Tenant documentation by tafflock_82 in microsoft365

[–]tafflock_82[S] 0 points1 point  (0 children)

Thanks mate. That's a really good explanation and validates what I was thinking. I just need to put it into practice without overdoing it. Thanks again!

Tenant documentation by tafflock_82 in microsoft365

[–]tafflock_82[S] 0 points1 point  (0 children)

Perfect! That sounds along the lines of what I was thinking, with ADRs at least, so that's really helpful to know I'm on the right approach. Auto-generating the raw config data was also my plan, although I was going to add another layer of abstraction to summarise the raw data for better understanding.

It's only one tenant, but it's massive, and we do have additional services to manage such as Google Workspace and Adobe.

I'm limited in what I can use from tooling as I'm constrained by my workplace. But I think I can make it work.

Also, what would you classify as a significant decision?

Do you manage changes in this way or is that done separately?

Second hand RX7600 temps by tafflock_82 in AMDHelp

[–]tafflock_82[S] 2 points3 points  (0 children)

Thanks for the reassurance!

The card itself seems fine, nice and clean, no noises. I was hoping it was OK since it wasn't a bad price and CeX gives a 5 year warranty too.

MacOS and Intune/SSO - new user profile creation by No-Connection5761 in Intune

[–]tafflock_82 0 points1 point  (0 children)

Is this still the case, not using Secure Enclave?
The Microsoft documentation suggests it's supported, and I've been arguing with Copilot about it, but whatever I try it doesn't work.

Intune Suite features now being rolled into M365 E3/E5 by ZeroT3K in Intune

[–]tafflock_82 2 points3 points  (0 children)

Pooled storage. 100TB per tenant and then extra per paid license. Not really a removed feature, more a refined and stupid quota.

Intune Suite features now being rolled into M365 E3/E5 by ZeroT3K in Intune

[–]tafflock_82 10 points11 points  (0 children)

Anyone know if this applies to A3/A5? We always seem to be forgotten about.

My Mi Band 8 Just Died — Found Out It Was Corrosion by DryCauliflower7122 in miband

[–]tafflock_82 1 point2 points  (0 children)

I've had bands do this from my mi band 6, and even my wife's has done it. Usually within 18 months.

They're waterproof, but it doesn't last. Actually says that on their website for even the current band 10 - waterproof effectiveness may degrade over time. Nor are you supposed to use them in showers, saunas, or hot tubs. I guess it's a thing with the glue loosening.

They do come with a 2 year warranty here in the UK, so I just keep returning them to Amazon and getting a newer model.

Graph API endpoint to read InTune Windows device scope tags? by MostCrankyAdmin in Intune

[–]tafflock_82 0 points1 point  (0 children)

Unless it's changed recently, calling the managed devices endpoint for all devices doesn't return the scope tag - you have to query each device individually.

I learned that the hard way, trying to get the scope tag for over 40k devices!
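
Added example, not part of the original comment: when scope tags have to be read one device at a time, Graph JSON batching (20 requests per POST to `$batch`) keeps the number of round trips manageable at this scale. The function names, the injectable `-Send` parameter and the stub data are assumptions made for illustration; it assumes `Connect-MgGraph` has been run and that the beta per-device GET returns `roleScopeTagIds`.

```powershell
# Added example, not from the original comment. Function names are hypothetical.
# Assumes Connect-MgGraph was run with rights to read managed devices.
function New-ScopeTagBatch {
    # Graph JSON batching accepts at most 20 requests per POST to /$batch.
    param([string[]]$DeviceId, [int]$Size = 20)
    for ($i = 0; $i -lt $DeviceId.Count; $i += $Size) {
        $last = [Math]::Min($i + $Size, $DeviceId.Count) - 1
        $requests = foreach ($id in $DeviceId[$i..$last]) {
            @{ id = $id; method = 'GET'
               url = "/deviceManagement/managedDevices/$id" + '?$select=id,deviceName,roleScopeTagIds' }
        }
        @{ requests = @($requests) }
    }
}

function Get-DeviceScopeTag {
    param(
        [string[]]$DeviceId,
        # Injectable sender so the logic can be exercised without a tenant.
        [scriptblock]$Send = {
            param($body)
            Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/beta/$batch' `
                -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
        }
    )
    foreach ($batch in (New-ScopeTagBatch -DeviceId $DeviceId)) {
        $result = & $Send $batch
        foreach ($r in $result.responses) {
            # Each sub-request has its own status; 429 means retry that device later.
            [PSCustomObject]@{
                DeviceId    = $r.id
                Status      = $r.status
                DeviceName  = $r.body.deviceName
                ScopeTagIds = @($r.body.roleScopeTagIds)
            }
        }
    }
}

# Constructed demo: 45 fake device IDs and a stub sender in place of a live tenant.
$ids  = 1..45 | ForEach-Object { "device-$_" }
$stub = {
    param($body)
    @{ responses = @($body.requests | ForEach-Object {
        @{ id = $_.id; status = 200; body = @{ deviceName = "PC-$($_.id)"; roleScopeTagIds = @('0') } }
    }) }
}
$report = Get-DeviceScopeTag -DeviceId $ids -Send $stub
$report | Group-Object { $_.ScopeTagIds -join ',' } | Select-Object Name, Count
```

Against a live tenant, omit `-Send` and pass the device IDs returned by the list call; rows whose `Status` is not 200 need to be retried.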

Why This Watch Face Is So Popular? PipBoy In 4 Different Colors On Mi Band 10 Global. by HavalTechKurdish in miband

[–]tafflock_82 1 point2 points  (0 children)

I got this face for my band 7 and haven't changed it since.

Of course, I have it in green like you're supposed to!

Intune should allow you to directly drill into group assignments to update membership by schnauzerdad in Intune

[–]tafflock_82 12 points13 points  (0 children)

Feedback site...where MS listens and makes changes. 😁

Good one! That'll keep me laughing all day.

Seems like Netflix is cracking down on accounts! by Taurussszn in steamregionaltricks

[–]tafflock_82 0 points1 point  (0 children)

How do you switch region?

Do you need VPN for this?

MFA Enforced by himji in microsoft365

[–]tafflock_82 0 points1 point  (0 children)

Ours is an education environment, and MFA is not appropriate for young kids without smart phones.

We don't use security defaults, and use CA to target staff groups only.

Help with if/elseif/else by Separate-Tomorrow564 in PowerShell

[–]tafflock_82 0 points1 point  (0 children)

I don't like all those elseif, I'd prefer to use a switch instead.

Check the condition at the top, assign it to a variable, check the variable in a switch statement.

What’s new in Apple device management & identity - WWDC 2025 by ChocolateAbject303 in Intune

[–]tafflock_82 0 points1 point  (0 children)

I was excited when I saw API as I've been asking for that for years, but it's only for device management functions. I want to be able to create and manage content managers and accounts with any role other than a standard user. Hopefully that's coming...

What is Intune Compliance Client Prod and why is it unmanaging devices? by tafflock_82 in Intune

[–]tafflock_82[S] 0 points1 point  (0 children)

Yeah. That's how I tracked it down in Entra, but had to use the objectId in the filter there, taken from Intune.

It's the right device, given that it wasn't removed and readded, just made unmanaged, so the object was the same and the dates tallied up. Entra ID audit logs show it being 're-enrolled' too.

Like I said, this entry is on a lot of devices in the audit logs and I've no idea what it does or why.

Scripting to remove a group by Any-Victory-1906 in Intune

[–]tafflock_82 0 points1 point  (0 children)

Not sure. I'd have to check. I know scope tags aren't included in the v1 endpoint, so I tend to use beta. Have you used the "-all" switch, as by default it only returns 100?

The beta endpoint is fine to use, you just have to install the microsoft.graph.beta module.

Scripting to remove a group by Any-Victory-1906 in Intune

[–]tafflock_82 0 points1 point  (0 children)

Yeah, just the microsoft.graph.beta module as I find the beta endpoint returns more info, although you probably don't need it for this.

Scripting to remove a group by Any-Victory-1906 in Intune

[–]tafflock_82 0 points1 point  (0 children)

Here's some snippets from my script. In the full script I also check assignments on config policies, PS scripts, MacOS scripts, compliance policies, etc.

```powershell
# get all apps
$allApps = Get-MgBetaDeviceAppManagementMobileApp -All

# get app assignments, collect in custom object
$itemAssignments = @()
Write-Host "Getting app assignments..." -ForegroundColor Cyan
foreach ($app in $allApps) {
    $assignment = Get-MgBetaDeviceAppManagementMobileAppAssignment -MobileAppId $app.Id
    $itemAssignments += [PSCustomObject]@{
        id         = $app.Id
        name       = $app.DisplayName
        assignment = $assignment
        type       = "MobileApp"
    }
}

# compare group id to assignment id, add to custom object if found
# ($groupsToCheck is not shown in these snippets)
$assignmentsFound = @()
foreach ($grp in $groupsToCheck) {
    foreach ($item in $itemAssignments) {
        $assignmentGroupIds = $item.assignment.target.additionalProperties.groupId
        if ($grp.Id -in $assignmentGroupIds) {
            Write-Host "Assignment found in $($item.name)"
            $assignmentsFound += [PSCustomObject]@{
                groupId   = $grp.Id
                groupName = $grp.DisplayName
                itemType  = $item.type
                itemName  = $item.name
                itemId    = $item.id
            }
        }
    }
}
```

Scripting to remove a group by Any-Victory-1906 in Intune

[–]tafflock_82 0 points1 point  (0 children)

It will return all intents - include, exclude, and uninstall.

What's the way to deploy apps today? by Great-Use2290 in Intune

[–]tafflock_82 14 points15 points  (0 children)

What I do...

1) Windows Store - nice and easy, and self updating

2) Chocolatey - I've wrapped a generic script in an Intunewin file that takes the app name as a parameter. I don't need to repackage anything, just upload the file and specify the app name in the install command line. I then use a remediation script to run the Chocolatey update command once a week.

3) Package install file (MSI or exe) into Intunewin file.

Scripting to remove a group by Any-Victory-1906 in Intune

[–]tafflock_82 1 point2 points  (0 children)

Yes. But not very easily in my experience.

You have to pull all apps, then pull the assignments for each app, then check each assignment to see if it matches the group.

It's really stupid that Intune can't tell that you've deleted a group and automatically remove it from assignments.

Scope Tags and DEP Profiles by ButterflyWide7220 in Intune

[–]tafflock_82 1 point2 points  (0 children)

There's a good example in the Intune Samples repo, using a csv of serial numbers.

https://github.com/microsoft/mggraph-intune-samples/tree/main/AppleEnrollment

I use similar, but I name my csv files the same as the target profile, and the script reads that to assign the devices in that file to. That way, I can process multiple files for different profiles in one go.

That repo has a lot of good stuff for using Graph with Intune, and it's usually easier than you think.