Graph API Device Management Configuration Compliance Policy Search
We have multiple clients that have a security software compliance policy in place. My goal is to look into those policies and pull out the devices that are non-compliant, then look at each machine and pull which software is missing. I am using the Graph API for this process. Here is the Graph request I am using:
GET https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies('$PolicyID')/deviceStatuses
Here are the permissions of the application:
We don't need the delegated permissions, nor do we need write, as we are not writing. I have tested with both and neither worked. Here is the error message I am getting:
Here is my research link: https://docs.microsoft.com/en-us/graph/api/intune-deviceconfig-devicecompliancepolicy-get?view=graph-rest-1.0
It feels like a permission issue with Graph. What do you all think?
Edit: The request above works inside Graph Explorer. However, it does not work in PowerShell. The same permissions are granted and the same request is being fired off. I'm not sure why it works in Graph Explorer but not in pwsh.
Edit: Below is the code I am using.
```powershell
$TenantID = "<Code>"
$AppID    = "<Code>"
$AppKey   = "<Code>"
$PolicyID = "<Code>"
$redirect_url = "https://localhost"

# v1.0 token endpoint
$authority = "https://login.microsoftonline.com/$TenantID"
$tokenUrl  = "$authority/oauth2/token"
$Body = @{
    client_id     = "$AppID"
    client_secret = "$AppKey"
    redirect_url  = "$redirect_url"
    grant_type    = "client_credentials"
    scope         = "https://graph.microsoft.com/"
}
$response     = Invoke-RestMethod -Uri $tokenUrl -Body $Body -Method Post
$Access_Token = $response.access_token

# Creates the header
$Header = @{
    Authorization = "Bearer $Access_Token"
}

$PolicyURL = "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies('$PolicyID')/deviceStatuses"
$PageInfo  = Invoke-RestMethod -Headers $Header -Uri $PolicyURL -Method Get
```
Solution 1:[1]
From this post:
OAuth 2.0 requires multiple steps. The first request returns an OAuth code. The next step is converting that OAuth code into a bearer token. This is the step you are missing here.
Are you sending your Bearer Token to authenticate to the endpoint?
Solution 2:[2]
This was indeed an OAuth 2.0 issue.
Here is the code below:
```powershell
# v2.0 token endpoint with the ".default" scope for Graph
$Token = "https://login.microsoftonline.com/$($TenantID)/oauth2/v2.0/token"
$Body = @{
    client_id     = "$AppID"
    client_secret = "$AppKey"
    redirect_url  = "https://localhost"   # not used by client_credentials, harmless
    grant_type    = "client_credentials"
    scope         = "https://graph.microsoft.com/.default"
}
$request      = Invoke-RestMethod -Uri $Token -Body $Body -Method Post
$Access_Token = $request.access_token

$Header = @{
    Authorization = "Bearer $($Access_Token)"
}

$GraphURL = "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies('$PolicyID')/deviceStatuses"
$PageInfo = Invoke-RestMethod -Headers $Header -Uri $GraphURL -Method Get
```
Solution 3:[3]
You are correct, this looks like a permission issue. Put your access token into jwt.ms and see whether the permissions below are present or not.
reference doc - https://docs.microsoft.com/en-us/graph/api/intune-deviceconfig-devicecompliancepolicy-get?view=graph-rest-1.0
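Added example (not from the question or from any of the answers above): the Solution 2 token request as a reusable function, an offline equivalent of the jwt.ms check from Solution 3, paging over `@odata.nextLink`, and the filter for the non-compliant devices the question is after. The function names, the sample status records and the fake token payload are constructed for this example; the only real identifiers are the Microsoft login and Graph endpoints, the `DeviceManagementConfiguration.Read.All` application role and the `status` values of `deviceComplianceDeviceStatus`. It assumes the app registration has that role granted as an *application* permission with admin consent.

```powershell
function Get-GraphAppToken {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$ClientSecret
    )
    # v2.0 endpoint + ".default" scope = every application permission consented on the app.
    # The v1.0 /oauth2/token endpoint ignores "scope" and expects "resource" instead, which is
    # why the question's script did not get a usable Graph token. client_credentials needs no redirect_uri.
    $tokenUrl = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        grant_type    = 'client_credentials'
        scope         = 'https://graph.microsoft.com/.default'
    }
    (Invoke-RestMethod -Uri $tokenUrl -Method Post -Body $body).access_token
}

function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    # Offline version of pasting the token into jwt.ms: base64url-decode the payload segment.
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Test-GraphAppRole {
    param(
        [Parameter(Mandatory)][string]$Jwt,
        [string]$Role = 'DeviceManagementConfiguration.Read.All'
    )
    $claims = Get-JwtPayload -Jwt $Jwt
    # App-only tokens carry application permissions in "roles"; delegated tokens carry "scp".
    # No "roles" claim at all usually means admin consent is missing or the wrong permission type was added.
    $graphAud = @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')
    [pscustomobject]@{
        Audience = $claims.aud
        Roles    = @($claims.roles)
        HasRole  = ($claims.aud -in $graphAud) -and ($claims.roles -contains $Role)
    }
}

function Get-GraphCollection {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][hashtable]$Headers
    )
    # deviceStatuses is a paged collection: follow @odata.nextLink until it is absent.
    do {
        $page = Invoke-RestMethod -Uri $Uri -Headers $Headers -Method Get
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

function Get-NonCompliantDevices {
    param([AllowEmptyCollection()][object[]]$Statuses)
    # status is one of: unknown, notApplicable, compliant, remediated, nonCompliant, error, conflict, notAssigned.
    # The question asks for nonCompliant; "error" and "conflict" are worth a separate look.
    $Statuses | Where-Object { $_.status -eq 'nonCompliant' } |
        Select-Object deviceDisplayName, userPrincipalName, status, lastReportedDateTime
}

# --- Constructed sample data so the helpers can be exercised without a tenant ---
$fakePayload = @{ aud = 'https://graph.microsoft.com'; roles = @('DeviceManagementConfiguration.Read.All') } |
    ConvertTo-Json -Compress
$fakeJwt = 'e30.' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($fakePayload)).TrimEnd('=').Replace('+', '-').Replace('/', '_') + '.sig'
Test-GraphAppRole -Jwt $fakeJwt            # HasRole = True for this constructed token

$sampleStatuses = @(
    [pscustomobject]@{ deviceDisplayName = 'LAPTOP-01'; userPrincipalName = 'a@contoso.example'; status = 'compliant';    lastReportedDateTime = '2021-01-01T00:00:00Z' }
    [pscustomobject]@{ deviceDisplayName = 'LAPTOP-02'; userPrincipalName = 'b@contoso.example'; status = 'nonCompliant'; lastReportedDateTime = '2021-01-01T00:00:00Z' }
)
Get-NonCompliantDevices -Statuses $sampleStatuses   # returns LAPTOP-02 only

# --- Live run: set $TenantID, $AppID, $AppKey and $PolicyID from your own tenant first ---
if ($AppKey) {
    $jwt = Get-GraphAppToken -TenantId $TenantID -ClientId $AppID -ClientSecret $AppKey
    if (-not (Test-GraphAppRole -Jwt $jwt).HasRole) {
        throw 'Token lacks DeviceManagementConfiguration.Read.All in "roles"; check the application permission and admin consent.'
    }
    $headers = @{ Authorization = "Bearer $jwt" }
    $url = "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies('$PolicyID')/deviceStatuses"
    Get-NonCompliantDevices -Statuses (Get-GraphCollection -Uri $url -Headers $headers) | Format-Table
}
```

Checking the `roles` claim before calling Graph turns a vague 401/403 into a precise answer: if the role is absent the problem is consent on the app registration, not the request. The paging helper matters because a single `Invoke-RestMethod` only returns the first page of `deviceStatuses`, so devices on later pages would be silently missed.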
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Witt |
Solution 2 | David |
Solution 3 | vicky kumar |