Intune rights to unassignUserFromDevice and assignUserToDevice

Konrad Wojciechowski (Nokia) 40 Reputation points
2024-09-05T14:46:21.1333333+00:00

Hello,

I would like to remove or change assigned users to autopilot device in Intune.
I have the following endpoints:

https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities/xxxx/assignUserToDevice

https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities/xxxx/unassignUserFromDevice

Unfortunately I am receiving:

{
    "error": {
        "code": "Forbidden",
        "message": "{\r\n  \"_version\": 3,\r\n  \"Message\": \"User is not authorized to perform this operation - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 2ba45a6c-29cf-4e39-b07e-f0c23b0553fd - Url: https://fef.msub02.manage.microsoft.com/DeviceEnrollmentFE/StatelessDeviceEnrollmentFEService/deviceManagement/windowsAutopilotDeviceIdentities('9c0b5716-4736-4af5-a55c-3ac9c00f9a64')/microsoft.management.services.api.assignUserToDevice?api-version=2024-03-21\",\r\n  \"CustomApiErrorPhrase\": \"\",\r\n  \"RetryAfter\": null,\r\n  \"ErrorSourceService\": \"\",\r\n  \"HttpHeaders\": \"{}\"\r\n}",
        "innerError": {
            "date": "2024-09-05T13:59:27",
            "request-id": "2ba45a6c-29cf-4e39-b07e-f0c23b0553fd",
            "client-request-id": "2ba45a6c-29cf-4e39-b07e-f0c23b0553fd"
        }
    }
}

We have the following permissions set in Intune (custom role):

  1. Enrollment programs: Create device, delete device, read token, delete token, update token, read device
  2. Managed devices: Read, Delete, Query
  3. Organization: read

What should we add there to make it work?


2 answers

  1. Aleksandr Kolesnikov 636 Reputation points
    2024-09-05T22:31:11.43+00:00

    Hi @Konrad Wojciechowski (Nokia)

    Your account does not have enough permissions for the scope DeviceManagementServiceConfig.ReadWrite.All

    If you'd like to add them to a custom role, please have a look at:

    Device Manage > Set primary user

    Choose, change, or remove the primary user of a managed device. This permission must be used in combination with the managed devices read and update permissions.


    Also, you can add permissions to an application for Graph API calls, or connect via PowerShell:

    Connect-MgGraph -Scopes "DeviceManagementServiceConfig.ReadWrite.All"

    PS: It will require granting permissions with an admin account.

    Best regards,

    Aleksandr


  2. Crystal-MSFT 48,581 Reputation points Microsoft Vendor
    2024-09-06T01:06:18.4066667+00:00

    @Konrad Wojciechowski (Nokia), Thanks for posting in Q&A. For assignUserToDevice action, the permission required is as below:


    https://learn.microsoft.com/en-us/graph/api/intune-enrollment-windowsautopilotdeviceidentity-assignusertodevice?view=graph-rest-1.0&tabs=http

    For unassignUserFromDevice action, the permission is like this:


    https://learn.microsoft.com/en-us/graph/api/intune-enrollment-windowsautopilotdeviceidentity-unassignuserfromdevice?view=graph-rest-1.0&tabs=http

    If you do the action via Graph Explorer, you can add permission here.


    Or you can create a registered app and grant it the required Graph permission to access these Intune Graph APIs.

    https://learn.microsoft.com/en-us/mem/intune/developer/intune-graph-apis

    Please grant the above permission for graph to see if it works.

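As an added example (not from either answer, nor from Microsoft's own documentation), this PowerShell script connects with only the scope named in the answers, checks that the issued token actually carries it before making any call, and then invokes the two Autopilot actions from the question with the 403 handled explicitly. The device id, UPN and display name are placeholders, and the request-body field names (userPrincipalName, addressableUserName) are assumed from the linked assignUserToDevice reference; confirm them there.

```powershell
# Added example, not code from the thread. Needs the Microsoft.Graph.Authentication
# module. Device id, UPN and display name below are placeholders.
$RequiredScope = 'DeviceManagementServiceConfig.ReadWrite.All'
$DeviceId      = '<autopilot-device-identity-id>'   # placeholder
$Upn           = 'user@contoso.example'             # placeholder

# Least privilege: request only the scope these two actions need,
# not a broader Intune scope "just in case".
Connect-MgGraph -Scopes $RequiredScope -NoWelcome

# A declined consent prompt, or an app registration that was never granted
# the permission, yields a token without the scope. Fail here rather than
# on the first Forbidden response.
$granted = (Get-MgContext).Scopes
if ($granted -notcontains $RequiredScope) {
    throw "Token lacks $RequiredScope (granted: $($granted -join ', '))"
}

$base = "https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities/$DeviceId"

function Invoke-AutopilotAction {
    param([string]$Action, [hashtable]$Body)
    $params = @{ Method = 'POST'; Uri = "$base/$Action" }
    if ($Body) {
        $params.Body        = $Body | ConvertTo-Json
        $params.ContentType = 'application/json'
    }
    try {
        Invoke-MgGraphRequest @params | Out-Null   # 204 No Content on success
        Write-Host "$Action succeeded"
        return $true
    } catch {
        # The Forbidden error from the question lands here. Surface it and
        # stop: retrying without the right Intune role cannot succeed.
        Write-Warning "$Action failed: $($_.Exception.Message)"
        return $false
    }
}

# Both actions the question lists; the assignment body fields are assumed
# from the linked Graph reference (verify there before relying on them).
if (Invoke-AutopilotAction -Action 'unassignUserFromDevice') {
    Invoke-AutopilotAction -Action 'assignUserToDevice' -Body @{
        userPrincipalName   = $Upn
        addressableUserName = 'Display Name'   # placeholder
    }
}
```

If the scope check passes but the action still returns Forbidden, the Graph token is fine and the missing piece is the Intune RBAC role, which is what the first answer points at.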
