Get-AzureADDevice shows "Insufficient privileges to complete the operation." error.

FENG CHEN 21 Reputation points
2022-09-21T21:22:53.71+00:00

I saw similar questions being asked many times, but still couldn't make it work.

My test code :

    # Placeholder values, as in the original post.
    $azureAplicationId = 'ZZZZZZZZZZZZZZ'
    $passwd = "XXXXXXXXXXXXXXXXXXX"
    $azureTenantId = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
    $azurePassword = ConvertTo-SecureString $passwd -AsPlainText -Force
    $psCred = New-Object System.Management.Automation.PSCredential($azureAplicationId, $azurePassword)
    Connect-AzAccount -Credential $psCred -TenantId $azureTenantId -ServicePrincipal

    # Mint two tokens from the Az context: one for Microsoft Graph (graph.microsoft.com)
    # and one for the legacy Azure AD Graph (graph.windows.net) that the AzureAD module calls.
    $context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
    $graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
    $aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
    Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.Tenant.Id -MsAccessToken $graphToken

    $Headers = @{
        'Authorization' = "Bearer $graphToken"
    }

    # Direct Microsoft Graph calls with the MS Graph token succeed.
    Invoke-WebRequest -Headers $Headers -Uri "https://graph.microsoft.com/v1.0/users"   ### working as expected
    Invoke-WebRequest -Headers $Headers -Uri "https://graph.microsoft.com/v1.0/devices" ### working as expected

    Get-AzADUser #### working as expected

    # AzureAD module cmdlets (Azure AD Graph) fail with Authorization_RequestDenied.
    Get-AzureADUser #### not working

    Get-AzureADDevice #### not working

Get-AzureADDevice shows :

Get-AzureADDevice : Error occurred while executing GetDevices
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.

I am trying to use an Azure app to read Azure AD devices. Pity the new Az module only provides Get-AzADUser, no Get-AzADDevice, so I have to use Get-AzureADDevice, but I just can't get it to work.

I have tried AADToken and MSToken, and I have tested the MSToken with Invoke-WebRequest and it's working fine.

But when I run Get-AzureADDevice or any Get-AzureAD command, it just gives me the error "Insufficient privileges to complete the operation."

Get-AzADUser or Get-AzADApplication are working fine. I have granted the app all the permissions I can think of:

[screenshot: the app registration's granted API permissions]

Microsoft Security | Microsoft Graph

1 answer

  1. FENG CHEN 21 Reputation points
    2022-09-21T21:44:04.187+00:00

    OK, I also thought about MgGraph but didn't like that I have to use a certificate to authenticate.

    Now I see I can use the following code:

    $contexts = Get-AzContext -ListAvailable

    # Only sign in as the service principal when no Az context exists yet.
    # ($nill in the original was an undefined variable; $null is what was meant.)
    if ($null -eq $contexts) {
        $psCred = New-Object System.Management.Automation.PSCredential($ApplicationId, $SecurePasswd)
        Connect-AzAccount -Credential $psCred -TenantId $TenantId -ServicePrincipal
    }

    # Reuse the Az sign-in to get a Microsoft Graph token, then hand it to the Graph SDK
    # instead of authenticating Connect-MgGraph with a certificate.
    $token = Get-AzAccessToken -ResourceTypeName MSGraph
    Connect-MgGraph -AccessToken $token.Token

    This worked better than the AzureAD module.

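The AzureAD module talks to the legacy Azure AD Graph endpoint (graph.windows.net, the `$aadToken` audience in the question), whose application permissions are consented separately from Microsoft Graph's, whereas the token the question proved working against `/v1.0/devices` is a Microsoft Graph token. The script below is an added example, not code from either post: it reuses the service-principal sign-in and `Get-AzAccessToken` from the answer, first decodes the token's `roles` claim to confirm a device-read application permission was actually consented, then pages through `/devices` with `Invoke-RestMethod`. It assumes the app holds the Microsoft Graph application permission Device.Read.All (or Directory.Read.All) with admin consent, that the client secret is supplied in an environment variable named APP_SECRET (an assumed name), and that `Get-AzAccessToken` returns the token as plain text, as it did in 2022 (recent Az versions return a SecureString).

```powershell
# Added example, not code from either post: read Azure AD devices through
# Microsoft Graph with the app-only token, checking the token's app roles
# first and following @odata.nextLink paging. Assumes Device.Read.All (or
# Directory.Read.All) application permission with admin consent, and the
# client secret in the env var APP_SECRET (assumed name), not in the script.

$applicationId = 'ZZZZZZZZZZZZZZ'                         # placeholder, as in the question
$tenantId      = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'  # placeholder, as in the question
$securePasswd  = ConvertTo-SecureString $env:APP_SECRET -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($applicationId, $securePasswd)
Connect-AzAccount -Credential $psCred -TenantId $tenantId -ServicePrincipal | Out-Null

# Same Microsoft Graph token the poster verified with Invoke-WebRequest.
$graphToken = (Get-AzAccessToken -ResourceTypeName MSGraph).Token

function Get-JwtRoles {
    # Decode the JWT payload (base64url) and return the 'roles' claim: the
    # application permissions actually present in this app-only token.
    param([string] $Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return ($json | ConvertFrom-Json).roles
}

$roles = Get-JwtRoles -Jwt $graphToken
if ($roles -notcontains 'Device.Read.All' -and $roles -notcontains 'Directory.Read.All') {
    throw "Token carries roles [$($roles -join ', ')]; no device-read permission was consented."
}

function Get-GraphDevices {
    # Page through /devices; single quotes keep $select and $top literal.
    param([hashtable] $Headers)
    $uri = 'https://graph.microsoft.com/v1.0/devices?$select=id,displayName,operatingSystem,accountEnabled,approximateLastSignInDateTime&$top=100'
    $devices = @()
    while ($uri) {
        try { $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $Headers }
        catch {
            # A 403 here means the Microsoft Graph permission itself is missing,
            # a different grant from the Azure AD Graph one the AzureAD module needs.
            throw "Graph call failed: $($_.ErrorDetails.Message)"
        }
        $devices += $page.value
        $uri = $page.'@odata.nextLink'   # $null once the last page is reached
    }
    return $devices
}

Get-GraphDevices -Headers @{ Authorization = "Bearer $graphToken" } |
    Select-Object displayName, operatingSystem, accountEnabled, approximateLastSignInDateTime |
    Format-Table -AutoSize
```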
