Omri Heffer

Reputation: 53

Can't deploy an app to Intune store via graph API - DeviceManagementApps.ReadWrite.All is an invalid scope?

We want to enable uploading apps to the Intune store via an API. I saw this example on GitHub, and want to do something similar in JS, so I've tried using the same REST calls. The problem is, I can't seem to make the https://graph.microsoft.com/beta/deviceAppManagement/mobileApps request properly - I always get 401. When making the same request via the Graph API Explorer it works fine.

I tried fixing my permissions, and I'm kinda stuck getting the correct token. I did the following steps with an admin account, on both the "common" and our own tenant:

  1. Called the admin consent - https://login.microsoftonline.com/nativeflow.onmicrosoft.com/adminconsent?client_id=<ID>&redirect_uri=<URI>

  2. Got authorization from the user - https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=<ID>&response_type=code&redirect_uri=<URI>&response_mode=query&scope=DeviceManagementApps.ReadWrite.All

  3. POST request to get the actual token - https://login.microsoftonline.com/nativeflow.onmicrosoft.com/oauth2/v2.0/token

    with the following body:

    client_id: <ID>
    scope: https://graph.microsoft.com/.default
    client_secret: <secret>
    grant_type: client_credentials
    requested_token_use: on_behalf_of
    code: <The code I got in step 2>
    

I tried changing the scope in step 3 to https://graph.microsoft.com/DeviceManagementApps.ReadWrite.All or simply to DeviceManagementApps.ReadWrite.All, but it says that it's not a valid scope.

I got a token in step 3, but when I try calling the actual API I receive this error:

{
  ErrorCode:"Forbidden",
  Message:{
    _version: 3,
    Message: "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 7b5c3841-976d-4509-b946-f7fdabd047d7 - Url: https://fef.msub02.manage.microsoft.com/StatelessAppMetadataFEService/deviceAppManagement/mobileApps?api-version=5018-05-02",
    CustomApiErrorPhrase: "", 
    RetryAfter: null, 
    ErrorSourceService: "", 
    HttpHeaders: {"WWW-Authenticate":"Bearer realm=urn:intune:service,f0f3c450-59bf-4f0d-b1b2-0ef84ddfe3c7"}
  },
  Target:null,
  Details:null,
  InnerError:null,
  InstanceAnnotations:[]
}

So yeah, I'm pretty much stuck. Anyone have any experience with it? I've tried making the calls in Postman, curl and via code, but nothing works.

Cheers :)

Upvotes: 0

Views: 696

Answers (1)

Marc LaFleur

Reputation: 33114

You have a couple of issues going on:

  1. You're using the Authorization Code Grant workflow but requesting Client Credentials.

  2. The scope Device.ReadWrite.All is an application scope; it is only applicable to Client Credentials. It isn't a valid Delegated scope, so it will return an error when you attempt to authenticate a user (aka delegate) using Device.ReadWrite.All.

  3. Your body is using key:value but it should be using standard form encoding (key=value).

To get this working, you need to request a token without a user. This is done by skipping your 2nd step and moving directly to retrieving a token (body line-breaks are only for readability):

POST https://login.microsoftonline.com/nativeflow.onmicrosoft.com/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id={id}
&client_secret={secret}
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&grant_type=client_credentials

Upvotes: 1
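The token request from the answer, followed by the mobileApps call from the question, written as a Node.js example (added here; not code from either post). It assumes Node 18+ for the global fetch and URLSearchParams, and the tenant, client id and secret are placeholders supplied by the caller.

```javascript
// Assumes Node 18+ (global fetch, URLSearchParams); tenant, id and secret are placeholders.
const GRAPH_SCOPE = "https://graph.microsoft.com/.default";
const MOBILE_APPS_URL = "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps";

// Build the client_credentials request. The token endpoint is the tenant's own (not /common);
// URLSearchParams gives standard key=value&key=value form encoding, so ":" and "/" in the
// scope become %3A and %2F. No code or requested_token_use: an app-only token has no user.
function buildTokenRequest(tenant, clientId, clientSecret) {
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    scope: GRAPH_SCOPE,
    grant_type: "client_credentials",
  });
  return {
    url: `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Surface the token endpoint's error shape (e.g. invalid_scope) instead of
// sending an empty Authorization header and getting an opaque 401 from Graph.
function extractAccessToken(tokenResponse) {
  if (tokenResponse.error) {
    throw new Error(`${tokenResponse.error}: ${tokenResponse.error_description ?? ""}`);
  }
  if (tokenResponse.token_type !== "Bearer" || !tokenResponse.access_token) {
    throw new Error("token response has no Bearer access_token");
  }
  return tokenResponse.access_token;
}

async function getAppOnlyToken(tenant, clientId, clientSecret) {
  const { url, ...init } = buildTokenRequest(tenant, clientId, clientSecret);
  const res = await fetch(url, init);
  return extractAccessToken(await res.json());
}

// POST the mobileApp metadata record (the call that returned 401 in the question).
async function createMobileApp(token, appBody) {
  const res = await fetch(MOBILE_APPS_URL, {
    method: "POST",
    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
    body: JSON.stringify(appBody),
  });
  if (!res.ok) throw new Error(`mobileApps POST ${res.status}: ${await res.text()}`);
  return res.json();
}
```

Wire it together with `createMobileApp(await getAppOnlyToken(tenant, id, secret), appBody)`, where the app registration has been granted (and an admin has consented to) the application permission from the question.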
