InforcerCommunity: A PowerShell Module for the Inforcer REST API

March 30, 2026 · updated May 15, 2026 · 10 min read · Roy Klooster

Conditional Access Exchange Online Entra ID Graph API Intune Reports Tools

If you use Inforcer to manage Microsoft 365 baselines, alignment scores, and policies across tenants, you already know the value of a single pane of glass for compliance and policy drift. But automation and scripting often mean wrestling with REST APIs, building your own auth and error handling, and maintaining scripts that break when the API changes. InforcerCommunity is a community PowerShell module that wraps the Inforcer API so you can connect, query tenants, baselines, policies, alignment details, users, and audit events from the command line or from your own scripts - with consistent parameters, sensible defaults, and help that works. This guide explains what it does, how to use it, and how you can contribute or ask for new features.

Table of Contents

What is InforcerCommunity?
What’s New in v0.4.0
Requirements
Installation
- Option 1: From PowerShell Gallery (recommended)
- Option 2: From source (GitHub)
Quick Start
Assessments
Tenant Documentation
Environment Comparison
Key Cmdlets and Use Cases
Output Formats and Filtering
How to Contribute
How to Report Bugs
How to Request a Feature
Conclusion

What is InforcerCommunity?

InforcerCommunity is a PowerShell script module that talks to the Inforcer REST API.

What it gives you:

Connect once, query everything: Authenticate with your Inforcer API key and region, then run cmdlets to list tenants, baselines, policies, alignment details, users, and audit events.
Consistent behavior: All Get-* cmdlets support -Format, -OutputType (PowerShellObject or JsonObject), and -TenantId for filtering. TenantId accepts a numeric ID, Microsoft Tenant ID (GUID), or tenant name.
No secrets in scripts: The API key is stored as a SecureString in the session; you can pass it once via Connect-Inforcer and then run as many commands as you need.
Tab completion and help: Every cmdlet has comment-based help; Get-Help Connect-Inforcer -Full and tab completion on parameters (e.g. -EventType on Get-InforcerAuditEvent) work out of the box.
Pipeline support: Pipe tenants into other cmdlets - e.g. Get-InforcerTenant | Get-InforcerUser or Get-InforcerTenant | Get-InforcerTenantPolicies works out of the box.

Where to find it:

Source code and issues: https://github.com/royklo/InforcerCommunity
PowerShell Gallery: https://www.powershellgallery.com/packages/InforcerCommunity

Community project notice: InforcerCommunity was created by me for the community. It is not owned, endorsed, or maintained by Inforcer. It is an independent, community-driven project to make the Inforcer API easier to use from PowerShell. You use it at your own responsibility.

What’s New in v0.4.0

The headline feature in v0.4.0 is compliance assessments — run assessments like Copilot Readiness, CIS Benchmarks, or Essential Eight against one tenant or all of them at once, and get interactive HTML reports or structured data for automation.

v0.4.0 highlights:

New cmdlet: Get-InforcerAssessment — lists all available assessments (Copilot Readiness, CIS Microsoft 365 Foundations Benchmark, CIS Microsoft Intune for Windows 11 Benchmark, Essential Eight Maturity Level 1, and custom assessments).
New cmdlet: Invoke-InforcerAssessment — runs an assessment against a tenant and returns detailed per-check results with pass/fail status, violations, warnings, and per-object scores. Accepts assessment names ("Copilot Readiness") and tenant names ("Contoso") directly — no need to look up IDs.
Multi-tenant mode: Add -MultiTenant to run the assessment against all your tenants in one command, or pass multiple tenant names (e.g. -TenantId "Contoso","Fabrikam","Woodgrove"). See a compliance summary for every tenant and generate a matrix comparison report.
Interactive HTML reports: -OutputPath report.html generates a self-contained HTML report with collapsible checks, per-object expandable cards showing violations and passes, markdown-rendered remediation steps, search, and filters. Multi-tenant mode generates a full-viewport matrix with sticky columns, horizontal scroll for 100+ tenants, a tenant show/hide dropdown, and a slide-out detail panel.
CSV and JSON export: -OutputPath report.csv for flat data (UTF-8 no-BOM, ready for Excel), -OutputType JsonObject for structured JSON — both single-tenant and multi-tenant.
Async with progress: Long-running assessments show progress updates every 10 seconds with human-readable elapsed time (e.g. “3m 16s”). Multi-tenant runs show per-tenant progress and a total elapsed time at the end.

