microsoftgraph / powershell-intune-samples

This repository of PowerShell sample scripts show how to access Intune service resources. They demonstrate this by making HTTPS RESTful API requests to the Microsoft Graph API from PowerShell.
MIT License

Enable MDM User scope- "All" #224

Open KarraRoja opened 2 years ago

KarraRoja commented 2 years ago

We are using the code below in order to enable the MDM user scope in Azure Active Directory. But the token which we are generating using a service account is not working. This service account has global administrator permission at tenant level.

CODE

```powershell
$passwd       = ConvertTo-SecureString 'XXXXX' -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential('XXXXXX', $passwd)

# Sign in with the service account and take the default (Azure Resource Manager) access token
$login = Connect-AzAccount -Credential $pscredential -TenantId 'XXXXXX'
$token = (Get-AzAccessToken).Token

$uri = "https://main.iam.ad.ext.azure.com/api/MdmApplications/7767dbe8-fcac-44bd-bafb-44f83dbfb1b0?mdmAppliesToChanged=true&mamAppliesToChanged=false"

$header = @{
    'Authorization'          = 'Bearer ' + $token
    'Content-Type'           = 'application/json'
    'X-Requested-With'       = 'XMLHttpRequest'
    'x-ms-client-request-id' = [guid]::NewGuid().ToString()   # header values must be strings
    'x-ms-correlation-id'    = [guid]::NewGuid().ToString()
}

$body = @{
    "appDisplayName"  = "Microsoft Intune"
    "appCategory"     = "Mdm"
    "logoUrl"         = $null
    "appData"         = @{
        "enrollmentUrl" = "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc"
        "complianceUrl" = "https://portal.manage.microsoft.com/?portalAction=Compliance"
        "termsOfUseUrl" = "https://portal.manage.microsoft.com/TermsofUse.aspx"
    }
    "originalAppData" = @{
        "enrollmentUrl" = "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc"
        "complianceUrl" = "https://portal.manage.microsoft.com/?portalAction=Compliance"
        "termsOfUseUrl" = "https://portal.manage.microsoft.com/TermsofUse.aspx"
    }
}

Invoke-WebRequest -Uri $uri -Headers $header -Method Put -ContentType 'application/json' -UseBasicParsing -Body $(ConvertTo-Json $body)
```

ERROR

```text
Invoke-WebRequest : {"ClassName":"Microsoft.Portal.Framework.Exceptions.ClientException","Message":"AADSTS500131: Assertion audience does not match the Client app presenting the assertion. The audience in the assertion was 'https://management.core.windows.net/' and the expected audience is 'https://main.iam.ad.ext.azure.com' or one of the Application Uris of this application with App ID '74658136-14ec-4630-ad9b-26e160ff0fc6'(ADIbizaUX). The downstream client must request a token for the expected audience (the application that made the OBO request) and this application should use that token as the assertion.\r\nTrace ID: df29ce77-ec8a-476b-b94d-1f85c50fc500\r\nCorrelation ID: 8a49a156-28b5-43cf-ba89-3ca30df3f9da\r\nTimestamp: 2022-09-20 11:17:42Z","Data":{},"HResult":-2146233088,"XMsServerRequestId":null,"Source":null,"HttpStatusCode":400,"ClientData":{ "errorCode":"msalautherror_invalid_grant","localizedErrorDetails":{"errorDetail":"AADSTS500131: Assertion audience does not match the Client app presenting the assertion. The audience in the assertion was 'https://management.core.windows.net/' and the expected audience is 'https://main.iam.ad.ext.azure.com' or one of the Application Uris of this application with App ID '74658136-14ec-4630-ad9b-26e160ff0fc6'(ADIbizaUX). The downstream client must request a token for the expected audience (the application that made the OBO request) and this application should use that token as the assertion.\r\nTrace ID: df29ce77-ec8a-476b-b94d-1f85c50fc500\r\nCorrelation ID: 8a49a156-28b5-43cf-ba89-3ca30df3f9da\r\nTimestamp: 2022-09-20 11:17:42Z"},"operationResults":[{"objectId":null,"displayName":null,"status":0,"details":"AADSTS500131: Assertion audience does not match the Client app presenting the assertion. The audience in the assertion was 'https://management.core.windows.net/' and the expected audience is 'https://main.iam.ad.ext.azure.com' or one of the Application Uris of this application with App ID '74658136-14ec-4630-ad9b-26e160ff0fc6'(ADIbizaUX). The downstream client must request a token for the expected audience (the application that made the OBO request) and this application should use that token as the assertion.\r\nTrace ID: df29ce77-ec8a-476b-b94d-1f85c50fc500\r\nCorrelation ID: 8a49a156-28b5-43cf-ba89-3ca30df3f9da\r\nTimestamp: 2022-09-20 11:17:42Z"}],"timeStampUtc":"2022-09-20T11:17:42.5366907Z","clientRequestId":"6ebeb5cc-5853-433d-ac2f-33a70012065d","internalTransactionId":"9d50ee49-0929-4064-bfb2-4ca10029d118","tenantId":null,"userObjectId":"452aa556-ea30-4d97-8200-aa354d7b89af","exceptionType":"MsalUiRequiredException"}}
At line:16 char:1
```

Please let us know if there are any other options in order to enable MDM in AAD.
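Editor's note, added to this thread and not part of the original issue or of the microsoftgraph/powershell-intune-samples repository: the AADSTS500131 text above is the service comparing the `aud` claim inside the presented JWT against the audience it expects. That claim is a property of the token, not of the account, so the service account's role does not change the outcome. The helper below decodes the token's payload locally (no network call) and reports whether its audience matches the one named in the error before any request is sent. The function names are my own, and the token variable is assumed to hold the plain string form of the token as in the post.

```powershell
function Get-JwtPayload {
    # Decode the middle (payload) segment of a JWT. This reads claims only; it does
    # not validate the signature, so use it for diagnostics, not for trust decisions.
    param([Parameter(Mandatory)][string]$Token)

    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }

    # base64url -> base64: swap the URL-safe alphabet back and restore padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw 'Malformed base64url payload' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Test-TokenAudience {
    # Compare the token's 'aud' claim with the audience(s) a target API expects.
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string[]]$ExpectedAudience
    )

    $payload = Get-JwtPayload -Token $Token

    # 'aud' may be a string or an array; normalise trailing slashes on both sides,
    # since 'https://management.core.windows.net/' and '...net' are the same resource.
    $aud      = @($payload.aud)       | ForEach-Object { $_.TrimEnd('/') }
    $expected = @($ExpectedAudience)  | ForEach-Object { $_.TrimEnd('/') }
    $matches  = @($aud | Where-Object { $expected -contains $_ }).Count -gt 0

    [pscustomobject]@{
        Audience   = $aud -join ', '
        Expected   = $expected -join ', '
        ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$payload.exp).UtcDateTime
        Matches    = $matches
    }
}

# Usage with the token from the post: the expected audience is the one the error message names.
# $token = (Get-AzAccessToken).Token
# Test-TokenAudience -Token $token -ExpectedAudience 'https://main.iam.ad.ext.azure.com'
```

When `Matches` is `$false`, sending the request will produce the same AADSTS500131 response regardless of the account's permissions; the check turns a 400 from a remote service into a local, explainable result and avoids putting a mis-scoped bearer token on the wire. `Get-AzAccessToken` does accept a `-ResourceUrl` parameter for requesting a token scoped to a different resource, but whether the portal endpoint used in the post issues tokens to this client is not something this thread establishes, so that is left as a question for the maintainers rather than assumed here.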

bgbeaton72 commented 1 year ago

It says that you are using two factor authentication on the service account. You need to allow conditional access on your service account. See here: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa

Your error: `"exceptionType":"MsalUiRequiredException"`

Definition (from the MsalUiRequiredException Class Reference; Namespace: Microsoft.Identity.Client; Assembly: Microsoft.Identity.Client.dll; Package: Microsoft.Identity.Client v4.49.1):

> This exception class is to inform developers that UI interaction is required for authentication to succeed. It's thrown when calling AcquireTokenSilent(IEnumerable, IAccount) or one of its overrides, and when the token does not exist in the cache, or the user needs to provide more consent, or perform multi-factor authentication based on Azure AD policies, etc. For more details, see https://aka.ms/msal-net-exceptions