powershell - Microsoft Graph PowerShell access permissions - 401 Unauthorized
Problem description
I am using the Microsoft PowerShell Intune cmdlets to query configuration settings for audit purposes. I'm unable to connect with an account that does not have Admin access, despite using the AdminConsent to grant the application access. I've also explicitly added my user to the app and can see that "delegated" access has been granted.
I have successfully connected to my Azure environment with my administrator account using:
Connect-MSGraph -AdminConsent
Get-DeviceManagement_DeviceCompliancePolicies
When running this with another account which is not a global administrator, I receive the error:
Get-DeviceManagement_DeviceCompliancePolicies : 401 Unauthorized
{
"error": {
"code": "UnknownError",
"message": "{\"ErrorCode\":\"Forbidden\",\"Message\":\"{\\r\\n \\\"_version\\\": 3,\\r\\n \\\"Message\\\":
\\\"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 6407b0fa-a2fd-4564-8895-cc63b49e2201
I can see, however, that my user has the expected delegate access including:
| API | Type | Permission |
| ------------------------------ | --------- | ----------------------------------------------------------------- |
| Microsoft Graph | Delegated | Perform user-impacting remote actions on Microsoft Intune devices |
| Microsoft Graph | Delegated | Read and write Microsoft Intune devices |
| Microsoft Graph | Delegated | Read and write Microsoft Intune RBAC settings |
| Microsoft Graph | Delegated | Read and write Microsoft Intune apps |
| Microsoft Graph | Delegated | Read and write Microsoft Intune Device Configuration and Policies |
| Microsoft Graph | Delegated | Read and write Microsoft Intune configuration |
| Microsoft Graph | Delegated | Read and write all groups |
| Microsoft Graph | Delegated | Read directory data |
| Microsoft Graph | Delegated | Sign users in |
| Windows Azure Active Directory | Delegated | Sign in and read user profile |
| Windows Azure Active Directory | Delegated | Read all groups |
The documentation is less than helpful, despite referencing the specific error I'm getting ("Your tenant credentials support administrative functions."). It is unclear whether it's even possible to use a read-only account to gather data.
Solution
We ran into this problem as well; a time delay was not the issue.
In our case, the root cause was that the service account (user object) we were using had not been granted the "Intune Administrator" role in Azure AD, which is a prerequisite mentioned here: https://docs.microsoft.com/en-us/samples/microsoftgraph/powershell-intune-samples/intune-graph-samples/
After adding that role, our Intune cmdlets started working immediately.
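An added example (not code from the question or the answer above) that checks whether a service account already holds the Intune Administrator directory role and grants it if not, using the Microsoft Graph PowerShell SDK (Microsoft.Graph module) rather than the older Intune module. It assumes the Microsoft.Graph module is installed, that the account running it can consent to RoleManagement.ReadWrite.Directory and User.Read.All, and that the role's display name in the tenant is "Intune Administrator" (older tenants show "Intune Service Administrator", which the wildcard also matches). The UPN is a placeholder.

```powershell
# Added example: verify/grant the Intune Administrator directory role to a
# service account with the Microsoft Graph PowerShell SDK.
# Assumptions (not from the original page): Microsoft.Graph module installed,
# caller can consent to the listed scopes, role display name matches
# "Intune*Administrator". The UPN below is a placeholder.
param(
    [string]$ServiceAccountUpn = "svc-intune-audit@contoso.example"  # placeholder UPN
)

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$user = Get-MgUser -UserId $ServiceAccountUpn -Property Id, DisplayName, UserPrincipalName

# Directory roles are only listed by Get-MgDirectoryRole once they have been
# activated in the tenant; if the role has never been used, activate it from
# its template first.
$role = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -like "Intune*Administrator" }
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate -All |
        Where-Object { $_.DisplayName -like "Intune*Administrator" }
    if (-not $template) { throw "No Intune Administrator role template found in this tenant." }
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# Check current membership before changing anything.
$isMember = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    Where-Object { $_.Id -eq $user.Id }

if ($isMember) {
    Write-Host "$($user.UserPrincipalName) already holds '$($role.DisplayName)'."
} else {
    # Assign by reference. Prefer this scoped role over Global Administrator so
    # the audit account holds only the permissions the Intune cmdlets require.
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
    Write-Host "Granted '$($role.DisplayName)' to $($user.UserPrincipalName)."
}

Disconnect-MgGraph | Out-Null
```

After the role is granted, sign the service account in again (for example a fresh Connect-MSGraph) so that it obtains a new token; a session established before the assignment will keep failing until it re-authenticates. Note that the delegated app permissions listed in the question only define what the app may request on the user's behalf; the Intune service still requires the user itself to hold an Intune RBAC or directory role, which is why consent alone did not clear the 401.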