Let me paint you a picture. You’re at a nice restaurant, the kind with real tablecloths and everything, and you ask the waiter for the menu. Instead of handing you a neatly organized list, he dumps a phone book (for you younger folks, we used to look up numbers in a book) on your table and says, “It’s in there somewhere. Good luck.” That’s essentially what managing Intune policy assignments feels like when your tenant has thousands of groups. You click into a group, check one policy, click back, open another policy, click back again. Before you know it, you’ve got seventeen browser tabs open and a growing sense of anxiety.

Now, the Intune community has already cooked up some great tools to tackle this. Ugur Koc’s Intune Assignment Checker is probably the most well-known, and for good reason. It’s a comprehensive PowerShell tool that generates interactive HTML reports covering users, groups, devices, and just about every policy type out there. Sander Rozemuller’s Intune Assistant also deserves a shout-out for making group-based assignment searches easier. On top of those, the broader community has produced a healthy ecosystem of utilities, from policy comparison tools to full-blown documentation generators.

So why am I introducing yet another tool? Fair question. Let me tell you a story.

6,000 Groups and a Whole Lot of Scrolling

I was working with a customer whose Entra tenant had accumulated over 6,000 groups. Years of organic growth, team turnover, project-based deployments, and the classic “we’ll clean that up later” approach had produced a sprawling mess of security groups. Many of them were tied to Intune assignments in ways nobody fully understood anymore. Trust me on this one, I’ve seen messy tenants before. This one was like walking into a garage that hadn’t been cleaned since 2012.

The existing tools helped. They really did. I could pull reports, search by group, and get a general sense of the landscape. However, this customer needed something more targeted. They wanted to sit down with a dashboard, filter down to just the groups that had assignments, zero in on groups with only one or two assignments (prime cleanup candidates), and quickly see exactly what was assigned before deciding whether that group could be retired.

So, naturally, I built one.

Introducing Tunedin Assignment Checker

Tunedin Assignment Checker is a web-based dashboard that connects to Microsoft Intune via the Microsoft Graph API and displays policy and application assignments for Entra ID groups. You pick a group from the sidebar, and it shows you everything assigned to that group. Everything is organized across five categories: Device Configurations, Settings Catalog, Applications, Scripts, and Remediations.

You can run it two ways. If you prefer a local setup, there’s a PowerShell backend that authenticates through the Microsoft Graph Command Line Tools enterprise application. No app registration required. Just run the script, sign in, and a browser window opens. If you’d rather skip the PowerShell route entirely, the app also runs as a standalone single-page application directly from GitHub Pages, using MSAL.js to authenticate in the browser.

Custom App Registration Support

This was the first hard requirement from my customer. They didn’t want anyone authenticating with broad admin credentials just to check assignments. Instead, they wanted a dedicated app registration in their tenant with explicitly scoped, read-only permissions. Totally fair ask, honestly.

The SPA mode supports exactly that. You create your own app registration in Entra, assign the specific delegated permissions the tool needs (all read-only), and plug in your Tenant ID and Client ID on the setup screen. The tool uses MSAL.js with PKCE for authentication, so there’s no client secret to worry about. As a result, your security team gets a clean audit trail of exactly which app is accessing what, and you get to sleep at night knowing nothing is over-permissioned.

If you’re running the PowerShell backend instead, authentication happens through the Microsoft Graph Command Line Tools enterprise application. You don’t need to create an app registration at all. Just run the script, sign in, consent to the permissions on first use, and you’re connected.
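To back up the "nothing is over-permissioned" claim for a custom app registration, you can audit the scopes actually granted at sign-in rather than the ones requested. This is an added example, not code from the Tunedin project: the allowlist uses real Microsoft Graph delegated permission names, but which of them this tool requests is an assumption, and the sample scope list is constructed.

```javascript
// Assumed allowlist. The permission names are real Graph delegated scopes,
// but the exact set this tool needs is an assumption: copy yours from the
// setup screen or the app registration's API permissions blade.
const ALLOWED = new Set([
  'DeviceManagementConfiguration.Read.All',
  'DeviceManagementApps.Read.All',
  'Group.Read.All',
  'User.Read', 'openid', 'profile', 'email', 'offline_access',
].map(s => s.toLowerCase()));

// `granted` is the scopes array from an MSAL AuthenticationResult. The token
// can carry more than was requested if broader consent was given to the same
// app registration earlier, which is why the granted list is what gets audited.
function auditScopes(granted) {
  const findings = [];
  for (const raw of granted) {
    // Scopes may come back in the fully qualified resource form.
    const scope = raw.replace(/^https:\/\/graph\.microsoft\.com\//i, '');
    if (/\.ReadWrite(\.|$)/i.test(scope)) {
      findings.push({ scope, reason: 'write permission' });
    } else if (!ALLOWED.has(scope.toLowerCase())) {
      findings.push({ scope, reason: 'not on allowlist' });
    }
  }
  return findings;
}

// Constructed sample of a granted-scope list.
const grantedSample = [
  'Group.Read.All',
  'DeviceManagementConfiguration.ReadWrite.All',
  'https://graph.microsoft.com/DeviceManagementApps.Read.All',
  'Directory.Read.All',
];
```

An empty result means every granted scope is read-only and expected; anything else is worth raising with whoever owns the app registration.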

Assignment Count Filtering: The Feature That Saved My Sanity

Here’s the feature that saved me hours of scrolling through 6,000 groups. I do mean hours, by the way.

When the dashboard loads, it scans all Intune policy categories and counts how many assignments target each group. That count shows up right next to each group name in the sidebar. The real magic, though, is the Assignment Count filter. You can set a minimum and maximum range, and the group list instantly narrows to just the groups that fall within that range.

For my cleanup project, the sweet spot was filtering for groups with exactly one assignment. Those were the groups most likely to be remnants of a one-off deployment that nobody remembered creating. I could click through them one at a time, see what single policy or app was assigned, confirm with the customer whether it was still needed, then move on. What would have been a week of spreadsheet wrangling became an afternoon of focused clicks.
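The counting and range filter described above can be sketched as follows. This is an added example, not the tool's own code: the input is constructed data shaped like Graph list responses with assignments expanded, the group IDs and policy names are made up, and counting exclusion targets is a choice made here for cleanup safety.

```javascript
// Constructed sample data; '@odata.type' values are the real Graph
// assignment target types, everything else is made up.
const GROUP = '#microsoft.graph.groupAssignmentTarget';
const EXCLUDE = '#microsoft.graph.exclusionGroupAssignmentTarget';
const ALL_DEVICES = '#microsoft.graph.allDevicesAssignmentTarget';

const samplePolicies = {
  deviceConfigurations: [
    { displayName: 'Win - BitLocker', assignments: [
      { target: { '@odata.type': GROUP, groupId: 'g-001' } },
      { target: { '@odata.type': EXCLUDE, groupId: 'g-002' } } ] },
    { displayName: 'Win - Wi-Fi', assignments: [
      { target: { '@odata.type': ALL_DEVICES } } ] },
  ],
  scripts: [
    { displayName: 'Fix-Printer.ps1', assignments: [
      { target: { '@odata.type': GROUP, groupId: 'g-003' } } ] },
    { displayName: 'Map-Drives.ps1', assignments: [
      { target: { '@odata.type': GROUP, groupId: 'g-001' } } ] },
  ],
};

// Count assignments per group across every category. Exclusions count too:
// a group that is only ever excluded is still referenced by a policy.
function countAssignments(policiesByCategory) {
  const counts = new Map();
  for (const [category, policies] of Object.entries(policiesByCategory)) {
    for (const policy of policies) {
      for (const a of policy.assignments ?? []) {
        const id = a.target?.groupId;
        if (!id) continue; // All Devices / All Users targets carry no groupId
        const entry = counts.get(id) ?? { count: 0, items: [] };
        entry.count += 1;
        entry.items.push({ category, policy: policy.displayName,
          excluded: a.target['@odata.type'] === EXCLUDE });
        counts.set(id, entry);
      }
    }
  }
  return counts;
}

// Apply the min/max range. Groups with zero assignments never enter the map.
function filterByCount(counts, min, max) {
  return [...counts].filter(([, e]) => e.count >= min && e.count <= max)
    .map(([groupId, e]) => ({ groupId, ...e }));
}
```

Calling `filterByCount(countAssignments(samplePolicies), 1, 1)` returns the single-assignment groups, including the one that appears only as an exclusion, which is the case most likely to be missed in a manual review.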

Script Content Preview: Small Feature, Big Impact

This one is a small feature that punches way above its weight. When you’re looking at the Scripts category for a group, each script card has a preview button. Click it, and a modal pops up showing the full PowerShell script content, decoded from the base64 blob that Graph returns. Thanks to Logan for showing me that trick a few years ago.

If you’ve ever inherited a tenant where someone deployed a dozen “quick fix” scripts through Intune and left zero documentation, you know exactly why this matters. Instead of navigating to the Intune portal, finding the script, downloading it, and opening it in an editor, you can see exactly what’s going on right from the assignment view. It’s a small thing on its own. However, when you’re triaging 6,000 groups, small things add up fast. Think of it like finally finding a flashlight in that messy 2012 garage I mentioned earlier. Suddenly, everything is a lot easier to sort through.
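Decoding the base64 `scriptContent` value for a preview has two details worth getting right: scripts saved from Windows editors may be UTF-16LE or carry a byte-order mark, and the decoded text is untrusted content that must be escaped before it goes into a page. The following is an added example, not the tool's own code; the sample scripts are constructed and the helper names are hypothetical.

```javascript
// Decode the base64 `scriptContent` of a Graph deviceManagementScript to text.
function decodeScriptContent(b64) {
  const bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
  // Choose the encoding from the byte-order mark; default to UTF-8.
  let encoding = 'utf-8', offset = 0;
  if (bytes[0] === 0xFF && bytes[1] === 0xFE) {
    encoding = 'utf-16le'; offset = 2;
  } else if (bytes[0] === 0xEF && bytes[1] === 0xBB && bytes[2] === 0xBF) {
    offset = 3;
  }
  return new TextDecoder(encoding).decode(bytes.subarray(offset));
}

// Escape before inserting into markup. Setting element.textContent in the
// modal achieves the same thing; never assign decoded script to innerHTML.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, ch => map[ch]);
}

// --- Constructed samples (not real tenant data) ---
// UTF-8 with BOM: btoa takes one character per byte.
const sampleUtf8 = btoa('\xEF\xBB\xBF' + 'Write-Host "<b>hi</b>"');

// UTF-16LE with BOM, built byte by byte (BMP characters only).
function toUtf16leBase64(text) {
  let s = '\xFF\xFE';
  for (let i = 0; i < text.length; i++) {
    const c = text.charCodeAt(i);
    s += String.fromCharCode(c & 0xFF, c >> 8);
  }
  return btoa(s);
}
const sampleUtf16 = toUtf16leBase64('Restart-Service Spooler');
```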

All Devices, All Users, and Dark Mode

The header includes toggle buttons for All Devices and All Users assignments. When enabled, you see those broad-scope assignments alongside the group-specific ones. When you’re focused on group cleanup, you can toggle them off to reduce noise. There are also dedicated “All Devices” and “All Users” entries at the bottom of the group list. These let you see everything assigned to those virtual targets across all categories in one click.

There is also a dark mode. It respects your system preference by default, plus you can toggle it manually. We’re sysadmins. We live in dark mode. I wasn’t going to ship a tool without it. That would be like selling a truck without cup holders.

A Few More Nice-to-Haves

Each group shows its type (Dynamic or Assigned), and for dynamic groups, the membership rule query is displayed right below the group name. This means you don’t have to jump over to Entra just to check it. There’s a CSV export button for each group’s assignments too, which is especially handy for documenting what you found during a cleanup session.

In SPA mode, there’s a 30-minute inactivity timeout that automatically signs you out if you step away. That way, you’re not leaving an authenticated session sitting open on your machine while you go grab lunch.

Okay, Let’s Talk About Vibe Coding

I have a confession. I didn’t write every line of this tool by hand. Yes, I’m not a developer. You may already know this.

If you’ve been anywhere near tech X or LinkedIn recently, you’ve probably seen the term “vibe coding” floating around. The basic idea is that you describe what you want to an AI assistant, and it helps you build it. You stay in the driver’s seat, steering the design and architecture, while the AI handles a lot of the scaffolding, boilerplate, and even some of the trickier logic.

I’ll be honest. It took me long enough to actually start. I spent months watching other people talk about it while I kept manually writing PowerShell scripts the old-fashioned way. Once I finally gave it a real shot, though, the productivity boost was hard to ignore. Features that would have taken me an entire evening to implement were roughed out in minutes. I still reviewed everything, tested everything, and refactored plenty. The iteration speed, though, was something else entirely.

If you’re a sysadmin who’s been curious about vibe coding and keeps thinking “that’s a developer thing, not for me,” I’d encourage you to give it a try. You don’t need to be building the next SaaS product. Small internal tools, automation scripts, or dashboards like this one are a perfect place to start. The barrier to entry has never been lower, and honestly, the results might surprise you.

Grab a Menu and Take It for a Spin

You can try the tool right now without installing anything.

GitHub Pages (SPA mode): http://tunedin.zerototrust.tech/

You’ll need to set up an app registration in your tenant first (the setup screen walks you through it). Once that’s done, you’re up and running in under two minutes.

PowerShell backend (local):

git clone https://github.com/dgulle/Tunedin-Assignment-Checker.git
cd Tunedin-Assignment-Checker/src
.\TunedinAssignmentChecker.ps1

No app registration needed for this option. Just run the script, sign in through the Microsoft Graph Command Line Tools consent flow, and the dashboard opens in your browser.

The source code is on GitHub at github.com/dgulle/Tunedin-Assignment-Checker. It’s all read-only, it can’t modify your Intune environment, and the permissions are scoped to exactly what’s needed.

Wrapping Up

If you’re staring down a tenant with hundreds (or thousands) of groups and wondering which ones still matter, give this tool a spin. No more phone book menus, no more seventeen-tab browser sessions, and no more guessing which group does what. Just a clean, organized dashboard that finally puts things in order.