BH_PTR
May 16, 2023

Windows 365 Administrator built-in role getting 401 unauthorized when enrolling devices

I'm trying to enroll new devices using the get-windowsautopilotinfo script. For this task, I'm trying to use a user assigned with the built-in role "Windows 365 Administrator", which is a new role.

https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#windows-365-administrator


Based on the above article, the role has the "microsoft.directory/devices/create" action, with description "Create devices (enroll in Azure AD)". It even says the role can "Enroll and manage devices in Azure AD, including assigning users and policies".


But when I execute get-windowsautopilotinfo -online in Windows 10 OOBE PowerShell and log in with the Windows 365 Admin user, I encounter the following error:
add-autopilotimportedevice: system.net.http.httprequestexception: 401 unauthorized

Anyone else encounter the same problem? Should I just wait a few months for Microsoft to fix the role? 🙂

I've tried waiting 24 hours after assigning the role, same error. It's unlikely to be a delay-related issue; a few seconds after assigning the Intune Admin role, the script executes flawlessly.
I've also tried 2 users, 2 separate devices, same error.

1 Reply

  • BH_PTR
    Managed to get an official answer from Intune support.

    get-windowsautopilotonline calls on other Intune workflows in the backend, which are not broken down into specific role actions. Only Intune admin and global admin can access said workflows.

    "microsoft.directory/devices/create - Create devices (enroll in Azure AD)" is not the same as enrolling devices in Autopilot.
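
A preflight check for the situation described in this thread, as an added example that is not part of the original posts or of the get-windowsautopilotinfo script: it lists the signed-in account's active directory roles and warns before the import step if neither of the two roles named in the support answer is present. It assumes the Microsoft.Graph.Authentication module is installed and that the `User.Read` scope is sufficient to read the caller's own role memberships; the function names are hypothetical.

```powershell
# Added example, not from the thread. Assumes Microsoft.Graph.Authentication is
# installed and that User.Read is enough to read the caller's own directory roles.

# The two roles the support answer says can reach the Autopilot import workflow.
$AllowedRoles = @('Global Administrator', 'Intune Administrator')

function Get-SignedInDirectoryRoleName {
    # Active directory roles of the signed-in user, including roles held via groups.
    $names = @()
    $uri = 'https://graph.microsoft.com/v1.0/me/transitiveMemberOf/microsoft.graph.directoryRole?$select=displayName'
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $names += @($page.value | ForEach-Object { $_.displayName })
        $uri = $page.'@odata.nextLink'   # follow paging until exhausted
    }
    return $names
}

function Test-AutopilotImportRole {
    # True if any held role is in the allowed list.
    param([string[]]$RoleName, [string[]]$Allowed)
    foreach ($r in $RoleName) { if ($Allowed -contains $r) { return $true } }
    return $false
}

Connect-MgGraph -Scopes 'User.Read' | Out-Null
$roles = Get-SignedInDirectoryRoleName
if (Test-AutopilotImportRole -RoleName $roles -Allowed $AllowedRoles) {
    Write-Host "OK: account holds $($roles -join ', ')"
} else {
    Write-Warning "No Intune/Global Administrator role found (roles: $($roles -join ', ')). Expect 401 on Autopilot import."
}
```

Roles that are only eligible (not activated) do not appear in this list, which matches how they behave at import time.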
