{"id":7482,"date":"2024-01-29T14:58:38","date_gmt":"2024-01-29T14:58:38","guid":{"rendered":"https:\/\/rakhesh.com\/?p=7482"},"modified":"2024-01-29T14:58:38","modified_gmt":"2024-01-29T14:58:38","slug":"intune-graph-powershell-an-internal-server-error-has-occurred","status":"publish","type":"post","link":"https:\/\/rakhesh.com\/azure\/intune-graph-powershell-an-internal-server-error-has-occurred\/","title":{"rendered":"Intune Graph PowerShell – An internal server error has occurred"},"content":{"rendered":"

I wasted an inordinate amount of time chasing this issue. Hopefully it saves others.<\/p>\n

I wanted to create Apple Enrollment profiles in Intune using Graph PowerShell (or even just Graph API). Creating is easy, just use the beta cmdlets like this:<\/p>\n

New-MgBetaDeviceManagementAppleUserInitiatedEnrollmentProfile -Platform 'iOS' -DefaultEnrollmentType 'device' -DisplayName \"<insert name>\" -Description \"<insert description>\"<\/pre>\n

You do need to give a description, even though it’s optional in the portal. Else the cmdlet throws an error.<\/p>\n

Assigning it to someone is a different story though – doesn’t work! Through a lot of trial and error I figured out the correct cmdlets to do this:<\/p>\n

$target = @{\r\n        '@odata.type' = \"#microsoft.graph.groupAssignmentTarget\"\r\n        'deviceAndAppManagementAssignmentFilterId' = $null\r\n        'deviceAndAppManagementAssignmentFilterType' = 'none'\r\n        'groupId' = '<put entra group Id>'\r\n}\r\n\r\nNew-MgBetaDeviceManagementAppleUserInitiatedEnrollmentProfileAssignment -AppleUserInitiatedEnrollmentProfileId '<put profile Id>' -Target $target<\/pre>\n

The documentation is useless and not helpful. But that in itself would have been fine, except that even this does not work. You get errors like this:<\/p>\n

New-MgBetaDeviceManagementAppleUserInitiatedEnrollmentProfileAssignment_CreateExpanded: {\r\n  \"_version\": 3,\r\n  \"Message\": \"An internal server error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 6be199a3-0fb5-4a3a-a0be-462341e3e050 - Url: https:\/\/fef.msua02.manage.microsoft.com\/DeviceEnrollmentFE\/StatelessDeviceEnrollmentFEService\/deviceManagement\/appleUserInitiatedEnrollmentProfiles('04719205-e852-461a-bb68-46c668cb7c28')\/assignments?api-version=5023-06-28\",\r\n  \"CustomApiErrorPhrase\": \"\",\r\n  \"RetryAfter\": null,\r\n  \"ErrorSourceService\": \"\",\r\n  \"HttpHeaders\": \"{}\"\r\n}\r\n\r\nStatus: 500 (InternalServerError)\r\nErrorCode: InternalServerError\r\nDate: 2024-01-29T14:32:26\r\n\r\nHeaders:\r\nTransfer-Encoding             : chunked\r\nVary                          : Accept-Encoding\r\nStrict-Transport-Security     : max-age=31536000\r\nrequest-id                    : a8faebaa-91f0-43dc-a11d-7f2616fba1bf\r\nclient-request-id             : 6bf199a3-0fb5-4a3a-a0be-462341e3e050\r\nx-ms-ags-diagnostic           : {\"ServerInfo\":{\"DataCenter\":\"US East\",\"Slice\":\"E\",\"Ring\":\"5\",\"ScaleUnit\":\"001\",\"RoleInstance\":\"YT1PEPF00001D90\"}}\r\nDate                          : Mon, 29 Jan 2024 14:32:26 GM\r\n<\/pre>\n

I tried other variants like:<\/p>\n

$body = @{\r\n    'target' = @{\r\n            '@odata.type' = \"#microsoft.graph.groupAssignmentTarget\"\r\n            'deviceAndAppManagementAssignmentFilterId' = $null\r\n            'deviceAndAppManagementAssignmentFilterType' = 'none'\r\n            'groupId' = 'put entra group Id'\r\n    }\r\n}\r\n\r\nNew-MgBetaDeviceManagementAppleUserInitiatedEnrollmentProfileAssignment -AppleUserInitiatedEnrollmentProfileId '<put profile Id>' -BodyParameter $body<\/pre>\n

