Graph API endpoint to list Managed Devices throwing 403 Forbidden error

Murali 21 Reputation points
2020-11-17T21:13:51.983+00:00

We're getting an error when we run the GET /deviceManagement/managedDevices endpoint as noted in https://learn.microsoft.com/en-us/graph/api/intune-devices-manageddevice-list?view=graph-rest-1.0.

The call is failing with the following error:

{
  "error": {
    "code": "Forbidden",
    "message": "{\r\n \"_version\": 3,\r\n \"Message\": \"Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 05fb7d09-0b1e-4fa3-9f10-969b9fec4b4a - Url: https://fef.msua01.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices?api-version=2018-05-24\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}",
    "innerError": {
      "date": "2020-11-17T20:46:32",
      "request-id": "...",
      "client-request-id": "..."
    }
  }
}

The app we've set up on Azure AD has permissions shown in the screenshot. Here's the full

[screenshot: API permissions of the Azure AD app registration]

Any ideas on what's causing the error?

Thanks


Answer accepted by question author
  1. JamesTran-MSFT 37,226 Reputation points Microsoft Employee Moderator
    2020-11-17T22:07:23.37+00:00

    @Murali
    Thank you for the detailed post!

    From your error message it's stating that your Application is not authorized to perform this operation. Your API permissions show that you're using Delegated permissions for "DeviceManagementManagedDevices.Read.All" and "DeviceManagementManagedDevices.ReadWrite.All".

    There are both Delegated and Application types for these two permissions.
    [screenshot: Delegated and Application types of the two permissions]

    You'll have to add "Application permissions" to your app:
    Navigate to your API permissions -> Add a Permission -> Microsoft Graph -> Application Permissions -> Search for the permissions
    [screenshot: Add a permission -> Microsoft Graph -> Application permissions]

    I hope this helps!
    Thank you for your time and patience throughout this issue.

    1 person found this answer helpful.
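A quick way to confirm which side of this delegated-versus-application line a token is on, as an added Python example that is not from the answer above or from Microsoft: it parses the nested Graph error body from the question to pull out the permissions Graph will accept, then reads the access token's claims (without signature verification, for local diagnosis only) to see whether those permissions are present as application permissions ("roles" claim, issued by the client-credentials flow) or only as delegated ones ("scp" claim). The sample error body and the unsigned test token are constructed here; the function and variable names are this example's own.

```python
import base64
import json
import re

# Constructed sample with the shape of the 403 body Graph returned in the question.
# The inner "message" is itself a JSON string, so it must be parsed a second time.
SAMPLE_403 = json.dumps({"error": {"code": "Forbidden", "message": json.dumps({
    "_version": 3,
    "Message": ("Application is not authorized to perform this operation. "
                "Application must have one of the following scopes: "
                "DeviceManagementManagedDevices.Read.All, "
                "DeviceManagementManagedDevices.ReadWrite.All - Operation ID ..."),
})}})


def required_scopes(error_body: str) -> list:
    """Pull the permissions Graph says are acceptable out of the nested error text."""
    inner = json.loads(json.loads(error_body)["error"]["message"])
    m = re.search(r"following scopes:\s*(.+?)\s*-\s*Operation ID", inner["Message"])
    return [s.strip() for s in m.group(1).split(",")] if m else []


def token_permissions(access_token: str) -> dict:
    """Read the token's claims WITHOUT verifying the signature (local diagnosis only).
    Application permissions granted via client credentials appear in 'roles';
    delegated permissions appear as a space-separated 'scp' string."""
    payload = access_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return {"application": claims.get("roles", []),
            "delegated": claims.get("scp", "").split()}


def diagnose(access_token: str, error_body: str) -> str:
    """Explain the 403 by comparing the required permissions with the token claims."""
    needed = set(required_scopes(error_body))
    perms = token_permissions(access_token)
    if needed & set(perms["application"]):
        return "ok: application permission present in roles"
    if needed & set(perms["delegated"]):
        return ("delegated-only: token carries scp, not roles; grant the Application "
                "permission and acquire the token with client credentials")
    return "missing: neither roles nor scp contains " + ", ".join(sorted(needed))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for local testing only (never send it to Graph)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Run diagnose() against the real access token your client is sending: if the result is "delegated-only", the app is authenticating as a user (the situation in the accepted answer) rather than with its own application permissions.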

5 additional answers

  1. Bob Lamaster 1 Reputation point
    2022-06-21T21:15:24.073+00:00

    I finally found the cause. When I set up the application registration and generated the "client secret", I copied that secret to a Notepad file. What I didn't know was that I missed copying one character on the end. So, whenever I tried to test the application, it was not using the application credentials, it was using my (delegated) credentials. My credentials do not have the permission to query the deviceManagement branch of Graph, but they do have the permission to query several other branches. To fix this, I simply re-generated the client secret and used that in my custom Power Automate connector. From then on, the application credentials (which had the necessary API permissions) were used.

