and the Graph API to pull your policies down as JSON files. This method is much more efficient if you have many policies to export or back up.
Use the Edge Developer Tools to export policies as JSON
As we just mentioned, this method may be an option if you only have a few policies you want to export and they don’t support the export JSON option in the Intune dashboard. Sign into your Intune dashboard and navigate to the policy area you want to export. In this example, we will export an AV policy since they don’t natively support exporting to JSON in the dashboard.
Open the Edge developer tools by pressing the F12 key.
Select the Network tool and make sure the record button is red. This means it’s capturing activity:
Back in the Intune dashboard, select the Intune policy you want to capture and edit it. You do not need to make any changes (although you can if you want to). After opening it, click next through the different settings pages until you get to the Review page and click save.
After clicking Save, look at the developer tools console. Look for an entry that starts with configurationPolicies (or the type of profile you just edited) and a type of fetch:
Select that entry You can confirm this is the correct entry because it should have a request method of “PUT” which means it was updated and also contains the entire body (even though we didn’t change anything).
Select the Payload tab. Right-click the top level and click copy. This is the JSON of the configuration profile.
Open Notepad or another text/code editor and paste the contents. You should see the description and name of the profile in the top two lines. The rest of the JSON contains the policy settings:
Save your JSON file, and then repeat for any additional policies. Again, this is not the most efficient method, but one option. Another nice thing about the developer tools, even if you don’t use it for exporting policies, is that you can retrieve the graph API resource. Most of these will fall under deviceManagement/configurationPolicies, but this depends on what you’re exporting. For example, custom OMA-URI policies fall under deviceManagement/deviceConfigurations. Simply look at the request URL in the headers section of one of the get or put requests.
One more thing to mention about non-settings catalog profiles is that not all custom OMA-URI policies can be simply exported/imported. For example, if you’re using a custom OMA-URI policy to deploy a local account with a password, that password will export as encrypted in the JSON. This is also true for custom macOS mobileconfig policies. Those are exceptions and will either need to be manually created, or you’ll need to manually edit the JSON file.
Use PowerShell to bulk export all policies/profiles:
It’s fun to poke around in the Edge Developer tools, but if you’re looking for efficiency, you’ll want to use PowerShell to export your policies. This script from GitHub will grab all of your Conditional Access policies, device configurations (custom policies or templates), device Configuration Policies, App Protection Policies, and App Configuration Policies. They’ll be exported to respective directories in the c:\temp folder on the device where you run the script. This was enough for me, but you can easily edit the script to grab more policies or send the JSON files to another location. From the example below, just edit the path and output variables for what you’re exporting, and also edit the URI so its pointing to what you want to export.
#Custom Device Configuration Profiles
$path = "C:\temp\androidManagedAppProtections"
New-Item -Path $path -ItemType Directory -Force
Write-Host -ForegroundColor Green "Exporting Android App Protection Policies to $path"
$uri = "https://graph.microsoft.com/beta/deviceAppManagement/androidManagedAppProtections/"
$response = Invoke-MgGraphRequest -Method GET -Uri $uri
$policyIds = $response.value.id
Foreach ($policyId in $PolicyIds) {
$policy = Invoke-MgGraphRequest -Method GET -URI $uri$policyId
$policyjson = $policy | ConvertTo-Json -Depth 10
$name = $policy.displayname
$policyJson | Out-File -FilePath "$path\$name.json" -Encoding utf8
write-host -ForegroundColor yellow "Exported $name successfully"
}When the script is finished, you’ll see a parent folder for each policy type in C:\Temp, along with the transcript log.
And the JSON output
The script should only take several seconds to finish. Here is how it looks when you run it:
I’ll follow up with a quick post and another script in a week or two for Importing the JSON files.