update to version 4.0.6

CHANGELOG.md

@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.0.6] - 2026-02-09
+- Updated manifest file to add Required Microsoft.Graph.Authentication module and ProjectUri.
+- Added 2 new functions: "Assert-GraphConnection" and "Connect-IntuneBackupAndRestore".
+- Added functionality to connect with Application flow using either certificate or secret.
+
 ## [4.0.1] - 2025-12-16
 - Updated Microsoft.Graph Required Scopes. Special thanks to @Felix4567 #93
 - Fixed an issue where the Microsoft Graph $apiVersion was missing in a command. Special thanks to @magfrank #82

IntuneBackupAndRestore/IntuneBackupAndRestore.psd1

@@ -12,7 +12,7 @@
 RootModule = 'IntuneBackupAndRestore.psm1'
 
 # Version number of this module.
-ModuleVersion = '4.0.1'
+ModuleVersion = '4.0.2'
 
 # Supported PSEditions
 # CompatiblePSEditions = @()
@@ -51,7 +51,7 @@ Description = 'PowerShell Module that queries Microsoft Graph, and allows for cr
 # ProcessorArchitecture = ''
 
 # Modules that must be imported into the global environment prior to importing this module
-# RequiredModules = @(@{ModuleName="MSGraphFunctions", ModuleVersion="2.2.0", Guid="0a3f3df4-64a0-430a-937d-a9b1901349ce"})
+RequiredModules = @(@{ModuleName="Microsoft.Graph.Authentication"})
 
 # Assemblies that must be loaded prior to importing this module
 # RequiredAssemblies = @()
@@ -101,7 +101,7 @@ PrivateData = @{
         LicenseUri = 'https://github.com/jseerden/IntuneBackupAndRestore/blob/master/LICENSE'
 
         # A URL to the main website for this project.
-        # ProjectUri = ''
+        ProjectUri = 'https://github.com/jseerden/IntuneBackupAndRestore'
 
         # A URL to an icon representing this module.
         # IconUri = ''

IntuneBackupAndRestore/Private/Assert-GraphConnection.ps1

@@ -0,0 +1,54 @@
+function Assert-GraphConnection {
+	<#
+	.SYNOPSIS
+		Asserts a valid Graph connection has been established.
+
+	.DESCRIPTION
+		Asserts a valid Graph connection has been established.
+
+	.PARAMETER Cmdlet
+		The $PSCmdlet variable of the calling command.
+
+	.EXAMPLE
+		PS C:\> Assert-GraphConnection -Cmdlet $PSCmdlet
+
+		Asserts a valid Graph connection has been established.
+#>
+	[CmdletBinding()]
+	param (
+		[Parameter(Mandatory = $true)]
+		$Cmdlet
+	)
+
+	process {
+		if ($null -ne (Get-MgContext)) {
+			Write-Verbose "MS-Graph already connected, checking scopes"
+			$requiredScopes = @(
+				"DeviceManagementApps.ReadWrite.All",
+				"DeviceManagementConfiguration.ReadWrite.All",
+				"DeviceManagementServiceConfig.ReadWrite.All",
+				"DeviceManagementManagedDevices.ReadWrite.All",
+				"DeviceManagementScripts.ReadWrite.All"
+			)
+			$connectionScopes = Get-MgContext | Select-Object -ExpandProperty Scopes
+			$IncorrectScopes = $false
+			foreach($scope in $requiredScopes){
+				if($scope -notin $connectionScopes){
+					Write-Verbose "'$scope' is not found as a valid scope for current MS-Graph connection"
+					$IncorrectScopes = $true
+					break
+				}
+			}
+
+			if (-not $IncorrectScopes) {
+				Write-Host "MS-Graph connected and scopes are correct."
+				return
+			}
+		}
+
+		$exception = [System.InvalidOperationException]::new('Not yet connected to Graph API or scopes are incorrect. Use Connect-IntuneBackupAndRestore to establish a connection!')
+		$errorRecord = [System.Management.Automation.ErrorRecord]::new($exception, "NotConnected", 'InvalidOperation', $null)
+
+		$Cmdlet.ThrowTerminatingError($errorRecord)
+	}
+}

