MSEndpointMgr

Intune Mermaid

I’ve always been a visual person, and one thing that bothers me in Intune is the lack of a centralized viewer for application and profile assignments. When you deal with multiple tenants, or with tenants that have a high number of apps or profiles, it’s pivotal to have a blueprint where you can identify misconfigurations or gain quick insights. Once the idea sprang to mind, I started to research how I could create a repeatable, code-driven way of generating such diagrams.

This is when I learned about Mermaid, a JavaScript-based diagramming tool which renders Markdown-inspired text definitions to create beautiful diagrams. Many vendors and platforms support Mermaid diagrams, like JetBrains, Draw.io, Atlassian, GitHub, Miro, Azure DevOps, etc. (for a full list check Integrations | Mermaid).

Here are some examples of different diagrams Mermaid can handle.

Introducing Intune Mermaid PowerShell module

This module was created to generate diagrams in Mermaid format for Intune assignments of profiles and applications.

Module Installation

The module is available on the PowerShell Gallery, and it works on any operating system supported by PowerShell Desktop and Core. To install the module, open a PowerShell terminal and run:

Install-Module -Name "IntuneMermaid"

To make life easier, the module only has one function:

  • New-IntuneMermaidGraph (or its alias New-IMG)

Authentication

This module relies on the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication) for all authentication, and that module is installed as a dependency. Once both modules are installed you can authenticate with Connect-MgGraph using an identity (account, service principal or managed identity) which, at a minimum, has the scopes below:

  • DeviceManagementApps.Read.All – So it can read all applications on your tenant
  • GroupMember.Read.All – So it can translate group ids to friendly names
  • DeviceManagementConfiguration.Read.All – So it can read all profiles and translate filter ids to friendly names.

Exploring the New-IntuneMermaidGraph function

The function currently supports the following parameters.

Type

  • Description: Specifies the type of resource on Intune to generate the flowchart for.
  • Valid Values: Applications, Profiles
  • Default: Applications

GroupBy

  • Description: Specifies the grouping criteria for the flowchart to display.
  • Valid Values:
    • Name: Groups by Applications/Profiles Name
    • Assignments: Groups by Entra ID groups names they are assigned to
  • Default: Name

OperatingSystem

  • Description: Specifies the operating systems to include in the flowchart.
  • Valid Values: Windows, macOS, iOS, Android
  • Default: Includes all operating systems (Windows, macOS, iOS, Android)

Direction

  • Description: Specifies the direction of the flowchart.
  • Valid Values:
    • TB (Top to Bottom)
    • TD (Top Down)
    • BT (Bottom to Top)
    • LR (Left to Right)
    • RL (Right to Left)
  • Default: TB

DisplayIcons

  • Description: Specifies whether to download and display icons for applications from Intune in the flowchart.
  • Valid Values: $True, $False
  • Default: $True

PolicyType (Dynamic Parameter)

  • Description: Dynamic parameter that only appears when Type is set to Profiles. Allows filtering of configuration profiles by type.
  • Valid Values: Includes values like Device restrictions, Endpoint protection, Administrative templates, etc.
  • Default: all types (Administrative templates, App configuration, Custom, Derived credentials, Device features, Device firmware, Device restrictions, Delivery optimization, Domain join, Edition upgrade, Education, Email, Endpoint protection, Expedited check-in, Extensions, Hardware configurations, IKEv2 VPN, Identity protection, Information protection, Kiosk, Microsoft Defender for Endpoint, Network boundary, OMA-CP, PFX certificate, PKCS certificate, Policy override, Preference file, Presets, SCEP certificate, Secure assessment (Education), Settings Catalog, Shared multi-user device, Teams device restrictions, Trusted certificate, Unsupported, Update Configuration, Update rings for Windows updates, VPN, Wi-Fi, Wi-Fi import, Windows health monitoring, Wired network)

ApplicationType (Dynamic Parameter)

  • Description: Appears only when Type is set to Applications. Allows filtering of applications by their application type.
  • Valid Values: Includes values like Windows app (Win32), iOS store app, Android store app, etc.
  • Default: all types (Android Enterprise system app, Managed Google Play store app, Android line-of-business app, Android store app, Built-In Android app, iOS/iPadOS web clip, iOS line-of-business app, iOS store app, iOS volume purchase program app, macOS app (DMG), macOS line-of-business app, Microsoft Defender ATP (macOS), Microsoft Edge (macOS), macOS Office Suite, macOS app (PKG), macOS volume purchase program app, macOS web clip, Managed iOS store app, Microsoft 365 Apps (Windows 10 and later), Web link, Windows catalog app (Win32), Windows app (Win32), Microsoft Store app (new), Microsoft Edge (Windows 10 and later), Windows MSI line-of-business app, Microsoft Store app (legacy), Windows Universal AppX line-of-business app, Windows web link)

If you run

New-IntuneMermaidGraph

you will end up with a list of all the applications with assignments in your tenant, grouped by application name, for all operating systems and all application types, displayed in a top-to-bottom topology and showing the application icons. The output is always written to the terminal; for that reason I suggest appending | scb (the alias for Set-Clipboard) so the result is copied to the clipboard and you can easily paste it into your preferred renderer.
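The installation, authentication and first run described above, as one end-to-end script. This is an added example and not code from the post or from the IntuneMermaid module; it assumes the parameter names documented above, that New-IntuneMermaidGraph returns text that can be piped, and that the identity you sign in with can consent to the three read-only scopes. Get-MgContext and the -NoWelcome switch are part of the Microsoft.Graph.Authentication module.

```powershell
# Added example (not from the MSEndpointMgr post or the IntuneMermaid module).
# Installs the module, signs in with only the read scopes the module needs,
# verifies what was actually granted, and copies one filtered diagram to the clipboard.

Install-Module -Name IntuneMermaid -Scope CurrentUser   # pulls Microsoft.Graph.Authentication as a dependency
Import-Module IntuneMermaid

# Least-privilege set: the read-only scopes listed in the Authentication section.
$requiredScopes = @(
    'DeviceManagementApps.Read.All'            # read applications
    'GroupMember.Read.All'                     # translate group ids to display names
    'DeviceManagementConfiguration.Read.All'   # read profiles and translate filter ids
)

# Interactive, delegated sign-in. For unattended runs the same module supports
# Connect-MgGraph -Identity (managed identity) or -ClientId/-TenantId/-CertificateThumbprint
# (service principal); grant those identities the matching application permissions only.
Connect-MgGraph -Scopes $requiredScopes -NoWelcome

# Verify consent before calling the module: Graph rejects calls (typically 403)
# for any scope that was not granted, and it is easier to see that here than
# in a half-empty diagram.
$granted = (Get-MgContext).Scopes
$missing = $requiredScopes | Where-Object { $_ -notin $granted }
if ($missing) {
    throw "Graph scopes not granted: $($missing -join ', '). Ask an admin to consent to them."
}

# Win32 apps on Windows, grouped by the Entra ID group they are assigned to,
# laid out left-to-right, copied to the clipboard for pasting into a renderer.
New-IntuneMermaidGraph -Type Applications `
    -OperatingSystem Windows `
    -ApplicationType 'Windows app (Win32)' `
    -GroupBy Assignments `
    -Direction LR | Set-Clipboard
```

Grouping by Assignments is the view to use when reviewing who gets what: every Entra ID group appears once with the apps or profiles that target it, so an unexpected "All Devices" or "All Users" assignment stands out immediately.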

The great thing about mermaid is how it allows you to change direction, themes and even layouts of the graph with a simple click (or changing its properties via text).

Here is an example of the output of New-IntuneMermaidGraph in raw Mermaid format:

flowchart TB
subgraph "Windows"
subgraph "Windows app (Win32)"
direction TB
subgraph c0b2596b-1b8a-495e-9763-5ab26927b90b_0-0-0["Charles Proxy 4.6.7"]
    c0b2596b-1b8a-495e-9763-5ab26927b90b_0-0-0-Name[""] 
end
c0b2596b-1b8a-495e-9763-5ab26927b90b_0-0-0 -->|Included| IA0-0-00 
 IA0-0-00{available}-->a0-0-00 
 a0-0-00["fa:fa-users All Users"] 

subgraph 873b031d-4fa2-4179-8e31-0003b6db9ff3_0-0-1["CMTrace Log"]
    873b031d-4fa2-4179-8e31-0003b6db9ff3_0-0-1-Name[""] 
end
873b031d-4fa2-4179-8e31-0003b6db9ff3_0-0-1 -->|Included| IU0-0-10 
 IU0-0-10{uninstall}-->a0-0-10 
 a0-0-10["fa:fa-users All Devices"]-->|fa:fa-filter exclude|f0-0-1[Cloud PCs] 

subgraph a5838081-c761-4475-b6f9-132e57aa9d8a_0-0-2["Logitech Presentation 2.10.34"]
    a5838081-c761-4475-b6f9-132e57aa9d8a_0-0-2-Name[""] 
end
a5838081-c761-4475-b6f9-132e57aa9d8a_0-0-2 -->|Included| IA0-0-20 
 IA0-0-20{available}-->a0-0-20 
 a0-0-20["fa:fa-users All Users"] 

subgraph edcecc07-c811-4944-88e8-04f845a2b327_0-0-3["Notepad++ 8.6.7"]
    edcecc07-c811-4944-88e8-04f845a2b327_0-0-3-Name[""] 
end
edcecc07-c811-4944-88e8-04f845a2b327_0-0-3 -->|Included| IR0-0-30 
 IR0-0-30{required}-->a0-0-30 
 a0-0-30["fa:fa-users Test_ Intune_App_Default"] 
 edcecc07-c811-4944-88e8-04f845a2b327_0-0-3 -->|Included| IU0-0-31 
 IU0-0-31{uninstall}-->a0-0-31 
 a0-0-31["fa:fa-users IntuneTech-Dashboard"]-->|fa:fa-filter include|f0-0-3[Cloud PCs] 

end
end

Here is the same example but running New-IntuneMermaidGraph -Direction LR:

flowchart LR
subgraph "Windows"
subgraph "Windows app (Win32)"
direction LR
subgraph c0b2596b-1b8a-495e-9763-5ab26927b90b_0-0-0["Charles Proxy 4.6.7"]
    c0b2596b-1b8a-495e-9763-5ab26927b90b_0-0-0-Name[""] 
end
c0b2596b-1b8a-495e-9763-5ab26927b90b_0-0-0 -->|Included| IA0-0-00 
 IA0-0-00{available}-->a0-0-00 
 a0-0-00["fa:fa-users All Users"] 

subgraph 873b031d-4fa2-4179-8e31-0003b6db9ff3_0-0-1["CMTrace Log"]
    873b031d-4fa2-4179-8e31-0003b6db9ff3_0-0-1-Name[""] 
end
873b031d-4fa2-4179-8e31-0003b6db9ff3_0-0-1 -->|Included| IU0-0-10 
 IU0-0-10{uninstall}-->a0-0-10 
 a0-0-10["fa:fa-users All Devices"]-->|fa:fa-filter exclude|f0-0-1[Cloud PCs] 

subgraph a5838081-c761-4475-b6f9-132e57aa9d8a_0-0-2["Logitech Presentation 2.10.34"]
    a5838081-c761-4475-b6f9-132e57aa9d8a_0-0-2-Name[""] 
end
a5838081-c761-4475-b6f9-132e57aa9d8a_0-0-2 -->|Included| IA0-0-20 
 IA0-0-20{available}-->a0-0-20 
 a0-0-20["fa:fa-users All Users"] 

subgraph edcecc07-c811-4944-88e8-04f845a2b327_0-0-3["Notepad++ 8.6.7"]
    edcecc07-c811-4944-88e8-04f845a2b327_0-0-3-Name[""] 
end
edcecc07-c811-4944-88e8-04f845a2b327_0-0-3 -->|Included| IR0-0-30 
 IR0-0-30{required}-->a0-0-30 
 a0-0-30["fa:fa-users Test_ Intune_App_Default"] 
 edcecc07-c811-4944-88e8-04f845a2b327_0-0-3 -->|Included| IU0-0-31 
 IU0-0-31{uninstall}-->a0-0-31 
 a0-0-31["fa:fa-users IntuneTech-Dashboard"]-->|fa:fa-filter include|f0-0-3[Cloud PCs] 

end
end

Depending on where you are embedding Mermaid you can also use themes and different layouts.

Here is an example of New-IntuneMermaidGraph output using the Dark theme and the Elk layout:

%%{init: {"theme": "dark", "flowchart": {"defaultRenderer": "elk"}}}%%
flowchart TB
subgraph "Windows"
subgraph "Windows app (Win32)"
direction TB
subgraph c0b2596b-1b8a-495e-9763-5ab26927b90b_0-0-0["Charles Proxy 4.6.7"]
    c0b2596b-1b8a-495e-9763-5ab26927b90b_0-0-0-Name[""] 
end
c0b2596b-1b8a-495e-9763-5ab26927b90b_0-0-0 -->|Included| IA0-0-00 
 IA0-0-00{available}-->a0-0-00 
 a0-0-00["fa:fa-users All Users"] 

subgraph 873b031d-4fa2-4179-8e31-0003b6db9ff3_0-0-1["CMTrace Log"]
    873b031d-4fa2-4179-8e31-0003b6db9ff3_0-0-1-Name[""] 
end
873b031d-4fa2-4179-8e31-0003b6db9ff3_0-0-1 -->|Included| IU0-0-10 
 IU0-0-10{uninstall}-->a0-0-10 
 a0-0-10["fa:fa-users All Devices"]-->|fa:fa-filter exclude|f0-0-1[Cloud PCs] 

subgraph a5838081-c761-4475-b6f9-132e57aa9d8a_0-0-2["Logitech Presentation 2.10.34"]
    a5838081-c761-4475-b6f9-132e57aa9d8a_0-0-2-Name[""] 
end
a5838081-c761-4475-b6f9-132e57aa9d8a_0-0-2 -->|Included| IA0-0-20 
 IA0-0-20{available}-->a0-0-20 
 a0-0-20["fa:fa-users All Users"] 

subgraph edcecc07-c811-4944-88e8-04f845a2b327_0-0-3["Notepad++ 8.6.7"]
    edcecc07-c811-4944-88e8-04f845a2b327_0-0-3-Name[""] 
end
edcecc07-c811-4944-88e8-04f845a2b327_0-0-3 -->|Included| IR0-0-30 
 IR0-0-30{required}-->a0-0-30 
 a0-0-30["fa:fa-users Test_ Intune_App_Default"] 
 edcecc07-c811-4944-88e8-04f845a2b327_0-0-3 -->|Included| IU0-0-31 
 IU0-0-31{uninstall}-->a0-0-31 
 a0-0-31["fa:fa-users IntuneTech-Dashboard"]-->|fa:fa-filter include|f0-0-3[Cloud PCs] 

end
end

The Mermaid project has a playground where you can test the diagrams and change properties live (my above example linked here), but there are also other Mermaid tools which are more user friendly, where you can change the properties by clicking buttons (I know, so 2000s). To get started, copy the content from here and paste it into here.

These diagrams can also be exported in multiple formats (png, svg, pdf) for offline consumption.

You can also find more examples and information at the project site hosted on GitHub.

General tips

1 – The parameters ‘OperatingSystem’ and (‘PolicyType’ or ‘ApplicationType’) act as filters and are combined.

  • If you choose Operating System ‘Windows’ and ApplicationType ‘Windows app (Win32)’ you will only get the Win32 apps for Windows.
  • If you instead choose Operating System ‘Windows’ and ApplicationType ‘iOS store app’ you will get an empty diagram, because the two filters are intersected: there is no ‘iOS store app’ type under ‘Windows’, and no ‘Windows’ operating system under the ‘iOS store app’ type.

2 – The parameter ‘DisplayIcons’ only works with applications. It extracts the application icon and resizes the image to 64×64 to display on the diagrams. Be aware that many implementations of Mermaid have a maximum text size of 50k characters, and since the images need to be encoded in Base64, the more images, the more characters. To get around this you can either use one of the tools above (where you can manually increase that limit) or generate the diagrams without the icons (not as cool, but it dramatically reduces the diagram size).

3 – The resultant diagrams are always encapsulated in boxes representing the OperatingSystem, Type (PolicyType or ApplicationType) and GroupBy respectively.

4 – Depending on the size of your tenant and number of policies or apps, the diagrams might be really big and take some time to load when pasting on Mermaid for rendering. That happens because all rendering is done client side (the data never leaves your browser). Fine tune the filters to see what works best for you.

5 – Only resources (Profiles and Applications) with valid assignments will be added to the diagram. If you have resources without assignments, they are skipped.
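Tips 1, 2 and 4 together suggest a batch workflow: generate one diagram per operating system so each stays small, check the result against the 50k character limit and fall back to -DisplayIcons $false when it is exceeded, and write each diagram into a Markdown file with a mermaid fence so GitHub or Azure DevOps renders it as a reviewable artifact. The script below is an added example, not part of the post or the module; it assumes you are already connected with Connect-MgGraph as described above, and it joins the function's output with newlines so that it works whether the function returns a single string or an array of lines (an assumption, since the post only says the output goes to the terminal).

```powershell
# Added example (not from the MSEndpointMgr post or the IntuneMermaid module).
# Assumes Connect-MgGraph has already been run with the scopes the module needs.

$limit  = 50000                                  # text limit many Mermaid renderers apply (tip 2)
$outDir = Join-Path $PWD 'intune-diagrams'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Three backticks built from the character code so the fence is unambiguous
# inside this script; it opens a ```mermaid block in the Markdown output.
$fence = [string]::new([char]96, 3)

foreach ($os in 'Windows', 'macOS', 'iOS', 'Android') {
    # One diagram per OS keeps each render small (tip 4). The -join handles a
    # single string or an array of lines (assumption about the function's output).
    $graph = (New-IntuneMermaidGraph -Type Applications -OperatingSystem $os -Direction LR) -join "`n"

    if ($graph.Length -gt $limit) {
        Write-Warning ("{0}: {1:N0} chars with icons exceeds {2:N0}; regenerating without icons" -f `
            $os, $graph.Length, $limit)
        $graph = (New-IntuneMermaidGraph -Type Applications -OperatingSystem $os -Direction LR -DisplayIcons $false) -join "`n"
    }

    # Markdown wrapper so the file renders directly in GitHub / Azure DevOps.
    $md = @(
        "# Intune application assignments - $os"
        "Generated $(Get-Date -Format 'yyyy-MM-dd HH:mm') (read-only Graph scopes)"
        ''
        "${fence}mermaid"
        $graph
        $fence
    ) -join "`n"

    $path = Join-Path $outDir "apps-$os.md"
    Set-Content -Path $path -Value $md -Encoding utf8
    Write-Host ("{0}: {1:N0} chars -> {2}" -f $os, $graph.Length, $path)
}
```

Committing these files to a repository gives you a dated history of assignments per operating system; a diff between two runs shows exactly which app gained or lost a group, filter or install intent, which is far quicker to review than clicking through the Intune portal.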

Jose Schenardie

As a co-founder of Devicie and Secure Measure (companies specialised in endpoint management and cyber security) and an MVP since 2024, Jose possesses great knowledge across many IT domains and is always happy to share and discuss new ideas in tech.

Outside IT, Jose loves to spend time with his family (wife and two children), prepare a Brazilian barbecue and play a good game of squash.
