Issue creating a Device using Graph API

whgibbo 0 Reputation points
2023-01-27T18:00:14.2+00:00

Hi,
I raised an issue on the documentation on GitHub but was suggested that I raise it here.

Issue is that I'm trying to create devices for some test scenarios, found the following references:

But when I follow the example I get the following error back:

"code": "Request_BadRequest",
"message": "Cannot convert the literal 'base64Y3YxN2E1MWFlYw==' to the expected type 'Edm.Binary'.",

The response on the github issue:

The key value in the documentation is just a sample and has been truncated. Please use your own key instead for this operation.

But there is no example or reference that I can see for how I create/obtain the key value.

Any thoughts/suggestions?

Thanks


7 answers

  1. whgibbo 0 Reputation points
    2023-01-30T23:00:39.7233333+00:00

    OK, so I did some more testing and noticed that the key value wasn't base64 encoded; seems to be a typo in the documentation. Try the following:

    {
      "accountEnabled":false,
      "alternativeSecurityIds":
      [
        {
          "type": 2,
          "key": "Y3YxN2E1MWFlYw=="
        }
      ],
      "deviceId":"4c299165-6e8f-4b45-a5ba-c5d250a707ff",
      "displayName":"Test device",
      "operatingSystem":"linux",
      "operatingSystemVersion":"1"
    }
    

    Now it returns

     "message": "Insufficient privileges to complete the operation.",
    

    Yet the token the application is using has the following scopes:

      "roles": [
        "User.ReadBasic.All",
        "Device.Read.All",
        "Device.ReadWrite.All",
        "User.ReadWrite.All",
        "Domain.ReadWrite.All",
        "Group.Read.All",
        "Group.Create",
        "Group.ReadWrite.All",
        "User.Read.All",
        "Domain.Read.All",
        "Organization.Read.All"
      ],
    

  2. whgibbo 0 Reputation points
    2023-01-30T23:10:30.24+00:00

    So I did some additional testing. Noticed that the key value was not base64. Changed it to base64:

    {
      "accountEnabled":false,
      "alternativeSecurityIds":
      [
        {
          "type": 2,
          "key": "Y3YxN2E1MWFlYw=="
        }
      ],
      "deviceId":"4c299165-6e8f-4b45-a5ba-c5d250a707ff",
      "displayName":"Test device",
      "operatingSystem":"linux",
      "operatingSystemVersion":"1"
    }
    

    But now get

        "error": {
            "code": "Authorization_RequestDenied",
            "message": "Insufficient privileges to complete the operation.",
    

    Token has the following roles:

      "roles": [
        "User.ReadBasic.All",
        "Device.Read.All",
        "Device.ReadWrite.All",
        "User.ReadWrite.All",
        "Domain.ReadWrite.All",
        "Group.Read.All",
        "Directory.ReadWrite.All",
        "Group.Create",
        "Group.ReadWrite.All",
        "User.Read.All",
        "Domain.Read.All",
        "Organization.Read.All"
      ],
    

    What am I missing?


  3. Faith 76 Reputation points Microsoft Employee
    2023-01-31T09:11:37.2866667+00:00

    Hi @whgibbo - I see you don't have the permission indicated in the doc as required for the Create device: Permissions. Can you assign the permission and any one of the Azure AD admin roles?


  4. whgibbo 0 Reputation points
    2023-01-31T16:12:21.7333333+00:00

    Thanks @Anonymous

    Seems like, if I read this correctly, I can't use it from an application :(
    Also, it doesn't seem possible to add the application to any of the groups mentioned.

    Any reason for this?


  5. CarlZhao-MSFT 37,461 Reputation points
    2023-02-01T10:19:20.6+00:00

    Hi @whgibbo

    Your token only contains application permissions, but creating a device doesn't support application permissions, which is the cause of the problem.

    You should grant Directory.AccessAsUser.All delegated permissions to your app, and then use the delegated authentication flow (such as auth code flow or ROPC flow) to obtain an access token. Also, note that the calling user must also have one of the following Azure AD roles: Global Administrator, Intune Administrator, or Windows 365 Administrator.

    Refer to the API documentation:



    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
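A local pre-flight check for the two failure modes in this thread (a "base64"-prefixed key rejected as Edm.Binary, and an app-only token rejected with Authorization_RequestDenied), written as an added example rather than code from the thread or from Microsoft: it builds the create-device body with a properly base64-encoded key and inspects a token's claims to tell app-only `roles` from delegated `scp`, which is the distinction the answer above turns on. The `fake_jwt` helper, the raw key bytes and the function names are constructed for illustration and are assumptions, not part of the Graph API.

```python
import base64
import json

# Delegated permission named in the answer above; an app-only token carries
# "roles" instead of "scp" and does not satisfy this endpoint.
REQUIRED_SCOPE = "Directory.AccessAsUser.All"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_claims(jwt: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.
    This is a local look at what the token carries, not an authorization decision."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def check_device_create_token(jwt: str) -> str:
    """Classify a token the way the thread's error messages imply Graph does."""
    claims = token_claims(jwt)
    scopes = set(claims.get("scp", "").split())   # delegated: space-separated string
    app_roles = set(claims.get("roles", []))      # app-only: list of app roles
    if scopes:
        return "ok" if REQUIRED_SCOPE in scopes else "delegated token missing " + REQUIRED_SCOPE
    if app_roles:
        return "app-only token (roles claim); endpoint needs a delegated token"
    return "no scp or roles claim"


def make_device_payload(device_id: str, display_name: str, raw_key: bytes,
                        os_name: str = "linux", os_version: str = "1") -> dict:
    """Build the create-device body; the Edm.Binary key is plain base64, no 'base64' prefix."""
    return {
        "accountEnabled": False,
        "alternativeSecurityIds": [{"type": 2, "key": base64.b64encode(raw_key).decode("ascii")}],
        "deviceId": device_id,
        "displayName": display_name,
        "operatingSystem": os_name,
        "operatingSystemVersion": os_version,
    }


def fake_jwt(payload: dict) -> str:
    """Constructed, unsigned sample token for local testing only (signature is a placeholder)."""
    header = base64.urlsafe_b64encode(b'{"alg":"none","typ":"JWT"}').rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=").decode()
    return f"{header}.{body}.sig"
```

Run `check_device_create_token` against a real token before calling the API and you will see the app-only case from this thread reported as a "roles" token rather than a missing scope.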