IntuneBackupAndRestore/Public/Connect-IntuneBackupAndRestore.ps1

@@ -0,0 +1,67 @@
+function Connect-IntuneBackupAndRestore {
+    <#
+    .SYNOPSIS
+    Function to connect to MS Graph with required scopes and obtain a token.
+
+    .DESCRIPTION
+    Function to connect to MS Graph with required scopes and obtain a token.
+    The function can connect using with "User" delegated flow, or "Application" Flow.
+
+    .PARAMETER TenantID
+    TenantID of your AzureAD tenant.
+
+    .PARAMETER ClientID
+    Application ID of your App Registration.
+
+    .PARAMETER CertificateThumbprint
+    Certificate's thumbprint of a valid certificate associated with your App Registration. If parameter is used together with 'ClientSecret' parameter, this parameter will have precedence.
+
+    .PARAMETER ClientSecret
+    Client secret of your App Registration. If parameter is used together with 'CertificateThumbprint' parameter, this parameter will be ommited.
+
+    .EXAMPLE
+    Connect-MgGraph
+
+
+    #>
+    [CmdletBinding()]
+    param (
+        [String]$TenantID,
+        [String]$ClientID,
+        [String]$CertificateThumbprint,
+        [String]$ClientSecret
+    )
+
+    begin {
+    }
+
+    process {
+        try {
+            Write-Host "Authenticating to Graph..."
+            if ( $clientID -ne '' -and $TenantID -ne '' -and ($CertificateThumbprint -ne '' -or $ClientSecret -ne '')) {
+                # Connecting to graph using Azure App Application flow with passed parameters
+                Write-host "Connecting to graph with AppId: $ClientID with passed parameters"
+                if ($PSBoundParameters.ContainsKey('CertificateThumbprint') ) {
+                    Connect-MgGraph -ClientId $ClientID -TenantId $TenantID -CertificateThumbprint $CertificateThumbprint
+                }
+                elseif ($PSBoundParameters.ContainsKey('ClientSecret') ) {
+                    $securedClientSecret = ConvertTo-SecureString -String $ClientSecret -AsPlainText -Force
+                    $clientCredential = New-Object System.Net.NetworkCredential($ClientID, $securedClientSecret)
+                    Connect-MgGraph -TenantId $TenantID -ClientSecretCredential $clientCredential
+                }
+            }
+            else {
+                # Connecting to graph with the user account
+                Write-host "Connecting to graph with the user context"
+                Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All"
+            }
+        }
+        catch {
+            Write-Host "Failed to authenticate to MS Graph. Error message: $_"
+            return
+        }
+    }
+
+    end {
+    }
+}

IntuneBackupAndRestore/Public/Invoke-IntuneBackupAppProtectionPolicy.ps1

@@ -23,10 +23,8 @@ function Invoke-IntuneBackupAppProtectionPolicy {
         [string]$ApiVersion = "Beta"
     )
 
-    #Connect to MS-Graph if required
-    if ($null -eq (Get-MgContext)) {
-        connect-mggraph -scopes "DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All" 
-    }
+    #Assert MS-Graph connection
+    Assert-GraphConnection -Cmdlet $PSCmdlet
 
     # Get all App Protection Policies
     $appProtectionPolicies = Invoke-MgGraphRequest -Uri "/$ApiVersion/deviceAppManagement/managedAppPolicies" | Get-MgGraphAllPages

IntuneBackupAndRestore/Public/Invoke-IntuneBackupAppProtectionPolicyAssignment.ps1

@@ -23,10 +23,8 @@ function Invoke-IntuneBackupAppProtectionPolicyAssignment {
         [string]$ApiVersion = "Beta"
     )
 
