Azure assign group and device to script using Graph API - azure

I am trying to assign groups and devices to a PowerShell script in Microsoft Intune using the following POST request:
URL: https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/%7Bid%7D/Assign
Body:
{
  "deviceManagementScriptGroupAssignments": [
    {
      "@odata.type": "#microsoft.graph.deviceManagementScriptGroupAssignment",
      "id": "{ScriptId:GroupId}",
      "targetGroupId": "{GroupId}"
    }
  ],
  "deviceManagementScriptAssignments": [
    {
      "@odata.type": "#microsoft.graph.deviceManagementScriptAssignment",
      "id": "{ScriptID:DeviceID}",
      "target": {
        "@odata.type": "#microsoft.graph.allDevicesAssignmentTarget",
        "deviceAndAppManagementAssignmentFilterId": null,
        "deviceAndAppManagementAssignmentFilterType": "none"
      }
    }
  ]
}
However, I am getting a 400 error with the following message:
"{ "_version": 3, "Message": "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 615c3437-bd99-2193-9d4b-d9a61deb0340 - Url: https://fef.amsua0102.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/deviceManagementScripts('{id}')/microsoft.management.services.api.assign?api-version=5022-11-08", "CustomApiErrorPhrase": "", "RetryAfter": null, "ErrorSourceService": "", "HttpHeaders": "{}"}"
I am basing this on this Microsoft document: https://learn.microsoft.com/en-us/graph/api/intune-shared-devicemanagementscript-assign?view=graph-rest-beta

I tried to reproduce the same in my environment.
Received the same error:
{
"error": {
"code": "UnknownError",
"message": "{\"ErrorCode\":\"Forbidden\",\"Message\":\"{\\ \\\"_version\\\": 3,\\ \\\"Message\\\": \\\"An error has occurred - Operation ID (for customer support): xxxx –
}
When I followed the url in the error and queried, I got that the api version is not supported.
Make sure the Authorization header is sent with a bearer token that has the proper permissions to work with Intune and device management.
Omit the @odata.type parameter in the POST request body.
{
  "@odata.type": "#microsoft.graph.deviceManagementScript",
  …
  "runAs32Bit": true
}
Make sure you have the DeviceManagementConfiguration.ReadWrite.All application and delegated permissions.
Note that Intune requires an active Intune license for the tenant.
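The answer above had to dig the backend URL and api-version out of the error text by hand, because Intune errors returned through Graph wrap a JSON string inside a JSON string inside a JSON string (the same shape appears in the question's error and in the deviceCompliancePolicySettingStateSummaries question further down). The following is an added example, not code from the original post or from Microsoft: it builds a constructed sample response with the same nesting (the GUIDs and hostname are placeholders) and peels the layers so the Intune ErrorCode, activity id, backend api-version and WWW-Authenticate realm come out as plain fields.

```python
import json
import re


def _build_sample_response():
    """Constructed sample mirroring the nested shape of the error in the question.

    The real service escapes JSON inside JSON several times; building it from the
    inside out with json.dumps reproduces that escaping exactly. All ids are placeholders.
    """
    http_headers = json.dumps({
        "WWW-Authenticate": 'Bearer realm="urn:intune:service,00000000-0000-0000-0000-000000000000"',
    })
    backend_message = json.dumps({
        "_version": 3,
        "Message": (
            "An error has occurred - Operation ID (for customer support): "
            "00000000-0000-0000-0000-000000000000 - Activity ID: "
            "11111111-1111-1111-1111-111111111111 - Url: "
            "https://fef.example.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/"
            "deviceManagement/deviceManagementScripts('{id}')/"
            "microsoft.management.services.api.assign?api-version=5022-11-08"
        ),
        "CustomApiErrorPhrase": "",
        "RetryAfter": None,
        "ErrorSourceService": "",
        "HttpHeaders": http_headers,
    })
    graph_message = json.dumps({
        "ErrorCode": "Forbidden",
        "Message": backend_message,
        "Target": None,
        "Details": None,
        "InnerError": None,
        "InstanceAnnotations": [],
    })
    return {
        "error": {
            "code": "UnknownError",
            "message": graph_message,
            "innerError": {
                "request-id": "11111111-1111-1111-1111-111111111111",
                "date": "2020-05-28T11:34:16",
            },
        }
    }


SAMPLE_RESPONSE = _build_sample_response()


def _maybe_json(value):
    """Decode a string that itself holds JSON; return anything else unchanged."""
    if isinstance(value, str):
        try:
            return json.loads(value)
        except ValueError:
            return value
    return value


def unwrap_intune_error(response):
    """Flatten the JSON-in-JSON layers of an Intune error returned through Graph.

    Returns the fields a responder actually needs: the Graph code, the Intune
    ErrorCode, the request/activity ids, the backend URL and its api-version,
    and the WWW-Authenticate header if the backend sent one.
    """
    err = response.get("error", {})
    layer1 = _maybe_json(err.get("message"))
    if not isinstance(layer1, dict):
        # Not the nested Intune shape (e.g. a plain Graph error); report what we have.
        return {"graph_code": err.get("code"), "intune_code": None, "message": layer1}
    result = {
        "graph_code": err.get("code"),
        "intune_code": layer1.get("ErrorCode"),
        "request_id": err.get("innerError", {}).get("request-id"),
    }
    layer2 = _maybe_json(layer1.get("Message"))
    if isinstance(layer2, dict):
        text = layer2.get("Message", "")
        m = re.search(r"Activity ID: ([0-9a-fA-F-]{36})", text)
        result["activity_id"] = m.group(1) if m else None
        m = re.search(r"Url: (\S+)", text)
        result["backend_url"] = m.group(1) if m else None
        m = re.search(r"api-version=([^&\s]+)", text)
        result["api_version"] = m.group(1) if m else None
        headers = _maybe_json(layer2.get("HttpHeaders"))
        if isinstance(headers, dict):
            result["www_authenticate"] = headers.get("WWW-Authenticate")
    return result


if __name__ == "__main__":
    print(json.dumps(unwrap_intune_error(SAMPLE_RESPONSE), indent=2))
```

The activity id and request id are what Microsoft support asks for, and the api-version is the value to compare against the versions the backend actually accepts, which is what the answerer did manually.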

Related

Can't create schema extension in microsoft graph

I am trying to create a schema extension but I get the following error message every time I make a request:
code: 400, error_message: ErrorMessage { error: Some(ErrorStatus { code: Some("Request_BadRequest"), message: Some("Object of class ComplexExtensionDefinition is not valid for Megatenant with ContextId: 11753285-9b24-41e2-bef1-********. Update to segmentation metadata failed.")
According to the error message, it seems like I can't extend Azure AD with a schema extension. Any help?
Thanks
Here's the code for reference:
use graph_rs_sdk::oauth::OAuth;
use reqwest::StatusCode;
use graph_rs_sdk::prelude::*;
use graph_rs_sdk::error::GraphFailure;

pub async fn account_ext(client: OAuth) -> Result<StatusCode, GraphFailure> {
    // Build a Graph client from the bearer token held by the OAuth client.
    let graph_client = Graph::new_async(client.get_access_token().unwrap().bearer_token());
    // Schema extension definition to register; it targets groups.
    let properties = serde_json::json!({
        "id": "tenantaccountExt",
        "description": "Tenant account extension properties",
        "targetTypes": [
            "Group"
        ],
        "owner": "90fd44ac-18d2-4920-909b-********",
        "properties": [
            {
                "name": "region",
                "type": "String"
            },
            {
                "name": "contact",
                "type": "String"
            }
        ]
    });
    match graph_client.v1()
        .schema_extensions()
        .create_schema_extension(&properties)
        .send()
        .await {
        Ok(response) => Ok(response.status()),
        // Graph returned an error document: log it and hand back its status code.
        Err(GraphFailure::GraphError(err)) => {
            println!("{:?}", err);
            Ok(err.code)
        },
        Err(err) => Err(err)
    }
}
I faced a similar sort of error with an application:
"code": "Authorization_RequestDenied",
"message": "Attempt to update complex extension definition on application: xxxxxx belonging to different context",
with the query below:
POST https://graph.microsoft.com/v1.0/schemaExtensions
{
  "id": "tenantcountext",
  "description": "Graph Learn training courses extensions",
  "targetTypes": [
    "group"
  ],
  "owner": "dexxxxxxxxxxx64",
  "properties": [
    {
      "name": "region",
      "type": "String"
    },
    {
      "name": "contact",
      "type": "String"
    }
  ]
}
The id property must be a unique string for the schema extension definition: {domainName}_{schemaName} or schemaName only.
When I tried to check the available extension schema definitions for the id tenantaccountExt (Add custom data to groups using schema extensions - Microsoft Graph | Microsoft Docs), I could not find any available status for that id, which may mean that the tenant has one or more applications that don't have the owner permissions to add or update extensions, or even that the tenant does not have the proper permissions. (For me, when I checked the appId from the error in Azure AD apps, it was the Microsoft Graph Explorer.)
This means the tenant or apps do not have proper permissions to access Graph Explorer or do any creation or updates.
So please check whether that app or tenant in your case has proper permissions to add any changes or extensions, like the Applications.ReadWrite.All, User.Read.All, User.ReadWrite.All, Group.ReadWrite.All Microsoft Graph permissions. Please try to get the permissions granted by an admin and try again.
Also check that you have any of the following permissions:
Delegated (work or school account): Directory.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All
Application: Directory.Read.All, Directory.ReadWrite.All
Importantly, please make sure the owner property holds the application Id of an app where you are the owner, i.e. you must be the owner of the app for which the extension is defined, and the creation request must also come from that application.
If everything is correct, then the schema extension is created and we can get its status, like InDevelopment or Available.
Reference: exercise-schema-extensions | microsoftDocs
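The answer's checks (id of the form {domainName}_{schemaName} or schemaName, a known target resource type, an owner that is the appId the request is sent from, supported property types) can be run locally before the POST, so the 400/403 does not have to be decoded after the fact. The following validator is an added example, not code from the question or from Microsoft's SDK; the alphanumeric rule for the id parts, the case-insensitive handling of targetTypes, and the two sample definitions (with placeholder GUIDs) are assumptions made for the example, and the allowed property types and target resource types are those listed in the Microsoft Graph schemaExtension documentation.

```python
import re

# Directory resource types a schema extension may target (compared case-insensitively).
ALLOWED_TARGETS = {"administrativeunit", "contact", "device", "event", "group",
                   "message", "organization", "post", "user"}
# Property types a schema extension may declare.
ALLOWED_PROPERTY_TYPES = {"Binary", "Boolean", "DateTime", "Integer", "String"}
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
ALNUM_RE = re.compile(r"^[A-Za-z0-9]+$")  # assumed rule for id parts and property names


def validate_schema_extension(definition, caller_app_id):
    """Return a list of problems; an empty list means the definition passed every check.

    caller_app_id is the appId of the application the request will be sent from;
    the answer above stresses that owner must be that application.
    """
    problems = []

    # id: schemaName, or {domainName}_{schemaName} with exactly one underscore.
    ext_id = str(definition.get("id", ""))
    parts = ext_id.split("_")
    if not ext_id:
        problems.append("id is required")
    elif len(parts) > 2:
        problems.append(f"id {ext_id!r} has more than one underscore")
    else:
        if not ALNUM_RE.match(parts[-1]):
            problems.append(f"schemaName part of id {ext_id!r} must be alphanumeric")
        if len(parts) == 2 and not re.match(r"^[A-Za-z0-9.-]+$", parts[0]):
            problems.append(f"domainName part of id {ext_id!r} is malformed")

    # targetTypes: at least one, each a known directory resource type.
    targets = definition.get("targetTypes") or []
    if not targets:
        problems.append("targetTypes must list at least one resource type")
    for t in targets:
        if str(t).lower() not in ALLOWED_TARGETS:
            problems.append(f"targetTypes contains unsupported type {t!r}")

    # owner: a GUID, and the same application that sends the request.
    owner = str(definition.get("owner", ""))
    if not GUID_RE.match(owner):
        problems.append("owner must be the appId (GUID) of an application you own")
    elif owner.lower() != caller_app_id.lower():
        problems.append("owner must match the application sending the request")

    # properties: at least one, unique alphanumeric names, supported types only.
    props = definition.get("properties") or []
    if not props:
        problems.append("properties must define at least one property")
    seen = set()
    for p in props:
        name = str(p.get("name", ""))
        if not ALNUM_RE.match(name):
            problems.append(f"property name {name!r} must be alphanumeric")
        if name.lower() in seen:
            problems.append(f"property name {name!r} is duplicated")
        seen.add(name.lower())
        if p.get("type") not in ALLOWED_PROPERTY_TYPES:
            problems.append(f"property {name!r} has unsupported type {p.get('type')!r}")
    return problems


# Constructed samples: the first mirrors the question's definition with a placeholder
# appId, the second collects the mistakes the answer warns about.
APP_ID = "90fd44ac-18d2-4920-909b-000000000000"
GOOD_DEFINITION = {
    "id": "tenantaccountExt",
    "description": "Tenant account extension properties",
    "targetTypes": ["Group"],
    "owner": APP_ID,
    "properties": [{"name": "region", "type": "String"},
                   {"name": "contact", "type": "String"}],
}
BAD_DEFINITION = {
    "id": "tenant_account_ext",
    "targetTypes": ["Tenant"],
    "owner": "dexxxxxxxxxxx64",
    "properties": [{"name": "region", "type": "Text"}],
}

if __name__ == "__main__":
    for label, d in (("good", GOOD_DEFINITION), ("bad", BAD_DEFINITION)):
        print(label, validate_schema_extension(d, APP_ID) or "ok")
```

Running the validator with a caller_app_id that differs from owner reproduces the answer's "belonging to different context" situation as a single, readable problem line instead of an Authorization_RequestDenied response.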

Share azure devops variables across projects

I am trying to share linked variables across projects.
I read that it was not possible, but I found this API endpoint that may do the trick:
https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/variablegroups/share-variable-group?view=azure-devops-rest-6.0
When I call this API:
PATCH https://dev.azure.com/{organization}/_apis/distributedtask/variablegroups?variableGroupId={variableGroupId}&api-version=6.0-preview.2
with this Body:
{
  "variableGroupProjectReferences": [
    {
      "description": "test1",
      "name": "test1",
      "projectReference": {
        "id": "50f7c113-de21-4e19-b910-b37ebffa984f",
        "name": "Customer Services"
      }
    }
  ]
}
I get this response:
{
  "$id": "1",
  "innerException": null,
  "message": "Value cannot be null.\r\nParameter name: variableGroupProjectReferences",
  "typeName": "System.ArgumentNullException, mscorlib",
  "typeKey": "ArgumentNullException",
  "errorCode": 0,
  "eventId": 0
}
Value cannot be null.\r\nParameter name: variableGroupProjectReferences
The request body seems to have an issue.
You can refer to the following sample:
[
  {
    "variableGroupProjectReferences": {
      "projectReference": {
        "id": "ProjectID",
        "name": "ProjectName"
      },
      "name": "variablegroupname",
      "description": ""
    }
  }
]
But it will show the error: Sharing of variable group is not allowed.
The cause of this issue is that the variable group property: "isShared": false
You can get the variable group property with the Rest API: Variablegroups - Get
But currently it seems that we cannot change this property. So we couldn't share the variable group.
Refer to this feedback ticket: VariableGroup cannot be shared via REST API.
I suggest that you can report the issue to Developer Community.

How to purge data in a Log Analytics workspace with the "between" operator by API?

I want to purge data for my custom log within a TimeGenerated range.
Sample Request
POST https://management.azure.com/subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/OIAutoRest5123/providers/Microsoft.OperationalInsights/workspaces/aztest5048/purge?api-version=2020-08-01
Request Body
{
  "table": "MY_CUSTOM_TABLE",
  "filters": [
    {
      "column": "TimeGenerated",
      "operator": "between",
      "value": ["2022-01-02T04:00:00", "2022-01-07T03:59:59"]
    }
  ]
}
Response Code: 400
Response Body:
{
  "error": {
    "message": "The request had some invalid properties",
    "code": "BadArgumentError",
    "correlationId": "00000000-0000-0000-0000-00000000000",
    "innererror": {
      "code": "QueryValidationError",
      "message": "The user with object Id '00000000-0000-0000-0000-00000000000' does not have the role 'Data Purger' required to perform purge operation on this resource"
    }
  }
}
"message": "The user with object Id
'00000000-0000-0000-0000-00000000000' does not have the role 'Data
Purger' required to perform purge operation on this resource"
Looking at the error message you shared above, it is related to an access issue. You need the Data Purger RBAC role on that resource in order to purge data from a particular table in the Log Analytics workspace.
Here is the reference documentation for more information about the Data Purger RBAC role.
We have tested this in our local environment, and it is working fine.
In our local environment, we tried to purge the Heartbeat table using the purge REST API of the Azure Log Analytics workspace shared above.
If you are using the between operator in the body of your REST API call, the value should be an array of items.
Here is the sample request and body of the REST API:
https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/purge?api-version=2020-08-01
Body:
{
  "table": "Heartbeat",
  "filters": [
    {
      "column": "TimeGenerated",
      "operator": "between",
      "value": ["2022-01-18T05:40:00", "2022-01-18T05:50:59"]
    }
  ]
}
Here is the sample Output for reference:
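Both points of the answer (the value for between must be a two-element array, and the 400 here is really a missing Data Purger role assignment) can be checked before and after the call. The following is an added example, not code from the question or from the Azure REST API reference: it builds the purge URL from the placeholders in the answer, validates a purge body against the operator list published for the purge API (==, =~, in, in~, >, >=, <, <=, between), checks that a TimeGenerated window is ordered, and classifies the error document so a missing role is reported as an RBAC problem rather than a query problem. The sample body and response are constructed copies of the ones in the question; the subscription, resource group and workspace names are placeholders.

```python
import re
from datetime import datetime

PURGE_OPERATORS = {"==", "=~", "in", "in~", ">", ">=", "<", "<=", "between"}
API_VERSION = "2020-08-01"


def purge_url(subscription_id, resource_group, workspace):
    """Build the purge endpoint URL shown in the answer from its path parameters."""
    return (f"https://management.azure.com/subscriptions/{subscription_id}"
            f"/resourceGroups/{resource_group}/providers/Microsoft.OperationalInsights"
            f"/workspaces/{workspace}/purge?api-version={API_VERSION}")


def validate_purge_body(body):
    """Return a list of problems with a purge request body (empty list means it is well-formed)."""
    problems = []
    table = body.get("table")
    if not table or not re.match(r"^[A-Za-z0-9_]+$", str(table)):
        problems.append("table must be a table name (letters, digits, underscore)")
    filters = body.get("filters") or []
    if not filters:
        problems.append("filters must contain at least one filter")
    for i, f in enumerate(filters):
        col, op, val = f.get("column"), f.get("operator"), f.get("value")
        if not col:
            problems.append(f"filter {i}: column is required")
        if op not in PURGE_OPERATORS:
            problems.append(f"filter {i}: unsupported operator {op!r}")
            continue
        if op == "between":
            # The answer's point: between takes an array [start, end], not a scalar.
            if not (isinstance(val, list) and len(val) == 2):
                problems.append(f"filter {i}: 'between' needs a two-element array [start, end]")
                continue
            if col == "TimeGenerated":
                try:
                    start, end = (datetime.fromisoformat(v) for v in val)
                except (TypeError, ValueError):
                    problems.append(f"filter {i}: TimeGenerated bounds must be ISO 8601 timestamps")
                    continue
                if start >= end:
                    problems.append(f"filter {i}: start must be earlier than end")
        elif op in ("in", "in~"):
            if not (isinstance(val, list) and val):
                problems.append(f"filter {i}: {op!r} needs a non-empty array of values")
        elif isinstance(val, list):
            problems.append(f"filter {i}: {op!r} takes a single value, not an array")
    return problems


def diagnose_purge_error(response):
    """Turn the purge error document into the action to take."""
    error = response.get("error", {})
    inner = error.get("innererror", {})
    msg = inner.get("message", "")
    if "Data Purger" in msg:
        return "assign the Data Purger role on the workspace to the calling identity"
    if inner.get("code") == "QueryValidationError":
        return "fix the filters: " + msg
    return error.get("message", "unknown error")


# Constructed copies of the question's request body and error response.
QUESTION_BODY = {
    "table": "MY_CUSTOM_TABLE",
    "filters": [{"column": "TimeGenerated", "operator": "between",
                 "value": ["2022-01-02T04:00:00", "2022-01-07T03:59:59"]}],
}
QUESTION_RESPONSE = {
    "error": {
        "message": "The request had some invalid properties",
        "code": "BadArgumentError",
        "innererror": {
            "code": "QueryValidationError",
            "message": "The user with object Id '00000000-0000-0000-0000-000000000000' does not "
                       "have the role 'Data Purger' required to perform purge operation on this resource",
        },
    }
}

if __name__ == "__main__":
    print(purge_url("{subscriptionId}", "{resourceGroupName}", "{workspaceName}"))
    print(validate_purge_body(QUESTION_BODY) or "body ok")
    print(diagnose_purge_error(QUESTION_RESPONSE))
```

The question's body passes the structural check, which is consistent with the answer: the request was well-formed and the 400 came from the missing role, not from the between filter.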

Trying to list intune devices through deviceCompliancePolicySettingStateSummaries

I am trying to retrieve a list of enrolled devices using the microsoft graph api. The authenticated GET request to https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicySettingStateSummaries
{
  "error": {
    "code": "UnknownError",
    "message": "{\"ErrorCode\":\"Forbidden\",\"Message\":\"{\\r\\n \\\"_version\\\": 3,\\r\\n \\\"Message\\\": \\\"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: dd0e2f48-90b3-49e0-bb9a-b3b02e4b9482 - Url: https://fef.msua08.manage.microsoft.com/DeviceConfiguration_2005/StatelessDeviceConfigurationFEService/deviceManagement/deviceCompliancePolicySettingStateSummaries?api-version=2020-02-21\\\",\\r\\n \\\"CustomApiErrorPhrase\\\": \\\"\\\",\\r\\n \\\"RetryAfter\\\": null,\\r\\n \\\"ErrorSourceService\\\": \\\"\\\",\\r\\n \\\"HttpHeaders\\\": \\\"{\\\\\\\"WWW-Authenticate\\\\\\\":\\\\\\\"Bearer realm=\\\\\\\\\\\\\\\"urn:intune:service,bb7003b9-cb7f-44b2-b534-54f84f2f0d63,f0f3c450-59bf-4f0d-b1b2-0ef84ddfe3c7\\\\\\\\\\\\\\\"\\\\\\\"}\\\"\\r\\n}\",\"Target\":null,\"Details\":null,\"InnerError\":null,\"InstanceAnnotations\":[]}",
    "innerError": {
      "request-id": "dd0e2f48-90b3-49e0-bb9a-b3b02e4b9482",
      "date": "2020-05-28T11:34:16"
    }
  }
}
I am following the documentation here.
We just needed to add the resource permissions DeviceManagementConfiguration.ReadWrite.All and DeviceManagementConfiguration.Read.All in the Azure AD permissions.
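The Forbidden-wrapped-in-UnknownError response here, like the one in the script-assignment question at the top of the page, was caused by a token that did not carry the needed Intune permission. Whether the token has it can be checked before the request by reading the token's own claims: delegated tokens list scopes in scp, application tokens list app roles in roles. The following is an added example, not code from the question or from Microsoft: it decodes the payload of a token the caller already holds (no signature check, since this is inspection of our own credential, not validation of someone else's), confirms the audience and expiry, and compares the granted permissions with the ones the two answers name. The required-permission table is taken from those answers and is not a complete statement of Graph's permission model; the sample tokens are constructed and unsigned.

```python
import base64
import json
import time

# Microsoft Graph audience: either the resource URL or the Graph application id.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

# Permissions named in the answers on this page; any one of the set is enough.
REQUIRED = {
    "deviceManagement/deviceManagementScripts/{id}/assign": {
        "DeviceManagementConfiguration.ReadWrite.All",
    },
    "deviceManagement/deviceCompliancePolicySettingStateSummaries": {
        "DeviceManagementConfiguration.Read.All",
        "DeviceManagementConfiguration.ReadWrite.All",
    },
}


def _b64url_decode(segment):
    """Base64url without padding, as used in JWTs."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_claims(token):
    """Return the payload claims of a compact JWT held by the caller.

    The signature is deliberately not verified here: this inspects our own
    access token before we send it, it does not accept tokens from others.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims):
    """Delegated tokens carry a space-separated 'scp'; app-only tokens carry 'roles'."""
    perms = set(claims.get("scp", "").split())
    perms.update(claims.get("roles", []))
    return perms


def preflight(token, resource_path, now=None):
    """Return (ok, reasons): whether this token plausibly authorizes a call to resource_path."""
    claims = token_claims(token)
    now = time.time() if now is None else now
    reasons = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        reasons.append(f"audience {claims.get('aud')!r} is not Microsoft Graph")
    if claims.get("exp", 0) <= now:
        reasons.append("token is expired")
    need = REQUIRED.get(resource_path, set())
    have = granted_permissions(claims)
    if need and not (need & have):
        reasons.append("token lacks any of: " + ", ".join(sorted(need)))
    return (not reasons, reasons)


def make_unsigned_token(claims):
    """Constructed sample token for the demo: header.payload.placeholder-signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + ".sig"


if __name__ == "__main__":
    path = "deviceManagement/deviceCompliancePolicySettingStateSummaries"
    delegated = make_unsigned_token({"aud": "https://graph.microsoft.com", "exp": 4102444800,
                                     "scp": "User.Read"})
    print(preflight(delegated, path))  # lacks the DeviceManagementConfiguration permission
```

A token that fails the preflight will produce exactly the wrapped Forbidden shown in the question; fixing it means consenting to the missing permission on the app registration and acquiring a new token, since scp and roles are fixed at issue time.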

Adding User to Group using Graph API B2C

I am using Azure AD B2C to create users.
After a user is created I would like to add them to a Group
Using Postman I have made the following request (with access token in the header). Note: I have managed to successfully create a group using the Api.
POST
https://graph.windows.net/{azure-tenant}/groups/{group-objectId}/members/$ref?api-version=1.6
With Body:
{
  "@odata.id": "https://graph.windows.net/{azure-tenant}/directoryObjects/{user-objectId}"
}
Which is what the documentation specifies. No matter which body is sent, I get the following error:
{
  "odata.error": {
    "code": "Request_BadRequest",
    "message": {
      "lang": "en",
      "value": "The request URI is not valid. Since the segment 'members' refers to a collection, this must be the last segment in the request URI. All intermediate segments must refer to a single resource."
    },
    "requestId": "48cf65f3-20ba-411e-8121-f7ea54252f3a",
    "date": "2019-05-27T06:09:25"
  }
}
I tried removing the /$ref:
POST
https://graph.windows.net/{azure-tenant}/groups/{group-objectId}/members?api-version=1.6
Body:
{
  "@odata.id": "https://graph.windows.net/{azure-tenant}/directoryObjects/{user-objectId}"
}
as well as
{
  "@odata.id": "https://graph.windows.net/{azure-tenant}/users/{user-objectId}"
}
Now the error that gets returned is:
{
  "odata.error": {
    "code": "Request_BadRequest",
    "message": {
      "lang": "en",
      "value": "Unsupported resource type 'DirectoryObject' for operation 'Create'."
    },
    "requestId": "2c36cc6d-383c-44f8-8609-2ac3e3efc862",
    "date": "2019-05-27T06:15:26"
  }
}
The documentation that I have been using https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=javascript
You are using the graph.windows.net endpoint, so you should refer to the Azure AD Graph API:
POST https://graph.windows.net/myorganization/groups/b4bda672-1fba-4711-8fb1-5383c40b2c14/$links/members?api-version=1.6
{
  "url": "https://graph.windows.net/myorganization/directoryObjects/3eb6055a-baeb-44d4-a1ea-2fee86d8891b"
}
The document you referred to is for the Microsoft Graph API, whose endpoint is https://graph.microsoft.com.
You can use Microsoft Graph Explorer to call these APIs.