Micke-K / IntuneManagement

Copy, export, import, delete, document and compare policies and profiles in Intune and Azure with PowerShell script and WPF UI. Import ADMX files and registry settings with ADMX ingestion. View and edit PowerShell script.
MIT License

Error when importing 'Enrollment Restrictions objects' in a Silent Batch Job using an Azure Service principal with secret. #259

Open dominiquestabile opened 3 months ago

dominiquestabile commented 3 months ago

Hello Micke,

Thanks again for your wonderful tool :)

I'm getting the following error when I run an import with 'Enrollment Restrictions objects' in any import mode (skipIfExist, alwaysImport, update or replace) with a service principal and secret.

Import Enrollment Restrictions objects
Get Enrollment Restrictions objects
Import Enrollment Restrictions object Deny Windows personally owned devices (Pilot only)
##[error]Failed to invoke MS Graph with URL https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations (Request ID: 237bde61-2373-4777-8d13-13c6a324b834). Status code: Forbidden. Response message: . Response message: Tenant is not Global Admin or Intune Service Admin. Operation is restricted. - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 0d267d53-3b29-44e8-930b-2c0193bc2cba - Url: https://fef.msub06.manage.microsoft.com/StatelessOnboardingService/deviceManagement/deviceEnrollmentConfigurations?api-version=5023-03-29 Exception: The remote server returned an error: (403) Forbidden.

If I log in interactively through the GUI, it works perfectly. I compared the API permissions and I have only three differences, 'openid, profile, email', which are only available as delegated permissions and not as application permissions. Besides the API permissions, I also compared the permissions between my global admin user and the service principal; they have the same roles: global reader, global administrator, security administrator, exchange administrator and intune administrator. Any ideas or suggestions? Thanks a lot for your help.

BR

Dominique

Micke-K commented 3 months ago

Hello,

I can't find any restriction on the API. The application permissions should be supported.

Anything else in the logs? Can you see that you have DeviceManagementServiceConfig.ReadWrite.All in the list of permissions?

Cheers!

dominiquestabile commented 2 months ago

Hello Micke, thanks for your reply. Nothing else in the logs. And yes, the permission is there:

[screenshot: Azure portal, API permissions of the service principal]

Thanks for your help.
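The question in the thread is whether the app-only token actually carries DeviceManagementServiceConfig.ReadWrite.All. The following PowerShell is an added diagnostic, not part of IntuneManagement or of the thread: it requests a client-credentials token the way a silent job does, decodes the token's roles claim (where consented application permissions appear), and then reads the same endpoint the error names. Tenant ID, client ID and secret are placeholders.

```powershell
# Added diagnostic, not part of IntuneManagement. Assumes the tenant ID, app (client) ID
# and client secret of the service principal used by the silent batch job (placeholders).
$TenantId     = '<tenant-id>'
$ClientId     = '<app-client-id>'
$ClientSecret = '<client-secret>'   # read from a secure store in real use
$RequiredRole = 'DeviceManagementServiceConfig.ReadWrite.All'

# 1. Client-credentials token for Graph, i.e. the same app-only flow a silent job uses.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
$accessToken = $tokenResponse.access_token

# 2. Decode the JWT payload. Application permissions show up in the 'roles' claim only
#    after admin consent; an app-only token has no delegated 'scp' claim at all.
function Get-JwtPayload {
    param([string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}
$claims = Get-JwtPayload -Jwt $accessToken
$roles  = @($claims.roles)
if ($roles -contains $RequiredRole) {
    Write-Host "Token carries $RequiredRole (application permission is consented)."
} else {
    Write-Host "Token does NOT carry $RequiredRole. Roles present: $($roles -join ', ')"
}

# 3. Read the endpoint from the error message with the app-only token. A 403 here while
#    the role is present rules out missing consent as the cause of the import failure.
try {
    $null = Invoke-RestMethod -Method Get `
        -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations' `
        -Headers @{ Authorization = "Bearer $accessToken" }
    Write-Host 'GET deviceEnrollmentConfigurations succeeded with the app-only token.'
} catch {
    Write-Host "GET failed: $($_.Exception.Message)"
}
```

Comparing the roles claim with the portal's API permissions page separates "permission added but not consented" from "permission consented but the service still refuses the call".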