Awesome Intune - Microsoft Intune Tools Directory

Ugur Koc

PowerShell ModuleMigration

Intune Device Migration

Intune Device Migration off-boards devices from one tenant and automatically joins them to a destination tenant, preserving user data during the transition. Built with PowerShell, Microsoft Graph, and Windows provisioning packages, it enables near-zero downtime cross-tenant migrations, with detailed logging, registry updates, and post-install validation to ensure provisioning packages are applied correctly.

Created by

Steve Weiner

View on GitHubGitHub

Security Analysis

4of 6

2 Issues FoundOverride

5 files scanned on Jun 11, 2026

Issues Detected

No Credential Theft

No token or credential harvesting code

The script reads Graph service principal credentials (clientSecret) from a local JSON config file (C:\ProgramData\IntuneMigration\config.json) to obtain tokens. Storing credentials on disk increases risk of leakage if the host is compromised. Recommendation: move secrets to a secure vault or use certificate-based authentication, DPAPI protection, and enforce strict file permissions with rotation.

No Hardcoded Secrets

No API keys or credentials in code

Hardcoded credential in StartMigrate.ps1 ([lines: 546](https://github.com/stevecapacity/intunemigration-v9/blob/main/StartMigrate.ps1#L546))

Passed Checks

No Obfuscated Code

No Remote Execution

No Data Exfiltration

No Malicious Patterns

AI Analysis

The Intune Device Migration scripts perform legitimate Graph-based management actions (e.g., tagging devices, updating Entra/Intune attributes, BitLocker key handling, Autopilot registration). However, there are security considerations: credentials are stored in config.json (risk of leakage), there are defense-evasion-like cleanup actions, and reliance on Graph Beta endpoints with silent error handling. Mitigations include securing secrets (vault/certificate-based auth), auditing/approval for cleanup steps, and migrating to stable Graph endpoints with robust error handling.

You might also like

Other

JUMP-IN

JUMP-IN is an all-in-one macOS application that simplifies migrating between MDM solutions, enabling migration to Microsoft Intune or between Intune tenants without data loss. It performs system compatibility checks, automatic MDM detection, backups, profile removal, Company Portal installation, tenant enrollment, and FileVault key rotation to maintain security; typical migration runs in about 15-20 minutes per device.

Somesh Pathak

PowerShell Module

Intune-App-Sandbox

Intune-App-Sandbox is a testing utility for PowerShell-based installers packaged with the Win32 Content Prep Tool for Intune deployments. It creates a sandbox workspace (C:\SandboxEnvironment), and adds context-menu options to pack with IntunewinUtil or run tests in a Safe sandbox. It also supports a detection-based test flow and a reusable template script to accelerate building and validating packaging for Win32 apps in Intune.

Maciej Horbacz

PowerShell Module

IntuneWinAppUtil GUI

IntuneWinAppUtil GUI is a PowerShell-based WPF wrapper for Microsoft's IntuneWinAppUtil.exe. It streamlines packaging Win32 apps for Intune with auto-download of the latest tool, input validation, path-length checks, and configuration persistence across launches. It also detects PSAppDeployToolkit usage to suggest names and sanitizes invalid filename characters.

Giovanni Solone

PowerShell Module

WinGet-PSADT-GUI-Tool

WinGet-PSADT-GUI-Tool is a Windows PowerShell WPF GUI that streamlines Win32 app packaging and Intune deployment. It integrates WinGet search, installer download, PSADT scaffolding, and GUI-driven configuration of install/uninstall/repair logic, enabling generation of .intunewin packages and direct upload to Intune via Microsoft Graph. It outputs standard PSADT/Intune artifacts and provides live monitoring of packaging and upload steps.

Dhiraj Dhote