But no use. Ditto if I try Invoke-MgGraphRequest<\/code> or Invoke-RestMethod<\/code> directly. They all fail!<\/p>\n

Ok, and what about if I want to delete one of these via PowerShell? Same error:<\/p>\n

Remove-MgBetaDeviceManagementAppleUserInitiatedEnrollmentProfile_Delete: {\r\n  \"_version\": 3,\r\n  \"Message\": \"An internal server error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 533345e0-cae9-4711-85e8-cb55d7a16e41 - Url: https:\/\/fef.msua02.manage.microsoft.com\/DeviceEnrollmentFE\/StatelessDeviceEnrollmentFEService\/deviceManagement\/appleUserInitiatedEnrollmentProfiles('636b9e2b-f762-4427-bfec-0fd76323750a')?api-version=5023-06-28\",\r\n  \"CustomApiErrorPhrase\": \"\",\r\n  \"RetryAfter\": null,\r\n  \"ErrorSourceService\": \"\",\r\n  \"HttpHeaders\": \"{}\"\r\n}\r\n\r\nStatus: 500 (InternalServerError)\r\nErrorCode: InternalServerError\r\nDate: 2024-01-29T14:22:19\r\n\r\nHeaders:\r\nTransfer-Encoding             : chunked\r\nVary                          : Accept-Encoding\r\nStrict-Transport-Security     : max-age=31536000\r\nrequest-id                    : cc10c124-2666-4db1-b58c-aa327e32a382\r\nclient-request-id             : 133341e0-cae9-4711-85e8-cb55d7a16e42\r\nx-ms-ags-diagnostic           : {\"ServerInfo\":{\"DataCenter\":\"US East\",\"Slice\":\"E\",\"Ring\":\"5\",\"ScaleUnit\":\"000\",\"RoleInstance\":\"TO1PEPF000051D9\"}}\r\nDate                          : Mon, 29 Jan 2024 14:22:18 GM\r\n<\/pre>\n

Madness!<\/p>\n

Crazy thing is both operations work fine via the portal. I use Firefox, so if I right click the page, go to Inspect, and then the Network tab I can see the operations working.<\/p>\n

Here’s delete, for instance.<\/p>\n

And here’s a group assignment:<\/p>\n

And here’s the request body that Firefox sends:<\/p>\n

Everything matches what I am doing. Heck, I even copy pasted the request as is from Firefox and tried but it doesn’t work.<\/p>\n

Worse, if I hit Resend:<\/p>\n

That too works!<\/p>\n

Out of frustration I tried copying the headers in the request Firefox makes and adding them to my Invoke-RestMethod<\/code> requests, but nothing helped. What finally helped though, was copying the bearer token from Firefox and using that in Graph. That is to say, copy the entirety of the highlighted text:<\/p>\n

Paste it into PowerShell thus and connect:<\/p>\n

$accessToken = '<paste>' | ConvertTo-SecureString -AsPlainText -Force\r\nConnect-MgGraph -AccessToken $accessToken<\/pre>\n

Now all the cmdlets above that didn’t work run successfully! Magic.<\/p>\n

I don’t know why this works but the way I was trying previously didn’t. I was using an App Registration with pretty much the same permissions as what I see in this access token (difference being the App Registration had application permissions while the token had delegated permissions) so I am not sure what’s different (except the access token being for the Intune portal and maybe that matters). But at least this way I can use PowerShell to manipulate things, rather than use the portal. It won’t work for any scripts, but is useful to create a bunch of profiles for instance or do assignments.<\/p>\n","protected":false},"excerpt":{"rendered":"

I wasted an inordinate amount of time chasing this issue. Hopefully it saves others. I wanted to create Apple Enrollment profiles in Intune using Graph PowerShell (or even just Graph API). Creating is easy, just use the beta cmdlets like this: New-MgBetaDeviceManagementAppleUserInitiatedEnrollmentProfile -Platform ‘iOS’ -DefaultEnrollmentType ‘device’ -DisplayName “<insert name>” -Description “<insert description>” You do need … Continue reading Intune Graph PowerShell – An internal server error has occurred<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[887],"tags":[1115,1015],"jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/posts\/7482"}],"collection":[{"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/comments?post=7482"}],"version-history":[{"count":1,"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/posts\/7482\/revisions"}],"predecessor-version":[{"id":7489,"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/posts\/7482\/revisions\/7489"}],"wp:attachment":[{"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/media?parent=7482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/categories?post=7482"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\
/rakhesh.com\/wp-json\/wp\/v2\/tags?post=7482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}