microsoftgraph / msgraph-sdk-powershell

Powershell SDK for Microsoft Graph
https://www.powershellgallery.com/packages/Microsoft.Graph

Intune Autopilot commands throwing an error #1257

Closed mabster closed 2 years ago

mabster commented 2 years ago

Hi gang,

I don't know if this is an "issue" in the module or if it's something I'm doing wrong.

I connect to Graph with the required scopes and then try to query deviceManagement/windowsAutopilotDeviceIdentities, like this:

PS>Connect-MgGraph -Scopes DeviceManagementManagedDevices.Read.All, DeviceManagementServiceConfig.ReadWrite.All
PS>Invoke-MgGraphRequest -Method GET -Uri "v1.0/deviceManagement/windowsAutopilotDeviceIdentities"

... and I get this error:

Invoke-MgGraphRequest : GET https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities
HTTP/1.1 401 Unauthorized
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: c64ee84a-7c55-46ab-9181-fb075f6457a1
client-request-id: c64ee84a-7c55-46ab-9181-fb075f6457a1
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Australia Southeast","Slice":"E","Ring":"4","ScaleUnit":"000","RoleInstance":"ML1PEPF00004AEB"}}
Date: Thu, 12 May 2022 22:47:22 GMT
Content-Encoding: gzip
Content-Type: application/json
{"error":{"code":"UnknownError","message":"{\"ErrorCode\":\"Forbidden\",\"Message\":\"{\\r\\n  \\\"_version\\\": 3,\\r\\n  \\\"Message\\\": \\\"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000
- Activity ID: c64ee84a-7c55-46ab-9181-fb075f6457a1 - Url: https://fef.msuc05.manage.microsoft.com/DeviceEnrollmentFE_2204/StatelessDeviceEnrollmentFEService/deviceManagement/windowsAutopilotDeviceIdentities?api-version=2021-01-22\\\",\\r\\n
 \\\"CustomApiErrorPhrase\\\": \\\"\\\",\\r\\n  \\\"RetryAfter\\\": null,\\r\\n  \\\"ErrorSourceService\\\": \\\"\\\",\\r\\n  \\\"HttpHeaders\\\": \\\"{\\\\\\\"WWW-Authenticate\\\\\\\":\\\\\\\"Bearer realm=\\\\\\\\\\\\\\\"urn:intune:service,f
2f6fa41-932f-4d25-9e56-14ec49d3405a,f0f3c450-59bf-4f0d-b1b2-0ef84ddfe3c7\\\\\\\\\\\\\\\"\\\\\\\"}\\\"\\r\\n}\",\"Target\":null,\"Details\":null,\"InnerError\":null,\"InstanceAnnotations\":[]}","innerError":{"date":"2022-05-12T22:47:22","reque
st-id":"c64ee84a-7c55-46ab-9181-fb075f6457a1","client-request-id":"c64ee84a-7c55-46ab-9181-fb075f6457a1"}}}
At line:1 char:1
+ Invoke-MgGraphRequest -Method GET -Uri "v1.0/deviceManagement/windows ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Method: GET, Re...coding: gzip
}:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
    + FullyQualifiedErrorId : InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest

It's returning a 401 unauthorized, but I have the scopes:

PS>Get-MgContext | fl Scopes

Scopes : {DeviceManagementManagedDevices.Read.All, DeviceManagementServiceConfig.ReadWrite.All, Directory.Read.All, Group.Read.All...}

If I PIM to Global Admin this works, but as a standard user I get the "forbidden" error.

What am I missing? Or is there a problem in the module?

peombwa commented 2 years ago

Thank you for taking the time to open this issue.

Please open a question/ticket with service at https://developer.microsoft.com/en-us/graph/support as this is a service issue (it works with a global admin and not a standard user). This repo is meant for issues related to the SDK.

ghost commented 2 years ago

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.

mabster commented 2 years ago

Looks like I had to be added to a specific Intune role for the commands to work. All good now. Will close this one.
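
An added triage example, not part of the thread and not SDK code: the error above is an HTTP 401 whose body carries JSON inside JSON, with the service's own `Forbidden` code two layers down. The function name `Expand-GraphNestedError`, the sample body, the realm placeholder and the hint wording are assumptions constructed for illustration; the hint reflects only how this thread was resolved.

```powershell
function Expand-GraphNestedError {
    param(
        [Parameter(Mandatory)][string] $Body,        # raw response body from Graph
        [Parameter(Mandatory)][int]    $HttpStatus,  # status line value, e.g. 401
        [string[]] $GrantedScopes  = @(),            # e.g. (Get-MgContext).Scopes
        [string[]] $RequiredScopes = @()
    )
    $codes = @(); $challenge = $null; $text = $Body
    # Each layer's "message" may itself be a JSON document; peel up to 5 layers.
    for ($i = 0; $i -lt 5 -and $text; $i++) {
        try { $obj = ConvertFrom-Json -InputObject $text -ErrorAction Stop } catch { break }
        if ($null -eq $obj) { break }
        if ($obj.error) { $obj = $obj.error }         # outer Graph envelope
        foreach ($c in @($obj.code, $obj.ErrorCode)) { if ($c) { $codes += [string]$c } }
        if ($obj.HttpHeaders) {                       # innermost layer: headers as a JSON string
            try { $challenge = (ConvertFrom-Json -InputObject $obj.HttpHeaders).'WWW-Authenticate' } catch { }
        }
        $text = [string]$obj.Message                  # property lookup is case-insensitive
    }
    $missing = @($RequiredScopes | Where-Object { $GrantedScopes -notcontains $_ })
    $hint = if ($missing.Count) {
        "Token lacks scopes: $($missing -join ', ')"
    } elseif ($codes -contains 'Forbidden') {
        'Scopes present but the service answered Forbidden: check the Intune role assignment of the signed-in user'
    } else {
        'No nested Forbidden code found; inspect the raw body'
    }
    [pscustomobject]@{
        HttpStatus = $HttpStatus; Codes = $codes; Challenge = $challenge
        MissingScopes = $missing; Hint = $hint
    }
}

# Constructed sample with the same nesting as the error in this thread (values are placeholders).
$headers = @{ 'WWW-Authenticate' = 'Bearer realm="urn:intune:service,PLACEHOLDER"' } | ConvertTo-Json -Compress
$inner   = @{ _version = 3; Message = 'An error has occurred'; HttpHeaders = $headers } | ConvertTo-Json -Compress
$middle  = @{ ErrorCode = 'Forbidden'; Message = $inner } | ConvertTo-Json -Compress
$body    = @{ error = @{ code = 'UnknownError'; message = $middle } } | ConvertTo-Json -Compress

$scopes = 'DeviceManagementManagedDevices.Read.All', 'DeviceManagementServiceConfig.ReadWrite.All'
Expand-GraphNestedError -Body $body -HttpStatus 401 -GrantedScopes $scopes -RequiredScopes $scopes | Format-List
```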