DeviceRegistrationPolicy through beta Graph API - Failed to authorize, token doesn't have the required permissions

2022-10-21T10:21:01.333+00:00

Hi Team,

When we try to set userDeviceQuota to a custom value using the code below, it always gives "The request failed with status BadRequest (400). Failed to authorize, token doesn't have the required permissions."

```powershell
$method = "PUT"
$uri = "https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy"

$ClientID = 'xxx'
$TenantID = 'xxx'
$thumbPrint = 'xxx'

# Certificate sign-in as the application: this is the client-credentials (app-only) flow
$test = Connect-MgGraph -ClientID $ClientID -TenantId $TenantID -CertificateThumbprint $thumbPrint

$body = '{
    "userDeviceQuota": 1,
    "multiFactorAuthConfiguration": "0",
    "azureADRegistration": {
        "appliesTo": "1",
        "isAdminConfigurable": false,
        "allowedUsers": [],
        "allowedGroups": []
    }
}'
Invoke-MgGraphRequest -Method $method -Uri $uri -Body $body
```

I could see that the proper permissions also exist on the app.

As it only supports delegated permissions, it may require a user sign-in flow, but is there any way to generate a token using username, password, ClientID and certificate?
Can someone help how to resolve this?

Harpreet Singh Matharoo (Microsoft Employee, 6,146 Reputation points)
    2022-10-21T10:45:33.987+00:00

    Hello @Krupa Gundraju (Larsen & Toubro Infotech Limit)

    Thank you for reaching out. Delegated permissions are used by apps that have a signed-in user present, and I made certain changes in your script to generate an access token using username and password. You can use this and confirm if it fulfils your requirement.

    ```powershell
    # Resource Owner Password Credentials (ROPC) request against the v1.0 token endpoint.
    # The client id, username, password and client secret below are sample values.
    $TokenBody = 'grant_type=password' +
        '&client_id=12345678-2b13-444b-9631-f2ff99c34e77' +
        '&username=harpreet@contoso.com' +
        '&password=testpassword!' +
        '&resource=https://graph.microsoft.com' +
        '&client_secret=12345~cRUe8o1AIyt7zLx7._NGREHcMhRXCvacgb' +
        '&scope=Policy.Read.All,Policy.ReadWrite.MobilityManagement'
    $token = (Invoke-RestMethod -Method Post -Uri 'https://login.microsoftonline.com/common/oauth2/token' -Body $TokenBody).access_token

    $method = "PUT"
    $uri = "https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy"
    $body = '{
        "userDeviceQuota": 1,
        "multiFactorAuthConfiguration": "0",
        "azureADRegistration": {
            "appliesTo": "1",
            "isAdminConfigurable": false,
            "allowedUsers": [],
            "allowedGroups": []
        }
    }'

    # Sign in with the delegated (user) token and switch the SDK to the beta endpoint
    Connect-MgGraph -AccessToken $token
    Select-MgProfile -Name beta
    Invoke-MgGraphRequest -Method $method -Uri $uri -Body $body
    ```

    I hope this helps and resolves your concern.

    ----------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
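A local check that explains the "token doesn't have the required permissions" error, added here as an example and not part of the original thread: decode the access token and look at which permission claim it carries. A token obtained with a certificate through Connect-MgGraph is app-only and carries a `roles` claim, while a delegated-only endpoint needs a user token with an `scp` claim. The scope names are the ones used in the thread; the sample token is constructed and unsigned, and `ConvertFrom-JwtPayload` / `Test-GraphTokenPermission` are hypothetical helper names.

```powershell
# Decode the payload of a JWT without validating it (inspection only, not authentication)
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # base64url -> base64: restore the standard alphabet and the padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

# Report whether the token is delegated (scp) or app-only (roles) and whether it
# carries at least one of the scopes the call needs
function Test-GraphTokenPermission {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string[]]$RequiredScope
    )
    $claims    = ConvertFrom-JwtPayload -Token $Token
    $delegated = if ($claims.scp)   { $claims.scp -split ' ' } else { @() }
    $appOnly   = if ($claims.roles) { @($claims.roles) }      else { @() }
    [pscustomobject]@{
        TokenType      = if ($delegated.Count) { 'delegated (scp)' }
                         elseif ($appOnly.Count) { 'app-only (roles)' }
                         else { 'no permission claims' }
        Audience       = $claims.aud
        Upn            = $claims.upn
        HasRequired    = [bool]($delegated | Where-Object { $RequiredScope -contains $_ })
        DelegatedScope = $delegated
        AppRoles       = $appOnly
    }
}

# Constructed sample (unsigned, header alg=none): an app-only token like the one the
# certificate sign-in in the question produces. It has roles but no scp, so HasRequired is false.
$payload = '{"aud":"https://graph.microsoft.com","roles":["Policy.Read.All"]}'
$b64url  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($payload)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
$sample  = "eyJhbGciOiJub25lIn0.$b64url."
Test-GraphTokenPermission -Token $sample -RequiredScope 'Policy.ReadWrite.MobilityManagement', 'Policy.Read.All'
```

Run the same function on `(Get-MgContext)` tokens or on `$token` from the answer to confirm the delegated scopes before issuing the PUT.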