1
votes

Trying to update a device displayName property using the graph api. Using this documentation (https://docs.microsoft.com/en-us/graph/api/device-update?view=graph-rest-beta&tabs=http). Request details:

PATCH https://graph.microsoft.com/v1.0/devices/{AAD Object ID here}
JSON payload:
{
    "displayName": "My-Test-iPad"
}

I've tried this using both v1.0 and beta versions of the API. Both are returning 403 (forbidden). My account is an Intune Admin, and all of my other API calls are working perfectly, including other AAD operations such as group membership adds/removes.

Also, using Set-AzureADDevice Cmdlet from the AzureAD PowerShell module works fine to change the displayName (using the same user account). So it doesn't seem to be a permissions issue. I wish I could see what that cmdlet is doing under the hood, as I'm sure that would give me everything I need, but not sure how to expose that either.

1
Have you requested Directory.ReadWrite.All or Directory.AccessAsUser.All scopes and received Admin Consent? - Marc LaFleur

1 Answer

1
votes

using Set-AzureADDevice Cmdlet from the AzureAD PowerShell module works fine to change the displayName (using the same user account). So it doesn't seem to be a permissions issue.

If you want to use the Azure AD PowerShell module to update the device, you need to run the command Connect-AzureAD to connect to Azure AD first. When you run the command, you log in as an Azure AD user. That AD user has been assigned an AD role, and the AD role has some AD permissions, so you can directly update the Azure AD device. For more details, please refer to https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#role-permissions.

When I run the graph api to update Azure AD devices, I get the 403 error

According to my research, if you use the graph api to update an Azure AD device, you need to provide some permissions. These permissions are Directory.ReadWrite.All and Directory.AccessAsUser.All. When we call the graph api, we need to provide an access token, and we get the access token through an AD application. When I create the AD application, the AD application does not have any permissions. We need to manually assign the permissions to the AD application we are using. For more details, please refer to https://docs.microsoft.com/en-us/graph/auth/auth-concepts?context=graph%2Fapi%2F1.0&view=graph-rest-1.0.
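The check a practitioner would want before reopening this as a permissions bug, as an added example that is not code from the question or the answer above: decode the bearer token you are sending to Graph and confirm that its scp (delegated scopes) or roles (application permissions) claim actually contains one of the permissions the answer names, then build the same PATCH the question shows. The tokens in the script are constructed and unsigned so it runs offline; the device id is a placeholder; the Graph URL and JSON body are the ones from the question. Decoding here reads the payload without verifying the signature, so it is a debugging aid for a token you already hold, never an authorisation decision.

```python
"""Added example (not from the original Q&A): inspect the Graph bearer token
for the permission PATCH /devices needs before sending the request.

Graph returns 403 when a token that works for other calls (group membership,
for example) lacks the permission a particular endpoint needs. That permission
is visible in the token's 'scp' claim (delegated scopes, space separated) or
'roles' claim (application permissions), so look there first.
"""
import base64
import json
import urllib.request

GRAPH_DEVICE_URL = "https://graph.microsoft.com/v1.0/devices/{device_id}"

# Permissions the answer says PATCH /devices needs; any one of them suffices.
REQUIRED_PERMISSIONS = {"Directory.ReadWrite.All", "Directory.AccessAsUser.All"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    The signature is NOT verified: this inspects a token you already hold,
    it must never be used to decide whether to trust a token someone presents.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> set:
    """Delegated scopes from 'scp' plus application permissions from 'roles'."""
    granted = set(claims.get("scp", "").split())
    granted.update(claims.get("roles", []))
    return granted


def token_can_update_device(token: str) -> bool:
    """True if the token carries at least one permission PATCH /devices accepts."""
    return bool(granted_permissions(decode_jwt_claims(token)) & REQUIRED_PERMISSIONS)


def build_patch_request(device_id: str, display_name: str, token: str) -> urllib.request.Request:
    """The PATCH from the question, ready for urllib.request.urlopen()."""
    body = json.dumps({"displayName": display_name}).encode()
    return urllib.request.Request(
        GRAPH_DEVICE_URL.format(device_id=device_id),
        data=body,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="PATCH",
    )


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT (alg 'none') for offline demonstration only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


if __name__ == "__main__":
    # Constructed tokens: the first resembles one that can edit groups but not
    # devices (the questioner's situation); the second has the needed scope.
    group_only = make_unsigned_token({"scp": "User.Read Group.ReadWrite.All"})
    directory_rw = make_unsigned_token({"scp": "Directory.ReadWrite.All User.Read"})
    for label, tok in (("group-only token", group_only), ("Directory.ReadWrite.All token", directory_rw)):
        print(label, "->", "ok" if token_can_update_device(tok) else "expect 403")
    # Placeholder device id; urllib.request.urlopen(req) would send the request.
    req = build_patch_request("00000000-0000-0000-0000-000000000000", "My-Test-iPad", directory_rw)
    print(req.get_method(), req.full_url)
```

With a real token from the questioner's application, paste it into token_can_update_device; if it reports False, the fix is on the app registration side (grant and admin-consent the permission, then acquire a fresh token), not in the request. A token acquired interactively with the same account that Set-AzureADDevice uses will still fail here if the application that requested it was never granted the scope.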