MSEndpointMgr / IntuneWin32App

Provides a set of functions to manage all aspects of Win32 apps in Microsoft Intune.
MIT License

As a Restrictive Intune Admin, unable to retrieve the Scope Tag #77

Open ashishjaswal2003 opened 1 year ago

ashishjaswal2003 commented 1 year ago

I have a Restrictive Intune Admin on which a Custom Role along with a Scope Tag is assigned. This user can now only create and manage apps that he/she creates and not any other apps in the tenant and also can deploy to only certain Azure AD Groups as per the scope and role.

Using the portal, this requirement is achieved. However, when using Add-IntuneWin32App.ps1, where we specify the Scope Tag parameter, it fails with the following error:

Graph request failed with status code '403 (Forbidden)'.

When I looked at the code, you have used this API:

```powershell
$ScopeTag = (Invoke-IntuneGraphRequest -APIVersion "Beta" -Route "deviceManagement" -Resource "roleScopeTags?`$filter=displayName eq '$($ScopeTagItem)'" -Method "GET" -ErrorAction "Stop").value
```

To achieve this specific requirement, I changed the API to:

```powershell
$ScopeTag = (Invoke-IntuneGraphRequest -APIVersion "Beta" -Route "deviceManagement" -Resource "getRoleScopeTagsByResource(resource='MobileApps')?`$filter=displayName eq '$($ScopeTagItem)'" -Method "GET" -ErrorAction "Stop").value
```

And this worked!

Please update accordingly.
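The resource-scoped lookup described above, as an added example that is not part of the original post or the IntuneWin32App module: it resolves a scope tag through `getRoleScopeTagsByResource(resource='MobileApps')`, quotes the name for the OData filter, and stops if the tag is not visible to the caller. `Resolve-ScopeTagId`, its `-GraphGet` parameter, the stub and the tag name `Contoso-Apps` are assumptions made for illustration.

```powershell
# Added example; Resolve-ScopeTagId and -GraphGet are hypothetical names.
function Resolve-ScopeTagId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        # Scriptblock that performs an authenticated GET on a Graph URI and returns
        # the parsed JSON body. Injected so the logic can be exercised offline.
        # A live one could be:
        #   { param($Uri) Invoke-RestMethod -Method Get -Uri $Uri -Headers @{ Authorization = "Bearer $token" } }
        [Parameter(Mandatory)][scriptblock]$GraphGet
    )

    $base = 'https://graph.microsoft.com/beta/deviceManagement'

    # OData string literals escape a single quote by doubling it.
    $escaped = $DisplayName.Replace("'", "''")

    # The backtick keeps PowerShell from expanding $filter as a variable.
    $query = "`$filter=displayName eq '$escaped'"

    # Resource-scoped route: returns only tags the caller may use on mobile apps,
    # so it does not need read access to every scope tag in the tenant.
    $uri = "$base/getRoleScopeTagsByResource(resource='MobileApps')?$query"
    $tags = @((& $GraphGet $uri).value)

    # Match exactly on the client as well, and fail closed on zero or several hits.
    $match = @($tags | Where-Object { $_.displayName -eq $DisplayName })
    if ($match.Count -ne 1) {
        throw "Scope tag '$DisplayName' resolved to $($match.Count) entries; refusing to continue."
    }
    return $match[0].id
}

# Constructed stub standing in for Graph as seen by a scoped admin: the tenant-wide
# roleScopeTags route is refused, the resource-scoped route returns one tag.
$stub = {
    param($Uri)
    if ($Uri -notlike "*getRoleScopeTagsByResource(resource='MobileApps')*") {
        throw "Graph request failed with status code '403 (Forbidden)'."
    }
    [pscustomobject]@{
        value = @([pscustomobject]@{ id = '1'; displayName = 'Contoso-Apps' })
    }
}

Resolve-ScopeTagId -DisplayName 'Contoso-Apps' -GraphGet $stub   # constructed data
```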

NickolajA commented 1 year ago

Will be fixed in 1.4.1, thank you for sharing this!