Bulk Intune iOS Content Filter

I had a requirement to block a list of URLs utilizing the iOS content filter. I realized the Intune management UI does not have an upload button.

Please see below for the PowerShell code. The policy must already contain a content filter; this script will not create it.

##Connect to MSGraph
Connect-MSGraph -PSCredential $cred

#GET List of Sites
$BlockList = [string[]](Get-Content c:\temp\weblist.txt)

#Get the Policy we want to update
$Pol = Get-IntuneDeviceConfigurationPolicy | ? DisplayName -eq  "iOS MDM Corporate Features"

#The content filter settings are only in MS Graph Beta, so let's get that version
$URL = $pol.iosDeviceFeaturesConfigurationReferenceUrl -replace "v1.0","beta"
$PolBeta = Invoke-MSGraphRequest -Url $URL

#Create a copy of the filter and add our URLs
$ContentFilter = $PolBeta.contentFilterSettings
$ContentFilter.blockedUrls = $BlockList

#Create our iosDeviceFeaturesConfiguration Shell with the new contentFilter settings
$IOSF = @{
    '@odata.type' = '#microsoft.graph.iosDeviceFeaturesConfiguration' ;
    contentFilterSettings = $ContentFilter
}

#Patch the policy with new config.
Invoke-MSGraphRequest -Url $URL -HttpMethod PATCH -Content $($($IOSF | ConvertTo-Json) -replace "`r`n","" -replace " ","") -Verbose

A little background:

We are using the Microsoft.Graph.Intune PS modules. The contentFilterSettings only exist in the MS Graph beta; I had to get creative to update the policy.
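A pre-flight check for weblist.txt, added here as an example and not part of the original script. Get-ValidatedBlockList is a hypothetical helper; it assumes blocked URLs must be absolute http:// or https:// URLs, and it rejects entries containing whitespace because the PATCH line above strips every space from the JSON body.

```powershell
# Added example. Get-ValidatedBlockList is a hypothetical helper name.
function Get-ValidatedBlockList {
    param([string[]]$Lines)

    $seen     = [System.Collections.Generic.HashSet[string]]::new()
    $accepted = [System.Collections.Generic.List[string]]::new()
    $rejected = [System.Collections.Generic.List[object]]::new()

    foreach ($raw in $Lines) {
        $entry = "$raw".Trim()
        if ($entry -eq '') { continue }   # skip blank lines

        $uri    = $null
        $reason = $null
        if ($entry -match '\s') {
            # The PATCH line removes all spaces, so this entry would be silently altered
            $reason = 'contains whitespace'
        } elseif (-not [System.Uri]::TryCreate($entry, [System.UriKind]::Absolute, [ref]$uri)) {
            $reason = 'not an absolute URL'
        } elseif ($uri.Scheme -notin @('http', 'https')) {
            # Assumption: the filter only accepts http/https URLs
            $reason = "scheme '$($uri.Scheme)' is not http/https"
        } elseif (-not $seen.Add($entry)) {
            $reason = 'duplicate'
        }

        if ($reason) { $rejected.Add([pscustomobject]@{ Entry = $entry; Reason = $reason }) }
        else         { $accepted.Add($entry) }
    }
    [pscustomobject]@{ Accepted = $accepted.ToArray(); Rejected = $rejected.ToArray() }
}

# Constructed sample input standing in for c:\temp\weblist.txt
$sample = @(
    'https://bad.example.com',
    '  http://ads.example.net/track  ',
    'tracker.example.org',
    'https://bad.example.com',
    'http://two words.example.com',
    ''
)
$result = Get-ValidatedBlockList -Lines $sample
$result.Rejected | Format-Table -AutoSize   # review these before patching the policy
$BlockList = [string[]]$result.Accepted     # two URLs survive from the sample
```

Review the rejected entries before patching, since anything dropped here will not be blocked on the devices.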

AADC / Object Cannot Be Found

With Azure AD Connect I was getting the following errors for several objects. “The operation failed because the object cannot be found” and “

Please take two full backups of your database and keep them at two locations. Run the SQL below to list how many errors there are.

select cs.ma_id, ma.[ma_name], count(*) as [count], min([initial_import_error_date]) as [min initial import error date]
from dbo.mms_connectorspace cs
join [dbo].[mms_management_agent] ma
on ma.[ma_id] = cs.[ma_id]
join (
    -- link rows whose metaverse object no longer exists;
    -- cs_object_id is selected because the join below uses it
    SELECT csmv.[cs_object_id]
    ,[mv_object_id]
    ,mv.[object_id] as [mv.object_id]
    FROM [FIMSynchronizationService].[dbo].[mms_csmv_link] csmv
    full outer join [FIMSynchronizationService].[dbo].[mms_metaverse] mv
    on mv.[object_id] = csmv.[mv_object_id]
    where mv.[object_id] is null
) b
on b.cs_object_id = cs.object_id
group by cs.ma_id, ma.[ma_name]
order by count(*) desc

The following code will save the objects with errors to a temporary table and then delete them.

-- Save the orphaned link rows; cs_object_id is selected because the first delete uses it
SELECT csmv.[cs_object_id]
,[mv_object_id]
,mv.[object_id] as [mv.object_id]
into #wehackedit
  FROM [FIMSynchronizationService].[dbo].[mms_csmv_link] csmv
full outer join [FIMSynchronizationService].[dbo].[mms_metaverse] mv
on mv.[object_id] = csmv.[mv_object_id]
where mv.[object_id] is null

-- Remove the connector space objects behind those links
delete from dbo.mms_connectorspace
where object_id in
(select cs_object_id from #wehackedit)

-- Remove the orphaned link rows themselves
delete from dbo.mms_csmv_link
where mv_object_id in
(select [mv_object_id] from #wehackedit)

The credit goes to Joe for this fix

Exchange/Office 365 add domains from EML files to SPAM block list

The script reads EML files from a directory, parses header.from from each one, and adds the domain to the SPAM block list.


Spam Filter

$SpamFolder = "C:\Users\Administrator\Desktop\spam"

$DomainsNeverBlock = @('gmail.com','outlook.com','aol.com','yahoo.com')

$DefaultPolicy = Get-HostedContentFilterPolicy -Identity "Default"

#Stop at the first semicolon so trailing header fields are not captured as part of the domain
$regex = [regex]"header\.from=([^;]*);"

Get-ChildItem -Path $SpamFolder -File | % {
    #Get-Content $_.FullName
    #Take only the first header.from line so -match sets $Matches for this file
    $from = (Get-Content $_.FullName | Select-String 'header.from' | Select-Object -First 1)
    if($from -match $regex) {
        $domain = $Matches[1]
        #-notcontains is case-insensitive, so "Gmail.com" is still protected
        if($DomainsNeverBlock -notcontains $domain) {
            Write-Warning "Blocking Domain $domain"
            $DefaultPolicy | Set-HostedContentFilterPolicy -BlockedSenderDomains @{Add=$domain} -Confirm
        }
    }
}

#Sync Spam Policies
$OnPremPolicy = Get-HostedContentFilterPolicy -Identity "Cloud quarantine for on prem users"
$DefaultPolicy = Get-HostedContentFilterPolicy -Identity "Default"

$OnPremPolicy | Set-HostedContentFilterPolicy -AllowedSenderDomains $DefaultPolicy.AllowedSenderDomains -AllowedSenders $DefaultPolicy.AllowedSenders -BlockedSenders $DefaultPolicy.BlockedSenders -BlockedSenderDomains $DefaultPolicy.BlockedSenderDomains