
Does anyone know how I can connect to the Intune API using MS Graph with an Access/Refresh token?

I'm using AADInternals module.

Get-AccessTokenWithRefreshToken -Resource "https://graph.microsoft.com" -ClientId "00000000-0000-0000-0000-000000000000" -RefreshToken $refreshtoken -TenantId $Tenant

I've tried all kind of resources and clientid, but when I make a call I keep getting errors like:

{"error":"invalid_grant","error_description":"AADSTS70000: Provided grant is invalid or malformed.\r\n"

{"error":"invalid_grant","error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid"

{"error":"unauthorized_client","error_description":"AADSTS700038: 00000000-0000-0000-0000-000000000000

Or when I use a default MSGraph API clientid & resource:

$apiUrl = "https://graph.microsoft.com/v1.0/deviceManagement/managedDeviceOverview"

Invoke-RestMethod -Headers @{Authorization = "Bearer " + $attributes.MSGraph} -Uri $apiUrl -Method GET -ContentType 'application/json'

Invoke-RestMethod : The remote server returned an error: (403) Forbidden.

or:

Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.

Update 1

DeviceCompliance seems to be working, I just can't get managedDeviceOverview to work... Even in Graph Explorer Developer it's giving errors...

https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies

https://graph.microsoft.com/v1.0/deviceManagement/managedDeviceOverview

fabrisodotps1
H1dden69
    Can you get the full response from a tool like Fiddler? Perhaps an additional header is needed for that API call – Isaac Apr 10 '22 at 08:56
  • The headers are indeed different, so is the access token. – H1dden69 Apr 12 '22 at 10:50
  • I'm even getting an error in MS Graph Explorer Developer, and can't seem to assign any rights to the application (no consent is asked).. Bit weird.. Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementManagedDevices.Read.All, ReadWrite... – H1dden69 Apr 12 '22 at 10:51
  • Have you granted admin permission to the app in Azure with those requested permissions? Also, what headers does it say you're missing? – Isaac Apr 13 '22 at 06:27

1 Answer


If /deviceManagement/deviceCompliancePolicies is working and /deviceManagement/managedDeviceOverview is not, my guess is that there are permissions missing on the enterprise application in AAD (application with the clientid which you pass to the -ClientId parameter in Get-AccessTokenWithRefreshToken).

Permissions for /deviceManagement/deviceCompliancePolicies

DeviceManagementConfiguration.Read.All, DeviceManagementConfiguration.ReadWrite.All

These permissions might already be set (because the api call is working).

Check this link (chapter prerequisites): https://learn.microsoft.com/en-us/graph/api/intune-deviceconfig-devicecompliancepolicy-get?view=graph-rest-1.0#prerequisites

Permissions for /deviceManagement/managedDeviceOverview

DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All

These permissions might not be set (because the api call is not working).

Check this link (chapter prerequisites): https://learn.microsoft.com/en-us/graph/api/intune-devices-manageddeviceoverview-get?view=graph-rest-1.0#prerequisites

Check the permissions in the Azure portal: Azure Active Directory --> Enterprise applications --> Your enterprise app (with the right clientid) --> Permissions

fabrisodotps1
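An added example, not part of the question or the answer: decode the access token locally and check its audience and permission claims before calling each endpoint, so a token that lacks the DeviceManagementManagedDevices permission shows up as a named warning instead of a bare 403. It assumes the token lives in $attributes.MSGraph as in the question; the endpoint-to-permission mapping is taken from the prerequisites pages linked in the answer.

```powershell
# Base64url-decode one JWT segment, restoring the padding that JWTs strip
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Segment)
    $s = $Segment.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

# Return the decoded claims of an access token (header.payload.signature)
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected three dot-separated segments' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

# True when the token is issued for Graph and carries at least one of the
# permissions in $AnyOf. Delegated tokens list scopes in 'scp' (space
# separated); application tokens list app roles in 'roles' (array).
function Test-GraphTokenPermission {
    param([Parameter(Mandatory)][string]$Token, [Parameter(Mandatory)][string[]]$AnyOf)
    $p = Get-JwtPayload $Token
    # Graph appears as its resource URI or its well-known app id in 'aud'
    if ($p.aud -notlike '*graph.microsoft.com*' -and $p.aud -ne '00000003-0000-0000-c000-000000000000') {
        Write-Warning "Audience is '$($p.aud)', not Microsoft Graph: expect 401"
        return $false
    }
    $granted = @()
    if ($p.scp)   { $granted += ($p.scp -split ' ') }
    if ($p.roles) { $granted += $p.roles }
    if (-not ($AnyOf | Where-Object { $_ -in $granted })) {
        Write-Warning "Missing all of [$($AnyOf -join ', ')]; token has [$($granted -join ', ')]: expect 403"
        return $false
    }
    $true
}

# Endpoint -> required permissions, from the prerequisites pages linked in the answer
$required = @{
    'deviceManagement/deviceCompliancePolicies' = 'DeviceManagementConfiguration.Read.All', 'DeviceManagementConfiguration.ReadWrite.All'
    'deviceManagement/managedDeviceOverview'    = 'DeviceManagementManagedDevices.Read.All', 'DeviceManagementManagedDevices.ReadWrite.All'
}

# $attributes.MSGraph is the token variable used in the question (assumed)
foreach ($path in $required.Keys) {
    if (Test-GraphTokenPermission -Token $attributes.MSGraph -AnyOf $required[$path]) {
        Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/$path" -Headers @{ Authorization = "Bearer $($attributes.MSGraph)" } -Method GET
    }
}
```

The check reads the claims without verifying the signature, which is fine for local troubleshooting because Graph still validates the token on every call; when the warning names a missing permission, grant it on the enterprise application and acquire a new token, since existing tokens keep their old scopes.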