Micke-K / IntuneManagement

Copy, export, import, delete, document and compare policies and profiles in Intune and Azure with PowerShell script and WPF UI. Import ADMX files and registry settings with ADMX ingestion. View and edit PowerShell script.
MIT License

Import App Configuration (Device) policy fails #255

Open jimmywinberg opened 1 month ago

jimmywinberg commented 1 month ago

When trying to import an App Configuration (Device) policy it will fail with the following error message.

Android - Defender for Endpoint app config

Running version: 3.9.7

WARNING: Could not find migration table Failed to invoke MS Graph with URL https://graph.microsoft.com/beta/deviceAppManagement/mobileAppConfigurations (Request ID: 68262225-ef94-424d-9d78-396ad05dc060). Status code: BadRequest. Response message: . Response message: An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 12395d9e-ecd3-4cfd-bc16-fbc508645554 - Url: https://fef.amsub0202.manage.microsoft.com/AppLifecycle_2406/StatelessAppMetadataFEService/deviceAppManagement/mobileAppConfigurations?api-version=5024-05-15 Exception: The remote server returned an error: (400) Bad Request.

Micke-K commented 1 month ago

Hello,

What folder did you import the policy from?

It must be imported from the same folder name as it was exported. This is how the script knows which API to use. A wrong folder normally generates a 400 error.

Cheers!

jimmywinberg commented 1 month ago

These are my exact steps.

  1. Tenant 1, export the policy to c:\tempPolicies\AppConfigurationManagedDevice
  2. Tenant 2, import the policy, select the policy from the location in step 1 and click import.

Can add that all other policies except the app config one are getting imported without any issues.

Micke-K commented 1 month ago

Hello,

App Configuration (Device) policies have Apps as a dependency.

Does the target app exist in the destination tenant?

Cheers!

jimmywinberg commented 1 month ago

Yes, the target app is in the tenant from the Managed Google Play store. I can also confirm that for iOS policies the import is working but not for Android.

The Microsoft Defender app is added in both tenants for Android. One tenant doesn't have the app assigned yet.

jimmywinberg commented 1 month ago

Exporting from the same tenant and importing to the same tenant works. But as soon as I try to import to another tenant, Android App configs fail.

Micke-K commented 1 month ago

Thank you for the troubleshooting!

Could be that the App has different IDs in different tenants.

Can you upload a policy from each tenant or can you check the exported policies if that is the case?

Cheers!

jimmywinberg commented 1 month ago

Think you are correct, the app ID is different.

Tenant 1: "targetedMobileApps": ["e22b3aef-5b07-46dc-ab2e-5647885cf4b6"]

Tenant 2: "targetedMobileApps": ["1d3a9069-ae65-4173-b7f0-95b276a5e99d"]

I can import and export in the same tenants no issue, but moving the export to another tenant fails.

Micke-K commented 1 month ago

Does it work if you change the Id to the target tenant App Id?

This is not good. This means it's not supported as is. Might be possible to fix but will require additional development. And it's going to be a challenge since I don't have access to test.

Cheers!

jimmywinberg commented 1 month ago

Yes, it works if I change the app ID manually, then I can import it to the new tenant. Thank you for a super great tool.
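The manual fix confirmed above, as an added PowerShell example that is not part of the thread or of IntuneManagement's code: it rewrites `targetedMobileApps` in an exported policy from a source-to-target app ID map and stops when an ID has no mapping, so a stale source-tenant ID is caught before the Graph request. The function name, the map and the trimmed sample JSON are constructed for illustration; the two app IDs are the ones quoted in the thread.

```powershell
# Added example (hypothetical helper, not the tool's import logic).
function Convert-TargetedMobileApps {
    param(
        [Parameter(Mandatory)] [string]    $PolicyJson,  # exported policy as JSON text
        [Parameter(Mandatory)] [hashtable] $AppIdMap     # source app ID -> target app ID
    )

    $policy = $PolicyJson | ConvertFrom-Json

    if (-not $policy.PSObject.Properties['targetedMobileApps']) {
        throw "Policy has no targetedMobileApps property; nothing to remap."
    }

    # Translate every referenced app; refuse to continue on an unmapped ID,
    # because the source-tenant ID does not exist in the target tenant.
    $mapped = foreach ($id in $policy.targetedMobileApps) {
        if (-not $AppIdMap.ContainsKey($id)) {
            throw "No target-tenant app ID mapped for source app ID $id"
        }
        $AppIdMap[$id]
    }

    # @() keeps a single ID serialized as a JSON array.
    $policy.targetedMobileApps = @($mapped)
    $policy | ConvertTo-Json -Depth 20
}

# Constructed sample: a trimmed policy as exported from tenant 1.
$exported = @'
{
  "@odata.type": "#microsoft.graph.androidManagedStoreAppConfiguration",
  "displayName": "Android - Defender for Endpoint app config",
  "targetedMobileApps": [ "e22b3aef-5b07-46dc-ab2e-5647885cf4b6" ],
  "roleScopeTagIds": [ "0" ]
}
'@

# Tenant 1 app ID -> tenant 2 app ID, as reported in the thread.
$map = @{ 'e22b3aef-5b07-46dc-ab2e-5647885cf4b6' = '1d3a9069-ae65-4173-b7f0-95b276a5e99d' }

$remapped = Convert-TargetedMobileApps -PolicyJson $exported -AppIdMap $map
($remapped | ConvertFrom-Json).targetedMobileApps
```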

Micke-K commented 1 month ago

Thank you!

I'll see if I can figure this out in a future version.

Cheers!

Micke-K commented 1 month ago

Hello,

I had to spend some time on a bus, so I thought I'd try to fix this. I got it to work for iOS by faking new IDs after export etc. I changed it so it will only use this for Android policies now.

Note that you have to re-export and import with the attached file to make it work. This will add an additional property to the export file, "#CustomRefTargetedApps". This will be used during import to identify the app in the target tenant.

Let me know how it goes if you test it. Would be good if you could test both import in same tenant and a different tenant.

Cheers!

EndpointManager.zip

jimmywinberg commented 1 month ago

Thank you, but when I replace this file and try to run the application again, I'm unable to see tenants, and in the menu I get the text Object Array on top and then all the settings. I'm also unable to see what accounts are logged in etc.; no menu in the top right corner for switching accounts.

Micke-K commented 1 month ago

Hmmmm that is weird. I'll have a look at this later. Might not be able to do it this weekend.

Cheers!

jimmywinberg commented 1 month ago

Whenever you have time, have a great weekend and day.



Micke-K commented 1 month ago

Hello,

I cannot replicate this. Did you replace completely, or did you rename the original file?

Can you attach the full log?

Cheers!

jimmywinberg commented 1 month ago

I renamed the original file, sorry my bad.

  1. Unpacked fresh version of your app.
  2. Overwrote the file you packaged here separately.
  3. Exported the files again and imported.

But the outcome is the same. Just tested export from tenant 1 import to tenant 2, same error. I don't see a CustomRefTargetedApps in the exported file however.

WARNING: Could not find migration table Failed to invoke MS Graph with URL https://graph.microsoft.com/beta/deviceAppManagement/mobileAppConfigurations (Request ID: 1dafc0cc-a616-48d7-b6ae-e7176addedb9). Status code: BadRequest. Response message: . Response message: An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 68be0173-dc12-476c-a562-a387c4fda131 - Url: https://fef.amsub0202.manage.microsoft.com/AppLifecycle_2407/StatelessAppMetadataFEService/deviceAppManagement/mobileAppConfigurations?api-version=5024-05-15 Exception: The remote server returned an error: (400) Bad Request. Loading App Configuration (Device) objects

Micke-K commented 1 month ago

Hello,

Sounds like it doesn't detect the type. Can you attach the json or at least the top 5 rows of it?

Cheers!

jimmywinberg commented 1 month ago

TEST - Microsoft Defender for Endpoint_504a5603-8e77-4a4a-a7f2-41fe2999c8e3.json

Micke-K commented 1 month ago

Let's try this. Updated after midnight with laptop in bed so no clue if it will work :)

EndpointManager.zip

Cheers!

jimmywinberg commented 1 month ago

I just went to bed so I have to test it tomorrow, u need to sleep too haha. Have a great day tomorrow, I'll update you once I've tested. Again, thank you so much for this awesome tool.



jimmywinberg commented 1 month ago

Tested, same error. I do see the targetMobileApps in the exported file now, however import to new tenant same error as before.

```json
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceAppManagement/mobileAppConfigurations(assignments())/$entity",
  "@odata.type": "#microsoft.graph.androidManagedStoreAppConfiguration",
  "@odata.id": "deviceAppManagement/mobileAppConfigurations(\u0027504a5603-8e77-4a4a-a7f2-41fe2999c8e3\u0027)",
  "@odata.editLink": "deviceAppManagement/mobileAppConfigurations(\u0027504a5603-8e77-4a4a-a7f2-41fe2999c8e3\u0027)/microsoft.graph.androidManagedStoreAppConfiguration",
  "id": "504a5603-8e77-4a4a-a7f2-41fe2999c8e3",
  "targetedMobileApps@odata.type": "#Collection(String)",
  "targetedMobileApps": [ "1d3a9069-ae65-4173-b7f0-95b276a5e99d" ],
  "roleScopeTagIds@odata.type": "#Collection(String)",
  "roleScopeTagIds": [ "0" ],
```

WARNING: Could not find migration table Failed to invoke MS Graph with URL https://graph.microsoft.com/beta/deviceAppManagement/mobileAppConfigurations (Request ID: f76f08a1-7ae1-4e34-a585-5d9b217f0240). Status code: BadRequest. Response message: . Response message: An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 6f6758bd-147f-4dd5-b01d-cad244eaf926 - Url: https://fef.amsub0202.manage.microsoft.com/AppLifecycle_2407/StatelessAppMetadataFEService/deviceAppManagement/mobileAppConfigurations?api-version=5024-05-15 Exception: The remote server returned an error: (400) Bad Request.

Micke-K commented 1 month ago

Hello,

No #CustomRefTargetedApps property in the json file. It will not work as long as that property is not there.

I'll have to add some additional logging to see what is happening.

Out on a boat trip now but will try to add that tonight.

Cheers!

Micke-K commented 1 month ago

Hello,

Another version to try. I added some additional logging to this so attach the log if it fails. I hope you will have the #CustomRefTargetedApps property in the json this time. Skip import if you don't. It won't work without it.

Cheers!

EndpointManager.zip

jimmywinberg commented 1 month ago

TEST - Microsoft Defender for Endpoint_504a5603-8e77-4a4a-a7f2-41fe2999c8e3.json logfilecleaned.txt

Same error, attached newly exported file and log file.

Micke-K commented 1 month ago

That looks better!

The #CustomRefTargetedApps property is there. I'm on another boat trip in the Stockholm archipelago. I'll check the import when I get back tonight. I only focused on the export yesterday. We are finally on the right track.

Thank you for the troubleshooting!

Cheers!

Micke-K commented 1 month ago

My bad...it used the id from the source tenant.

New version to try.

Cheers!

EndpointManager.zip

jimmywinberg commented 1 month ago

All good working now, awesome work, next time enjoy your boat trips the tool can wait :) Importing and exporting between tenants is now working in the latest version you sent.

Micke-K commented 1 month ago

Great news!

Thank you for the update and all the testing.

Cheers!

jimmywinberg commented 1 month ago

Thank you for all the work you put in and have a great night.

