Assignments only updating on certain policy types

[havard105]

Hey!

I am having issues with getting assignments to be properly updated through IntuneCD. I have 10 tenants connected to one baseline tenant, and assignments either only work on some settings categories, or not at all.

Backup is running through an Azure DevOps Pipeline, but we do updates through IntuneCD Monitor. The tenants are set up in IntuneCD Monitor with the update argument "-u". Assignments work fine on policies with the "Settings Catalog" policy type, as well as Security Baselines and some of the other categories under the security blade in Intune.

However i cannot seem to get it to update assignments for any of the other policy types under "Device Configuration", such as "Endpoint Protection", "Device Restriction", or "Custom".

On one of the tenants, no assignments at all were imported.

I can see in the backup files that the assignments are exported. I have also tried updating through an Azure Devops pipe, but the results are the same.

Do you have any idea why this is, and any steps we can take to remediate the issue?

På förhand, tack!

[almenscorner]

Hi, does the groups you are targeting exist in the tenant you are running the update towards? if the groups does not exist (checked by name) assignment will simply be skipped. If you want to create non-existing groups you can use the -g parameter.

[havard105]

Yes, the groups exist with identical names in all tenants.

[almenscorner]

Can you see more information when running with -v to get some verbose output?

[havard105]

Here is an example of the error i get on the policies failing to update assignments:

Mon May 6 13:32:08 2024 [ERROR] Error updating Device Configuration Mandatory - MacOS_BackgroundServices: Request failed with 400 - {"error":{"code":"BadRequest","message":"{\r\n \"_version\": 3,\r\n \"Message\": \"The assignment and its target should not be null. - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: b6e47704-b1a0-4f1a-a9e3-b0dd216ed0a8 - Url: https://fef.msub06.manage.microsoft.com/DeviceConfiguration_2404/StatelessDeviceConfigurationFEService/deviceManagement/deviceConfigurations('81dfaa63-1805-465d-a0bf-d5694c132557')/assignments?api-version=5023-12-15\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}","innerError":{"date":"2024-05-06T13:32:08","request-id":"b6e47704-b1a0-4f1a-a9e3-b0dd216ed0a8","client-request-id":"b6e47704-b1a0-4f1a-a9e3-b0dd216ed0a8"}}}

[almenscorner]

Thank you, is this for a custom macOS policy?

[havard105]

Yes, correct. The same error ("The assignment and its target should not be null") also occur on policies with the policy type Device Restrictions, Wi-Fi, Delivery Optimization, and Custom, all of which are Windows policies.

[almenscorner]

I was able to replicate and it seems like the assignment endpoint has changed for device configurations. I was able to successfully update assignments using IntuneCD 2.2.3-beta1, try this version and report back: pip3 install IntuneCD==2.3.3b1. Note that you cannot test this in IntuneCD Monitor but instead it must be tested in a pipeline or running locally.

[havard105]

Just tested, and assignments updated as expected. Great!