Forum Discussion
Intune Graph API permissions - no Application permissions - why?
- Jun 10, 2020: Application support for all Intune endpoints has been added, but it's still in the beta Graph though
https://docs.microsoft.com/en-us/graph/api/resources/intune-device-mgt-conceptual?view=graph-rest-beta
Thijs Lecomte Thanks very much for this.
https://github.com/JeremyTBradshaw/PowerShell/blob/master/.Modules/msGraphFunctions.psm1 - that is my module. It is currently set up to accommodate certificate authentication in the client credential flow. The functions are:
Get-MSGraphAccessToken
New-SelfSignedAzureADRegisteredAppCertificate
New-MSGraphQuery
For my example which was failing, I was getting an access token successfully, and then with New-MSGraphQuery could successfully list devices using v1.0 or beta:
# list devices via v1.0:
>$q1 = New-MSGraphQuery -AccessToken $Token -API v1.0 -Method GET -Query deviceManagement/managedDevices
>$q1.value | select deviceName, model
deviceName model
---------- -----
HTPC-G1 Z390 I AORUS PRO WIFI
j_AndroidForWork_6/9/2020_10:12 PM ONEPLUS A5010
# list devices via beta:
>$q2 = New-MSGraphQuery -AccessToken $Token -API beta -Method GET -Query deviceManagement/managedDevices
>$Q2.value | select deviceName, model
deviceName model
---------- -----
HTPC-G1 Z390 I AORUS PRO WIFI
j_AndroidForWork_6/9/2020_10:12 PM ONEPLUS A5010
# fail to remoteLock via Beta:
>New-MSGraphQuery -AccessToken $Token -API beta -Method POST -Query deviceManagement/managedDevices/9e250f72-a995-401d-8e32-7edf7fdb2eba/remoteLock
Invoke-RestMethod : {
"error": {
"code": "No method match route template",
"message": "No OData route exists that match template ~/singleton/navigation/key/action with http verb GET for request
/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices('9e250f72-a995-401d-8e32-7edf7fdb2eba')/microsoft.management.services.api.remoteLock.",
"innerError": {
"request-id": "01f99d16-88e2-4b2c-b053-0fbfaec43947",
"date": "2020-06-11T12:39:08"
}
}
}
At C:\Users\<myProfile>\GitHub\PowerShell\.Modules\msGraphFunctions.psm1:125 char:5
+ Invoke-RestMethod @QueryProps -OutVariable QueryResponse
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
Upon crafting this reply, I noticed in the error "No OData route exists ....... with http verb GET for request". This made me realize my problem. I had hard-coded "Get" as the method in my New-MSGraphQuery function, where I should have set it to my parameter -Method's value ($Method).
Original, non-working code:
$QueryProps = @{
    Headers     = @{ Authorization = "Bearer $($AccessToken.access_token)" }
    Uri         = "https://graph.microsoft.com/$($API)/$($Query)"
    Method      = 'Get'
    ContentType = 'application/json'
}
Fixed, working code:
$QueryProps = @{
    Headers     = @{ Authorization = "Bearer $($AccessToken.access_token)" }
    Uri         = "https://graph.microsoft.com/$($API)/$($Query)"
    Method      = $Method
    ContentType = 'application/json'
}
Again, thanks very much! I still needed this post and your response to get me looking at the Beta reference instead of v1.0. It was only after that, that I could flush out this error in my script. The -Method parameter was added to the function after a while, and I must have gotten distracted in the process and forgot to actually incorporate the parameter into the script after declaring it in my params block. All good now though!
Have fun automating Intune 🙂
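
The bug found in this thread (a declared -Method parameter that never reached Invoke-RestMethod) can be caught offline by building the request separately from sending it and asserting that the verb survives. This is an added example, not code from msGraphFunctions.psm1; the function names New-GraphRequestSplat and Send-GraphRequest, the token string and the device id are hypothetical placeholders.

```powershell
# Added example: build the request hashtable in one function, send it in another,
# so the builder can be checked without a token or network access.
function New-GraphRequestSplat {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [ValidateSet('v1.0', 'beta')] [string] $API = 'v1.0',
        [ValidateSet('GET', 'POST', 'PATCH', 'PUT', 'DELETE')] [string] $Method = 'GET',
        [Parameter(Mandatory)] [string] $Query,
        [hashtable] $Body
    )
    $splat = @{
        Headers     = @{ Authorization = "Bearer $AccessToken" }
        Uri         = "https://graph.microsoft.com/$API/$($Query.TrimStart('/'))"
        Method      = $Method   # taken from the parameter, never a literal
        ContentType = 'application/json'
    }
    # Only write verbs carry a JSON body.
    if ($Body -and $Method -in 'POST', 'PATCH', 'PUT') {
        $splat.Body = $Body | ConvertTo-Json -Depth 10
    }
    $splat
}

function Send-GraphRequest {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [hashtable] $Splat)
    Invoke-RestMethod @Splat
}

# Offline check with constructed values: every verb passed in must come back out.
$deviceId = '00000000-0000-0000-0000-000000000000'   # constructed placeholder
foreach ($verb in 'GET', 'POST', 'PATCH', 'DELETE') {
    $s = New-GraphRequestSplat -AccessToken 'PLACEHOLDER' -API beta -Method $verb `
        -Query "deviceManagement/managedDevices/$deviceId/remoteLock"
    if ($s.Method -ne $verb) {
        throw "Builder ignored -Method $verb (got $($s.Method))"
    }
}
'All verbs passed through to the request.'
```

With the hard-coded `Method = 'Get'` from the original function, the loop throws on the first non-GET verb instead of failing later with the OData route error.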