I have a script generating a report of all newly enrolled devices in Intune. The script pulls the data using API permissions in a registered application in Entra. It's generating a (401) Unauthorized error accessing the Graph URI, and I am a global admin of the tenant.
When testing logging into the MS.Graph outside the script, I get the same 401 error:
PS C:\Windows\system32> Connect-MSGraph -AdminConsent
UPN TenantId
--- --------
adminxxx@xxxx.com 7bjd3a68-6d43-4699-a397-0287245516f6
PS C:\Windows\system32> Invoke-RestMethod
cmdlet Invoke-RestMethod at command pipeline position 1
Supply values for the following parameters:
Uri: https://graph.microsoft.com/v1.0/deviceManagement/managedDevices
Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.
At line:1 char:1
+ Invoke-RestMethod
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
Invoke-RestMethod has no clue about you connecting to Graph. How would it? You aren't providing it with any type of access token or anything, so a 401 is expected.
I would take a step back and detail what module you're using (which module contains the Connect-MSGraph cmdlet). Then I would look in that module for a cmdlet that retrieves devices. The module should offer cmdlets that can utilize the connection you established with Connect-MSGraph.
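As an added illustration of the point above (this is not code from the thread), here is what a bare Invoke-RestMethod call against Graph needs: an app-only access token obtained with the client-credentials grant, passed as a Bearer header. The tenant ID, client ID and the permission name checked for are assumptions (placeholders); the token's `roles` claim is decoded locally so you can see, before hitting Graph, whether the app registration actually carries the application permission that was granted and admin-consented. Devices are filtered client-side on `enrolledDateTime` so the example does not depend on which properties this endpoint accepts in `$filter`.

```powershell
# Added example, not from the original post. All identifiers are placeholders.
$TenantId     = '00000000-0000-0000-0000-000000000000'   # assumption: your tenant ID
$ClientId     = '11111111-1111-1111-1111-111111111111'   # assumption: app (client) ID
$ClientSecret = Read-Host -AsSecureString -Prompt 'Client secret'

# Unwrap the SecureString only for the token request; never write it to a log.
$plainSecret = [System.Net.NetworkCredential]::new('', $ClientSecret).Password

# Client-credentials grant: this is the token Invoke-RestMethod otherwise never gets.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        client_secret = $plainSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$plainSecret = $null

# Decode the JWT payload (base64url, no signature check; we only inspect claims).
function Get-JwtPayload ([string]$Jwt) {
    $part = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($part.Length % 4) { 2 { $part += '==' } 3 { $part += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($part)) | ConvertFrom-Json
}

# App-only tokens carry application permissions in 'roles'. If the permission is
# missing, the app was never granted/consented it, and Graph will answer 401/403.
$requiredRole = 'DeviceManagementManagedDevices.Read.All'   # assumption: what the report needs
$roles = (Get-JwtPayload $tokenResponse.access_token).roles
if ($roles -notcontains $requiredRole) {
    throw "Token lacks $requiredRole. Grant and admin-consent it on the app. Roles present: $($roles -join ', ')"
}

$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
       "?`$select=deviceName,userPrincipalName,operatingSystem,enrolledDateTime"

# Follow @odata.nextLink so devices beyond the first page are not silently dropped.
$devices = @()
while ($uri) {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $devices += $page.value
    $uri = $page.'@odata.nextLink'
}

$since = (Get-Date).AddDays(-7).ToUniversalTime()        # "newly enrolled" = last 7 days (assumption)
$devices |
    Where-Object { [datetime]$_.enrolledDateTime -ge $since } |
    Sort-Object enrolledDateTime -Descending |
    Format-Table deviceName, userPrincipalName, operatingSystem, enrolledDateTime
```

If the `roles` check passes and Graph still returns 401, the token was minted for a different tenant or app than the one you configured; compare the `tid` and `appid` claims from `Get-JwtPayload` against the registration before looking anywhere else.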
Do I need to use the Connect-MSGraph cmdlet when it’s in a registered application in the tenant? I didn’t think so if I registered and granted apps the API permissions. Here’s the entire script:
No, I wouldn't think so. I was going off the only information I had, which is the 2 lines you provided originally. This script is much, much different than your example.
You can. The PowerShell SDK lets you connect with delegated permissions (running commands on behalf of a signed-in user) or with a client secret/cert. Using a cert is better and more secure IMO. There's some docs online for client secret that may be better than my code below, but if you can, just use cert-based auth because it's super easy and you can use a self-signed cert and set it up really quickly. I did demo client secret auth a few weeks ago and it was something like the code below, though I think I actually did a secure string (PSCredential object) and converted it, but you probably just need to play with it some:
By using the Connect-MgGraph cmdlet, once you connect you'll be able to run all the PowerShell-wrapped Graph commands, so you can do what your script is doing manually. I'd make sure that you're connecting using app-based perms and the app actually has the proper permissions needed. If you use delegated, it will only have the permissions of the signed-in user.
Lastly, with cert-based auth, you don't have to worry about grabbing a token; you literally just install the cert and use it to auth (it really is as simple as creating a self-signed cert, exporting it without the public key and uploading it to the app). However, client secret works too.
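The cert-based, app-only flow described in the reply above, as an added example that is not the commenter's own code: create the self-signed certificate, export the part that gets uploaded to the app registration, connect with Connect-MgGraph using the thumbprint, and confirm with Get-MgContext that the session is app-only before pulling managed devices with the SDK cmdlet. Tenant ID, client ID, subject name and the 7-day window are assumptions.

```powershell
# Added example, not from the thread. Identifiers below are placeholders.
$TenantId = '00000000-0000-0000-0000-000000000000'   # assumption
$ClientId = '11111111-1111-1111-1111-111111111111'   # assumption

# One-time setup: self-signed cert whose private key stays in the user store
# (non-exportable), so nothing secret ever lands in the script or a file.
$cert = New-SelfSignedCertificate -Subject 'CN=IntuneEnrollmentReport' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable -KeySpec Signature `
    -NotAfter (Get-Date).AddYears(1)

# Export-Certificate writes only the public certificate (.cer); that is the file
# you upload under the app registration's "Certificates & secrets".
Export-Certificate -Cert $cert -FilePath "$env:TEMP\IntuneEnrollmentReport.cer" | Out-Null

# Every later run: authenticate as the app with the private key, no token handling.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.DeviceManagement
Connect-MgGraph -ClientId $ClientId -TenantId $TenantId -CertificateThumbprint $cert.Thumbprint

# Verify we are app-only and the granted application permission is in the session.
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly') {
    throw "Expected an app-only session, got '$($ctx.AuthType)'. Delegated sessions only carry the signed-in user's rights."
}
if ($ctx.Scopes -notcontains 'DeviceManagementManagedDevices.Read.All') {
    throw "App is missing DeviceManagementManagedDevices.Read.All (grant + admin consent). Scopes: $($ctx.Scopes -join ', ')"
}

# Pull devices through the SDK wrapper; -All handles paging for you.
$since = (Get-Date).AddDays(-7).ToUniversalTime()   # assumption: "newly enrolled" window
Get-MgDeviceManagementManagedDevice -All `
    -Property deviceName, userPrincipalName, operatingSystem, enrolledDateTime |
    Where-Object { $_.EnrolledDateTime -ge $since } |
    Sort-Object EnrolledDateTime -Descending |
    Format-Table DeviceName, UserPrincipalName, OperatingSystem, EnrolledDateTime

Disconnect-MgGraph | Out-Null
```

Run the setup half once on the machine that will execute the report; the thumbprint in `$cert.Thumbprint` is the only value the scheduled run needs beyond the two IDs, and the private key never leaves the certificate store.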