This post walks through Intune tasks that can currently be managed only with PowerShell scripts, because Intune does not yet offer a built-in feature for them:

  • Bulk force device Sync
  • To force bulk Sync for user group
  • To force bulk Sync for all Android and iOS Devices

Bulk Force device Sync

A sync can be forced from the Intune portal, but only one device at a time; there is no option to force a sync on multiple devices in one go.
So we need a script that accomplishes this task.
The PowerShell script below forces a sync on multiple devices in one go, but a few requirements must be met before running it.

Requirements

The user must have the Intune Administrator role activated through PIM.
The user must have administrator access to the Microsoft Graph application and connect to it by running the commands below.

Run the following commands from an elevated PowerShell session:

# Install and load the Intune Graph module
Install-Module -Name Microsoft.Graph.Intune
Import-Module -Name Microsoft.Graph.Intune
# First run only: grant admin consent for the application in the tenant
Connect-MSGraph -AdminConsent
# Point the module at your own app registration (replace the placeholder with its application ID) and use the beta schema
Update-MSGraphEnvironment -AppID 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxx' -SchemaVersion 'beta'

Connect-MSGraph

To force bulk Sync for user group

Once all requirements are fulfilled, we are ready to run a forced bulk sync for the members of a targeted security group.

The script first exports all members of the targeted security group to a .csv file, then exports the Intune managed device IDs for those members to a second .csv file.

Once we have the managed device IDs, the last lines of the script force a sync on every device listed in that .csv file and write a message for each sync request sent.

# Step 1: export the group members' UPNs (plus given name and surname) to a CSV.
# Requires the ActiveDirectory module (RSAT); Get-ADGroupMember and Get-ADUser come from it.
Import-Module ActiveDirectory
$Group = "Group Name"
$samAccountNames = (Get-ADGroupMember $Group -Recursive).SamAccountName
if (Test-Path C:\temp\Users.csv) { Remove-Item C:\temp\Users.csv -Force }
foreach ($samAccountName in $samAccountNames) {
    Get-ADUser $samAccountName |
        Select-Object UserPrincipalName, GivenName, Surname |
        Export-Csv C:\temp\Users.csv -Append -NoTypeInformation
}

# Step 2: export the Intune managed device IDs for every user in the CSV.
# Devices are matched on a "givenname.surname" substring of the device name,
# so this step relies on your device naming convention.
$Users = Import-Csv C:\temp\Users.csv
if (Test-Path C:\temp\IntuneID.csv) { Remove-Item C:\temp\IntuneID.csv -Force }
foreach ($u in $Users) {
    $displayName = "$($u.GivenName).$($u.Surname)"
    Get-IntuneManagedDevice -Filter "contains(deviceName, '$displayName')" |
        Select-Object id |
        Export-Csv C:\temp\IntuneID.csv -Append -NoTypeInformation
}

# Step 3: force a sync on every managed device ID in the CSV.
$IDs = Import-Csv C:\temp\IntuneID.csv
Import-Module Microsoft.Graph.Intune -Force
Update-MSGraphEnvironment -AppID 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
Connect-MSGraph
foreach ($ID in $IDs) {
    Invoke-IntuneManagedDeviceSyncDevice -managedDeviceId $ID.id
    Write-Host "Sending sync request to device with DeviceID $($ID.id)" -ForegroundColor Yellow
}
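The script above finds a user's devices with contains(deviceName, 'givenname.surname'), which depends on a device naming convention and also matches any longer device name that contains the same substring. The block below is an added example, not code from the original post: it matches devices on the exact userPrincipalName that Intune records for each managed device, pulls the inventory once across all pages, lets you restrict the result by operating system, supports -WhatIf for a dry run, and backs off and retries when Graph throttles the sync action. It assumes Microsoft.Graph.Intune is imported and Connect-MSGraph has already succeeded as described under Requirements; the function names, the C:\temp\Users.csv path and its UserPrincipalName column are the example's own assumptions.

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph.Intune is imported and
# Connect-MSGraph has already succeeded. Function names, the CSV path and column are assumptions.

function Get-ManagedDevicesForUpns {
    <#
    .SYNOPSIS
    Returns every Intune managed device whose userPrincipalName is in the supplied list.
    The inventory is fetched once (all pages) and matched locally, so john.smith@contoso.com
    never matches john.smithson@contoso.com the way contains(deviceName, 'john.smith') would.
    #>
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalNames,
        [string[]] $OperatingSystems   # optional, e.g. 'Windows','iOS'; empty means all
    )
    # Case-insensitive lookup set of the UPNs we care about
    $wanted = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($upn in $UserPrincipalNames) { if ($upn) { [void]$wanted.Add($upn.Trim()) } }

    Get-IntuneManagedDevice | Get-MSGraphAllPages |
        Where-Object { $_.userPrincipalName -and $wanted.Contains($_.userPrincipalName) } |
        Where-Object { -not $OperatingSystems -or $_.operatingSystem -in $OperatingSystems } |
        Sort-Object id -Unique
}

function Invoke-ManagedDeviceSyncWithRetry {
    <#
    .SYNOPSIS
    Sends the sync action to one device, backing off and retrying on Graph throttling (HTTP 429)
    or a transient 5xx. Honours -WhatIf so a dry run lists the targets without acting on them.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Device,
        [int] $MaxAttempts = 4
    )
    process {
        $label = "{0} ({1}, {2})" -f $Device.deviceName, $Device.operatingSystem, $Device.userPrincipalName
        if (-not $PSCmdlet.ShouldProcess($label, "Invoke sync")) { return }
        for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
            try {
                Invoke-IntuneManagedDeviceSyncDevice -managedDeviceId $Device.id -ErrorAction Stop
                Write-Output "Sync requested: $label"
                return
            } catch {
                $msg = $_.Exception.Message
                $transient = $msg -match '429|TooManyRequests|50[0-9]|ServiceUnavailable|GatewayTimeout'
                if (-not $transient -or $attempt -eq $MaxAttempts) {
                    Write-Error "Sync failed for $label after $attempt attempt(s): $msg"
                    return
                }
                $delay = [math]::Pow(2, $attempt)   # 2, 4, 8 seconds...
                Write-Warning "Throttled or transient error for $label; retrying in $delay s"
                Start-Sleep -Seconds $delay
            }
        }
    }
}

# Usage: read the Users.csv produced by the group export above and sync only Windows devices.
$upns    = (Import-Csv 'C:\temp\Users.csv').UserPrincipalName
$targets = Get-ManagedDevicesForUpns -UserPrincipalNames $upns -OperatingSystems 'Windows'
Write-Output ("{0} device(s) matched {1} user(s)" -f @($targets).Count, @($upns).Count)
$targets | Invoke-ManagedDeviceSyncWithRetry -WhatIf   # dry run: lists what would be synced
$targets | Invoke-ManagedDeviceSyncWithRetry           # then send the sync requests
```

Run the -WhatIf pass first and compare the matched count against the group size; a user with no enrolled device or a stale UPN in the CSV shows up there as a gap before any action is taken.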

To force bulk Sync for all Android and iOS Devices (credit to Michael Mardahl for this script)

# Point the module at the organisation's app registration and use the beta schema
Update-MSGraphEnvironment -AppID 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx' -SchemaVersion 'beta'

# Start a transcript log, just in case...
Start-Transcript "$($env:TEMP)\script_Invoke-IntunePolicySyncOniOSAndAndroid.ps1_log.txt" -Force

Write-Output "Importing PowerShell modules for Intune"
try {
    Import-Module -Name Microsoft.Graph.Intune -ErrorAction Stop
} catch {
    Write-Output "Microsoft.Graph.Intune module not found in common module path, installing in the current user scope..."
    Install-Module -Name Microsoft.Graph.Intune -Scope CurrentUser -Force
    Import-Module Microsoft.Graph.Intune -Force
}

Write-Output "Connecting to Graph"
try {
    Connect-MSGraph -ForceNonInteractive -ErrorAction Stop -Quiet
    # change the switch to -AdminConsent when first running this command in your tenant to disable future prompts (see requirements note)
} catch {
    Write-Error "Failed to connect to MSGraph! Did you remember to give Admin Consent?"
    Exit 1
}

Write-Output "Getting iOS and Android device list"
try {
    # Fetch the full inventory once (all pages) and keep only Android and iOS devices
    $deviceObjList = @(Get-IntuneManagedDevice | Get-MSGraphAllPages |
        Where-Object { $_.operatingSystem -in @('Android', 'iOS') })
} catch {
    Write-Error "Failed to fetch devices! Permissions or Admin Consent issue perhaps?"
    Exit 1
}

if ($deviceObjList.Count -gt 0) {
    Write-Output "Sending sync signal to all iOS and Android devices"
    foreach ($deviceObj in $deviceObjList) {
        try {
            "id: {0} OS: {1,-8} Name: {2,-50} Owner: {3}" -f $deviceObj.id, $deviceObj.operatingSystem, $deviceObj.deviceName, $deviceObj.emailAddress
            $deviceObj | Invoke-IntuneManagedDeviceSyncDevice -ErrorAction Stop
        } catch {
            Write-Error "Failed to send signal to $($deviceObj.id)"
        }
    }
} else {
    Write-Output "No iOS or Android devices found in Intune (You might want to verify this manually in the Intune Portal)"
}

Write-Output "Done."

Stop-Transcript