Setting NTFS permissions on a Folder through Intune

Although I found a good example/article on how to set modify permission through Intune, I wanted to use more of a desired state configuration type remediation where inheritance is removed and all defined ACL’s are exclusively applied to a given folder and all child folders/files. It also includes creating the folder if it isn’t there yet, which can be useful for certain legacy applications 🙂

Without further ado here’s the detection script:

https://github.com/jflieben/assortedFunctionsV2/blob/main/NTFSPermissionRemediation/detect.ps1

And here is the remediation script:

https://github.com/jflieben/assortedFunctionsV2/blob/main/NTFSPermissionRemediation/remediate.ps1

Run in SYSTEM context unless you unwisely made all your users local admins 😉

M365Permissions v1.2.2

Are you also curious about all those PowerApps and Flows in your environment? Orphaned ones maybe? Or when someone leaves the company?

1.2.2 adds scanning of PowerApps and Flows! Only when using SPN auth. (setup instructions)

In addition to that, I’ve also added provisional support for scans of tenants in USGOV, USDOD and China. Since I don’t have a test tenant there, I’ll have to rely on you to test how it performs there.

Full changelog here

Download / Use:

M365Permissions module page | Github | PSGallery

Scanning the Power Platform

By default, the Power Platform does not allow service principals to use its API’s, but this can be enabled easily.

To allow M365Permissions to scan PowerApps, Flows etc:

  1. Note the GUID of the service principal you’re using to scan with (a.k.a. the app id or client id)
  2. Open a powershell window
  3. Run the following code:
Install-Module -Name "Microsoft.PowerApps.Administration.PowerShell"

Add-PowerAppsAccount

New-PowerAppManagementApp -ApplicationId {APPID}

Where you replace {APPID} with the GUID from step 1

M365Permissions v1.2.1

Yes, we finally have Microsoft Azure! All active and eligible permissions are in scope from the subscription level and below.

If you use a service principal for scanning, be sure to assign read permissions for it to all subscriptions (or lower level resource groups) you want it to index.

Full changelog here

Download / Use:

M365Permissions module page | Github | PSGallery

Microsoft 365, Azure, Automation & Code