How To Update Intune MDM User Scope using PowerShell

The MDM user scope specifies who is able to automatically enrol their mobile devices and workstations into Microsoft Intune. Often, the first step in preparing your environment for Intune device management is to ensure the MDM user scope is configured correctly: if it is left at None, no device will auto-enrol, however well the rest of Intune is set up.

In this tutorial I am going to show you how you can use PowerShell to report how the MDM user scope is currently configured and, if no users are assigned (the scope is None), automatically set it to All.

MDM vs MAM

If you configure your Microsoft Intune enrolment policy through the Azure Portal, there are 2 options, the MDM user scope and the MAM user scope, but what is the difference?

MDM is an acronym for Mobile Device Management. The MDM user scope lets you configure who can auto-enrol their devices into Microsoft Intune when the device is joined to Azure Active Directory. 

MAM is an acronym for Mobile Application Management. The MAM user scope lets you decide who can auto-enrol their personal (BYOD) device into application management only.


The difference between the 2 types of policies is that with MDM you are managing the whole device, meaning you can make device restrictions, install apps and enforce compliance. Whereas with MAM, you are only controlling the business applications on a personal device and applying restrictions to the applications, such as preventing the user from copying data outside of that application.

Pre-Requisites

To run the scripts in this tutorial, you need to ensure you have the Microsoft Graph PowerShell module installed. Check out my guide on How to install the Microsoft Graph PowerShell module.

Permissions:

You should ensure you are assigned the Global Administrator role to perform the tasks in this tutorial. The script itself requests only the delegated Graph permissions Policy.Read.All and Policy.ReadWrite.MobilityManagement, so that is all the consent prompt will ask for when you connect.

Subscriptions:

An active Intune subscription is required to enable you to join your devices to Microsoft Intune management.

Update MDM user scope with PowerShell

The script below checks whether you have configured your MDM user scope and, if it is set to None, assigns all users to the MDM user scope. Be aware of what All means: every licensed user who joins a device to Azure AD from then on triggers automatic MDM enrolment of that device. If you would rather do a staged rollout, set the scope to Selected with a pilot group instead; when the script finds the scope already in that state it reports the included groups rather than changing anything.

# Invoke-MgGraphRequest lives in Microsoft.Graph.Authentication; no other sub-module is needed.
Import-Module Microsoft.Graph.Authentication

# Select-MgProfile -Name beta was only needed with SDK 1.x (it no longer exists in 2.x).
# The requests below use explicit /beta URLs, so no profile switch is required.

Connect-MgGraph -Scopes Policy.Read.All, Policy.ReadWrite.MobilityManagement

# 0000000a-0000-0000-c000-000000000000 is the well-known application id of Microsoft Intune;
# the MDM policy is addressed by that id. The query string is single-quoted on purpose: inside
# double quotes PowerShell would expand $select as an (empty) variable and break the request.
$policyId = '0000000a-0000-0000-c000-000000000000'
$uri = "https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/$policyId" + '?$select=appliesTo'
$mdmscope = Invoke-MgGraphRequest -Uri $uri -Method GET

Write-Host "Checking MDM Scope settings" -BackgroundColor Yellow -ForegroundColor Black
Start-Sleep -Seconds 2

# appliesTo is one of none, all or selected (-eq is case-insensitive in PowerShell)
if ($mdmscope.appliesTo -eq "none") {
    Write-Host "MDM scope not set" -BackgroundColor Red
    Write-Host "Setting MDM scope to All" -BackgroundColor Yellow -ForegroundColor Black

    try {
        # PATCH the policy itself; only the changed property needs to be sent
        $uripatch = "https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/$policyId"
        $json = @'
{
    "appliesTo": "all"
}
'@
        Invoke-MgGraphRequest -Uri $uripatch -Body $json -Method PATCH -ContentType "application/json"
        Write-Host "MDM scope is set to all" -ForegroundColor Green
    } catch {
        # Surface the Graph error instead of swallowing it
        Write-Error "Unable to set MDM scope: $_"
    }

} elseif ($mdmscope.appliesTo -eq "selected") {
    # The $select above may omit id, so address the policy by the well-known id again
    $uri = "https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/$policyId/includedGroups"
    $PolicyGroups = Invoke-MgGraphRequest -Uri $uri -Method GET
    # Invoke-MgGraphRequest returns a hashtable; the collection is under the 'value' key
    $IncludedGroup = $PolicyGroups.value.displayName

    Write-Host "MDM scope is set to" ($IncludedGroup -join ', ') -BackgroundColor Green -ForegroundColor Black
} elseif ($mdmscope.appliesTo -eq "all") {
    Write-Host "MDM scope is set to all" -ForegroundColor Green
}
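Before letting a script flip the scope to All, most practitioners want two things the post's script does not give them: a read-only report of both the MDM and the MAM user scope, and a way to scope auto-enrolment to a pilot group rather than the whole tenant. The following is an added example of mine, not code from the original post or from Microsoft. It assumes that the MAM policy is exposed at `/beta/policies/mobileAppManagementPolicies/{id}` with the same `appliesTo` and `includedGroups` shape as the MDM policy, and that a group is added to a scope by POSTing an `@odata.id` reference to `.../includedGroups/$ref`; the group name `Intune Pilot Users` is a placeholder. Verify those two endpoints against the Graph beta reference for your tenant before relying on them.

```powershell
# Added example: report MDM and MAM user scope side by side, and scope MDM to one group.
# Assumptions (not taken from the original post): the mobileAppManagementPolicies endpoint
# and the includedGroups/$ref POST form. The group name below is a placeholder.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes Policy.Read.All, Policy.ReadWrite.MobilityManagement, Group.Read.All

$IntunePolicyId = '0000000a-0000-0000-c000-000000000000'   # well-known Microsoft Intune app id
$GraphBeta      = 'https://graph.microsoft.com/beta'

function Get-MobilityUserScope {
    <# Returns one object per policy type (MDM, MAM) with appliesTo and included group names #>
    [CmdletBinding()]
    param()

    $policyTypes = [ordered]@{
        MDM = 'mobileDeviceManagementPolicies'
        MAM = 'mobileAppManagementPolicies'   # assumed endpoint, see lead-in
    }

    foreach ($kind in $policyTypes.Keys) {
        $base   = "$GraphBeta/policies/$($policyTypes[$kind])/$IntunePolicyId"
        $policy = Invoke-MgGraphRequest -Method GET -Uri $base
        $groups = @()
        if ($policy.appliesTo -eq 'selected') {
            # Invoke-MgGraphRequest returns hashtables; the collection sits under 'value'
            $groups = @((Invoke-MgGraphRequest -Method GET -Uri "$base/includedGroups").value |
                        ForEach-Object { $_.displayName })
        }
        [pscustomobject]@{
            Policy         = $kind
            AppliesTo      = $policy.appliesTo
            IncludedGroups = ($groups -join ', ')
        }
    }
}

function Set-MdmUserScopeToGroup {
    <# Scopes MDM auto-enrolment to exactly one named group instead of every user in the tenant #>
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $GroupDisplayName
    )

    # Resolve the group by display name and refuse to continue on zero or several matches
    $escapedName = $GroupDisplayName.Replace("'", "''")
    $filter      = [uri]::EscapeDataString("displayName eq '$escapedName'")
    $matches     = @((Invoke-MgGraphRequest -Method GET `
                      -Uri "$GraphBeta/groups?`$filter=$filter&`$select=id,displayName").value)
    if ($matches.Count -ne 1) {
        throw "Expected exactly one group named '$GroupDisplayName', found $($matches.Count)"
    }
    $groupId = $matches[0].id

    $base = "$GraphBeta/policies/mobileDeviceManagementPolicies/$IntunePolicyId"
    if ($PSCmdlet.ShouldProcess('MDM user scope', "set appliesTo=selected and include $GroupDisplayName ($groupId)")) {
        Invoke-MgGraphRequest -Method PATCH -Uri $base -ContentType 'application/json' `
            -Body (@{ appliesTo = 'selected' } | ConvertTo-Json)
        # Assumed $ref form for attaching a group to the scope (see lead-in)
        $ref = @{ '@odata.id' = "https://graph.microsoft.com/odata/groups('$groupId')" } | ConvertTo-Json
        Invoke-MgGraphRequest -Method POST -Uri "$base/includedGroups/`$ref" -ContentType 'application/json' -Body $ref
    }
}

# Usage: report first, then change the scope only after reviewing the -WhatIf output
Get-MobilityUserScope | Format-Table -AutoSize
Set-MdmUserScopeToGroup -GroupDisplayName 'Intune Pilot Users' -WhatIf
```

The write path is deliberately behind `ShouldProcess` with `ConfirmImpact = 'High'`, so running it without `-WhatIf` prompts for confirmation; the group lookup throws on an ambiguous name rather than silently picking the first match, which is the kind of mistake that ends with the wrong population auto-enrolling.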

All my scripts are available on my GitHub page here.

If you want to learn more about how this script works, check out my post: How to use Invoke-MgGraphRequest with PowerShell.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has One Comment

  1. Timmern

    Excellent, how would i be able to update the MAM scope then?