Export & import your Intune tenant settings
If you’ve ever run into the need to change tenants (maybe your tenant trial has ended or you want to move settings from development to production), you may have noticed that there is no quick way to export settings from Intune. In this step-by-step post, we’ll go over using PowerShell to easily migrate settings.
1. Open a new tab and download the latest Intune PowerShell scripts from https://github.com/microsoftgraph/powershell-intune-samples. Save the .zip file into the downloads folder. Right-click on the powershell-intune-samples-master zip file and select Extract all > Extract.
2. Run PowerShell as an Administrator and accept the UAC popup. Run Set-ExecutionPolicy Bypass.
3. Run Install-Module AzureAD. Approve installing the module.
4. Run cd C:\Users\*YourUserAccount*\Downloads\powershell-intune-samples-master\powershell-intune-samples-master\DeviceConfiguration
If you’re looking to export other content from Intune, you would select another folder during this step and run that corresponding PowerShell script. Other options here include Company Portal Branding, Enrollment Restrictions, and Terms and Conditions.
5. Run .\DeviceConfiguration_Export.ps1
6. Sign-in using your Intune administrator account. Select the checkbox to consent on behalf of your organization and click Accept.
8. The next step is to provide the export location. Run C:\Users\*YourUserAccount*\Downloads\powershell-intune-samples-master\powershell-intune-samples-master\DeviceConfiguration
Now all of our settings are exported! We’ll follow the same general process for importing, except specifying the exported JSON file.
9. Run .\DeviceConfiguration_Import_FromJSON.ps1
10. Open the C:\Users\*YourUserAccount*\Downloads\powershell-intune-samples-master\powershell-intune-samples-master\DeviceConfiguration folder. While holding shift, copy as path the configuration profile. Paste into the PowerShell window.
11. Navigate back to the Azure Portal.
12. On the left navigation bar, click All Services > Intune. Click on Device Configuration and verify the profiles are duplicated. Since I reused my same tenant for this demo, I’ll see that the Autopilot Reset profile is duplicated:
IIs there a way to import the MDMMigrationAnalysis.html into Intune once its created to save having to create each setting individually?
Is it also possible with this to set up one tenant perfectly with compliance policies, gpo’s and apps and such and then export it and import it into all my other tenants, so I don’t have to do all the settings everytime again?
Sure – take a look here: https://deviceadvice.io/2019/07/12/export-import-your-intune-tenant-settings/
I think you’ll only be able to import/export configuration settings (no apps), but that should save some time!
Is it possible to migrate intune configuration settings from one intune environment to another? As in can I grab your setting json files and import them in my intune? I noticed json files contain a number of guid-alike items
Yup! These settings can be imported into a different environment.
Any way to export Administrative Template-based settings? They don’t seem to get exported with the above script.
You would need to amend the default script (or find another sample) that targets the GroupPolicyConfiguration node in the Intune Graph API: https://docs.microsoft.com/en-us/graph/api/resources/intune-grouppolicy-grouppolicyconfiguration?view=graph-rest-beta
Hi Janusz, it works perfectly except one of our huge Custom profile, getting below error. Have you seen this before, any tips?
Response content:
{“error”:{“code”:”BadRequest”,”message”:”Unable to read JSON request payload. Please ensure Content-Type header is set and payload is of valid JSON format.”,”innerError”:{“date”:”2021-07-04T10:59:11″,”request-id”:”5befa7df-f856-410e-babd-66ed047827b1″,”client-request-id”:”5befa7df-f856-410e-babd-66ed047827b1″}}}
Add-DeviceConfigurationPolicy : Request to https://graph.microsoft.com/Beta/deviceManagement/deviceConfigurations
failed with HTTP Status BadRequest Bad Request
At C:\temp\powershell-intune-samples-master\DeviceConfiguration\DeviceConfiguration_Import_FromJSON.ps1:343 char:1
+ Add-DeviceConfigurationPolicy -JSON $JSON_Output
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Add-DeviceConfigurationPolicy
I have AzureADPreview installed, do I need to unistall it and install AzureAD module instead?
I guess the answer is Yes, because I see this:-
Checking for AzureAD module…
AzureAD PowerShell module not found, looking for AzureADPreview
When I ran .\DeviceConfiguration_Export.ps1 it doesnt actually export in .csv format only .json but in the screenshot it shows both csv and json. Am I running the correct script? Thanks!
Looks like they updated that .ps1 script to only export .json’s now… I’d recommend using the latest scripts as I’m sure there are other improvements, but here’s a .zip of the 2019 Intune PowerShell Samples scripts with the deviceconfiguraiton_export.ps1 that also exports a csv: powershell-intune-samples-master.zip
Ahhh awesome thanks so much for providing the old script and super quick response! 🙂
Hi Janusz, I don’t know what’s going on but with both old and new script no file are made, *.json or *.csv.
No error on powershell, folder has been created but it’s empty :-/
Have you met all of the prereq’s for Intune Graph API? https://github.com/microsoftgraph/powershell-intune-samples#prerequisites
When exporting csp I get the isencrypted values set so I can’t re-import them.. what am I missing? is there some flag I am missing?
“secretReferenceValueId”: “12345678990”,
“isEncrypted”: true,
“value”: “****”
I’m not too familiar with this – but when I search the repository the isEncrypted flag only shows up for Managed Devices. Is that the case? Because you can’t import devices into your tenant, they would need to be reenrolled.
I am getting the same issues
When exporting csp I get the isencrypted values set so I can’t re-import them.. what am I missing? is there some flag I am missing?
“secretReferenceValueId”: “12345678990”,
“isEncrypted”: true,
“value”: “****”