Powershell Microsoft Graph SDK issues, insufficient permissions

Occasional Contributor

I'm new to Microsoft Graph.  I seem to be having basic authentication issues that I do not know how to work past.


I'm trying to get information out of Azure AD and/or Intune to gather information regarding devices, specifically bitlocker recovery keys.


Before getting that far, I'm just doing basic Get-mgdevice but I get insufficient privileges.  I'm just using the Connect-MgGraph cmdlet with no parameters.  Doing this I get connected but I guess my default permissions are too limited in this method.  I am a Cloud Device Administrator though for testing purposes but at some point need to narrow down these permissions.


At any rate if I try to connect with Connect-MgGraph -Scopes "Device.Read.All" I'm lead to a page that says admin consent is required.  Apparently I'm not the correct sort of admin so I cannot consent.  With that said I'm trying to right a script for many users to run so I don't want them to all have ability to consent anything.  I just want the script to run.


So I don't know what I'm doing and am at a roadblock.  All the documentation I find makes little sense to me so apparently.


Note:  I have another script that uses Connect-MSGraph cmdlet (like many sample scripts I find) but I cannot find the difference between MSGraph and MgGraph.   Also it is my understanding this information can be found both in AzureAD as well as Intune with Intune possibly having different cmdlets?  So confusing.


Any guidance is appreciated.  TIA.

2 Replies
best response confirmed by MatthewMcDonald_ews (Occasional Contributor)
Your administrator(s) have locked down the permissions in the tenant. Could have also perfoemd application restrictions specifically for the Microsoft Graph. Hence, you are being challenged for Admin consent. The administrator(s) need to allow your UPN the API permission.
It can get down in the weeds, but if someone configured the restrictions, they should know how to allow access.
Thanks. I've since worked this out and we ended up building an Azure app that has the requisite permissions to run.