I am unable to use Graph API Beta version API's even though I am an Intune Administrator with licensed MS account. Kindly assist.
What is the exact permission set/access required for me that I can access Beta API's and even execute privileged actions like delete/wipe devices on Intune.
You can see the operations for Intune devices here.
And for wipe action, you need DeviceManagementManagedDevices.PriviligedOperation.All, DeviceManagementManagedDevices.ReadWrite.All Delegated permissions or Application permissions. See details here.
Related
Context
This question has been asked many times already, but I think this is a special case of Microsoft disabling APIs on newly created app registrations.
I use the (soon to be deprecated) AzureAD module and the included Get-AzureADUser in a context, where I cannot easily switch to the AZ.Connect- Module.
How I got there
Last month I registered an app in my development tenant and gave it the permissions
Microsoft Graph
User.Read.All
User.ReadWrite.All
Everything works: Get-AzureADUser can be called by the powershell script using that app.
Today I registered another app in the same tenant. I used the exact same settings and the exact same permissions. But whenever trying this app registration in the powershell script I get the message:
Error occurred while executing GetUsers
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
As soon as I switch back to the "older" app registration it works.
Connect-AZAccount and Get-AzADUser work with both apps, so the issue is not the privileges I think.
Question
Is there any way to make the "new" registration work until I am able to update the code to use the newer modules?
Bonus questions (optional):
Can someone confirm that it is not possible with a newly registered app to use the AzureAD module anymore?
Is this documented anywhere?
I found out the solution together with a colleague of mine: By applying the legacy "Azure Active Directory Graph" permissions you are able to still use the "old" commands even with new apps.
These permissions are "greyed out" in the Dialog under "Microsoft API" with the comment:
Azure Active Directory Graph will be deprecated in June 2022. We recommend using Microsoft Graph APIs for your application. If you are currently using Azure Active Directory Graph, please migrate to Microsoft Graph
But they can still be selected using the "APIs my organization uses" tab by typing "Windows Azure Active Directory" or the Application (Client) ID "00000002-0000-0000-c000-000000000000".
For using Get-AzureADUser you need the "Directory.Read.All" role, to use "Set-AzureADUser" you need the "Directory.ReadWrite.All" role assigned as type "application".
This is how it looks after assignment:
I am new to the Microsoft Graph PowerShell SDK.
The commands below all launch a browser tab where I am prompted to login.
I login with my Microsoft account which has these roles:
SharePoint Administrator
Global Reader
Power Platform Administrator
The account is also specified as an Admin of the global term store taxonomy.
In order to list all sites in a tenant (List sites), I try to connect with:
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All"
In order to export term store taxonomy (Get store), I try to connect with:
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All", "TermStore.Read.All", "TermStore.ReadWrite.All"
In both these instance, after logging in with my admin account, I am getting the error shown below in the browser:
Need admin approval
unverified
needs permission to access resources in your organization that only an admin can grant.
Please ask an admin to grant permission to this app before you can use it
I do not get this error when connecting with the following:
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All"
Troubleshooting
Perhaps the research below can shed some light on an answer as to why this is happening and how to resolve it?
If I look at the docs for the Graph API endpoints I am wanting to query, I can see the Permissions are as follows:
List sites
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
Not supported.
Delegated (personal Microsoft account)
Not supported.
Application
Sites.Read.All, Sites.ReadWrite.All
Get store
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
TermStore.Read.All, TermStore.ReadWrite.All
Delegated (personal Microsoft account)
Not supported.
Application
Not supported.
How do these permissions relate to using the Graph PowerShell SDK?
Per the quote below from the official docs, I believe using the SDK as I have above is considered delegated access?
The PowerShell SDK supports two types of authentication: delegated
access, and app-only access. In this guide, you'll use delegated
access to sign in as a user, grant consent to the SDK to act on your
behalf, and call the Microsoft Graph.
So I guess my scenario is Delegated (work or school account)?
Questions
01) If so, does that mean I cannot make any request where the API docs define the Permissions as:
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
Not supported.
02) If that is the case, does that mean that the Microsoft Graph PowerShell SDK is not a good tool for administering SharePoint Online (because, according to the API reference docs, many of the endpoints are 'not supported' by a Delegated (work or school account))?
