Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Groups and filter #206

Open
ghost opened this issue Mar 18, 2024 · 11 comments
Open

Groups and filter #206

ghost opened this issue Mar 18, 2024 · 11 comments

Comments

@ghost
Copy link

ghost commented Mar 18, 2024

Hello,
I'm having some issues with assignments.
I'm exporting and including groups and assignments.
The group directory is included in the policy folder.
When I import the policy again, the groups are not created.
I've checked that "create group" is checked.

I can import filters under the filter tab, but when I import policies, it tries to assign policies as I understand the GUI correctly, but it says "No Access" - if I open the filter manually, I can assign via the GUI.

Has anyone experienced something similar?

I don't see anything strange in the logs.
@Micke-K
Copy link
Owner

Micke-K commented Mar 19, 2024

Hello!

"... if I open the filter manually, I can assign via the GUI." - Do you mean the tools UI or the Intune portal?

Sounds like the app doesn't gave permission to do this but I would expect it to say so in the logs.

Can you attach a log?

Cheers!

@ghost
Copy link
Author

ghost commented Mar 19, 2024

Hello!

"... if I open the filter manually, I can assign via the GUI." - Do you mean the tools UI or the Intune portal?
Excuse my unclear answer. This pertains to Intune.microsoft.com. In IntuneMaster, it seems to be working fine.
image

Sounds like the app doesn't gave permission to do this but I would expect it to say so in the logs.

**I actually saw an error message in the log that should be related.
"Export folder for dependency AssignmentFilters not found"

But I don't get any option to export this when I export policies, and no directory is created with that name either.**

Can you attach a log?

Cheers!

@Micke-K
Copy link
Owner

Micke-K commented Mar 19, 2024

Hello,

This depends on how you did the export.

If you did a bulk export, then you have to include Tenant Admin. That will export the Filters.

If you export "single" objects, you have to export Filters manually.

Also, it's also important during import.

If you import via Bulk, the script will import Filters first. Make sure Tenant Admin is checked.

If you import "single" policies, you have to import Filters first to allow it to resolve dependencies.

Cheers!

@ghost
Copy link
Author

ghost commented Mar 27, 2024

Hi!
So I export the filters as the picture below
image
And choose "Export All"

And the policys as below

image

The settings look like this

image

I am sorry but i cant find the "Tenant Admin" to include

I then delete the filters in the tenant and import them again
image

I verify that the filters exist in the tenant
I then import the policys

image
The policys are assigned but are show as below

image

It get the following in the log "Export folder for dependency AssignmentFilters not found Start-IntuneManagement 2024-03-27 14:48:31 17992 (0x4648)"

I am very grateful for your help. Thanks.

@Micke-K
Copy link
Owner

Micke-K commented Mar 28, 2024

Hello!

Check the "Add object name to path" when you export and then export to C:\Temp\Demo.

The dependency functionality requires that the folder name of the exported policies is correct and matching internal names.

eg the folder for the filters must be called AssignmentFilters for the script to find them.

If you create "custom" names, it will not support Bulk import and dependencies will not work.

Cheers and Happy Easter!

@ghost
Copy link
Author

ghost commented Apr 3, 2024
edited by ghost
Loading

Hello again,
Is there anyone else experiencing the same issue?
I have now tried according to what you wrote.
I ran a bulk export to C:\Temp\Demo2 as shown in the image.
image

And then run a bulk import with the following settings
image

All policys are created.
Groups are not created and filters are not assigned to either policy, MAM, or anything else.
image
image

I have checked the permissions in the Graph Command Line Tools and they look correct.
image

No errors with assignments in the logs.

I understand that there's no guarantee that this will work, my question is mostly whether it's an error or if it's me doing something wrong, but I can't see what I would be doing wrong.

Thanks a lot for the help.

EDIT:

I actually received ONE error during applications and assignment.

Failed to invoke MS Graph with URL https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/730857f1-4ec5-495a-b31e-6b9443dc86a7/assign (Request ID: 38fb4858-2272-45f9-90ce-caa81cd5f7cb). Status code: NotFound. Response message: . Response message: One or more Assignment Filter Id(s) not found from: 5622c810-de4f-4f14-9017-06874a9ed4e7, . - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 0de103b2-a63a-4656-ad53-5ed33bf696a4 - Url: https://fef.amsub0502.manage.microsoft.com/AppLifecycle_2403/StatelessAppMetadataFEService/deviceAppManagement/mobileApps('730857f1-4ec5-495a-b31e-6b9443dc86a7')/microsoft.management.services.api.assign?api-version=5024-01-23 - CustomApiErrorPhrase: Unspecified Exception: Remote server returned an error: (404) Not Found.

However, I only get this on that application, no errors on policies using the same filter.
And i Have verifed in the logs that the filters are created and verified in Intune that they are existing.

@ghost
Copy link
Author

ghost commented Apr 3, 2024

Hi Again,

Regarding filters, it seems that they get a new ID when imported, and since the policy's filter is based on ID, they cannot be assigned.

Compance for filter
image

Policy assignment in json
image

@Micke-K
Copy link
Owner

Micke-K commented Apr 3, 2024

Hello,

I'm trying to understand what you are trying to achieve here.

  • You exported all settings. That looks good.
  • You then import the settings in the same tenant
    image
  • Since it is the same tenant the "Replace Dependency IDs" will be disabled.
  • Also, since it is the same tenant, it will not create any new groups. That is a part of "Replace Dependency IDs"
  • "Always Import" is selected so it will re-import policies again. And it will always get a new ID when importing to another tenant.
  • I have new clue why it says that the group is removed from Entra. Did you delete everything before import?
  • If you deleted everything and tried to do a restore then it might explain the scenario. What you can do is to edit the MigrationTable.json file and change the TenantId. That will allow you to enable "Replace Dependency IDs".
  • The failed assignment is understandable since it didn't resolve dependency IDs and there is no filter with the specified ID in the environment.

Cheers!

@ghost
Copy link
Author

ghost commented Apr 3, 2024

Sorry, I perhaps should have been clearer, I just want to verify how it worked, hence I removed everything to import it again.

I appreciate your help, and the solution you provided seems to solve it.
However, there are still two policies that it didn't resolve (Endpoint security).
I'm not sure if it has to do with Microsoft's new interface for antivirus, but I can live with that.

Again, a big thank you for your help and time.

@Micke-K
Copy link
Owner

Micke-K commented Apr 4, 2024

Hello!

What kind of Endpoibt Security policies didn't work? Note that most new Endpoint Security policies are actually Settings Catalog.

Cheers!

@ghost
Copy link
Author

ghost commented Apr 17, 2024

Sorry for the later answer.
The issue seems to be my own fault.
Everything seems to work fine now.

Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Micke-K