v0.3.x highlights (included):

Cross-tenant comparison with Compare-InforcerEnvironments — four-tab interactive HTML report with comparison, manual review, duplicates, and deprecated settings.
Cross-category reconciliation — settings delivered via different Intune template types (Endpoint Security vs Settings Catalog) are now correctly matched by DefinitionId.
Baseline-scoped comparison — compare only policies in a specific baseline instead of the entire tenant.
Export-InforcerTenantDocumentation — HTML, Markdown, and Excel output formats with Settings Catalog resolution, Graph integration, baseline and tag filtering.
Get-InforcerGroup and Get-InforcerRole — Entra ID groups (with search, filter, pagination, and member detail) and directory role definitions.
Settings Catalog resolution — automatically downloaded and cached from IntuneSettingsCatalogData.
Connection cmdlets — Connect-Inforcer supports -FetchGraphData for Microsoft Graph and -PassThru for cross-account workflows.

Requirements

PowerShell 7.0 or later (Windows, macOS, or Linux).
An Inforcer API key from your Inforcer tenant (Configure > REST API > New API Key).

Installation

Option 1: From PowerShell Gallery (recommended)

Install-Module -Name InforcerCommunity -Scope CurrentUser

Option 2: From source (GitHub)

git clone https://github.com/royklo/InforcerCommunity.git
cd InforcerCommunity
Import-Module ./module/InforcerCommunity.psd1 -Force

Important: When loading from source, always run Import-Module from the repository root and use the path ./module/InforcerCommunity.psd1. If you see errors about a missing file or wrong path, make sure you are in the InforcerCommunity repo root.

Quick Start

After installing the module:

# Connect with your API key (region: uk, eu, us, or anz)
Connect-Inforcer -ApiKey "your-api-key" -Region uk

# List all tenants you have access to
Get-InforcerTenant

# Get alignment details in table format
Get-InforcerAlignmentDetails

# Get users for a tenant (by name, numeric ID, or GUID)
Get-InforcerUser -TenantId "Contoso"

# Get policies for a specific tenant
Get-InforcerTenantPolicies -TenantId 482

# Disconnect when done
Disconnect-Inforcer

You can use Get-Help <CmdletName> -Full for parameters and examples (e.g. Get-Help Get-InforcerUser -Full).

Assessments

Inforcer provides compliance assessments that evaluate your tenant against industry frameworks and readiness checks — things like Copilot Readiness, CIS Microsoft 365 Foundations Benchmark, CIS Microsoft Intune for Windows 11 Benchmark, and Essential Eight Maturity Level 1. With InforcerCommunity, you can run these assessments from the command line and get structured results you can automate with.

Single-Tenant Assessment

Run an assessment against one tenant and see every check with its pass/fail status:

# List available assessments
Get-InforcerAssessment

# Run Copilot Readiness against a tenant (by name)
Invoke-InforcerAssessment -TenantId "Contoso" -AssessmentId "Copilot Readiness"

The output shows a compliance summary followed by each check as a pipeline object:

  Copilot Readiness — 76.2% compliant (16/21 checks passed)

Status           : Pass
name             : Enable Conditional Access policies to block legacy authentication
category         : Entra
subCategory      : Conditional Access
importance       : High
ObjectsEvaluated : 13
FindingsMessage  : 1 out of 13 object(s) are fully-compliant with this check
Scores           : {@{objectId=de66f385...; score=100; objectName=Core - Block - Legacy Authentication; ...}, ...}

Each check includes a Scores property with per-object detail — which Conditional Access policy passed, which failed, and why. You can drill into this:

$results = Invoke-InforcerAssessment -TenantId "Contoso" -AssessmentId "Copilot Readiness"

# See only failed checks
$results | Where-Object Status -eq 'Fail'

# Table view
$results | Format-Table Status, name, category, importance

# Drill into violations for a specific check
$results[1].Scores | Where-Object { $_.violations.Count -gt 0 } | Select-Object objectName, score, violations

Generate an interactive HTML report with one parameter:

Invoke-InforcerAssessment -TenantId "Contoso" -AssessmentId "Copilot Readiness" -OutputPath ./copilot-report.html

The HTML report includes a navy cover banner, compliance score ring, collapsible check cards grouped by category (Entra, Exchange, M365, Purview, SharePoint), per-object expandable cards showing violations and passes, and markdown-rendered description and remediation steps. Everything is self-contained — no external dependencies, works offline.

