Forum Discussion
Managing Intune Device Categories via Graph
Hello ShoneBGD
Welcome to the Microsoft community, my name is Recep. I'll be happy to help you today.
Please follow the steps below to resolve your issue.
- Azure AD App Registration:
  - Register an application in the Azure portal to obtain the necessary credentials (Application ID, Directory (Tenant) ID, and Client Secret).
  - Grant the required API permissions (Application permissions: DeviceManagementConfiguration.ReadWrite.All).
- Access Token:
  - Acquire an access token by authenticating your app using the registered application credentials.
PowerShell Script:
# Install the required module
Install-Module -Name Microsoft.Graph.Intune -Force -AllowClobber
# Authenticate to Microsoft Graph
$clientID = "YourApplicationID"
$tenantID = "YourTenantID"
$clientSecret = "YourClientSecret"
$tokenEndpoint = "https://login.microsoftonline.com/$tenantID/oauth2/token"
$body = @{
    'grant_type' = 'client_credentials'
    'client_id' = $clientID
    'client_secret' = $clientSecret
    'resource' = 'https://graph.microsoft.com'
}
$tokenResponse = Invoke-RestMethod -Uri $tokenEndpoint -Method POST -Body $body
# Set Intune Device Category for devices in a dynamic group
$dynamicGroupID = "YourDynamicGroupID"
$deviceCategoryID = "YourDeviceCategoryID"
$accessToken = $tokenResponse.access_token
$headers = @{
    'Authorization' = "Bearer $accessToken"
    'Content-Type' = 'application/json'
}
# Get devices in the dynamic group
$devicesEndpoint = "https://graph.microsoft.com/v1.0/deviceManagement/dynamicDeviceGroups/$dynamicGroupID/devices"
$devices = Invoke-RestMethod -Uri $devicesEndpoint -Headers $headers -Method GET
# Set device category for each device
foreach ($device in $devices.value) {
    $deviceID = $device.id
    $deviceCategoryPayload = @{ assignedDeviceCategories = @( @{ id = $deviceCategoryID } ) } | ConvertTo-Json
    $deviceCategoryEndpoint = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$deviceID"
    Invoke-RestMethod -Uri $deviceCategoryEndpoint -Headers $headers -Method PATCH -Body $deviceCategoryPayload
}
Write-Host "Device categories set for devices in the dynamic group."
Make sure to replace placeholders like YourApplicationID, YourTenantID, YourClientSecret, YourDynamicGroupID, and YourDeviceCategoryID with your actual values.
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Like.
Appreciate your Kudos! Proud to contribute! 🙂
Hello Deleted,
Many thanks for the response. I managed to set up the first step, registering the app and setting the required permissions, but I have a question regarding the access token: when I generate it, where do I put it in the script?
Actually, I think I see where the access token should be added; however, I still get an error after running the script:
Line |
55 | $devices = Invoke-RestMethod -Uri $devicesEndpoint -Headers $headers …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| {"error":{"code":"InvalidAuthenticationToken","message":"CompactToken parsing failed with error code:
| 80049217","innerError":{"date":"2023-12-14T09:04:48","request-id":"96649000-f2cf-414c-9cb0-cc24a0f2dadc","client-request-id":"96649000-f2cf-414c-9cb0-cc24a0f2dadc"}}}
Thank you,
Regards,
Shone
- Deleted, Dec 15, 2023
Hello ShoneBGD
Welcome to the Microsoft community, my name is Recep. I'll be happy to help you today.
Here are a few things to check:
- Access Token Availability:
  - Print the access token before making the request to see if it is obtained successfully. Add the following line after acquiring the access token:
    Write-Host "Access Token: $accessToken"
- Headers Configuration:
  - Confirm that the headers are configured correctly. You can add more debugging output to print the headers before making the request:
    Write-Host "Request Headers: $($headers | Out-String)"
- Verify Token Format:
  - Ensure that the access token is in the correct format (JWT) and has the necessary claims. You can use an online JWT decoder to check the contents of the token.
If the access token appears to be correct, and the headers are properly configured, the issue might be related to how the token is being used in the request. Make sure the token is included in the "Authorization" header with the "Bearer" scheme, as shown in your script.
Additionally, double-check that the dynamic group ID and other IDs used in the script are valid and exist in your Intune environment.
If the issue persists, please share the relevant parts of your script (specifically, where you acquire the access token and the headers configuration) so that I can provide more targeted assistance.
If I have answered your question, please mark your post as Solved
If you like my response, please give it a Like

Appreciate your Kudos! Proud to contribute! 🙂
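The token-format check described in the reply above can also be done locally, so the bearer token is never printed or pasted into a website. This is an added example, not part of the original posts: the function names `ConvertFrom-Base64Url` and `Test-GraphAccessToken` are hypothetical, the sample token is constructed and unsigned, and the check only reads claims (it does not verify the signature).

```powershell
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # base64url -> base64: swap the URL-safe characters and restore padding
    $b64 = $Value.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw 'Invalid base64url length.' }
    }
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64))
}

function Test-GraphAccessToken {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$AccessToken,
        # Assumption: the application permission named in the first reply
        [string]$ExpectedRole = 'DeviceManagementConfiguration.ReadWrite.All'
    )
    $parts = $AccessToken.Trim().Split('.')
    if ($parts.Count -ne 3) {
        # Empty variable or a non-JWT string: report it without echoing the value
        return [pscustomobject]@{ IsJwt = $false; Segments = $parts.Count }
    }
    # The second segment is the claims payload; the signature is not checked here
    $claims  = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    [pscustomobject]@{
        IsJwt      = $true
        Audience   = $claims.aud
        Roles      = @($claims.roles)
        HasRole    = @($claims.roles) -contains $ExpectedRole
        ExpiresUtc = $expires.UtcDateTime
        Expired    = $expires -lt [DateTimeOffset]::UtcNow
    }
}

# Constructed sample token (unsigned, not a real credential) so the block runs offline
$encode = {
    param($Object)
    $json = $Object | ConvertTo-Json -Compress
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = @{ aud = 'https://graph.microsoft.com'; exp = 4102444800
              roles = @('DeviceManagementConfiguration.ReadWrite.All') }
$sample = (& $encode @{ alg = 'none' }) + '.' + (& $encode $payload) + '.sig'

Test-GraphAccessToken -AccessToken $sample   # in the script: -AccessToken $accessToken
Test-GraphAccessToken -AccessToken ''        # IsJwt = False, Segments = 1
```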
- ShoneBGD, Dec 20, 2023, Copper Contributor
Hello Recep,
The problem seems to be with the script in this part:
# Get devices in the dynamic group
$devicesEndpoint = "https://graph.microsoft.com/v1.0/deviceManagement/dynamicDeviceGroups/$dynamicGroupID/devices"
$devices = Invoke-RestMethod -Uri $devicesEndpoint -Headers $headers -Method GET
It does not find devices under there; I can find all devices that need to be updated with the correct deviceCategory under members in Microsoft Graph, for example.
If I compare the script with one created by ChatGPT, it tries to locate them under members. Here is an example:
# Get members of the dynamic group
$group = Get-IntuneGroup -GroupId $groupId -AccessToken $accessToken
$members = Get-IntuneGroupMember -GroupId $group.Id -AccessToken $accessToken
I tried to verify the access token on an online JWT site and the token seems correct; not sure if something more needs to be checked?
Thanks again for the assistance,
Regards,
Nenad