MSEndpointMgr / IntuneWin32App

Provides a set of functions to manage all aspects of Win32 apps in Microsoft Intune.
MIT License

[MC736429] the global Microsoft Intune PowerShell application (client) ID based authentication method is being removed. #156

Open Basti890 opened 2 months ago

Basti890 commented 2 months ago

Today I was informed by our company's Entra ID admin that the Intune PowerShell application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547) will be removed by Microsoft?

Here is the message:

As mentioned in MC721851, last year we announced a new Microsoft Intune GitHub repository (https://aka.ms/Intune/Scripts-blog) based on the Microsoft Graph SDK-based PowerShell module. The legacy Microsoft Intune PowerShell sample scripts GitHub repository is now read-only. Additionally, starting on or after April 1, 2024, due to updated authentication methods in the Graph SDK-based PowerShell module, the global Microsoft Intune PowerShell application (client) ID based authentication method is being removed.

[How this will affect your organization:] If you are using the Intune PowerShell application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547), you will need to update your scripts with a Microsoft Entra ID registered application ID to prevent your scripts from breaking.

[What you need to do to prepare:] Before April 1, 2024, update your PowerShell scripts by: Creating a new app registration in the Microsoft Entra admin center. For detailed instructions, read: Quickstart: Register an application with the Microsoft identity platform (https://learn.microsoft.com/entra/identity-platform/quickstart-register-app). Update scripts containing the Intune application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547) with the new application ID created in step 1.

Are you aware of these changes?

x907 commented 2 months ago

Scripts with references to the old app id.

\IntuneWin32App-master\Development\Save-IntuneWin32AppContent.ps1
\IntuneWin32App-master\Public\Connect-MSIntuneGraph.ps1

MichaelGerman commented 2 months ago

We got the following announcement in our Intune tenant:

We've detected a Microsoft Intune PowerShell script issue in your environment
User impact: If action isn't taken, PowerShell scripts may break.
Current Status: If you are using the Intune PowerShell application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547), you will need to update your scripts before May 6 with a different Microsoft Entra ID registered application ID to prevent your PowerShell scripts from breaking. Microsoft has replaced the GitHub repository using the old application ID d1ddf0e4-d672-4dae-b554-9d5bdfd93547 with a new repository...

blimpz commented 2 months ago

It is possible to use your own application by doing: Connect-MSIntuneGraph -TenantID $TenantID -ClientID $ClientID -ClientSecret $ClientSecret

I am not sure on the least access permission but the one I tested this with had:

  • DeviceManagementApps.Read.All
  • DeviceManagementApps.ReadWrite.All
  • DeviceManagementManagedDevices.Read.All
  • DeviceManagementManagedDevices.ReadWrite.All

twelch-ricohnz commented 2 months ago

It appears that Connect-MSIntuneGraph is failing on most tenants now.

I've tried creating an application as per here but despite retrieving an access token Add-IntuneWin32App fails with Forbidden errors despite the application seemingly having the same permissions.

This is significantly impacting us as it has broken all our Intune application deployments.

VERBOSE: POST https://graph.microsoft.com/Beta/deviceAppManagement/mobileApps
WARNING: An error occurred while creating the Win32 application. Error message: UnknownError: {"ErrorCode":"Forbidden","Message":"{\r\n  \"_version\": 3,\r\n  \"Message\": \"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 9ac8ae62-7e74-4777-9d37-17aeaf202201 - Url: https://fef.msuc03.manage.microsoft.com/AppLifecycle_2404/StatelessAppMetadataFEService/deviceAppManagement/mobileApps?api-version=5024-03-08\",\r\n  \"CustomApiErrorPhrase\": \"\",\r\n  \"RetryAfter\": null,\r\n  \"ErrorSourceService\": \"\",\r\n  \"HttpHeaders\": \"{\\\"WWW-Authenticate\\\":\\\"Bearer realm=\\\\\\\"urn:intune:service,9225b241-44e1-44a8-8bfe-c10e39177505,3e9c57b9-808d-4aa0-9500-4b2d369279e7\\\\\\\"\\\"}\"\r\n}","Target":null,"Details":null,"InnerError":null,"InstanceAnnotations":[]}

Ekrist3 commented 2 months ago

We have the same issue: the Microsoft Intune PowerShell app registration has been revoked by Microsoft.

Marcel-Blokland commented 2 months ago

Create a new app registration or use the "new default" app registration. Look up the client ID from the app registration, with the same settings as the revoked one.

Connect to Microsoft Intune Graph

Connect-MSIntuneGraph -TenantID "yourtenant.onmicrosoft.com" -ClientID "yourappregistrationid"

Then you can connect again.

apmurdoch commented 2 months ago

It is possible to use your own application by doing: Connect-MSIntuneGraph -TenantID $TenantID -ClientID $ClientID -ClientSecret $ClientSecret

I am not sure on the least access permission but the one I tested this with had:

  • DeviceManagementApps.Read.All
  • DeviceManagementApps.ReadWrite.All
  • DeviceManagementManagedDevices.Read.All
  • DeviceManagementManagedDevices.ReadWrite.All

Thanks for this @blimpz! We are back up and running again.

I can confirm that using an application with only:

I was able to create an app, get a list of all apps, supersede a previous version, and assign the app to groups whose IDs I had passed.

I would assume that if you want to look up groups and members you would need to add Directory.Read.All

Other functions may need DeviceManagementManagedDevices.Read(/Write).All if your script performs other actions - but I think for this module at least, DeviceManagementApps is enough.

twelch-ricohnz commented 2 months ago

Confirming that a new application with permissions assigned as Application gives me the same access as previously.

NOTE that many commenters have specified to duplicate the existing Microsoft Intune PowerShell application, but this has permissions assigned as type Delegated which gives a token but does not work.

I'm still finding that Add-IntuneWin32App fails with

WARNING: Failed to finalize Azure Storage blob upload. Error message: The given key 'Content-Type' was not present in the dictionary.

but switching to PowerShell 5.1 it works.
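The distinction twelch-ricohnz describes (a token is issued, but the app only has Delegated permissions, so Intune rejects the calls) is visible in the token itself: application permissions appear in the "roles" claim, delegated permissions in the "scp" claim. The following check is an added example, not code from the IntuneWin32App module or from any commenter; it decodes the token payload locally and lists which required roles are absent. It assumes you pass the raw bearer token string; the comment at the end assumes the module keeps its MSAL result in $Global:AccessToken, which is an assumption about the module's internals.

```powershell
# Added example, not part of the IntuneWin32App module: decode an access token's
# payload and report whether it carries application permissions ("roles" claim)
# or only delegated permissions ("scp" claim). Intune's app management endpoints
# used by the module need application roles, so a token with only "scp" is rejected.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token -split '\.'
    if ($parts.Count -lt 2) { throw "Not a JWT: expected header.payload.signature" }
    # The payload is base64url: swap the URL-safe alphabet back and restore '=' padding
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Test-IntuneTokenPermissions {
    param(
        [Parameter(Mandatory)][string]$Token,
        # Roles the thread reports as needed: apps for the module, groups for assignments
        [string[]]$RequiredRoles = @('DeviceManagementApps.ReadWrite.All', 'Group.Read.All')
    )
    $claims = Get-JwtPayload -Token $Token
    $roles   = if ($claims.roles) { @($claims.roles) } else { @() }
    $scopes  = if ($claims.scp)   { @($claims.scp -split ' ') } else { @() }
    $missing = @($RequiredRoles | Where-Object { $_ -notin $roles })

    # "Application" when the token was issued to the app itself (client secret or certificate),
    # "Delegated" when it was issued on behalf of a signed-in user
    $permissionType = if ($roles.Count -gt 0 -and $scopes.Count -eq 0) { 'Application' }
                      elseif ($scopes.Count -gt 0) { 'Delegated' }
                      else { 'None' }

    [PSCustomObject]@{
        Audience       = $claims.aud
        AppId          = $claims.appid
        PermissionType = $permissionType
        Roles          = $roles
        Scopes         = $scopes
        MissingRoles   = $missing
        ExpiresUtc     = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    }
}

# Usage after Connect-MSIntuneGraph (assumption: the module stores the MSAL result in
# $Global:AccessToken; any raw bearer token string works here):
# Test-IntuneTokenPermissions -Token $Global:AccessToken.AccessToken | Format-List
```

If PermissionType comes back as Delegated and MissingRoles is non-empty, the app registration has the permission configured as Delegated rather than Application, or admin consent for the Application permission has not been granted; the token is valid, but Intune will answer with the Forbidden errors quoted in this thread.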

Ath3na-UK commented 2 months ago

Working for me fine with 5.1

jason-nyc commented 2 months ago

Same. Connect-MSIntuneGraph fails with "Application with identifier 'd1ddf0e4-d672-4dae-b554-9d5bdfd93547' was not found". This has broken our deployments, so we are unable to deploy until it gets resolved. From what we gather, Connect-MSIntuneGraph has a reliance on the above ID, which was published years ago by Microsoft as a kind of PowerShell sample code. And now Microsoft has blocked this identifier.

The workaround seems to be for administrators to create an application. I tried a few things but couldn't get it working. If someone can document the steps that would be very helpful. Ideally, the codebase should include a method for creating the application with the 'correct' permission, if not in-line, then at least as a utility function.

twelch-ricohnz commented 2 months ago

Run my script here which will create an Azure application called "IntuneWin32App" and add the permissions... DeviceManagementApps.ReadWrite.All and DeviceManagementConfiguration.ReadWrite.All

You'll need the PowerShell module Microsoft.Graph installed to run it successfully

hotzenwalder commented 2 months ago

It works for the most part, but when checking or changing the Category I still get an error, so we probably need more API permissions:

WARNING: Graph request failed with status code '401 (Unauthorized)'. Error details: UnknownError - {"ErrorCode":"Forbidden","Message":"{\r\n \"_version\": 3,\r\n \"Message\": \"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: d6e7b4ab-0199-45a0-98ee-22248f2117e3 - Url: https://fef.msub07.manage.microsoft.com/AppLifecycle_2404/StatelessAppMetadataFEService/deviceAppManagement/mobileAppCategories?api-version=5024-03-08&$filter=displayName+eq+%27Web+Browsers%27\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{\\\"WWW-Authenticate\\\":\\\"Bearer

The documentation says we need DeviceManagementApps.ReadWrite.All, but these are already added (Delegated/Application, consent for the whole tenant).

jaspain commented 1 month ago

I also ran into this as described at Plan for Change: Update your PowerShell scripts with a Microsoft Entra ID registered app ID. I found that the only MS Graph permission required for my use case was DeviceManagementApps.ReadWrite.All, but that application permissions were required. Delegated permissions did not work.

Hardexit commented 1 month ago

I have also just encountered the problem. How do I have to set up the app so that it works again? I have created an app, added a client secret and given it the DeviceManagementApps.ReadWrite.All Application API permission, but I still get error messages when executing the commands:

Get-IntuneWin32App -DisplayName "7-zip"
WARNING: Graph request failed with status code '401 (Unauthorized)'. Error details: UnknownError - {"ErrorCode":"Forbidden","Message":"{\r\n  \"_version\": 3,\r\n  \"Message\": \"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: f48ecac5-fe6b-4b5f-a40e-a64e60503fe0 - Url: https://fef.amsub0502.manage.microsoft.com/AppLifecycle_2405/StatelessAppMetadataFEService/deviceAppManagement/mobileApps?api-version=5024-03-08&$filter=isof(%27microsoft.management.services.api.win32LobApp%27)\",\r\n  \"CustomApiErrorPhrase\": \"\",\r\n  \"RetryAfter\": null,\r\n  \"ErrorSourceService\": \"\",\r\n  \"HttpHeaders\": \"{\\\"WWW-Authenticate\\\":\\\"Bearer realm=\\\\\\\"urn:intune:service,9225b241-44e1-44a8-8bfe-c10e39177505,3e9c57b9-808d-4aa0-9500-4b2d369279e7\\\\\\\"\\\"}\"\r\n}","Target":null,"Details":null,"InnerError":null,"InstanceAnnotations":[]}
WARNING: Query for Win32 apps returned an empty result, no apps matching type 'win32LobApp' was found in tenant

// Edit: OK, I forgot to press the "Grant admin consent for xxx" button.

MichaelGerman commented 1 month ago

To use the IntuneWin32AppAssignment features, you also need the Group.Read.All permission

aCID-sLAM commented 1 month ago

Run my script here which will create an Azure application called "IntuneWin32App" and add the permissions... DeviceManagementApps.ReadWrite.All and DeviceManagementConfiguration.ReadWrite.All

You'll need the PowerShell module Microsoft.Graph installed to run it successfully

There is no script ;)

alexhass commented 1 month ago

@twelch-ricohnz Could you share your script again, please? It is not available anymore.

twelch-ricohnz commented 4 weeks ago

@aCID-sLAM , @alexhass Here is a basic version of it. It will create an application called IntuneWin32App with the correct permissions assigned.

# Sign in with rights to create and update app registrations
Connect-MgGraph -Scopes "Application.ReadWrite.All, Directory.Read.All" -TenantId (Read-Host -Prompt "Enter Tenant ID or FQDN")

# Create the app registration
$NewApp = New-MgApplication -DisplayName "IntuneWin32App"

# Request Microsoft Graph permissions of type "Role" (application permissions, not delegated).
# 00000003-0000-0000-c000-000000000000 is the resource app ID of Microsoft Graph.
# -BodyParameter takes a hashtable rather than a JSON string.
$BodyParams = @{
    requiredResourceAccess = @(
        @{
            resourceAppId  = "00000003-0000-0000-c000-000000000000"
            resourceAccess = @(
                @{ id = "78145de6-330d-4800-a6ce-494ff2d33d07"; type = "Role" }   # DeviceManagementApps.ReadWrite.All
                @{ id = "9241abd9-d0e6-425a-bd4f-47ba86e767a4"; type = "Role" }   # DeviceManagementConfiguration.ReadWrite.All
                @{ id = "5b567255-7703-4780-807c-7be8301ae99b"; type = "Role" }   # Group.Read.All
            )
        }
    )
}

Update-MgApplication -ApplicationId $NewApp.Id -BodyParameter $BodyParams

# This only requests the permissions; an admin still has to grant consent
# (App registrations > API permissions > "Grant admin consent") before tokens carry these roles.

Once you have this in place you'll have to work out how you are authenticating against it. We're using a self-signed certificate and storing the tenant id and application id within a JSON file. The below gets added to every application upload script...

# Select the certificate by friendly name; its public key is uploaded to the app registration
$Cert = Get-ChildItem "Cert:\CurrentUser\My" | Where-Object FriendlyName -eq "IntuneWin32App"
If (-not $Cert) { Write-Warning "Certificate 'IntuneWin32App' not found in Cert:\CurrentUser\My"; Exit 1 }

Try {
    # Each .\tenant\*.json file holds the TenantId and AppId for one tenant
    $Tenant = (Get-ChildItem -Path ".\tenant" -File -Filter *.json).Name |
        ForEach-Object {
            [PSCustomObject]@{
                Tenant = $_  # Set the property name to "Tenant"
            }
        } | Out-GridView -Title "Select a Tenant" -OutputMode Single
    If (-not $Tenant) { Write-Warning "Tenant not selected"; Exit 1 }

    # Get-Content returns raw text; parse it so TenantId and AppId can be addressed as properties
    $Params = Get-Content -Path ".\tenant\$($Tenant.Tenant)" -Raw | ConvertFrom-Json
    If (-not $Params.TenantId -or -not $Params.AppId) { Write-Warning "Tenant file is missing TenantId or AppId"; Exit 1 }

    Connect-MSIntuneGraph -TenantID $Params.TenantId -ClientID $Params.AppId -ClientCert $Cert
} Catch {
    Write-Warning "Error connecting to Tenant: $($_.Exception.Message)"
    Exit 1
}

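Several failures in this thread (Delegated instead of Application permissions, consent not granted, Group.Read.All missing for assignments) come down to what the app's service principal has actually been granted in the tenant, which the registration script above cannot show. The following check is an added example, not code from the IntuneWin32App module or from any commenter: it reads the app role assignments of the app's service principal against Microsoft Graph and reports which required application roles are missing. It assumes the Microsoft.Graph module and a session opened with Connect-MgGraph -Scopes "Application.Read.All"; the default role list is the one from the registration script plus Group.Read.All.

```powershell
# Added example, not part of the IntuneWin32App module: verify that the service
# principal of an app registration has been granted the required Microsoft Graph
# *application* roles (i.e. that admin consent was given for them).
function Test-IntuneAppRoleGrants {
    param(
        [Parameter(Mandatory)][string]$AppId,   # application (client) ID of your registration
        [string[]]$RequiredRoles = @(
            'DeviceManagementApps.ReadWrite.All',
            'DeviceManagementConfiguration.ReadWrite.All',
            'Group.Read.All'
        )
    )
    # Microsoft Graph's own service principal; 00000003-... is its well-known app ID
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    if (-not $graphSp) { throw "Microsoft Graph service principal not found in this tenant" }

    # Lookup from app role GUID (e.g. 78145de6-...) to its name (e.g. DeviceManagementApps.ReadWrite.All)
    $roleNames = @{}
    foreach ($role in $graphSp.AppRoles) { $roleNames[[string]$role.Id] = $role.Value }

    # The enterprise app (service principal) for the registration must exist in this tenant
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal found for appId $AppId in this tenant" }

    # appRoleAssignments to the Graph resource exist only for consented application permissions;
    # delegated permissions are recorded as oauth2PermissionGrants and are deliberately not counted
    $granted = @(
        Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
            Where-Object { $_.ResourceId -eq $graphSp.Id } |
            ForEach-Object { $roleNames[[string]$_.AppRoleId] }
    )
    $missing = @($RequiredRoles | Where-Object { $_ -notin $granted })

    [PSCustomObject]@{
        AppId              = $AppId
        ServicePrincipalId = $sp.Id
        GrantedRoles       = $granted
        MissingRoles       = $missing
        Consented          = ($missing.Count -eq 0)
    }
}

# Usage: Test-IntuneAppRoleGrants -AppId "<your app registration client ID>" | Format-List
```

An app whose permissions were configured as Delegated will show an empty GrantedRoles list here even though it issues tokens, which matches the behaviour reported earlier in the thread; once admin consent is granted for the Application permissions, the roles appear in GrantedRoles.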
l4m3us3r commented 1 week ago

It would be good to have this issue marked as a bug and the module updated so that users can at least register an azure app and then connect the module with something like: Connect-MSIntuneGraph -TenantID "yourtenant.onmicrosoft.com" -ClientID "yourappregistrationid"

(The above doesn't currently work for me).

Below are the steps that I have compiled for the current user based auth workaround:

In Azure, go to App registrations and register an app. Set the Redirect URI (public client/native) to "https://login.microsoftonline.com/common/oauth2/nativeclient". Go to API permissions, Add a permission, Microsoft Graph, Delegated permissions, and add:

  • DeviceManagementManagedDevices.ReadWrite.All
  • DeviceManagementApps.ReadWrite.All
  • Group.Read.All

(note that application permissions for these 3 roles may also be needed)

Get the appid for the app you just registered.

Edit the powershell module

Edit Connect-MSIntuneGraph.ps1. You must update lines #106 and #107 in the Connect-MSIntuneGraph.ps1 file located in the C:\Program Files\WindowsPowerShell\Modules\IntuneWin32App\1.4.4\Public folder. If installed in a user area: C:\Users\username\OneDrive\Documents\PowerShell\Modules\IntuneWin32App\1.4.4\Public

In Connect-MSIntuneGraph.ps1, replace the following old values with the new values. Old values:

$ClientID = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$RedirectUri = "urn:ietf:wg:oauth:2.0:oob"

New Values:

# Define static variables
$ClientID = "Your client ID/App ID (not object ID) of the custom App reg with proper DeviceManagement related permissions (Application permissions)"
$RedirectUri = "https://login.microsoftonline.com/common/oauth2/nativeclient"

Now you should be able to connect with Connect-MSIntuneGraph -TenantID "yourtenant.onmicrosoft.com"

xenadmin commented 1 week ago

I created an App registration with the following API permissions: I altered Connect-MSIntuneGraph.ps1 with my App ID and the Redirect URI. But when I execute Add-IntuneWin32App I still get an error:

WARNING: An error occurred while creating the Win32 application. Error message: UnknownError: {"ErrorCode":"Forbidden","Message":"{\r\n \"_version\": 3,\r\n \"Message\": \"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 962e5aff-dax3-485e-94xa-a0941f993535 - Url: https://fef.msub03.manage.microsoft.com/AppLifecycle_2406/StatelessAppMetadataFEService/deviceAppManagement/mobileApps?api-version=5024-03-08\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{\\\"WWW-Authenticate\\\":\\\"Bearer realm=\\\\\\\"urn:intune:service,9225x241-44e1-44a8-8bfe-c10e3917x505,3e9c57b9-808d-4aa0-9500-4b2x369279e7\\\\\\\"\\\"}\"\r\n}","Target":null,"Details":null,"InnerError":null,"InstanceAnnotations":[]}

Any idea what I might have done wrong? I need to upload additional apps :-/