Multi-Tenant Assessment Matrix

The real power comes when you run an assessment across all your tenants at once:

# Run against all tenants
Invoke-InforcerAssessment -AssessmentId "Copilot Readiness" -MultiTenant -OutputPath ./matrix.html

# Or pick specific tenants by name
Invoke-InforcerAssessment -TenantId "Contoso","Fabrikam","Woodgrove" -AssessmentId "Copilot Readiness" -OutputPath ./matrix.html

The cmdlet runs each tenant sequentially with progress updates:

Multi-tenant assessment: 'Copilot Readiness' across 10 tenant(s)

[1/10] Running 'Copilot Readiness' against Contoso...
  Still running... 10s elapsed
  Completed in 14s.
[2/10] Running 'Copilot Readiness' against Fabrikam...
  Still running... 3m 10s elapsed
  Completed in 3m 16s.
...

All assessments complete. 10 tenant(s) processed in 16m 18s.
  Contoso — 76.2% (16/21)
  Fabrikam — 42.9% (9/21)
  Woodgrove — 38.1% (8/21)
  ...

The matrix HTML report is a full-viewport interactive dashboard: a sticky left column with check names that stays visible while you scroll horizontally across tenant columns, each showing a pass/fail indicator. A tenant filter dropdown lets you show or hide specific tenants (useful when you have 100+ tenants and want to focus on a subset). Click “Details” on any check to open a slide-out panel with the description, impact, and rationale. Category rows group checks by Entra, Exchange, M365, Purview, and SharePoint. Search and status filters (All, Has Failures, All Passed) work across the entire matrix.

Assessment Export Options

All export formats work for both single-tenant and multi-tenant:

# HTML report (single or matrix)
Invoke-InforcerAssessment -TenantId "Contoso" -AssessmentId "Copilot Readiness" -OutputPath ./report.html

# CSV for Excel or automation (multi-tenant includes Tenant column)
Invoke-InforcerAssessment -AssessmentId "Copilot Readiness" -MultiTenant -OutputPath ./matrix.csv

# JSON for webhooks, APIs, or further processing
Invoke-InforcerAssessment -AssessmentId "Copilot Readiness" -MultiTenant -OutputType JsonObject

# Pipeline for PowerShell automation (each check has TenantName in multi-tenant mode)
Invoke-InforcerAssessment -AssessmentId "Copilot Readiness" -MultiTenant |
    Where-Object Status -eq 'Fail' |
    Group-Object TenantName |
    Select-Object Name, Count

Tenant Documentation

The new Export-InforcerTenantDocumentation cmdlet generates comprehensive documentation for an entire tenant in one command:

# Generate HTML documentation (opens in browser automatically)
Export-InforcerTenantDocumentation -TenantId "Contoso" -Format Html

# Generate HTML and Excel, with Graph enrichment for group/filter names
Connect-Inforcer -ApiKey "your-api-key" -Region uk -FetchGraphData
Export-InforcerTenantDocumentation -TenantId "Contoso" -Format Html,Excel -OutputPath C:\Reports

# Export only policies from a specific baseline
Export-InforcerTenantDocumentation -TenantId 139 -Baseline "Inforcer Blueprint Baseline - Tier 1" -Format Html

# Filter by tag
Export-InforcerTenantDocumentation -TenantId "Contoso" -Tag "Production" -Format Markdown

HTML output is a self-contained file with no external dependencies — you can email it, archive it, or open it offline. It includes:

Collapsible Product > Category > Policy navigation in a sidebar
Real-time search with text highlighting
Dark/light mode toggle (persisted in localStorage)
Tag filter pills with AND/OR logic
Hide empty fields and show metadata toggles
Collapsible long values and a back-to-top button

Excel output creates a workbook with one sheet per product area. Each row is a policy with columns for category, name, description, platform, settings, and assignments — ready for filtering and analysis.

Markdown output generates a GFM-compatible document with a table of contents and per-policy tables — useful for including in wikis or version-controlled documentation.

