Graph API endpoint to list Managed Devices throwing 403 Forbidden error

Murali 21 Reputation points
2020-11-17T21:13:51.983+00:00

We're getting an error when we run the GET /deviceManagement/managedDevices endpoint as noted in https://learn.microsoft.com/en-us/graph/api/intune-devices-manageddevice-list?view=graph-rest-1.0.

The call is failing with the following error:


{
  "error": {
    "code": "Forbidden",
    "message": "{\r\n \"_version\": 3,\r\n \"Message\": \"Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 05fb7d09-0b1e-4fa3-9f10-969b9fec4b4a - Url: https://fef.msua01.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices?api-version=2018-05-24\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}",
    "innerError": {
      "date": "2020-11-17T20:46:32",
      "request-id": "...",
      "client-request-id": "..."
    }
  }
}


The app we've set up on Azure AD has permissions shown in the screenshot. Here's the full

[screenshot omitted: 40512-image.png]

Any ideas on what's causing the error?

Thanks


Accepted answer
  1. JamesTran-MSFT 36,811 Reputation points Microsoft Employee
    2020-11-17T22:07:23.37+00:00

    @Murali
    Thank you for the detailed post!

    From your error message it's stating that your Application is not authorized to perform this operation. Your API permissions show that you're using Delegated permissions for "DeviceManagementManagedDevices.Read.All and DeviceManagementManagedDevices.ReadWrite.All".

    There are both Delegated and Application types for these two permissions.
    [screenshot omitted: 40420-image.png]

    You'll have to add "Application permissions" to your app:
    Navigate to your API permissions -> Add a Permission -> Microsoft Graph -> Application Permissions -> Search for the permissions
    [screenshot omitted: 40340-image.png]

    I hope this helps!
    Thank you for your time and patience throughout this issue.

    1 person found this answer helpful.
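The accepted answer turns on the difference between Delegated and Application permissions. A quick way to see which kind a token actually carries, before sending it to Graph, is to decode its payload: delegated tokens list their scopes in the space-separated `scp` claim, app-only (client-credentials) tokens list granted application permissions in the `roles` array, and an app-only token for a registration that only has delegated permissions configured has neither, which is exactly the setup that produces the "Application is not authorized" error above. The script below is an added example, not code from the thread or from Microsoft; the tokens it decodes are constructed, unsigned samples, and `diagnose()` reads claims for diagnostics only and performs no signature verification.

```python
import base64
import json
import urllib.request

# Permissions Graph names for GET /deviceManagement/managedDevices (taken from the error message).
REQUIRED_PERMISSIONS = {
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
}
GRAPH_URL = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(payload: dict) -> str:
    """Build an UNSIGNED sample JWT for offline demonstration (constructed, not a real token)."""
    header = _b64url_encode({"alg": "none", "typ": "JWT"})
    return f"{header}.{_b64url_encode(payload)}."


# Constructed samples mirroring the claim layout of Graph access tokens:
# delegated tokens carry "scp", app-only tokens carry "roles".
DELEGATED_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "scp": "DeviceManagementManagedDevices.Read.All User.Read",
    "upn": "admin@contoso.example",  # constructed
})
APP_ONLY_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["DeviceManagementManagedDevices.Read.All"],
})
# The situation in the question: client-credentials token for a registration that only has
# *delegated* permissions configured, so the token carries no "roles" claim at all.
APP_ONLY_NO_ROLES = make_sample_token({
    "aud": "https://graph.microsoft.com",
})


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only, never for authz)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str) -> dict:
    """Report which flow issued the token and whether it carries a permission Intune will accept."""
    claims = decode_claims(token)
    if "scp" in claims:
        flow, granted = "delegated", set(claims["scp"].split())
    else:
        flow, granted = "application", set(claims.get("roles", []))
    matched = sorted(granted & REQUIRED_PERMISSIONS)
    if matched:
        fix = None
    elif flow == "application":
        fix = ("add one of %s as an *Application* permission on the app registration "
               "and grant admin consent" % sorted(REQUIRED_PERMISSIONS))
    else:
        fix = "request one of %s as a *Delegated* scope" % sorted(REQUIRED_PERMISSIONS)
    return {"flow": flow, "authorized": bool(matched), "granted": sorted(granted),
            "matched": matched, "fix": fix}


def build_request(token: str) -> urllib.request.Request:
    """Assemble the managedDevices GET; send it only once diagnose() reports authorized=True."""
    return urllib.request.Request(
        GRAPH_URL,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )


if __name__ == "__main__":
    for name, tok in [("delegated", DELEGATED_TOKEN),
                      ("app-only", APP_ONLY_TOKEN),
                      ("app-only, delegated-only registration", APP_ONLY_NO_ROLES)]:
        print(name, diagnose(tok))
```

Run `diagnose()` on the real token your application obtained (paste it into `decode_claims`); if the result shows `flow: application` with an empty `granted` list, the registration has no Application permissions granted, which is the fix the accepted answer describes.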

5 additional answers

Sort by: Most helpful
  1. Enrico De Gaudenzi 6 Reputation points
    2022-06-21T14:07:20.24+00:00

    Hi, we just had the same problem with a customer of ours. We have an application that has the DeviceManagementManagedDevices.Read.All correctly set up, but for some reason, while our customer's Global Admin could obtain an access token against the app so as to try to read its managed devices, the access token then didn't work for this endpoint. This behavior only affected one customer of ours; all the others were correctly working. The error was:

    Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All

    The solution we've found for this one customer was:
    - go to their portal.azure.com with their own Global Admin user
    - find the App among the Enterprise Applications and click on it
    - on the left-hand panel go to Permissions
    - in the Permissions panel that opens, there was a big blue button saying Grant admin consent to CUSTOMERNAME
    - clicking on it, it will ask to Accept all of our App Permissions
    - from this moment we were able to correctly retrieve an Access Token that worked for getting managed devices

    Still didn't quite get why it has worked, in theory the Global Admin of our customer can... administer globally the tenant?

    Anyway it has worked. Hope this will help someone else!

    1 person found this answer helpful.

  2. Murali 21 Reputation points
    2020-11-20T18:54:46.617+00:00

    Hello, I have sent this to our AD admin to enable the permissions. I believe we tried this before, but it didn't work. I'm looking to try again and get confirmation on whether it works.

    Thanks for the input. I will post an update in the next few days.


  3. Jonathan G 26 Reputation points
    2021-05-07T20:18:03.987+00:00

    Hello. I am getting a related error when trying to get a list of managed devices, but it's just showing a web exception error. Any way to get more info or track down what it's needing to execute?
    [screenshot omitted: 94829-image.png]


  4. Bob Lamaster 1 Reputation point
    2022-06-07T13:28:07.75+00:00

    I'm having what seems to be the same issue as this person, but my permissions appear to be set up properly.

    Through a Power Automate connector, I can make many Graph API queries for users, devices and groups that succeed:
    /devices
    /devices/{objectID}/getMemberGroups
    /users
    /users/{objectID}/getMemberGroups
    /groups/{objectID}/getMemberGroups

    However, if I try any query that includes managedDevices (we do have Intune in our environment), it doesn't work.

    For example, I can successfully do "/users/{objectID}", but not "/users/{objectID}/managedDevices"

    The body returned is:
    {
      "error": {
        "code": "Forbidden",
        "message": "{\r\n \"_version\": 3,\r\n \"Message\": \"User is not authorized to perform this operation - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 6ca043ea-c795-4e09-957c-f4c65142568d - Url: https://fef.msua06.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/users%28%27robert.lamaster%40aecom.com%27%29/managedDevices?api-version=2021-04-07\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}",
        "innerError": {
          "date": "2022-06-07T13:15:01",
          "request-id": "6ca043ea-c795-4e09-957c-f4c65142568d",
          "client-request-id": "6ca043ea-c795-4e09-957c-f4c65142568d"
        }
      }
    }

    My app registration has both application and delegated permissions as seen in the image.
    [screenshot omitted: 209050-perms.png]

    Any ideas why the app can't access managedDevices info?
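The two error bodies in this thread share an awkward shape: Graph's `error.message` is itself a JSON document from the Intune service, serialised into a string, and the useful fields (the principal that was refused, the scopes the service wanted, the Activity ID support asks for) are buried in its `Message` text. The parser below is an added example, not code from the thread or from Microsoft. It unwraps the nested document and separates the "Application is not authorized" case (app-only token lacking an Application permission, per the accepted answer) from the "User is not authorized" case seen here, where the message names the user rather than the app, so the request was evaluated as the signed-in user. The sample bodies are constructed to match the shape on the page, with placeholder ids, and the `hint` strings are the thread's own remedies plus, for the user case, a suggestion to check the signed-in user's Intune rights, which is an assumption beyond what the thread states.

```python
import json
import re

OPERATION_ID_TEXT = "Operation ID (for customer support): 00000000-0000-0000-0000-000000000000"


def _intune_body(message: str, activity_id: str, request_id: str) -> str:
    """Construct a Graph error body with Intune's JSON-inside-a-string message (sample, not captured)."""
    inner = {
        "_version": 3,
        "Message": f"{message} - {OPERATION_ID_TEXT} - Activity ID: {activity_id}"
                   " - Url: https://fef.example.invalid/DeviceFE/deviceManagement/managedDevices",
        "CustomApiErrorPhrase": "",
        "RetryAfter": None,
        "ErrorSourceService": "",
        "HttpHeaders": "{}",
    }
    outer = {"error": {
        "code": "Forbidden",
        "message": json.dumps(inner),
        "innerError": {"date": "2022-06-07T13:15:01",
                       "request-id": request_id, "client-request-id": request_id},
    }}
    return json.dumps(outer)


# Constructed samples; the ids are placeholders, not values from any tenant.
APP_NOT_AUTHORIZED = _intune_body(
    "Application is not authorized to perform this operation. Application must have one of the "
    "following scopes: DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All",
    "11111111-1111-1111-1111-111111111111", "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa")
USER_NOT_AUTHORIZED = _intune_body(
    "User is not authorized to perform this operation",
    "22222222-2222-2222-2222-222222222222", "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb")

HINTS = {
    # from the accepted answer and Enrico's answer
    "application": "token is app-only: grant the permission as an *Application* permission "
                   "and complete admin consent on the enterprise application",
    # assumption, not stated in the thread: a delegated call is authorised as the signed-in user
    "user": "token is delegated: the signed-in user was refused, so check that user's Intune role assignment",
    "unknown": "unrecognised message; keep the activity_id for support",
}


def parse_graph_error(body: str) -> dict:
    """Unwrap Graph's error envelope and the Intune JSON nested in error.message."""
    err = json.loads(body).get("error", {})
    raw_message = err.get("message", "")
    try:
        text = json.loads(raw_message).get("Message", raw_message)
    except (json.JSONDecodeError, AttributeError):
        text = raw_message  # plain Graph errors are not double-encoded
    scopes = re.search(r"following scopes: (.+?) - Operation ID", text)
    activity = re.search(r"Activity ID: ([0-9a-fA-F-]{36})", text)
    if text.startswith("Application is not authorized"):
        principal = "application"
    elif text.startswith("User is not authorized"):
        principal = "user"
    else:
        principal = "unknown"
    return {
        "code": err.get("code"),
        "principal": principal,
        "required_scopes": [s.strip() for s in scopes.group(1).split(",")] if scopes else [],
        "activity_id": activity.group(1) if activity else None,
        "request_id": err.get("innerError", {}).get("request-id"),
        "summary": text.split(" - ")[0],
        "hint": HINTS[principal],
    }


if __name__ == "__main__":
    for body in (APP_NOT_AUTHORIZED, USER_NOT_AUTHORIZED):
        print(json.dumps(parse_graph_error(body), indent=2))
```

Feed `parse_graph_error()` the raw response body from whichever client raised the 403 (the Power Automate connector output, or the body of a `urllib`/`requests` HTTP error); the `principal` field tells you which of the two remedies in this thread applies, and `activity_id` is the value to quote if you open a support case.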

