
I am using the OAuth 2 authorization code flow to authenticate to Azure and invoke Graph APIs for Intune (via a delegated app that was created in Intune for access to the API).

The following permissions have been granted to the app registered in Azure under my organization's tenant:

```
https://graph.microsoft.com/DeviceManagementApps.Read.All
https://graph.microsoft.com/DeviceManagementConfiguration.Read.All
https://graph.microsoft.com/DeviceManagementManagedDevices.Read.All
https://graph.microsoft.com/User.Read
```

APIs under scope:

```
https://graph.microsoft.com/v1.0/deviceManagement/detectedApps
https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps
```

I am getting the following error both at the mobile app level and in Postman. Could you please help me identify the issue?

```json
{
  "error": {
    "code": "UnknownError",
    "message": {
      "ErrorCode": "Forbidden",
      "Message": {
        "_version": 3,
        "Message": "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: c85eb7ab-687d-4780-bd88-94a3b52e7df7 - Url: https://fef.msub02.manage.microsoft.com/DeviceConfiguration_2008/StatelessDeviceConfigurationFEService/deviceManagement/deviceConfigurations?api-version=2020-02-21",
        "CustomApiErrorPhrase": "",
        "RetryAfter": null,
        "ErrorSourceService": "",
        "HttpHeaders": {
          "WWW-Authenticate": "Bearer realm=urn:intune:service,bb7003b9-cb7f-44b2-b534-54f84f2f0d63,f0f3c450-59bf-4f0d-b1b2-0ef84ddfe3c7"
        }
      },
      "Target": null,
      "Details": null,
      "InnerError": null,
      "InstanceAnnotations": []
    },
    "innerError": {
      "date": "2020-09-02T21:09:14",
      "request-id": "c85eb7ab-687d-4780-bd88-94a3b52e7df7"
    }
  }
}
```

Prasad9avs
  • I have tried to reproduce your issue and I have given my user the Global Reader role after giving permissions and I was able to get the data. Please try it and see if it can help. – Shiva Keshav Varma Sep 03 '20 at 09:45
  • Yes, checked with admins; the Global Reader role cannot be given as it provides full access to the tenant and member organization data. Anything else? – Prasad9avs Sep 03 '20 at 13:38
  • Please check these [roles](https://learn.microsoft.com/en-us/mem/intune/fundamentals/role-based-access-control#azure-active-directory-roles-with-intune-access) and see if any of these can help. – Shiva Keshav Varma Sep 03 '20 at 13:41
  • Thanks Shiva, we are moving step by step, appreciate the help. Question: since Global Reader gives a user access to all of the tenant's data, what mitigating controls can we put in place to avoid this? Any extra filters or scopes? Please advise. – Prasad9avs Sep 03 '20 at 17:39
  • Security Operator and Security Reader also worked for me. Please try it and see if this helps. – Shiva Keshav Varma Sep 04 '20 at 08:33
  • Thanks. I tried the same, it worked for me. – Dev Sep 12 '20 at 18:20
  • Thanks Shiva, because of security issues we are proceeding with a service account with the required roles. – Prasad9avs Sep 29 '20 at 15:20
  • Yeah, that's a good idea. Moving this to answer. – Shiva Keshav Varma Oct 02 '20 at 11:03

1 Answer

You can try using the Global Administrator role or the Global Reader role to read the Intune data, as one of these roles is required. After assigning either of these roles, try the calls below with their respective permissions.

```
https://graph.microsoft.com/v1.0/deviceManagement/detectedApps
https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps
```

Shiva Keshav Varma
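As an added example (not code from the question or the answer), here is a Python triage helper for the 403 in the question: it reads the access token's `scp` claim to confirm the delegated scopes were actually consented, and only if they were does it attribute the `Forbidden` response carrying the `urn:intune:service` realm to the missing Intune role the answer and comments describe. The `make_unsigned_token` helper, the sample error body and the scope list are assumptions built from the post; the token is only inspected here, never validated.

```python
import base64
import json

# Delegated scopes the question says were granted to the app registration.
REQUIRED_SCOPES = {
    "DeviceManagementApps.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "User.Read",
}

def _b64url(data: bytes) -> str:
    """base64url-encode without padding, the way JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline testing only; Graph would reject it."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def token_claims(access_token: str) -> dict:
    """Read the JWT payload for inspection; no signature verification is performed."""
    return json.loads(_b64url_decode(access_token.split(".")[1]))

def classify_graph_403(access_token: str, error_body: dict) -> str:
    """Tell a missing-consent (scope) failure from a missing Intune role on a 403."""
    granted = set(token_claims(access_token).get("scp", "").split())
    missing = REQUIRED_SCOPES - granted
    if missing:
        return "missing-scope: " + ", ".join(sorted(missing))
    message = error_body.get("error", {}).get("message", {})
    if isinstance(message, str):  # the nested error may arrive serialised as a JSON string
        try:
            message = json.loads(message)
        except ValueError:
            return "unknown"
    headers = message.get("Message", {}).get("HttpHeaders", {})
    if message.get("ErrorCode") == "Forbidden" and "urn:intune:service" in headers.get("WWW-Authenticate", ""):
        return "missing-role: scopes consented, but the signed-in user holds no Intune RBAC or directory role"
    return "unknown"
```

Run `classify_graph_403` on the real bearer token and the parsed 403 body; a `missing-role` verdict means app consent is fine and the fix is on the user's role assignment, which is what the answer recommends.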