IntuneFirewallMigration is an updated version of the no longer available Microsoft tool which was removed in June 2024:
This version is a streamlined version of the Microsoft tool with the following changes:
- Uses Settings Catalog firewall rule policies natively
- Allows for selection of only specific firewall profile rules (Domain, Private, Public)
- Removed the reliance on the old Microsoft GitHub repository.
- Changed to the
Microsoft.Graph.AuthenticationPowerShell module. - Changed to
Invoke-MgGraphRequestfor calls to Graph. - Disabled and removed all telemetry functions and calls.
- Fixed issues when checking for profile name matching when there are no existing firewall rule policies.
- Resolved issues with module
Microsoft.Graphversion 2.26.1 module on PowerShell 5.
IntuneFirewallMigration is currently in Public Preview, meaning that although it is functional, you may encounter issues or bugs with the script.
Tip
If you do encounter bugs, want to contribute, submit feedback or suggestions, please create an issue.
Important
- Supports PowerShell 5 and 7 on Windows
Microsoft.Graph.Authenticationthe script will detect and install if required.ImportExcelthe script will detect and install if required.- Entra ID App Registration with appropriate Graph Scopes or using Interactive Sign-In with a privileged account.
- v0.3
- Able to upload only specific firewall profile rules from: domain, private, public, all, or not configured
- Duplicate rule names now shown as (1), (2) etc.
- Improved conversion of rules to Settings Catalog format
- v0.2.1
- Ensures only unique firewall rules are created in Settings Catalog policies
- Improved duplicate firewall name handling
- v0.2
- Creates Setting Catalog policies as standard
- Allows for creation of legacy Endpoint Security policies using the
legacyProfileswitch
- v0.1
- Initial release
The PowerShell script requires the below Graph API permissions, you can create an Entra ID App Registration with the following Graph API Application permissions:
DeviceManagementConfiguration.ReadWrite.AllDeviceManagementManagedDevices.ReadWrite.All
The script can then be authenticated by passing in the App Registration details:
$tenantId = '437e8ffb-3030-469a-99da-e5b527908001'
$appId = '375793fc-0132-4938-bc80-a907e5cba4d0'
$appSecret = 'supersecretstuff'
.\IntuneFirewallMigration.ps1 -profileName TestMigration -tenantId $tenantId -appId $appId -appSecret $appSecretClone or download this repository to the Windows machine where you want to capture Firewall Rules, then execute the following commands from within the extracted or cloned folder:
Creates Settings Catalog Firewall rule profiles with the name prefix TestMigration using only the first 20 enabled Group Policy applied firewall rules:
.\IntuneFirewallMigration.ps1 -profileName TestMigration -mode TestCreates Settings Catalog Firewall rule profiles with the name prefix FirewallRules with 100 rules per profile, using all enabled Group Policy applied firewall rules:
.\IntuneFirewallMigration.ps1 -profileName FirewallRulesCreates Settings Catalog Firewall rule profiles with the name prefix DomainFirewallRules with 100 rules per profile, using all enabled Group Policy applied firewall rules, only uploading domain profile rules:
.\IntuneFirewallMigration.ps1 -profileName DomainFirewallRules -firewallProfile domainCreates Settings Catalog Firewall rule profiles with the name prefix PrivateFirewallRules with 100 rules per profile, using all enabled Group Policy applied firewall rules, only uploading private profile rules:
.\IntuneFirewallMigration.ps1 -profileName PrivateFirewallRules -firewallProfile privateCreates Settings Catalog Firewall rule profiles with the name prefix PublicFirewallRules with 100 rules per profile, using all enabled Group Policy applied firewall rules, only uploading public profile rules:
.\IntuneFirewallMigration.ps1 -profileName PublicFirewallRules -firewallProfile publicCreates Settings Catalog Firewall rule profiles with the name prefix LocalFirewallRules with 70 rules per profile, using all enabled Group Policy and Locally applied firewall rules:
.\IntuneFirewallMigration.ps1 -profileName LocalFirewallRules -includeLocalRules -splitRules 70Creates Settings Catalog Firewall rule profiles with the name prefix DisabledFirewallRules with 50 rules per profile, using all enabled and disabled Group Policy applied firewall rules:
.\IntuneFirewallMigration.ps1 -profileName DisabledFirewallRules -includeDisabledRules -splitRules 50Important
These legacy Profiles don't appear in Intune immediately, looks like they are processed behind the scenes and converted now.
Creates Endpoint Security Firewall rule profiles with the name prefix LegacyProfileFirewallRules with 100 rules per profile, using all enabled Group Policy applied firewall rules:
.\IntuneFirewallMigration.ps1 -profileName LegacyProfileFirewallRules -legacyProfileIf you encounter any issues or have questions:
- Check the Issues page
- Open a new issue if needed
Thank you for your support.
This project is licensed under the MIT License - see the LICENSE file for details.
Created by Nick Benton of odds+endpoints