AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

Error when trying to load device information from Intune via Graph API. #1261

Closed AndreasRybin closed 4 years ago

AndreasRybin commented 4 years ago

Library

Framework

Description

Error when trying to load device information from Intune via Graph API.

When using the msal-azure library for calling the Graph API endpoint https://graph.microsoft.com/v1.0/deviceManagement/managedDevices I get the below error message in the browser console. When I try to call a different endpoint like /users everything works and I get the users in the response.

{
  "error": {
    "code": "UnknownError",
    "message": "{\"ErrorCode\":\"Forbidden\",\"Message\":\"{\\r\\n  \\\"_version\\\": 3,\\r\\n  \\\"Message\\\": \\\"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 2f4hj74r-f5d3-4529-9441-c6e6543b2133 - Url: https://fef.msub02.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices?api-version=2018-05-24\\\",\\r\\n  \\\"CustomApiErrorPhrase\\\": \\\"\\\",\\r\\n  \\\"RetryAfter\\\": null,\\r\\n  \\\"ErrorSourceService\\\": \\\"\\\",\\r\\n  \\\"HttpHeaders\\\": \\\"{\\\\\\\"WWW-Authenticate\\\\\\\":\\\\\\\"Bearer realm=\\\\\\\\\\\\\\\"urn:intune:service,2f4hj74r-2e37-4c56-87b5-7b444ee1cb26,2f4hj74r-59bf-4f0d-b1b2-0ef84ddfe3c7\\\\\\\\\\\\\\\"\\\\\\\"}\\\"\\r\\n}\",\"Target\":null,\"Details\":null,\"InnerError\":null,\"InstanceAnnotations\":[]}",
    "innerError": {
      "request-id": "2f4hj74r-f5d3-4529-9441-c6e6543b2133",
      "date": "2020-02-03T09:53:34"
    }
  }
}

Configuration

[MsalModule.forRoot({
  clientID: environment.MSAL_CLIENT_ID,
  authority: environment.MSAL_AUTHORITY,
  validateAuthority: true,
  redirectUri: environment.MSAL_REDIRECT_URL,
  cacheLocation: environment.MSAL_CACHE_LOCATION,
  storeAuthStateInCookie: isIE,
  postLogoutRedirectUri: environment.MSAL_POST_LOGOUT_URL,
  navigateToLoginRequestUrl: true,
  popUp: !isIE,
  consentScopes: ['user.read.all', 'deviceManagementManagedDevices.read.all', 'user.read', 'Directory.AccessAsUser.All'],
  protectedResourceMap,
  // logger: loggerCallback,
  correlationId: '1234',
  piiLoggingEnabled: true
})]

export const protectedResourceMap: [string, string[]][] = [
  ['https://graph.microsoft.com/v1.0/users', ['user.readbasic.all']],
  ['https://graph.microsoft.com/v1.0/me', ['user.read', 'user.read.all']],
  ['https://graph.microsoft.com/v1.0/deviceManagement/managedDevices', ['DeviceManagementManagedDevices.Read.All']]
];

Azure AD

(image attached in the original issue; not reproduced here)

Reproduction steps

  1. User is successfully logged in to the application.
  2. Calling the Graph API with the endpoint https://graph.microsoft.com/v1.0/deviceManagement/managedDevices
  3. Result is the error message above.

Expected behavior

Get all Devices from Intune. Like calling the /users endpoint.

DarylThayil commented 4 years ago

were you able to successfully acquire an access token?
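The two checks behind the question above, as an added example (this is not code from MSAL, from the issue, or from Microsoft): unwrapping the Intune error that Graph returned, which is JSON nested three levels deep inside the `message` string, and decoding the acquired access token to confirm that the scope the managedDevices call needs is actually present in its `scp` claim. A `Forbidden` from the backend means the request carried a token that was accepted but did not authorize the operation, so the token's scope list and the `WWW-Authenticate` realm the backend demanded are the first things to read. The sample error and tokens below are constructed to mirror the shape of the data in the issue; every GUID and the `fef.example.manage.microsoft.com` host are placeholders, and the tokens are unsigned (`alg: none`) only so the payload can be decoded offline.

```javascript
// Added diagnostic helpers (not part of MSAL or the original issue).
// Node.js is assumed for Buffer; in a browser, swap Buffer for atob()/btoa().

// 1. Graph wraps the Intune backend error as JSON-in-a-string three levels deep:
//    error.message -> {ErrorCode, Message} -> Message -> {Message, HttpHeaders} -> HttpHeaders -> {...}
function unwrapGraphError(graphError) {
  const outer = JSON.parse(graphError.error.message);
  const inner = JSON.parse(outer.Message);
  const headers = inner.HttpHeaders ? JSON.parse(inner.HttpHeaders) : {};
  const wwwAuth = headers["WWW-Authenticate"] || "";
  const realm = /realm="([^"]*)"/.exec(wwwAuth);
  const url = /Url: (\S+)/.exec(inner.Message || "");
  return {
    graphCode: graphError.error.code,        // "UnknownError": Graph could not map the backend status
    backendCode: outer.ErrorCode,            // the real HTTP-level result, e.g. "Forbidden"
    requestId: graphError.error.innerError ? graphError.error.innerError["request-id"] : null,
    backendUrl: url ? url[1] : null,         // which Intune front-end actually rejected the call
    realm: realm ? realm[1] : null,          // the resource the backend wanted the token issued for
  };
}

// 2. Read the claims of an access token without verifying it. Verification is
//    the resource's job; the client only needs aud and scp to debug consent.
function b64urlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64 + "=".repeat((4 - (b64.length % 4)) % 4), "base64").toString("utf8");
}
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected header.payload.signature)");
  return JSON.parse(b64urlDecode(parts[1]));
}
// Compare delegated scopes case-insensitively and report exactly what is missing.
function tokenHasScopes(token, requiredScopes) {
  const payload = decodeJwtPayload(token);
  const granted = new Set((payload.scp || "").toLowerCase().split(" ").filter(Boolean));
  const missing = requiredScopes.filter((s) => !granted.has(s.toLowerCase()));
  return { audience: payload.aud, granted: [...granted], missing, ok: missing.length === 0 };
}

// --- Constructed sample data (placeholder IDs and host, not real values) -----
const SAMPLE_HEADERS = JSON.stringify({
  "WWW-Authenticate": 'Bearer realm="urn:intune:service,00000000-0000-0000-0000-000000000001"',
});
const SAMPLE_INNER = JSON.stringify({
  _version: 3,
  Message: "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000" +
    " - Activity ID: 00000000-0000-0000-0000-000000000002" +
    " - Url: https://fef.example.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices?api-version=2018-05-24",
  CustomApiErrorPhrase: "", RetryAfter: null, ErrorSourceService: "", HttpHeaders: SAMPLE_HEADERS,
});
const SAMPLE_GRAPH_ERROR = {
  error: {
    code: "UnknownError",
    message: JSON.stringify({ ErrorCode: "Forbidden", Message: SAMPLE_INNER, Target: null, Details: null, InnerError: null, InstanceAnnotations: [] }),
    innerError: { "request-id": "00000000-0000-0000-0000-000000000002", date: "2020-02-03T09:53:34" },
  },
};

// Unsigned (alg "none") tokens so the payload can be decoded offline; never accept such a token server-side.
function makeUnsignedJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.`;
}
const GRAPH_AUD = "https://graph.microsoft.com";
const REQUIRED_SCOPES = ["DeviceManagementManagedDevices.Read.All"];
// Token consented only for the scopes that make /users work:
const TOKEN_USERS_ONLY = makeUnsignedJwt({ aud: GRAPH_AUD, scp: "User.Read User.ReadBasic.All", upn: "user@example.com" });
// Token that also carries the Intune scope:
const TOKEN_WITH_INTUNE = makeUnsignedJwt({ aud: GRAPH_AUD, scp: "User.Read User.ReadBasic.All DeviceManagementManagedDevices.Read.All", upn: "user@example.com" });

if (typeof require !== "undefined" && require.main === module) {
  console.log(unwrapGraphError(SAMPLE_GRAPH_ERROR));
  console.log(tokenHasScopes(TOKEN_USERS_ONLY, REQUIRED_SCOPES));   // ok: false, missing the Intune scope
  console.log(tokenHasScopes(TOKEN_WITH_INTUNE, REQUIRED_SCOPES));  // ok: true
}
```

In a real session, pass the token MSAL handed back (for msal-angular v1 this is what `acquireTokenSilent` resolves with) to `tokenHasScopes` and the parsed error body from the failed Graph call to `unwrapGraphError`. If the scope is missing from `scp`, the fix is on the consent side (the scope was never granted, or needs admin consent), not in the request; if the scope is present and the backend still answers `Forbidden`, the signed-in user's Intune role or license is the next thing to check.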

jasonnutter commented 4 years ago

Closing due to inactivity, let us know if this is still an issue.