Error when importing 'Enrollment Restrictions objects' in a Silent Batch Job using an Azure Service principal with secret. #259

Open
dominiquestabile opened this issue Aug 22, 2024 · 2 comments

Comments

@dominiquestabile

Hello Micke,

Thanks again for your wonderful tool :)

I'm getting the following error when I run an import with 'Enrollment Restrictions objects' in any import mode (skipIfExist, alwaysImport, update or replace) with a service principal and secret.

Import Enrollment Restrictions objects
Get Enrollment Restrictions objects
Import Enrollment Restrictions object Deny Windows personally owned devices (Pilot only)
##[error]Failed to invoke MS Graph with URL https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations (Request ID: 237bde61-2373-4777-8d13-13c6a324b834). Status code: Forbidden. Response message: . Response message: Tenant is not Global Admin or Intune Service Admin. Operation is restricted. - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 0d267d53-3b29-44e8-930b-2c0193bc2cba - Url: https://fef.msub06.manage.microsoft.com/StatelessOnboardingService/deviceManagement/deviceEnrollmentConfigurations?api-version=5023-03-29 Exception: The remote server returned an error: (403) Forbidden.

If I login interactively through the GUI, it works perfectly.
I compared the API permissions and I have only three differences 'openid, profile, email ' which are only available as delegated permissions and not as application permissions.
Besides the API permissions, I also compared the permissions between my global admin user and the service principal; they have the same roles: global reader, global administrator, security administrator, exchange administrator and intune administrator.
Any ideas or suggestions?
Thanks a lot for your help.

BR

Dominique

@Micke-K
Owner

Micke-K commented Aug 22, 2024

Hello,

I can't find any restriction on the API. The application permissions should be supported.

Anything else in the logs? Can you see that you have DeviceManagementServiceConfig.ReadWrite.All in the list of permissions?

Cheers!

@dominiquestabile
Author

Hello Micke,
Thanks for your reply.
Nothing else in the logs. And yes the permission is there:

(screenshot of the API permissions list in the Azure portal)

Thanks for your help.
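
A diagnostic that follows from the exchange above, added here as an example and not part of the issue or of Micke-K's tool: instead of comparing what the portal lists, inspect the access token the service principal actually presents to Graph. Entra ID places application permissions (client-credentials flow, i.e. service principal with secret) in the `roles` claim and delegated permissions (a signed-in user) in the space-separated `scp` claim, and a permission only appears in the token once admin consent has been granted. The tokens below are constructed, unsigned samples with placeholder identifiers; `DeviceManagementServiceConfig.ReadWrite.All` is the permission named in the thread, the other permission names and the helper functions are this example's own.

```python
import base64
import json

# Application permission Micke-K asked about in the thread
REQUIRED_APP_PERMISSION = "DeviceManagementServiceConfig.ReadWrite.All"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT.

    The signature is NOT verified: this is a local look at a token you
    already hold, not an authentication step.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, required: str = REQUIRED_APP_PERMISSION) -> dict:
    """Summarise which kind of Graph permissions a token carries and whether
    the required one is among them.

    'roles' (array) holds application permissions granted to the app itself;
    'scp' (space-separated string) holds delegated permissions of a user.
    A permission listed in the portal but missing here was never consented.
    """
    claims = decode_jwt_payload(token)
    app_perms = list(claims.get("roles", []))
    scp = claims.get("scp", "")
    delegated_perms = scp.split() if scp else []
    if app_perms and not delegated_perms:
        flow = "application"
    elif delegated_perms:
        flow = "delegated"
    else:
        flow = "unknown"
    return {
        "flow": flow,
        "audience": claims.get("aud"),
        "has_required": required in app_perms or required in delegated_perms,
        "application_permissions": app_perms,
        "delegated_permissions": delegated_perms,
    }


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for offline testing only."""
    header = {"typ": "JWT", "alg": "none"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.unsigned-sample"


# Constructed samples: placeholder app id and user, not a real tenant.
GRAPH_AUDIENCE = "https://graph.microsoft.com"
SP_TOKEN_OK = make_sample_token({
    "aud": GRAPH_AUDIENCE,
    "appid": "00000000-0000-0000-0000-000000000001",  # placeholder
    "roles": ["DeviceManagementServiceConfig.ReadWrite.All",
              "DeviceManagementConfiguration.ReadWrite.All"],
})
SP_TOKEN_MISSING = make_sample_token({
    "aud": GRAPH_AUDIENCE,
    "appid": "00000000-0000-0000-0000-000000000001",  # placeholder
    "roles": ["DeviceManagementConfiguration.ReadWrite.All"],
})
USER_TOKEN = make_sample_token({
    "aud": GRAPH_AUDIENCE,
    "upn": "admin@example.test",  # placeholder
    "scp": "openid profile email DeviceManagementServiceConfig.ReadWrite.All",
})

if __name__ == "__main__":
    for name, tok in [("service principal, consented", SP_TOKEN_OK),
                      ("service principal, permission missing", SP_TOKEN_MISSING),
                      ("interactive user", USER_TOKEN)]:
        print(f"{name}: {classify_token(tok)}")
```

For a real check, pass the access token the tool acquired for the service principal to `classify_token` on the same machine; an access token is a credential, so decode it locally rather than in an online decoder. If `has_required` is true for the service principal token and the 403 persists, the permission grant itself is not the cause and the investigation moves elsewhere.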