Environment Comparison

The new Compare-InforcerEnvironments cmdlet compares two tenants’ Intune configurations and generates an interactive HTML report:

# Compare two tenants in the same Inforcer account
Compare-InforcerEnvironments -SourceTenantId "Contoso" -DestinationTenantId "Fabrikam"

# Compare across different Inforcer accounts with Graph enrichment
$src = Connect-Inforcer -ApiKey $key1 -Region uk -PassThru
$dst = Connect-Inforcer -ApiKey $key2 -Region eu -PassThru
Compare-InforcerEnvironments -SourceTenantId 482 -DestinationTenantId 139 `
    -SourceSession $src -DestinationSession $dst -FetchGraphData

The HTML report includes four tabs:

Comparison — flat table of all Settings Catalog settings with sortable columns, status filter pills (Matched/Conflicting/Source Only/Dest Only), category dropdown, and advanced column filters with AND/OR logic
Manual Review — non-Settings-Catalog policies (compliance, enrollment, scripts) in a 50/50 source/destination layout grouped by platform. Matching policy names are aligned side-by-side. Scripts and compliance rules are shown as collapsible code blocks with syntax highlighting
Duplicates — settings configured in two or more policies with different values, with automated conflict analysis
Deprecated — settings flagged as deprecated by Microsoft, grouped by source and destination

The report also features an animated configuration match score (with confetti at 100%), dark/light mode toggle, column resize handles, and a responsive layout. Like the Export report, the HTML is fully self-contained with no external dependencies.

Key Cmdlets and Use Cases

Cmdlet	What it does
`Connect-Inforcer`	Establishes a secure connection to the Inforcer API (ApiKey, Region or BaseUrl). Supports `-PassThru` for cross-account workflows.
`Disconnect-Inforcer`	Clears the session and disconnects.
`Test-InforcerConnection`	Verifies the current API connection.
`Get-InforcerTenant`	Lists tenants; optional `-TenantId` to return a single tenant.
`Get-InforcerBaseline`	Retrieves baseline groups and members.
`Get-InforcerTenantPolicies`	Retrieves policies for a given tenant.
`Get-InforcerAlignmentDetails`	Retrieves alignment scores or per-policy alignment details (optional `-TenantId`, `-BaselineId`, `-Tag`).
`Get-InforcerAuditEvent`	Retrieves audit events (optional `-EventType`, date range, paging).
`Get-InforcerSupportedEventType`	Lists supported audit event types (used for tab completion).
`Get-InforcerUser`	Lists/searches users or gets full user detail by ID (optional `-Search`, `-MaxResults`, `-UserId`).
`Get-InforcerGroup`	Retrieves Entra ID groups (list with search/filter/pagination, or detail by name/GUID with members).
`Get-InforcerRole`	Retrieves Entra ID directory role definitions (built-in, enabled, privileged).
`Export-InforcerTenantDocumentation`	Generates tenant documentation in HTML, Markdown, or Excel (optional `-Baseline`, `-Tag`, `-FetchGraphData`).
`Compare-InforcerEnvironments`	Compares two tenants’ Intune configuration and generates an interactive HTML comparison report.
`Get-InforcerAssessment`	Lists available assessments (Copilot Readiness, CIS Benchmarks, Essential Eight, etc.).
`Invoke-InforcerAssessment`	Runs an assessment against one or more tenants. Supports `-MultiTenant`, `-OutputPath` (HTML/CSV), `-OutputType JsonObject`.

Typical workflows:

Tenant and policy overview: Connect-Inforcer -> Get-InforcerTenant -> Get-InforcerTenantPolicies -TenantId "Contoso" to inspect a specific tenant’s policies.
Alignment and drift: Get-InforcerAlignmentDetails for score summaries; Get-InforcerAlignmentDetails -BaselineId "Tier 0" for per-policy detail.
User overview: Get-InforcerUser -TenantId "Contoso" for a user list; Get-InforcerUser -TenantId 139 -UserId "8e61ce11-..." for full detail including groups, roles, devices, and risk.
Audit and compliance: Get-InforcerAuditEvent with optional -EventType (tab completion for event types), -DateFrom, -DateTo, and paging parameters.
Tenant documentation: Export-InforcerTenantDocumentation -TenantId "Contoso" -Format Html,Excel to generate a complete configuration snapshot.
Environment comparison: Compare-InforcerEnvironments -SourceTenantId "Contoso" -DestinationTenantId "Fabrikam" to see every difference between two tenants.
Group and role lookup: Get-InforcerGroup -TenantId 139 -Search "Finance" for groups, Get-InforcerRole -TenantId 139 | Where-Object IsPrivileged -eq $true for privileged roles.
Compliance assessment: Invoke-InforcerAssessment -TenantId "Contoso" -AssessmentId "Copilot Readiness" to check a single tenant, or add -MultiTenant -OutputPath matrix.html for a cross-tenant matrix report.
Pipeline: Get-InforcerTenant -TenantId 139 | Get-InforcerUser to list users for a piped tenant.