-    #Connect to MS-Graph if required
-    if ($null -eq (Get-MgContext)) {
-        connect-mggraph -scopes "DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All" 
-    }
+    #Assert MS-Graph connection
+    Assert-GraphConnection -Cmdlet $PSCmdlet
 
     $appProtectionPolicies = Invoke-MgGraphRequest -Uri "/$ApiVersion/deviceAppManagement/managedAppPolicies" | Get-MgGraphAllPages
 

IntuneBackupAndRestore/Public/Invoke-IntuneBackupAutopilotDeploymentProfile.ps1

@@ -23,10 +23,8 @@
         [string]$ApiVersion = "Beta"
     )
 
-    #Connect to MS-Graph if required
-    if($null -eq (Get-MgContext)){
-        connect-mggraph -scopes "DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All" 
-    }
+    #Assert MS-Graph connection
+    Assert-GraphConnection -Cmdlet $PSCmdlet
 
 	# Get all Autopilot Deployment Profiles
     $winAutopilotDeploymentProfiles = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/$ApiVersion/deviceManagement/windowsAutopilotDeploymentProfiles" -OutputType PSObject | Select-Object -ExpandProperty Value

IntuneBackupAndRestore/Public/Invoke-IntuneBackupAutopilotDeploymentProfileAssignment.ps1

@@ -23,6 +23,9 @@ function Invoke-IntuneBackupAutopilotDeploymentProfileAssignment {
         [string]$ApiVersion = "Beta"
     )
 
+    #Assert MS-Graph connection
+    Assert-GraphConnection -Cmdlet $PSCmdlet
+
     # Get all assignments from all policies
     $winAutopilotDeploymentProfiles = Invoke-MgGraphRequest -Uri "$apiversion/deviceManagement/windowsAutopilotDeploymentProfiles" | Get-MGGraphAllPages
 

IntuneBackupAndRestore/Public/Invoke-IntuneBackupClientApp.ps1

@@ -23,10 +23,8 @@ function Invoke-IntuneBackupClientApp {
         [string]$ApiVersion = "Beta"
     )
 
-    #Connect to MS-Graph if required
-    if($null -eq (Get-MgContext)){
-        connect-mggraph -scopes "DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All" 
-    }
+    #Assert MS-Graph connection
+    Assert-GraphConnection -Cmdlet $PSCmdlet
 
     # Get all Client Apps
     $filter = "microsoft.graph.managedApp/appAvailability eq null or microsoft.graph.managedApp/appAvailability eq 'lineOfBusiness' or isAssigned eq true"

IntuneBackupAndRestore/Public/Invoke-IntuneBackupClientAppAssignment.ps1

@@ -23,10 +23,8 @@ function Invoke-IntuneBackupClientAppAssignment {
         [string]$ApiVersion = "Beta"
     )
 
-    #Connect to MS-Graph if required
-    if($null -eq (Get-MgContext)){
-        connect-mggraph -scopes "DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All" 
-    }
+    #Assert MS-Graph connection
+    Assert-GraphConnection -Cmdlet $PSCmdlet
 
      # Get all Client Apps
      $filter = "microsoft.graph.managedApp/appAvailability eq null or microsoft.graph.managedApp/appAvailability eq 'lineOfBusiness' or isAssigned eq true"

IntuneBackupAndRestore/Public/Invoke-IntuneBackupConfigurationPolicy.ps1

@@ -23,10 +23,8 @@ function Invoke-IntuneBackupConfigurationPolicy {
         [string]$ApiVersion = "Beta"
     )
 
-    #Connect to MS-Graph if required
-    if($null -eq (Get-MgContext)){
-        connect-mggraph -scopes "DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All" 
-    }
+    #Assert MS-Graph connection
+    Assert-GraphConnection -Cmdlet $PSCmdlet
 
     # Get all Setting Catalogs Policies
     $configurationPolicies = Invoke-MgGraphRequest -Uri "$ApiVersion/deviceManagement/configurationPolicies" | Get-MGGraphAllPages

