Intune Configuration-as-Code

GitOps-based device configuration management

What It Does

  • Configuration-as-Code — Device configurations versioned as JSON files in Git and managed through pull requests
  • Automated validation — PowerShell tests check syntax, required fields, and structural conformance before every deployment
  • CI/CD pipeline — Multi-stage pipeline with validation, approval, deployment, and post-deployment checks
  • Graph API deployment — Automatic creation and update of Intune Configuration Profiles via Service Principal
  • Group-based assignment — Configuration profiles automatically assigned to the correct groups based on role

Automated Endpoint Compliance Platform

Fully automated BIOS and compliance lifecycle platform for an Intune-managed device fleet

What It Does

  • Device inventory collection — Proactive Remediation collects daily hardware and application inventory from Intune-managed devices and sends it to an Azure Function
  • Azure Function (Logs Ingestion API) — Receives inventory data, validates device identity, formats and routes data to Azure Monitor via DCE/DCR architecture
  • BIOS version tracking — Azure Automation Runbook queries OEM catalogs, extracts current BIOS versions and feeds them into Log Analytics for compliance comparison
  • BIOS deployment — Automated Intune Win32 package generation with dynamic catalog integration and BitLocker suspend/resume orchestration
  • Orchestration — Dynamic groups, ring-based rollout (Canary, Pilot, Broad), package supersedence via Graph API
  • Analytics — Azure Monitor Workbooks for compliance dashboards and proactive alerting

Outcome

  • Enterprise-wide compliance visibility — Real-time overview of compliance status across the entire device fleet
  • Automated BIOS lifecycle — From manual updates to fully automated packaging, distribution, and validation
  • Proactive over reactive maintenance — Automated alerting replaces manual monitoring and reduces response times

MFA Migration to Cloud-Native Authentication

Migration from on-premises authentication to cloud-native multi-factor authentication

Problem

The company relied on an on-premises authentication infrastructure for multi-factor authentication. This setup required dedicated server infrastructure and created a dependency on aging components facing deprecation.

What Was Done

  • Configuration backup — Full backup of existing authentication configuration before any changes
  • Authentication routing — Modified authentication policies to route MFA to the cloud platform for staged user groups while preserving on-premises MFA for non-migrated users
  • Staged rollout — Group-based migration for precise control of migration progress
  • Password Hash Sync — Enabled as prerequisite for cloud authentication
  • MFA data migration — Transfer of existing MFA registration data to the cloud platform
  • Testing & validation — Systematic verification of all access scenarios for both migrated and non-migrated users at each stage

Partner Portal Management System

Automated provisioning and management of external partner data shares

What It Does

  • Interactive management tool — Menu-driven PowerShell system for creating hierarchical folder structures for external partners
  • Directory service integration — Automatic creation of security groups with tiered access levels
  • User management — Automated provisioning of external partner user accounts
  • Replication monitoring — Automatic wait for directory replication before permission assignment
  • Audit logging — Complete audit trail of all operations in date-based log files

Email Archive Automation

Secure, automated email archiving to encrypted storage for compliance

Built a PowerShell-based automation tool to securely archive emails to encrypted removable media — addressing legal and compliance requirements for email retention.

  • Media detection — Automatically identifies the designated storage media with polling and user prompts
  • Encryption — Checks encryption status; if needed, initiates drive encryption automatically
  • Network verification — Validates directory service connectivity before encryption operations, with retry logic
  • Archive transfer — Copies email archives to the encrypted media using BITS transfer with progress indication
  • Integrity verification — SHA-256 hash comparison between source and destination to confirm archive integrity; automatic retry on mismatch
  • Code-signed — Script signed with certificate for execution policy compliance