For full parameter details and example output, see the Cmdlet Reference in the repository.

Output Formats and Filtering

-Format: Most Get-* cmdlets support Table or Raw (e.g. for alignment details).
-OutputType: PowerShellObject (default) or JsonObject (JSON with depth 100) for piping into other tools or export.
-TenantId: Accepts a numeric Client Tenant ID, a Microsoft Tenant ID (GUID), or a tenant name (case-insensitive match). Use it on Get-InforcerTenant, Get-InforcerTenantPolicies, Get-InforcerAlignmentDetails, Get-InforcerUser, and others.

# Example: export all tenants as JSON for use elsewhere
Get-InforcerTenant -OutputType JsonObject | Out-File tenants.json -Encoding utf8

# Example: search users by name
Get-InforcerUser -TenantId "Contoso" -Search "Adele"

# Example: get full user detail as JSON
Get-InforcerUser -TenantId 139 -UserId "8e61ce11-a45b-42a6-8ca4-1d881781566d" -OutputType JsonObject

How to Contribute

Contributions are welcome. The project uses a standard fork-and-pull-request workflow:

Fork the repository on GitHub: https://github.com/royklo/InforcerCommunity.
Clone your fork and create a branch (e.g. feature/your-feature-name or fix/bug-description).
Make your changes under module/ (see CONTRIBUTING.md for code style and the consistency contract - parameter order, -Format/-OutputType, property names, etc.).
Run tests from the repo root: Invoke-Pester ./Tests/Consistency.Tests.ps1.
Commit and push to your fork, then open a pull request against the main repository. Fill in the PR template (summary, how to test, related issue if any).

New cmdlets must be added to module/Public/, registered in FunctionsToExport in the manifest, and documented in docs/CMDLET-REFERENCE.md. The consistency tests must be updated if you add or change exported cmdlets or key parameters.

How to Report Bugs

If something doesn’t work as expected:

Go to New issue.
Choose Bug report.
Fill in:

Description: What went wrong?

Steps to reproduce: Exact commands or steps.
Expected behavior: What you expected.
Actual behavior: What happened instead (including any error messages).
Environment: PowerShell version, OS, and module version (e.g. Get-Module InforcerCommunity | Select-Object Version).
Additional context: Logs, screenshots, or other details.

This helps maintainers and the community reproduce and fix issues quickly.

How to Request a Feature

Have an idea for a new cmdlet, parameter, or behaviour?

Go to New issue.
Choose Feature request.
Describe:

The feature you’d like (e.g. a new endpoint, a new parameter, or a different output shape).

The use case (why it would help you or others).
If you have one, a proposed solution (e.g. cmdlet name, parameters, example usage).

Not every request can be implemented immediately, but all are read and considered; they also help others discover and discuss ideas.

Conclusion

InforcerCommunity turns the Inforcer API into a set of PowerShell cmdlets you can use interactively or in scripts: connect once, then list tenants, baselines, policies, alignment details, users, groups, roles, and audit events with consistent parameters and output. Run compliance assessments like Copilot Readiness and CIS Benchmarks against one tenant or all of them at once, with interactive HTML matrix reports that let you compare compliance across your entire estate. Generate complete tenant documentation in HTML, Markdown, or Excel. Compare two tenants’ Intune configurations side-by-side with an interactive report that shows every difference, duplicate, and deprecated setting. Use tenant names instead of IDs, pipe results between cmdlets, and export to CSV or JSON for integration with other tools and automation pipelines. It’s a community project, not owned or maintained by Inforcer; feedback, bug reports, and feature requests from users like you shape what comes next. Install it from the PowerShell Gallery, try the quick start, and if you hit a bug or have an idea, open an issue or send a pull request.

The MSP License Ladder #1: The Hunting Gap — why MSPs need Defender for Endpoint Plan 2, with a multi-tenant hunting script.
RKSolutions PowerShell Module — another PowerShell module for M365 reporting across Intune, Entra ID, and license management.

← back to all posts next: RKSolutions PowerShell Module →