IntuneBackupAndRestore/Public/Invoke-IntuneBackupConfigurationPolicyAssignment.ps1

@@ -23,10 +23,8 @@ function Invoke-IntuneBackupConfigurationPolicyAssignment {
         [string]$ApiVersion = "Beta"
     )
 
-    #Connect to MS-Graph if required
-    if($null -eq (Get-MgContext)){
-        connect-mggraph -scopes "DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All" 
-    }
+    #Assert MS-Graph connection
+    Assert-GraphConnection -Cmdlet $PSCmdlet
 
     # Get all assignments from all policies
     $configurationPolicies = (Invoke-MgGraphRequest -Uri "$ApiVersion/deviceManagement/configurationPolicies").value

IntuneBackupAndRestore/Public/Invoke-IntuneBackupDeviceCompliancePolicy.ps1

@@ -23,10 +23,8 @@ function Invoke-IntuneBackupDeviceCompliancePolicy {
         [string]$ApiVersion = "Beta"
     )
 
-    #Connect to MS-Graph if required
-    if($null -eq (Get-MgContext)){
-        connect-mggraph -scopes "DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All" 
-    }
+    #Assert MS-Graph connection
+    Assert-GraphConnection -Cmdlet $PSCmdlet
 
     # Get all Device Compliance Policies
     $deviceCompliancePolicies = Invoke-MgGraphRequest -Uri "$ApiVersion/deviceManagement/deviceCompliancePolicies" | Get-MGGraphAllPages

IntuneBackupAndRestore/Public/Invoke-IntuneBackupDeviceCompliancePolicyAssignment.ps1

@@ -23,10 +23,8 @@ function Invoke-IntuneBackupDeviceCompliancePolicyAssignment {
         [string]$ApiVersion = "Beta"
     )
 
-     #Connect to MS-Graph if required
-     if($null -eq (Get-MgContext)){
-        connect-mggraph -scopes "DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All" 
-    }
+    #Assert MS-Graph connection
+    Assert-GraphConnection -Cmdlet $PSCmdlet
 
     # Get all Device Compliance Policies
     $deviceCompliancePolicies = Invoke-MgGraphRequest -Uri "$ApiVersion/deviceManagement/deviceCompliancePolicies" | Get-MGGraphAllPages

IntuneBackupAndRestore/Public/Invoke-IntuneBackupDeviceConfiguration.ps1

@@ -23,10 +23,8 @@ function Invoke-IntuneBackupDeviceConfiguration {
         [string]$ApiVersion = "Beta"
     )
 
-    #Connect to MS-Graph if required
-    if($null -eq (Get-MgContext)){
-        connect-mggraph -scopes "DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All" 
-    }
+    #Assert MS-Graph connection
+    Assert-GraphConnection -Cmdlet $PSCmdlet
 
     # Get all device configurations
     $deviceConfigurations = Invoke-MgGraphRequest -Uri "$apiVersion/deviceManagement/deviceConfigurations" | Get-MGGraphAllPages

IntuneBackupAndRestore/Public/Invoke-IntuneBackupDeviceConfigurationAssignment.ps1

@@ -23,10 +23,8 @@ function Invoke-IntuneBackupDeviceConfigurationAssignment {
         [string]$ApiVersion = "Beta"
     )
 
-    #Connect to MS-Graph if required
-    if($null -eq (Get-MgContext)){
-        connect-mggraph -scopes "DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All" 
-    }
+    #Assert MS-Graph connection
+    Assert-GraphConnection -Cmdlet $PSCmdlet
 
     # Get all assignments from all policies
     $deviceConfigurations = Invoke-MgGraphRequest -Uri "$apiVersion/deviceManagement/deviceConfigurations" | Get-MGGraphAllPages

IntuneBackupAndRestore/Public/Invoke-IntuneBackupDeviceHealthScript.ps1

@@ -22,10 +22,8 @@
         [string]$ApiVersion = "Beta"
     )
 
