
So for the last few days I've been working on getting REST working with our Azure to perform a couple thousand small changes. I think I have the REST command to do it, but I am still struggling with getting myself authenticated correctly. So yesterday I found this code on Stack Overflow (in question 49211916):

## get token
$TENANTID=""
$APPID=""
$PASSWORD=""
# quote the URI so $TENANTID is expanded reliably; the body is sent as a form POST
$result=Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TENANTID/oauth2/token?api-version=1.0" -Method Post -Body @{"grant_type" = "client_credentials"; "resource" = "https://management.core.windows.net/"; "client_id" = "$APPID"; "client_secret" = "$PASSWORD" }
$token=$result.access_token

$Headers=@{
    'authorization'="Bearer $token"
    'host'="management.azure.com"
    'content-type'='application/json'   # header name was misspelled as 'contentype'
}

Looks good to me. I have already created an app in AAD, so I copy and paste the first 3 values for it.

Then I get to my actual task - changing the device category in Intune. So I run the code I've found in question 957046 a few days ago:

#this is an example for 1 device:
$intuneDeviceId = 'deadbeef-aaaa-bbbb-cccc-0123456789ab' #update the IntuneDeviceID, you will need to implement a loop for multiple devices
$deviceCategoryReqBody = '{"@odata.id":"https://graph.microsoft.com/beta/deviceManagement/deviceCategories/98765432-aaaa-bbbb-cccc-0123456789ab"}' #update the deviceCateg id
$patchDeviceReqBody = '{}'

#$Headers is the hashtable built in the token block above (the original snippet called it $authToken)

#Running a GET method on the device ID to check its validity
Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$intuneDeviceId/deviceCategory" -Headers $Headers -Method Get

#calling the PUT method to update device category for that specific device
Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$intuneDeviceId/deviceCategory/`$ref" -Headers $Headers -Method Put -Body $deviceCategoryReqBody

#calling the PATCH method to update device details about device category
Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$intuneDeviceId" -Headers $Headers -Method Patch -Body $patchDeviceReqBody

#Running a GET method to list the available device categories
Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCategories/" -Headers $Headers -Method Get

I substitute the variables and I get an error when running the first GET command already:

Invoke-RestMethod : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

What am I missing? As I said, I have registered an app in AAD (that's where I get the tenant ID, app ID and password). I have added API permissions, but I am not a global admin for our tenant, so they currently have "Not granted for Contoso" status. Does the global admin have to approve it before I invoke the REST method, or is that in further steps and not my concern now?

kjubus

1 Answer


Not sure about the TLS error, but this is definitely not right:

"resource" = "https://management.core.windows.net/"

Replace this with https://graph.microsoft.com to get a token for Microsoft Graph API.

Also, an application admin / cloud app admin / global admin needs to consent to your permissions in API permissions tab before it works. Application-level permissions always require admin consent.

juunas
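An added example (not code from the question or the answer) that applies both points above: it requests the token with `resource` set to Microsoft Graph, then reads the token's `aud` and `roles` claims to confirm the audience is Graph and that admin consent has actually been granted, before making the first Intune call. `$TenantId`, `$AppId`, `$ClientSecret` and the device id are placeholders you fill in from your own app registration.

```powershell
# Added example: client-credentials token for Microsoft Graph, with a claims check
# before calling Intune. $TenantId/$AppId/$ClientSecret are assumed placeholders.
function Get-GraphToken {
    param([string]$TenantId, [string]$AppId, [string]$ClientSecret)
    $body = @{
        grant_type    = 'client_credentials'
        resource      = 'https://graph.microsoft.com'   # audience is Graph, not ARM
        client_id     = $AppId
        client_secret = $ClientSecret
    }
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/token?api-version=1.0"
    (Invoke-RestMethod -Uri $uri -Method Post -Body $body).access_token
}

# Decode the JWT payload only to read what AAD issued; this does not verify the signature.
function Get-JwtPayload {
    param([string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

$token  = Get-GraphToken -TenantId $TenantId -AppId $AppId -ClientSecret $ClientSecret
$claims = Get-JwtPayload -Jwt $token

# 'aud' is the API the token was issued for; 'roles' lists the application permissions
# an admin has consented to. No roles means Graph will answer 403 on every call.
$aud = "$($claims.aud)".TrimEnd('/')
if ($aud -notin @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')) {
    throw "Token audience is '$aud', not Microsoft Graph. Check the 'resource' value."
}
if (-not $claims.roles) {
    throw "Token carries no application roles: admin consent has not been granted yet."
}

$headers  = @{ Authorization = "Bearer $token" }
$deviceId = 'deadbeef-aaaa-bbbb-cccc-0123456789ab'   # placeholder Intune device id
try {
    Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$deviceId/deviceCategory" `
        -Headers $headers -Method Get -ContentType 'application/json'
} catch {
    # 401: bad or expired token; 403: permission not consented; 404: unknown device id
    Write-Error "Graph call failed: $($_.Exception.Message)"
}
```

The roles check is what turns the "Not granted for Contoso" state into an explicit error instead of a 403 from Graph.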