A PowerShell script and GitHub Actions workflow for creating a Microsoft Intune package for the Microsoft 365 Apps.
For full details on how to use this solution see: An Intune Package Factory for the Microsoft 365 Apps.
Microsoft 365 Apps configuration files are included in this repository - these files can be used to create packages for any target tenant as some key options will be updated dynamically by this solution.
- `O365BusinessRetail.xml` - Configuration file for Microsoft 365 Apps for business
- `O365BusinessRetail-VDI.xml` - Configuration file for Microsoft 365 Apps for business with shared licensing enabled, and OneDrive and Teams excluded
- `O365ProPlus.xml` - Configuration file for Microsoft 365 Apps for enterprise
- `O365ProPlus-VDI.xml` - Configuration file for Microsoft 365 Apps for enterprise with shared licensing enabled, and OneDrive and Teams excluded
- `O365ProPlusVisioProRetailProjectProRetail.xml` - Configuration file for Microsoft 365 Apps for enterprise, Visio, and Project
- `O365ProPlusVisioProRetailProjectProRetail-VDI.xml` - Configuration file for Microsoft 365 Apps for enterprise, Visio, and Project with shared licensing enabled, and OneDrive and Teams excluded
- `Uninstall-Microsoft365Apps.xml` - A configuration that will uninstall all Microsoft 365 Apps
When the package is generated, the following properties will be updated:
- Company name
- Tenant id
- Channel
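The update described above, sketched as an added example (not the repository's own code). It assumes the Office Deployment Tool layout for these settings (`Channel` on `<Add>`, a `TenantId` `<Property>`, and a `Company` `<Setup>` under `<AppSettings>`); the function name, channel list and sample XML are constructed for illustration.

```powershell
# Added example: update Channel, TenantId and Company in an ODT configuration.
# Update-M365Config is a hypothetical helper, not part of this repository.
function Update-M365Config {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [xml] $Xml,
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $CompanyName,
        # Assumed list of ODT channel names; adjust to the channels you support
        [ValidateSet("Current", "CurrentPreview", "MonthlyEnterprise", "SemiAnnual", "SemiAnnualPreview", "BetaChannel")]
        [string] $Channel = "MonthlyEnterprise"
    )

    # Reject anything that is not a GUID before it is written into the package
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($TenantId, [ref] $guid)) {
        throw "TenantId '$TenantId' is not a GUID."
    }

    # Fail if an expected node is missing, rather than producing a package
    # that still carries the values committed in the template
    $add = $Xml.SelectSingleNode("/Configuration/Add")
    $tenant = $Xml.SelectSingleNode("/Configuration/Property[@Name='TenantId']")
    $company = $Xml.SelectSingleNode("/Configuration/AppSettings/Setup[@Name='Company']")
    if ($null -eq $add -or $null -eq $tenant -or $null -eq $company) {
        throw "Configuration is missing an Add, TenantId or Company node."
    }

    # Setting values through the DOM escapes them; no string substitution
    $add.SetAttribute("Channel", $Channel)
    $tenant.SetAttribute("Value", $guid.ToString())
    $company.SetAttribute("Value", $CompanyName)
}

# Constructed sample configuration (placeholder values)
[xml] $sample = @'
<Configuration>
  <Add OfficeClientEdition="64" Channel="Current">
    <Product ID="O365ProPlusRetail"><Language ID="MatchOS" /></Product>
  </Add>
  <Property Name="TenantId" Value="00000000-0000-0000-0000-000000000000" />
  <AppSettings><Setup Name="Company" Value="Placeholder" /></AppSettings>
</Configuration>
'@

Update-M365Config -Xml $sample -TenantId "6cdd8179-23e5-43d1-8517-b6276a8d3189" -CompanyName "stealthpuppy"
$sample.OuterXml
```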
- `New-Microsoft365AppsPackage.ps1` - Creates and imports a Microsoft 365 Apps package into Intune via GitHub Actions or from a local copy of this repository
- `Create-Win32App.ps1` - Imports the intunewin package into the target Intune tenant, using `App.json` as the template. Called by `New-Microsoft365AppsPackage.ps1`
- `scrub` - Office Scrub Scripts: Office uninstall and scrub scripts sourced from Deploy-OfficeClickToRun. These ensure that existing Office MSI or Click-to-Run packages installed on the target machine are cleanly uninstalled before installing the Microsoft 365 Apps
`New-Microsoft365AppsPackage.ps1` must be run on a supported Windows version, and has been written for PowerShell 5.1. Parameters for `New-Microsoft365AppsPackage.ps1` are:
Parameter | Description | Required |
---|---|---|
Path | Path to the top level directory of the m365apps repository on a local Windows machine. | No |
ConfigurationFile | Full path to the Microsoft 365 Apps package configuration file. Specify the full path to a configuration file included in the repository or the path to an external configuration file. | Yes |
Channel | A supported Microsoft 365 Apps release channel. | No. Defaults to MonthlyEnterprise |
CompanyName | Company name to include in the configuration.xml. | No. Defaults to stealthpuppy |
TenantId | The tenant id (GUID) of the target Azure AD tenant. | Yes |
ClientId | The client id (GUID) of the target Azure AD app registration. | No |
ClientSecret | Client secret used to authenticate against the app registration. | No |
Import | Switch parameter to specify that the package should be imported into the Microsoft Intune tenant. | No |
Use `New-Microsoft365AppsPackage.ps1` by authenticating with an Intune Administrator account before running the script. Run `Connect-MSIntuneGraph` to authenticate with administrator credentials using a sign-in window or device login URL.
```powershell
Connect-MSIntuneGraph -TenantID "lab.stealthpuppy.com"
$params = @{
    Path              = "E:\projects\m365Apps"
    ConfigurationFile = "E:\projects\m365Apps\configs\O365ProPlus.xml"
    Channel           = "Current"
    CompanyName       = "stealthpuppy"
    TenantId          = "6cdd8179-23e5-43d1-8517-b6276a8d3189"
    Import            = $true
}
.\New-Microsoft365AppsPackage.ps1 @params
```
Use `New-Microsoft365AppsPackage.ps1` to create a new package by passing credentials to an Azure AD app registration that has rights to import applications into Microsoft Intune. This approach can be modified for use within a pipeline:
```powershell
$params = @{
    Path              = "E:\projects\m365Apps"
    ConfigurationFile = "E:\projects\m365Apps\configs\O365ProPlus.xml"
    Channel           = "MonthlyEnterprise"
    CompanyName       = "stealthpuppy"
    TenantId          = "6cdd8179-23e5-43d1-8517-b6276a8d3189"
    ClientId          = "60912c81-37e8-4c94-8cd6-b8b90a475c0e"
    ClientSecret      = "<secret>"
    Import            = $true
}
.\New-Microsoft365AppsPackage.ps1 @params
```
The app registration requires the following API permissions:
API / Permissions name | Type | Description | Admin consent required |
---|---|---|---|
DeviceManagementApps.Read.All | Application | Read Microsoft Intune apps | Yes |
DeviceManagementApps.ReadWrite.All | Application | Read and write Microsoft Intune apps | Yes |
The workflow requires the following secrets on the repo:
- `TENANT_ID` - tenant ID used by `new-package.yml`
- `CLIENT_ID` - app registration client ID used by `new-package.yml` to authenticate to the target tenant
- `CLIENT_SECRET` - password used by `new-package.yml` to authenticate to the target tenant
The workflow is run on demand (`workflow_dispatch`) and requires input when run. This must be a configuration XML file that exists in the `configs` directory in this repository.
To use the package workflow, clone this repository, enable GitHub Actions, and configure the repository secrets.
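One way to prepare the script's parameters inside a pipeline step, as an added example rather than the repository's own workflow code. It assumes the three repository secrets are mapped to environment variables of the same names and that `$RepoPath` is an absolute path; `Get-PackageParams` is a hypothetical helper.

```powershell
# Added example: resolve pipeline inputs before calling the packaging script.
# Get-PackageParams is a hypothetical helper, not part of this repository.
function Get-PackageParams {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $RepoPath,     # absolute path to the checkout
        [Parameter(Mandatory)] [string] $ConfigInput   # workflow_dispatch input
    )

    # Confine the requested file to the configs directory: resolve the full
    # path and require it to stay under the configs root, so ..\ segments and
    # absolute paths supplied as workflow input are rejected
    $root = [System.IO.Path]::GetFullPath((Join-Path $RepoPath "configs"))
    $root = $root.TrimEnd('\') + '\'
    $file = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($root, $ConfigInput))
    if (-not $file.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Configuration file must be inside $root"
    }
    if ([System.IO.Path]::GetExtension($file) -ne ".xml" -or
        -not (Test-Path -LiteralPath $file -PathType Leaf)) {
        throw "Configuration file '$ConfigInput' was not found in configs."
    }

    # Secrets are read from the environment, so they never appear in the
    # script or in a committed parameter file; the IDs must parse as GUIDs
    $guid = [guid]::Empty
    foreach ($name in "TENANT_ID", "CLIENT_ID", "CLIENT_SECRET") {
        $value = [Environment]::GetEnvironmentVariable($name)
        if ([string]::IsNullOrWhiteSpace($value)) { throw "$name is not set." }
        if ($name -ne "CLIENT_SECRET" -and -not [guid]::TryParse($value, [ref] $guid)) {
            throw "$name is not a GUID."
        }
    }

    return @{
        Path              = $RepoPath
        ConfigurationFile = $file
        TenantId          = $env:TENANT_ID
        ClientId          = $env:CLIENT_ID
        ClientSecret      = $env:CLIENT_SECRET
        Import            = $true
    }
}

# Usage in a workflow step:
# $params = Get-PackageParams -RepoPath $env:GITHUB_WORKSPACE -ConfigInput "O365ProPlus.xml"
# .\New-Microsoft365AppsPackage.ps1 @params
```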
This repository includes copies of the following binaries and support files that are automatically kept updated with the latest versions:
- Microsoft 365 Apps / Office Deployment Tool (`setup.exe`) - the key installer required to install, configure and uninstall the Microsoft 365 Apps
- Microsoft Win32 Content Prep Tool (`IntuneWinAppUtil.exe`) - the tool that converts Win32 applications into the intunewin package format
- PSAppDeployToolkit - the install is managed with the PowerShell App Deployment Toolkit
If you have cloned this repository, ensure that you synchronise changes to update binaries to the latest version releases.