Intune Graph PowerShell – An internal server error has occurred

I wasted an inordinate amount of time chasing this issue. Hopefully it saves others.

I wanted to create Apple Enrollment profiles in Intune using Graph PowerShell (or even just Graph API). Creating is easy, just use the beta cmdlets like this:

You do need to give a description, even though it’s optional in the portal. Else the cmdlet throws an error.

Assigning it to someone is a different story though – doesn’t work! Through a lot of trial and error I figured out the correct cmdlets to do this:

The documentation is useless and not helpful. But that in itself would have been fine, except that even this does not work. You get errors like this:

I tried other variants like:

But no use. Ditto if I try Invoke-MgGraphRequest or Invoke-RestMethod directly. They all fail!

Ok, and what about if I want to delete one of these via PowerShell? Same error:


Crazy thing is both operations work fine via the portal. I use Firefox, so if I right click the page, go to Inspect, and then the Network tab I can see the operations working.

Here’s delete, for instance.

And here’s a group assignment:

And here’s the request body that Firefox sends:

Everything matches what I am doing. Heck, I even copy pasted the request as is from Firefox and tried but it doesn’t work.

Worse, if I hit Resend:

That too works!

Out of frustration I tried copying the headers in the request Firefox makes and adding them to my Invoke-RestMethod requests, but nothing helped. What finally helped though, was copying the bearer token from Firefox and using that in Graph. That is to say, copy the entirety of the highlighted text:

Paste it into PowerShell thus and connect:

Now all the cmdlets above that didn’t work run successfully! Magic.

I don’t know why this works but the way I was trying previously didn’t. I was using an App Registration with pretty much the same permissions as what I see in this access token (difference being the App Registration had application permissions while the token had delegated permissions) so I am not sure what’s different (except the access token being for the Intune portal and maybe that matters). But at least this way I can use PowerShell to manipulate things, rather than use the portal. It won’t work for any scripts, but is useful to create a bunch of profiles for instance or do assignments.