Thanks for reaching out to us , this looks like you are not using your admin account, please cross check the account you are logging in PowerShell. please follow below steps .
Try to disconnect your previous account from PowerShell (use command Disconnect-MgGraph)
Then try connect with your account ,use Connect-MgGraph
You will get a pop up , select the account in which you are the admin.
Then run the command and try again
Edited :
Agree with scottwtang comments ,If you are using the correct account make sure admin consent requests are Enabled in your tenant , you can check by following the below steps and ask your Global Administrator to grant admin consent
To check the admin consent workflow and choose reviewers:
Sign in to the Azure portal with one of the roles listed in the
prerequisites.
Search for and select Azure Active Directory.
Select Enterprise applications.
Under Manage, select User settings. Under Admin consent requests,
select Yes for Users can request admin consent to apps they are
unable to consent to . Configure admin consent workflow settings
ref doc - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow
Hope this help ,
Thanks
So I can successfully run commands to manage our Microsoft 365/AzureAd/Exchange Online - this involves assigning and removing license, converting user to a shared mailbox, delegating access to a mailbox, etc. I followed the guide here for authentication. But that's me actually logging in with my credentials + MFA (Multi-factor authentication) for authentication.
I want to have a script that does these type of actions triggered by a schedule. I believe I can include the credentials but how to do MFA? Tried to follow this but getting error clientid is not a guid I have registered an app in https://portal.azure.com/ and able to do Graph API calls using that. No luck in PowerShell authentication though. Any thoughts? Thanks!
Maybe try this? It should allow you to connect to all Microsoft online services and includes support for MFA. If it does not work, the website has many other scripts you can try
This is not possible. A potential solution is to set some rules where in specific case, MFA will not be required.
I'm wondering what is the correct way to grant service accounts access to AzureDevOps. Ex: access to source code, API's, etc.
Since "Basic Authentication" was deactivated, I've been using personal access tokens but it seems awkward to login using a service account, generating the PAT, and so on. Also, since they are limited in time, we have to ensure renewal schedules/reminders for each connexions.
I am on the wrong track? Is there a more "natural" way to do it? Is SSH more adapted for this?
I've found this guide which helps but I can't find how (for example) granting a third-party application access to a project's repository.
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/authentication-guidance?view=azure-devops
PS: Service Connections and Service Hooks are not what I'm looking for.
What you are looking for probably is OAuth 2.0 Client Credentials Flow for Azure DevOps. Unfortunately Client Credentials Flow is not yet supported on Azure DevOps. See this thread Client Credentials Flow for Azure DevOps.
But, You can check out OAuth 2.0 auth code flow,which is now supported on Azure Devops. Please check out this detailed tutorial Authorize access to REST APIs with OAuth 2.0. This is an example to implement OAuth 2.0 auth code flow.
There are also Codes samples provided in above web link you mentioned in the question. You can checkout these samples to learn their authentication mechanism, and choose one that suits you most.
I am trying to make request to the Graph API using a service with no UI. I downloaded the following sample code and followed the instructions: https://blog.kloud.com.au/2015/12/14/implementing-application-with-o365-graph-api-in-app-only-mode/
I successfully get an Access Token, but when using it to make a request to get organization information (required Read Directory Data access), I get 403 Unauthorized.
I have registered my app in Azure AD (where I am a co-administrator).
I have specified Microsoft Graph in the 'permissions to other applications' section, and given Read Directory Data access.
Interestingly there is a note below saying 'You are authorized to select only delegated permissions which have personal scope'. Even though I clearly did. Why? I suspect this is the source of my problem.
Likewise I have checked my demo app against these instructions: https://graph.microsoft.io/en-us/docs/authorization/app_only, but it makes no mention of what role in Azure you need to have.
in this SO post's answer, there is mention of still needing to Consent. I haven't found any documentation about this.
You are authorized to select only delegated permissions which have personal scope
This issue is caused that the app is created by none admin and when they visit the portal then will see this message.
To grant the app-only permission to the application, we need to be the administrator of the tenant. It is different with the co-administrator. To user the Client Credential flow, I suggest that you contact the admin of the tenant to create an application for you. And if you were just for testing purpose, you can create a free tenant and register the application yourself.
Update
We need the assign the Global administrator director role as figure below to make the application works for the client credential flow: