Microsoft Graph PowerShell access permissions - 401 Unauthorized

Problem description

I am using the Microsoft PowerShell Intune cmdlets to query configuration settings for audit purposes. I'm unable to connect with an account that does not have Admin access, despite using the AdminConsent to grant the application access. I've also explicitly added my user to the app and can see that "delegated" access has been granted.

I have successfully connected to my Azure environment with my administrator account using:

```powershell
Connect-MSGraph -AdminConsent
Get-DeviceManagement_DeviceCompliancePolicies
```

When running this with another account which is not a global administrator I receive the error:

```text
Get-DeviceManagement_DeviceCompliancePolicies : 401 Unauthorized
{
  "error": {
    "code": "UnknownError",
    "message": "{\"ErrorCode\":\"Forbidden\",\"Message\":\"{\\r\\n \\\"_version\\\": 3,\\r\\n  \\\"Message\\\": 
\\\"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 6407b0fa-a2fd-4564-8895-cc63b49e2201 
```

I can see, however, that my user has the expected delegate access including:

| API                            | Type      | Permission                                                        |
| ------------------------------ | --------- | ----------------------------------------------------------------- |
| Microsoft Graph                | Delegated | Perform user-impacting remote actions on Microsoft Intune devices |
| Microsoft Graph                | Delegated | Read and write Microsoft Intune devices                           |
| Microsoft Graph                | Delegated | Read and write Microsoft Intune RBAC settings                     |
| Microsoft Graph                | Delegated | Read and write Microsoft Intune apps                              |
| Microsoft Graph                | Delegated | Read and write Microsoft Intune Device Configuration and Policies |
| Microsoft Graph                | Delegated | Read and write Microsoft Intune configuration                     |
| Microsoft Graph                | Delegated | Read and write all groups                                         |
| Microsoft Graph                | Delegated | Read directory data                                               |
| Microsoft Graph                | Delegated | Sign users in                                                     |
| Windows Azure Active Directory | Delegated | Sign in and read user profile                                     |
| Windows Azure Active Directory | Delegated | Read all groups                                                   |

The documentation is less than helpful, despite referencing the specific error I'm getting ("Your tenant credentials support administrative functions."). It is unclear whether it's even possible to use a read-only account to gather data.

Tags: powershell, microsoft-graph-api

Solution


We ran into this problem as well, and a time delay was not the issue.

In our case the root cause was that the service account (a user object) we were using had not been granted the "Intune Administrator" role in Azure AD, which is listed as a prerequisite here: https://docs.microsoft.com/en-us/samples/microsoftgraph/powershell-intune-samples/intune-graph-samples/

After adding that role, our Intune cmdlets started working immediately.
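As an added example (not part of the question or the answer above), the following script checks whether the signed-in account actually holds the directory role before calling the Intune cmdlets, so a missing role surfaces as a readable message instead of the opaque 401 shown in the question. It uses the same Microsoft.Graph.Intune module as the question (`Connect-MSGraph`, `Invoke-MSGraphRequest`); the role display name `Intune Administrator` and the two helper function names are assumptions. Reading `/me/memberOf` is covered by the delegated "Read directory data" permission already listed in the question.

```powershell
# Added example: pre-flight check for the "Intune Administrator" directory role.
# Assumes the Microsoft.Graph.Intune module is installed and the caller can
# sign in interactively. Helper names and the role display name are assumptions.

function Get-SignedInDirectoryRoles {
    # /me/memberOf lists groups and directory roles the signed-in user is an
    # active member of. Follow @odata.nextLink so large memberships are not cut off.
    $url = 'https://graph.microsoft.com/v1.0/me/memberOf'
    $roles = @()
    while ($url) {
        $response = Invoke-MSGraphRequest -HttpMethod GET -Url $url
        $items = if ($null -ne $response.value) { $response.value } else { @($response) }
        $roles += $items | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.directoryRole' }
        $url = $response.'@odata.nextLink'
    }
    return $roles
}

function Test-IntuneAdminRole {
    param(
        # Assumed display name of the role the linked prerequisites require.
        [string]$RoleName = 'Intune Administrator'
    )
    $match = Get-SignedInDirectoryRoles | Where-Object { $_.displayName -eq $RoleName }
    return [bool]$match
}

# Delegated sign-in; app consent alone does not grant the user the directory role.
Connect-MSGraph | Out-Null

if (-not (Test-IntuneAdminRole)) {
    Write-Warning ("Signed-in account does not hold the 'Intune Administrator' role; " +
                   "Intune cmdlets will return 401/Forbidden until it is assigned.")
    return
}

try {
    # Same query as the question, now only attempted once the role check passes.
    Get-DeviceManagement_DeviceCompliancePolicies | Select-Object displayName, id
}
catch {
    Write-Error "Intune query failed: $($_.Exception.Message)"
}
```

The check deliberately inspects the user's own active role membership rather than the application's consented permissions: the table in the question shows that delegated Graph permissions were in place, yet the call still failed, which is exactly the gap between app consent and the directory role the answer describes.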
