microsoft / Intune-Resource-Access

Sample code and scripts for interfacing with the Intune Resource Access APIs.
MIT License

Refreshing service map from Microsoft.Graph 403 Forbidden #112

Closed gustav-mattsson closed 2 years ago

gustav-mattsson commented 2 years ago

Hi!

I am trying to set up a new test environment for Intune to allow us to implement the Intune Revocation workflow as described in this example.

After having set up the App Registration, SCEP Profile, Trusted Certificate profiles, etc. and then trying to enroll an end-user Windows 10 device, we get the following error on our server side:

2021-09-29 14:51:27.514 INFO: Refreshing service map from Microsoft.Graph
2021-09-29 14:51:27.529 INFO: [Correlation ID: 1d5d2c6b-3829-475e-86ef-e4a9dabe9e6e] Instance discovery was successful
2021-09-29 14:51:28.548 SEVERE: Request to: https://graph.windows.net/nexusgo.onmicrosoft.com/servicePrincipalsByAppId/0000000a-0000-0000-c000-000000000000/serviceEndpoints?api-version=1.6 returned: HTTP/1.1 403 Forbidden
com.microsoft.intune.scepvalidation.IntuneClientHttpErrorException: {"odata.error":{"date":"2021-09-29T14:51:28","code":"Authorization_RequestDenied","requestId":"fe36e250-b195-4663-8d97-7f41161dd500","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
    at com.microsoft.intune.scepvalidation.IntuneClient.ParseResponseToJSON(IntuneClient.java:443)
    at com.microsoft.intune.scepvalidation.IntuneClient.RefreshServiceMap(IntuneClient.java:384)
    at com.microsoft.intune.scepvalidation.IntuneClient.GetServiceEndpoint(IntuneClient.java:349)
    at com.microsoft.intune.scepvalidation.IntuneClient.PostRequest(IntuneClient.java:285)
    at com.microsoft.intune.scepvalidation.IntuneScepServiceClient.PostRequest(IntuneScepServiceClient.java:40)
    at com.microsoft.intune.scepvalidation.IntuneScepServiceClient.Post(IntuneScepServiceClient.java:231)
    at com.microsoft.intune.scepvalidation.IntuneScepServiceClient.ValidateRequest(IntuneScepServiceClient.java:121)
    at com.nexussafe.cm.pgwy.scep.ScepIntune.modify(ScepIntune.java:66)

Does anyone know which permission we are [presumably] lacking from our App Registration to allow this call to pass? Trying to test each permission one by one seems like a bit much considering there are quite a few. Or is there some documentation somewhere that I have missed?

This set of permissions was not sufficient: [screenshot: insufficient]

// Gustav Mattsson

torontojc commented 2 years ago

You need to add the Application.Read.All permission now. Once you add that it works. The problem is that it uses the old AAD Graph, so it will eventually stop working in June 2022.

You need to add the AAD Graph permission and the Microsoft Graph permission. https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-intune-service-discovery-api-endpoint-will-require/ba-p/2428040

Unfortunately their documentation is wrong. To add the permission you need to go to the "APIs my organization uses" tab. Search "Windows". Then select Azure Active Directory Graph and the Application.Read.All permission.
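The 403 in the log above and the permission named in this reply can be turned into a repeatable check. The Python below is an added example, not code from the Intune-Resource-Access project or from either commenter. It does two things: it triages a SEVERE line from the validator log by pulling the HTTP status, the OData error code and the request id out of the IntuneClientHttpErrorException text, and it audits an app registration's requiredResourceAccess manifest entries for the Azure AD Graph Application.Read.All role. The resource application ids for Azure AD Graph (00000002-...) and Microsoft Graph (00000003-...) are the well-known values; the Intune id (0000000a-...) comes from the failing URL in the log; the Application.Read.All role id for Azure AD Graph is an assumption to verify against the service principal's appRoles in your own tenant; the two sample manifests are constructed.

```python
"""Triage helpers for the Intune SCEP validator's service-discovery 403.

Added example; not part of the Intune-Resource-Access project.
"""
import json
import re

# Well-known resource application ids.
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"  # Azure Active Directory Graph (legacy)
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph
INTUNE_APP_ID = "0000000a-0000-0000-c000-000000000000"     # from the failing URL in the issue log

# ASSUMED app role id for Application.Read.All on Azure AD Graph; verify it
# against the service principal's appRoles in your tenant before relying on it.
AAD_GRAPH_APPLICATION_READ_ALL = "3afa6a7d-9b1a-42eb-948e-1650a849e176"

_DISCOVERY_URL = re.compile(
    r"https://graph\.windows\.net/[^/\s]+/servicePrincipalsByAppId/"
    r"([0-9a-fA-F-]{36})/serviceEndpoints"
)
_HTTP_STATUS = re.compile(r"HTTP/1\.\d (\d{3})")

# Sample log line taken from the issue above (stack trace truncated to one frame).
SAMPLE_LOG_LINE = (
    "2021-09-29 14:51:28.548 SEVERE: Request to: https://graph.windows.net/"
    "nexusgo.onmicrosoft.com/servicePrincipalsByAppId/"
    "0000000a-0000-0000-c000-000000000000/serviceEndpoints?api-version=1.6 "
    "returned: HTTP/1.1 403 Forbidden "
    "com.microsoft.intune.scepvalidation.IntuneClientHttpErrorException: "
    '{"odata.error":{"date":"2021-09-29T14:51:28","code":"Authorization_RequestDenied",'
    '"requestId":"fe36e250-b195-4663-8d97-7f41161dd500",'
    '"message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}} '
    "at com.microsoft.intune.scepvalidation.IntuneClient.ParseResponseToJSON(IntuneClient.java:443)"
)


def classify_scep_error(log_line):
    """Triage one SEVERE line from the validator log.

    Returns a dict with a 'verdict' plus the fields worth quoting in a
    support ticket: resource app id, HTTP status, OData code, request id.
    """
    url = _DISCOVERY_URL.search(log_line)
    if url is None:
        return {"verdict": "not-service-discovery"}

    status = _HTTP_STATUS.search(log_line)
    result = {
        "verdict": "unknown",
        "resource_app_id": url.group(1).lower(),
        "status": int(status.group(1)) if status else None,
        "code": None,
        "request_id": None,
        "message": None,
    }

    # The exception text embeds an OData error object followed by a Java stack
    # trace; raw_decode parses the object and ignores whatever follows it.
    start = log_line.find("{")
    if start >= 0:
        try:
            payload, _ = json.JSONDecoder().raw_decode(log_line[start:])
        except ValueError:
            payload = {}
        err = payload.get("odata.error", {})
        result["code"] = err.get("code")
        result["request_id"] = err.get("requestId")
        msg = err.get("message")
        result["message"] = msg.get("value") if isinstance(msg, dict) else msg

    if result["status"] == 403 and result["code"] == "Authorization_RequestDenied":
        result["verdict"] = "missing-aad-graph-permission"
        result["remediation"] = (
            "Grant Application.Read.All on Azure Active Directory Graph to the app "
            "registration and admin-consent it; AAD Graph is legacy, so add the "
            "Microsoft Graph permission as well.")
    return result


def audit_required_resource_access(required_resource_access):
    """Check an app registration's requiredResourceAccess (manifest format)
    for the Azure AD Graph Application.Read.All role the reply calls for."""
    by_resource = {
        entry["resourceAppId"].lower(): {a["id"].lower() for a in entry.get("resourceAccess", [])}
        for entry in required_resource_access
    }
    findings = {
        "intune_present": INTUNE_APP_ID in by_resource,
        "microsoft_graph_present": MS_GRAPH_APP_ID in by_resource,
        "aad_graph_application_read_all":
            AAD_GRAPH_APPLICATION_READ_ALL in by_resource.get(AAD_GRAPH_APP_ID, set()),
    }
    findings["service_discovery_ok"] = findings["aad_graph_application_read_all"]
    return findings


# Constructed manifests: the role ids under Intune and Microsoft Graph are
# placeholders, only the resourceAppId values matter to the audit.
INSUFFICIENT_MANIFEST = [
    {"resourceAppId": INTUNE_APP_ID,
     "resourceAccess": [{"id": "00000000-0000-0000-0000-00000000aaaa", "type": "Role"}]},
    {"resourceAppId": MS_GRAPH_APP_ID,
     "resourceAccess": [{"id": "00000000-0000-0000-0000-00000000bbbb", "type": "Role"}]},
]
FIXED_MANIFEST = INSUFFICIENT_MANIFEST + [
    {"resourceAppId": AAD_GRAPH_APP_ID,
     "resourceAccess": [{"id": AAD_GRAPH_APPLICATION_READ_ALL, "type": "Role"}]},
]

if __name__ == "__main__":
    print(json.dumps(classify_scep_error(SAMPLE_LOG_LINE), indent=2))
    print(audit_required_resource_access(INSUFFICIENT_MANIFEST))
    print(audit_required_resource_access(FIXED_MANIFEST))
```

Running the module prints the verdict for the issue's own log line and the audit result for both manifests. The requiredResourceAccess list is the same shape the app registration's manifest uses, so the audit can be pointed at an exported manifest; the triage function is deliberately keyed on the graph.windows.net service-discovery URL so that unrelated 403s from the Intune endpoints are not misreported as this permission gap.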

gustav-mattsson commented 2 years ago

Thank you very much @torontojc! Adding the permission made it work.

The full steps I performed to resolve this Permissions issue: