Reputation: 961
We have multiple clients that have a security software compliance policy in place. My goal is to look into those policies and pull out the devices that are not compliant. Then, from there, look at the machine and pull what software is missing. I am using the Graph API for this process. Here is the Graph call I am using:
GET https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies('$PolicyID')/deviceStatuses
Here are the permissions of the application:
We don't need the delegated nor do we need the write as we are not writing. I have tested with both and both did not work. Here is the error message I am finding:
Here is my research link: https://learn.microsoft.com/en-us/graph/api/intune-deviceconfig-devicecompliancepolicy-get?view=graph-rest-1.0
It feels like a permission issue for the Graph call. What do you all think?
Edit: The call above works inside Graph Explorer. However, it does not work in PowerShell. The same permissions are granted and the same command is being fired off. I'm not sure why it works in Graph Explorer but not in pwsh.
Edit: Below is the code I am using.
$TenantID = "<Code>"
$AppID = "<Code>"
$AppKey = "<Code>"
$PolicyID = "<Code>"
$redirect_url = "https://localhost"
$authority = "https://login.microsoftonline.com/$TenantID"
$tokenUrl = "$authority/oauth2/token"
$Body = @{
    client_id     = "$AppID"
    client_secret = "$AppKey"
    redirect_url  = "$redirect_url"
    grant_type    = "client_credentials"
    scope         = "https://graph.microsoft.com/"
}
$response = Invoke-RestMethod -Uri $tokenUrl -Body $Body -Method Post
$Access_Token = $response.access_token
# Creates the header
$Header = @{
    Authorization = "Bearer $Access_Token"
}
$PolicyURL = "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies('$PolicyID')/deviceStatuses"
$PageInfo = Invoke-RestMethod -Headers $Header -Uri $PolicyURL -Method Get
Upvotes: 0
Views: 1411
Reputation: 961
This was indeed an OAuth 2.0 issue.
Here is the code below:
# v2.0 token endpoint (the earlier attempt used the v1 /oauth2/token endpoint)
$Token = "https://login.microsoftonline.com/$($TenantID)/oauth2/v2.0/token"
$Body = @{
    client_id     = "$AppID"
    client_secret = "$AppKey"
    redirect_url  = "https://localhost"
    grant_type    = "client_credentials"
    # Client credentials against v2.0 must request the resource's .default scope
    scope         = "https://graph.microsoft.com/.default"
}
$request = Invoke-RestMethod -Uri $Token -Body $Body -Method Post
$Access_Token = $request.access_token
$Header = @{
    Authorization = "Bearer $($Access_Token)"
}
$GraphURL = "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies('$PolicyID')/deviceStatuses"
$PageInfo = Invoke-RestMethod -Headers $Header -Uri $GraphURL -Method Get
Upvotes: 1
Reputation: 679
From this post:
OAuth 2.0 requires multiple steps. The first request returns an OAuth code. The next step is converting that OAuth code into a bearer token. This is the step you are missing here.
Are you sending your Bearer Token to authenticate to the endpoint?
Upvotes: 1
Reputation: 738
You are correct, this looks like a permission issue. Put your access token into jwt.ms and see if the permissions below are present or not.
Reference doc: https://learn.microsoft.com/en-us/graph/api/intune-deviceconfig-devicecompliancepolicy-get?view=graph-rest-1.0
Upvotes: 0
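The following is an added PowerShell example, not code from either poster. It puts the accepted answer's fix (v2.0 token endpoint with the `.default` scope) and the last answer's advice (inspect the token's permission claims) into one script, and goes slightly beyond the thread by following `@odata.nextLink` paging and filtering the statuses down to the non-compliant devices the question is after. It decodes the JWT payload locally rather than pasting the token into jwt.ms, so the secret-bearing token never leaves the machine. Assumptions: the `<...>` placeholders are your tenant, app registration, client secret and policy id; `DeviceManagementConfiguration.Read.All` is the application permission the linked reference doc lists for this endpoint; `deviceDisplayName`, `userPrincipalName`, `status` and `lastReportedDateTime` are properties of the `deviceComplianceDeviceStatus` resource returned by `/deviceStatuses`.

```powershell
# Added example (not the poster's code). Placeholders to fill in:
$TenantID = "<tenant-id>"
$AppID    = "<app-id>"
$AppKey   = "<client-secret>"
$PolicyID = "<compliance-policy-id>"

# Application permission the Intune compliance-policy GET endpoints require.
$RequiredRole = "DeviceManagementConfiguration.Read.All"

function Get-GraphAppToken {
    param([string]$TenantID, [string]$AppID, [string]$AppKey)
    # v2.0 endpoint; client-credentials requests must use the resource's ".default" scope.
    $tokenUrl = "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token"
    $body = @{
        client_id     = $AppID
        client_secret = $AppKey
        grant_type    = "client_credentials"
        scope         = "https://graph.microsoft.com/.default"
    }
    (Invoke-RestMethod -Uri $tokenUrl -Body $body -Method Post -ContentType "application/x-www-form-urlencoded").access_token
}

function ConvertFrom-JwtPayload {
    param([string]$Token)
    # Decode the middle (payload) segment locally: base64url -> base64, then re-pad.
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $payload += '=' * ((4 - ($payload.Length % 4)) % 4)
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Get-NonCompliantDevices {
    param([string]$AccessToken, [string]$PolicyID)
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $url = "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies('$PolicyID')/deviceStatuses"
    $results = @()
    # Follow @odata.nextLink until every page of statuses has been read.
    while ($url) {
        $page = Invoke-RestMethod -Headers $headers -Uri $url -Method Get
        $results += $page.value
        $url = $page.'@odata.nextLink'
    }
    # Anything other than "compliant" (nonCompliant, error, conflict, unknown, ...) is worth a look.
    $results | Where-Object { $_.status -ne 'compliant' } |
        Select-Object deviceDisplayName, userPrincipalName, status, lastReportedDateTime
}

$token  = Get-GraphAppToken -TenantID $TenantID -AppID $AppID -AppKey $AppKey
$claims = ConvertFrom-JwtPayload -Token $token

# App-only tokens carry granted application permissions in the "roles" claim;
# a missing role means admin consent was not granted, not a problem with the call itself.
if ($claims.roles -notcontains $RequiredRole) {
    throw "Token is missing application permission '$RequiredRole' (roles: $($claims.roles -join ', '))"
}
# A token minted for the wrong audience (e.g. a bad scope value) is rejected by Graph with 401.
if ($claims.aud -ne "https://graph.microsoft.com" -and $claims.aud -ne "00000003-0000-0000-c000-000000000000") {
    throw "Token audience is '$($claims.aud)', not Microsoft Graph; check the scope value"
}

Get-NonCompliantDevices -AccessToken $token -PolicyID $PolicyID | Format-Table -AutoSize
```

Checking the `roles` and `aud` claims before calling Graph separates the two failure modes in the thread: a token with no `roles` points at missing admin consent on the app registration, while a token with the wrong audience points at the scope/endpoint mismatch the accepted answer fixed.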