
Error when exporting device configuration objects with custom OMA-URI settings when using Read-Only servicePrincipal #263

Closed
MarcoJanse opened this issue Sep 5, 2024 · 2 comments

Comments

@MarcoJanse

MarcoJanse commented Sep 5, 2024

I am experiencing some issues when exporting certain Device Configuration profiles while using a service principal with only read permissions.

The tool shows all components as orange in the GUI and I can browse through all components.

However, when looking at the PowerShell console log, I see the following error messages for certain profiles:

Failed to invoke MS Graph with URL https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations//getOmaSettingPlainTextValue(secretReferenceValueId='') (Request ID: ). Status code: Forbidden. Response message: . Response message: Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementConfiguration.ReadWrite.All - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 143eb7cc-897a-419c-b46f-3e506acbc940 - Url: https://fef.msub02.manage.microsoft.com/DeviceConfiguration_2408/StatelessDeviceConfigurationFEService/deviceManagement/deviceConfigurations('')/microsoft.management.services.api.getOmaSettingPlainTextValue(secretReferenceValueId='')?api-version=5024-05-08 Exception: The remote server returned an error: (403) Forbidden.

The policies that fail are all configured with custom OMA-URI settings.

When I look at the results of the policies when I export them with readOnly permissions, the following values are different:

    "omaSettings":  [
                        {
                            "secretReferenceValueId":  "<referenceID>",
                            "isEncrypted":  true,
                            "value":  "****"
                        }
                    ]

The service principal has been granted these permissions:

  • 'Agreement.Read.All'
  • 'Application.Read.All'
  • 'CloudPC.Read.All'
  • 'DeviceManagementApps.Read.All'
  • 'DeviceManagementConfiguration.Read.All'
  • 'DeviceManagementManagedDevices.Read.All'
  • 'DeviceManagementRBAC.Read.All'
  • 'DeviceManagementServiceConfig.Read.All'
  • 'Group.Read.All'
  • 'Organization.Read.All'
  • 'Policy.Read.All'
  • 'Policy.Read.ConditionalAccess'
  • 'User.Read.All'

When connecting with my own admin user that also has write access on the above scopes, I can export all settings.
Should I really need to configure DeviceManagementConfiguration.ReadWrite.All to properly read the OMA-URI settings?
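
As an added example (not code from the issue or from the tool being discussed), the PowerShell below flags OMA-URI secrets that an export made with a read-only principal left masked, and pulls the scope Graph names out of a 403 message like the one logged above; the sample export JSON and error text are constructed from the values quoted in this issue.

```powershell
# Added example: detect masked OMA-URI secrets in a deviceConfiguration export and
# read the required scope from the Graph 403 text. Sample data is constructed.

# Constructed sample: trimmed export of a custom OMA-URI profile read with a read-only principal.
$exportJson = @'
{
  "displayName": "Win10 - Custom OMA-URI",
  "omaSettings": [
    { "omaUri": "./Device/Vendor/MSFT/Policy/Example", "isEncrypted": false, "value": "1" },
    { "omaUri": "./Device/Vendor/MSFT/Policy/Secret",
      "secretReferenceValueId": "00000000-0000-0000-0000-000000000000",
      "isEncrypted": true, "value": "****" }
  ]
}
'@

function Get-MaskedOmaSettings {
    param([Parameter(Mandatory)][string]$Json)
    $cfg = $Json | ConvertFrom-Json
    # A secret the caller could not decrypt comes back as isEncrypted=true with the value masked.
    foreach ($s in $cfg.omaSettings) {
        if ($s.isEncrypted -and $s.value -eq '****') {
            [pscustomobject]@{
                Profile                = $cfg.displayName
                OmaUri                 = $s.omaUri
                SecretReferenceValueId = $s.secretReferenceValueId
            }
        }
    }
}

function Get-RequiredScopeFromError {
    param([Parameter(Mandatory)][string]$Message)
    # Graph lists acceptable scopes after "must have one of the following scopes:"; capture that list.
    if ($Message -match 'must have one of the following scopes:\s*([A-Za-z0-9.]+(?:,\s*[A-Za-z0-9.]+)*)') {
        return ($Matches[1] -split ',\s*')
    }
}

# Constructed sample error text, reduced from the console message quoted in the issue.
$err = 'Status code: Forbidden. Response message: Application is not authorized to perform this operation. ' +
       'Application must have one of the following scopes: DeviceManagementConfiguration.ReadWrite.All - Operation ID (for customer support): ...'

$masked = @(Get-MaskedOmaSettings -Json $exportJson)
$scopes = Get-RequiredScopeFromError -Message $err
if ($masked.Count -gt 0) {
    "{0} OMA-URI secret(s) exported masked; decrypting them via getOmaSettingPlainTextValue requires: {1}" -f $masked.Count, ($scopes -join ', ')
    $masked | Format-Table -AutoSize
}
```

Run it against a real export by replacing $exportJson with the file contents; a non-empty result means the principal lacked the listed scope when the export was taken, not that the export is corrupt.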

@Micke-K
Owner

Micke-K commented Sep 6, 2024

Hello,

Yes, you will need ReadWrite permissions to get the Oma-Uri values. It's a requirement of the Graph API.

It's documented here:
getOmaSettingPlainTextValue

Cheers!

@MarcoJanse
Author

I see! Thanks for the quick response
