graph api for retire device has incorrect spelling for permissions

Jay 1 Reputation point

Using graph explorer (and also postman and python script to test), i am unable to retire a device from AAD/endpoint.

Here is the command i am using

Here are the 2 results for permissions (verified using permissions preview AND manually selecting permissions for account)

  1. DeviceManagementManagedDevices.PrivilegedOperations.All
  • this is one permission i am able to consent to. properly shows okta prompt for SSO and i can sign in
  1. DeviceManagementManagedDevices.PriviligedOperation.All
  • this is the one that i am UNABLE to accept and seemingly the one i need. even with the aforementioned permission accepted, this one still prompts for consent. when i try to consent, the okta sso dialog box pops up really quick and goes away. behavior is not seen on the other permission.

Using this URL format:{my_email)/managedDevices/{aad_device_id}/retire, i get a 400 bad request error
"error": {
"code": "No method match route template",
"message": "No OData route exists that match template ~/entityset/key/navigation/key/action with http verb POST for request /DeviceFE/StatelessDeviceFEService/users('my_email')/managedDevices('aad_device_id')/",
"innerError": {
"date": "2022-04-02T00:19:33",
"request-id": "xxxxxxxx",
"client-request-id": "xxxxxx"

I have also tried with my actual id instead of email without success - the command works if you end at managedDevices, however.

Not sure how to proceed.


Not Monitored
Not Monitored
Tag not monitored by Microsoft.
37,133 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. 2022-04-06T05:38:10.567+00:00

    There are API's which can be used for retiring a device can you please try
    API: POST{managedDeviceId}/retire
    Please refer this DOC.

    The permission "DeviceManagementManagedDevices.PrivilegedOperations.All" is the correct one it should be added in both delegated and application permission please refer this DOC.

    Hope this helps.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  2. Jay 1 Reputation point

    Hi Mohammend,

    I had already tried the beta url too.

    Here is the consented permissions using POST, beta, the URL provided, and var replaced with aad device id/device id

    This one is the one that pops up as needing permissions when i run the api call

    Notice that the one i have consented is plural for operations and the one that requires consent is singular.

    For sake of posterity, i have tried with the device ID and object ID of the ipad in question.
    the ipad is managed by intune and compliant as well.

    both attempts give the same error from the original post or this from beta url: "code": "ResourceNotFound"

    This is my set of permissions for the graph explorer (official site) enterprise app:


    0 comments No comments