-    #Connect to MS-Graph if required
-    if($null -eq (Get-MgContext)){
-        connect-mggraph -scopes "DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All" 
-    }
+    #Assert MS-Graph connection
+    Assert-GraphConnection -Cmdlet $PSCmdlet
 
 	# Get all Intune Health Scripts
     $healthScripts = Invoke-MgGraphRequest -Uri "$ApiVersion/deviceManagement/deviceHealthScripts" | Get-MGGraphAllPages

IntuneBackupAndRestore/Public/Invoke-IntuneBackupDeviceHealthScriptAssignment.ps1

@@ -23,10 +23,8 @@
         [string]$ApiVersion = "Beta"
     )
 
-     #Connect to MS-Graph if required
-     if($null -eq (Get-MgContext)){
-        connect-mggraph -scopes "DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All" 
-    }
+    #Assert MS-Graph connection
+    Assert-GraphConnection -Cmdlet $PSCmdlet
 
     # Get all assignments from all policies
     $healthScripts = Invoke-MgGraphRequest -Uri "$ApiVersion/deviceManagement/deviceHealthScripts" | Get-MGGraphAllPages

IntuneBackupAndRestore/Public/Invoke-IntuneBackupDeviceManagementIntent.ps1

@@ -23,10 +23,8 @@ function Invoke-IntuneBackupDeviceManagementIntent {
         [string]$ApiVersion = "Beta"
     )
 
-    #Connect to MS-Graph if required
-    if($null -eq (Get-MgContext)){
-        connect-mggraph -scopes "DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All" 
-    }
+    #Assert MS-Graph connection
+    Assert-GraphConnection -Cmdlet $PSCmdlet
 
     Write-Verbose "Requesting Intents"
     $intents = Get-MgBetaDeviceManagementIntent -all

IntuneBackupAndRestore/Public/Invoke-IntuneBackupDeviceManagementScript.ps1

@@ -23,10 +23,8 @@ function Invoke-IntuneBackupDeviceManagementScript {
         [string]$ApiVersion = "Beta"
     )
 
-    #Connect to MS-Graph if required
-    if($null -eq (Get-MgContext)){
-        connect-mggraph -scopes "DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All" 
-    }
+    #Assert MS-Graph connection
+    Assert-GraphConnection -Cmdlet $PSCmdlet
 
     # Get all device management scripts
     $deviceManagementScripts = Invoke-MgGraphRequest -Uri "$ApiVersion/deviceManagement/deviceManagementScripts" | Get-MgGraphAllPages

IntuneBackupAndRestore/Public/Invoke-IntuneBackupDeviceManagementScriptAssignment.ps1

@@ -23,10 +23,8 @@ function Invoke-IntuneBackupDeviceManagementScriptAssignment {
         [string]$ApiVersion = "Beta"
     )
 
-    #Connect to MS-Graph if required
-    if($null -eq (Get-MgContext)){
-        connect-mggraph -scopes "DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All" 
-    }
+    #Assert MS-Graph connection
+    Assert-GraphConnection -Cmdlet $PSCmdlet
 
     # Get all assignments from all policies
     $deviceManagementScripts = Invoke-MgGraphRequest -Uri "$ApiVersion/deviceManagement/deviceManagementScripts" | Get-MgGraphAllPages

IntuneBackupAndRestore/Public/Invoke-IntuneBackupGroupPolicyConfiguration.ps1

@@ -23,10 +23,8 @@ function Invoke-IntuneBackupGroupPolicyConfiguration {
         [string]$ApiVersion = "Beta"
     )
 
-    #Connect to MS-Graph if required
-    if ($null -eq (Get-MgContext)) {
-        connect-mggraph -scopes "DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All" 
-    }
+    #Assert MS-Graph connection
+    Assert-GraphConnection -Cmdlet $PSCmdlet
 
 	# Get all Group Policy Configurations
     $groupPolicyConfigurations = Invoke-MgGraphRequest -Uri "$ApiVersion/deviceManagement/groupPolicyConfigurations" | Get-MgGraphAllPages