I wasted an inordinate amount of time chasing this issue. Hopefully it saves others.
I wanted to create Apple Enrollment profiles in Intune using Graph PowerShell (or even just Graph API). Creating is easy, just use the beta cmdlets like this:
|
1 |
New-MgBetaDeviceManagementAppleUserInitiatedEnrollmentProfile -Platform 'iOS' -DefaultEnrollmentType 'device' -DisplayName "<insert name>" -Description "<insert description>" |
You do need to give a description, even though it’s optional in the portal. Else the cmdlet throws an error.
Assigning it to someone is a different story though – doesn’t work! Through a lot of trial and error I figured out the correct cmdlets to do this:
|
1 2 3 4 5 6 7 8 |
$target = @{ '@odata.type' = "#microsoft.graph.groupAssignmentTarget" 'deviceAndAppManagementAssignmentFilterId' = $null 'deviceAndAppManagementAssignmentFilterType' = 'none' 'groupId' = '<put entra group Id>' } New-MgBetaDeviceManagementAppleUserInitiatedEnrollmentProfileAssignment -AppleUserInitiatedEnrollmentProfileId '<put profile Id>' -Target $target |
The documentation is useless and not helpful. But that in itself would have been fine, except that even this does not work. You get errors like this:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
New-MgBetaDeviceManagementAppleUserInitiatedEnrollmentProfileAssignment_CreateExpanded: { "_version": 3, "Message": "An internal server error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 6be199a3-0fb5-4a3a-a0be-462341e3e050 - Url: https://fef.msua02.manage.microsoft.com/DeviceEnrollmentFE/StatelessDeviceEnrollmentFEService/deviceManagement/appleUserInitiatedEnrollmentProfiles('04719205-e852-461a-bb68-46c668cb7c28')/assignments?api-version=5023-06-28", "CustomApiErrorPhrase": "", "RetryAfter": null, "ErrorSourceService": "", "HttpHeaders": "{}" } Status: 500 (InternalServerError) ErrorCode: InternalServerError Date: 2024-01-29T14:32:26 Headers: Transfer-Encoding : chunked Vary : Accept-Encoding Strict-Transport-Security : max-age=31536000 request-id : a8faebaa-91f0-43dc-a11d-7f2616fba1bf client-request-id : 6bf199a3-0fb5-4a3a-a0be-462341e3e050 x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"US East","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":"YT1PEPF00001D90"}} Date : Mon, 29 Jan 2024 14:32:26 GM |
I tried other variants like:
|
1 2 3 4 5 6 7 8 9 10 |
$body = @{ 'target' = @{ '@odata.type' = "#microsoft.graph.groupAssignmentTarget" 'deviceAndAppManagementAssignmentFilterId' = $null 'deviceAndAppManagementAssignmentFilterType' = 'none' 'groupId' = 'put entra group Id' } } New-MgBetaDeviceManagementAppleUserInitiatedEnrollmentProfileAssignment -AppleUserInitiatedEnrollmentProfileId '<put profile Id>' -BodyParameter $body |
But no use. Ditto if I try Invoke-MgGraphRequest or Invoke-RestMethod directly. They all fail!
Ok, and what about if I want to delete one of these via PowerShell? Same error:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
Remove-MgBetaDeviceManagementAppleUserInitiatedEnrollmentProfile_Delete: { "_version": 3, "Message": "An internal server error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 533345e0-cae9-4711-85e8-cb55d7a16e41 - Url: https://fef.msua02.manage.microsoft.com/DeviceEnrollmentFE/StatelessDeviceEnrollmentFEService/deviceManagement/appleUserInitiatedEnrollmentProfiles('636b9e2b-f762-4427-bfec-0fd76323750a')?api-version=5023-06-28", "CustomApiErrorPhrase": "", "RetryAfter": null, "ErrorSourceService": "", "HttpHeaders": "{}" } Status: 500 (InternalServerError) ErrorCode: InternalServerError Date: 2024-01-29T14:22:19 Headers: Transfer-Encoding : chunked Vary : Accept-Encoding Strict-Transport-Security : max-age=31536000 request-id : cc10c124-2666-4db1-b58c-aa327e32a382 client-request-id : 133341e0-cae9-4711-85e8-cb55d7a16e42 x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"US East","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"TO1PEPF000051D9"}} Date : Mon, 29 Jan 2024 14:22:18 GM |
Madness!
Crazy thing is both operations work fine via the portal. I use Firefox, so if I right click the page, go to Inspect, and then the Network tab I can see the operations working.
Here’s delete, for instance.
And here’s a group assignment:
And here’s the request body that Firefox sends:
Everything matches what I am doing. Heck, I even copy pasted the request as is from Firefox and tried but it doesn’t work.
Worse, if I hit Resend:
That too works!
Out of frustration I tried copying the headers in the request Firefox makes and adding them to my Invoke-RestMethod requests, but nothing helped. What finally helped though, was copying the bearer token from Firefox and using that in Graph. That is to say, copy the entirety of the highlighted text:
Paste it into PowerShell thus and connect:
|
1 2 |
$accessToken = '<paste>' | ConvertTo-SecureString -AsPlainText Connect-MgGraph -AccessToken $accessToken |
Now all the cmdlets above that didn’t work run successfully! Magic.
I don’t know why this works but the way I was trying previously didn’t. I was using an App Registration with pretty much the same permissions as what I see in this access token (difference being the App Registration had application permissions while the token had delegated permissions) so I am not sure what’s different (except the access token being for the Intune portal and maybe that matters). But at least this way I can use PowerShell to manipulate things, rather than use the portal. It won’t work for any scripts, but is useful to create a bunch of profiles for instance or do assignments.