Reviewing Microsoft Intune policies to identify differences, conflicts, and coverage gaps across device configurations can be a time-consuming and tedious task. This is especially true when you’re introduced to a new tenant and need to quickly understand the existing setup, or when Microsoft releases updated baselines and you want to compare them against your current environment.
In this post, we’ll take a first look at IntuneDiff, a community tool developed by our own Sandy Zeng. How can this tool make the process easier? Let’s find out.
Test-drive IntuneDiff version 1.4
IntuneDiff is a new community tool released in August 2025 by MVP Sandy Zeng, but it is already available in version 1.4. IntuneDiff is a powerful tool for comparing Microsoft Intune policies, helping you identify differences, conflicts, and coverage gaps across your device configurations.
The tool supports policies based on the Settings Catalog configuration, and it has two modes available: you can connect directly to your tenant using Microsoft Graph API access, or you can use an offline JSON method, where you import and compare Intune policies using exported JSON files.

As an active Microsoft Intune consultant, I find this tool particularly interesting when reviewing existing environments. How well does the current configuration perform compared to a baseline?
Intune Review Using IntuneDiff JSON Mode
Let’s jump into the process of comparing a current tenant with the available Microsoft Security baselines using IntuneDiff in JSON mode. Using this mode, I will export the policies I want to analyze to JSON. I will also need a JSON reference for comparison.
Export Of Microsoft Security Baselines
I will create a default policy set of the Microsoft Security Baselines I am interested in using as a baseline. These policies will not be assigned. The only purpose is to export them. For reference, I will include the routine to create one of the security baselines.
Create The Microsoft Baseline Policies
The security baselines are available in the Endpoint Security blade. I will select the Security Baseline for Windows 10 and later, which is currently available in version 24H2.

I will create a new policy based on this security baseline.

The policy will get a good name and description.

For the configuration settings, I will leave them at the defaults from Microsoft.

I will ensure that this baseline policy is not assigned, as I only want it to serve as a reference for export.

Following this routine for more of the security baselines gives me the following set of policies to be exported to JSON files.

The baseline policies are seen here in the Windows Configuration blade. They will not be assigned or used in any other way than for the export.
PS!
To compare with the Open Intune Baseline by MVP James Robinson, simply follow the same steps: import an unassigned policy set into a tenant, then export it to the required format.
Export The Microsoft Baseline Policies
With the policies in place, I will use the Microsoft Edge Developer tools, accessible via the F12 shortcut, as described in the IntuneDiff user guide. Navigating to each policy, the raw JSON response will be available.

These outputs will be copied and saved to JSON files.

To make it easier for you, I have made my exports of the Microsoft Security Baselines available to you in GitHub.
Export of Configuration Policies from Tenant
I could have used the same method when exporting the configuration policies from the tenant to be reviewed, but it is time-consuming to perform copy-paste operations using the developer tools in Edge. Instead, I will use the PowerShell script provided with the IntuneDiff tool to export the policy set. This, however, requires PowerShell access for the tenant. If that’s not available, you have to run the F12 route.
Kicking off the script is easy, and it gives great feedback as it runs.

The script is quickly finished, giving a nice summary of the operation.

I now have a folder containing the JSON exports from the tenant for review.

I also have an export summary in a separate JSON file alongside the folder containing the configuration JSON files.
Compare Baseline and Tenant Configuration using IntuneDiff
At this point, I have a folder containing JSON files for the Microsoft baselines, and I also have a folder with JSON files representing the configuration policies from the tenant I want to review.

Let’s test-drive IntuneDiff to see how the tenant compares with the Microsoft baselines.

I will use the Offline JSON Method inside the IntuneDiff tool. There, I can manually add each policy in JSON format from a public URL, but I would rather use the bulk import feature from Azure Blob Storage, which is the latest addition to the tool. This will save me a lot of work.
Upload JSON Files to Azure Blob Storage
I have prepared a container in an Azure Storage account where I can easily upload all my JSON files.

After dragging and dropping the JSONs from my local folder, I can select to upload these.

I now find the JSONs inside the container.

I repeat this same routine for my other folders, which hold the JSONs from the tenant I am reviewing.

This will give me all policies, both the baselines and the policies from the tenant, within the same container.
Import The JSONs From The Container To IntuneDiff
I am now ready to import these JSONs from the container. I have granted the necessary read access to the container (ref. IntuneDiff instructions), and grabbed the URL for the container.

The URL for the container can now be used in IntuneDiff to list all files.

From the list of JSON policies found in the container, I select the policies I want to compare and import them to IntuneDiff.

The JSON files will now be imported as policies in IntuneDiff.
PS! While writing this post, Sandy has released a new version 1.5.0 of IntuneDiff, which includes a pre-loaded URL for blob storage with demo policies.
It is smart to follow Sandy on social media to stay up-to-date with the latest news on this tool!
Note that you can also load more policies from different URLs. This is smart if you have your baselines in one container and configuration JSONs from live tenants in separate containers.
Compare Imported Policies Using IntuneDiff
I will now select a baseline policy (1) from the imported policies, select the policies for comparison towards the baseline (2), and click on the Compare Policies button (3).

This provides a helpful comparison of the tenant’s policies in relation to the baseline policy. I can easily see where settings are missing or conflicting.

By using the buttons, I can filter the results to my liking.

The IntuneDiff findings can also be exported to HTML or XLSX. The export will respect the filtering that has been done in the tool.

These insights are invaluable when doing tenant reviews to identify differences, conflicts, and coverage gaps across device configurations in Intune.
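The same baseline-versus-tenant check can be reproduced offline for two exported files. This is an added example, not code from the original post or from IntuneDiff: it flattens two Settings Catalog exports and labels each setting as matching, conflicting, or missing. It assumes each export carries a `settings` array shaped like the Graph `configurationPolicies` settings response; the function names and all sample setting IDs and values are constructed.

```powershell
# Added example, not IntuneDiff code. Assumes each export has a 'settings' array of
# Graph-style settingInstance objects; all setting IDs and values are constructed.
function Get-FlatSetting {
    # Flattens a settingInstance and its nested children into Id -> value.
    param($Instance, [hashtable]$Map)
    if ($null -eq $Instance) { return }
    if ($Instance.choiceSettingValue) {
        $Map[$Instance.settingDefinitionId] = [string]$Instance.choiceSettingValue.value
    } elseif ($Instance.simpleSettingValue) {
        $Map[$Instance.settingDefinitionId] = [string]$Instance.simpleSettingValue.value
    }
    # Children hang off choice values and off each group-collection entry.
    $parents = @($Instance.choiceSettingValue) + @($Instance.groupSettingCollectionValue)
    foreach ($p in $parents) { foreach ($c in @($p.children)) { Get-FlatSetting $c $Map } }
}

function Compare-PolicyExport {
    param([string]$BaselineJson, [string]$TenantJson)
    $base = @{}; $tenant = @{}
    foreach ($s in @((ConvertFrom-Json $BaselineJson).settings)) { Get-FlatSetting $s.settingInstance $base }
    foreach ($s in @((ConvertFrom-Json $TenantJson).settings)) { Get-FlatSetting $s.settingInstance $tenant }
    foreach ($id in (@($base.Keys) + @($tenant.Keys) | Sort-Object -Unique)) {
        if (-not $tenant.ContainsKey($id)) { $status = 'MissingInTenant' }
        elseif (-not $base.ContainsKey($id)) { $status = 'NotInBaseline' }
        elseif ($base[$id] -ne $tenant[$id]) { $status = 'Conflict' }
        else { $status = 'Match' }
        [pscustomobject]@{ Setting = $id; Baseline = $base[$id]; Tenant = $tenant[$id]; Status = $status }
    }
}

$baseline = @'
{ "name": "Baseline (constructed)", "settings": [
  { "settingInstance": { "settingDefinitionId": "example_firewall_enable",
      "choiceSettingValue": { "value": "example_firewall_enable_1", "children": [
        { "settingDefinitionId": "example_firewall_default_inbound",
          "choiceSettingValue": { "value": "example_firewall_default_inbound_block", "children": [] } } ] } } },
  { "settingInstance": { "settingDefinitionId": "example_min_password_length",
      "simpleSettingValue": { "value": 14 } } } ] }
'@
$tenantJson = @'
{ "name": "Tenant policy (constructed)", "settings": [
  { "settingInstance": { "settingDefinitionId": "example_firewall_enable",
      "choiceSettingValue": { "value": "example_firewall_enable_1", "children": [] } } },
  { "settingInstance": { "settingDefinitionId": "example_min_password_length",
      "simpleSettingValue": { "value": 8 } } } ] }
'@
Compare-PolicyExport -BaselineJson $baseline -TenantJson $tenantJson | Format-Table -AutoSize
```

Child settings are compared as their own rows, so a tenant policy that enables a parent setting but leaves a hardening child unset still shows up as `MissingInTenant`.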
The Value of Community Tools
As we wrap up this first look at the new IntuneDiff community tool, it’s worth taking a step back to reflect on the broader impact that these contributions have on the Intune admin community. Managing modern endpoints is complex and constantly evolving. While Microsoft provides powerful native capabilities, there are often scenarios where administrators benefit from an extra layer of tooling to make day-to-day tasks more efficient, transparent, or simply easier to handle.
That’s where community tools truly shine. They are born from real-world needs, created by admins for admins, and sharpened by the collective feedback of those who rely on them. The popularity of resources like the Intune Debug Toolkit is a testament to how valuable these tools are in practice. They fill gaps, reduce repetitive work, and speed up troubleshooting in ways that save organizations both time and money.
We’ve seen excellent contributions from people in the community who continue to release innovative solutions that complement and extend what Intune offers natively. Their work has become a trusted part of many admins’ toolboxes, offering not just code, but also the shared knowledge and experience of experts who understand the daily challenges of endpoint management.
Some great resources for Intune community tools:
– Modern Endpoint Management Official Community Tool Program
– Just Shipped by Ugur
– MSEndpointMGR
– Merill.net
– Jörgen Nilsson’s Community Tools Session
Community tools don’t replace the platform; they enrich it. They represent the strength of collaboration and a willingness to share that makes this ecosystem so dynamic. By supporting, using, and contributing to these tools, we not only solve immediate problems but also help drive forward the best practices and innovations that shape the future of endpoint management.
And finally, let’s not forget the people behind these tools. They invest their time, energy, and expertise into making the lives of others easier, often without expecting anything in return. Supporting them, giving feedback, and simply showing appreciation is vital. A little recognition goes a long way, and it ensures that the spirit of sharing and innovation in our community continues to thrive.
FAQ
What is IntuneDiff?
IntuneDiff is a community-developed tool by MVP Sandy Zeng that helps Microsoft Intune administrators compare policies across tenants. It identifies differences, conflicts, and coverage gaps in device configurations.
What are the main features of IntuneDiff?
– Compare Intune policies using JSON exports.
– Supports both online (Microsoft Graph API) and offline (JSON file) modes.
– Bulk import via Azure Blob Storage.
– Visual comparison of baseline vs. tenant policies.
Who can benefit from using IntuneDiff?
Intune consultants, IT admins, and anyone managing Microsoft Intune environments, especially when onboarding new tenants or reviewing existing configurations.
What types of Intune policies can IntuneDiff compare?
IntuneDiff can compare various policy types based on the settings catalog.
Does IntuneDiff support cross-tenant comparisons?
Yes. You can compare policies from different tenants by exporting their configurations and loading them into IntuneDiff for side-by-side analysis.
Is IntuneDiff secure to use with production environments?
IntuneDiff does not make changes to your tenant. It only reads exported JSON files or uses read-only Graph API calls. However, always follow your organization’s security policies when using third-party tools.
What formats does IntuneDiff accept for input?
IntuneDiff accepts JSON files exported from Intune via browser tools, PowerShell scripts, or Graph API queries. It does not support exports done in the Intune portal or with other third-party tools like Intune Manager.
Can I use IntuneDiff without Azure Blob Storage?
Yes. You can manually upload JSON files directly through the tool’s interface if you prefer not to use Azure Blob Storage.
Is IntuneDiff free?
Yes. It’s a community-driven tool, and contributions or feedback are welcome. If you like IntuneDiff, consider buying Sandy a coffee from the link on the page!
How often is IntuneDiff updated?
Updates depend on community contributions and feedback. MVP Sandy Zeng actively maintains it.