Intune device management GRAPH API


Does anyone know how I can connect to the Intune API using MS Graph with a Access/Refresh token?

I'm using AADInternals module.

Get-AccessTokenWithRefreshToken -Resource "https://graph.microsoft.com" -ClientId "00000000-0000-0000-0000-000000000000" -RefreshToken $refreshtoken -TenantId $Tenant

I've tried all kind of resources and clientid, but when I make a call I keep getting errors like:

{"error":"invalid_grant","error_description":"AADSTS70000: Provided grant is invalid or malformed.\r\n"

{"error":"invalid_grant","error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid"

{"error":"unauthorized_client","error_description":"AADSTS700038: 00000000-0000-0000-0000-000000000000

Or when I use a default MSGraph API clientid & resource:

$apiUrl = "https://graph.microsoft.com/v1.0/deviceManagement/managedDeviceOverview"

Invoke-RestMethod -Headers @{Authorization = "Bearer " + $attributes.MSGraph} -Uri $apiUrl -Method GET -ContentType 'application/json'

Invoke-RestMethod : The remote server returned an error: (403) Forbidden.

or:

Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.

Update 1

DeviceCompliance seems to be working, I just can't get managedDeviceOverview to work.... Even in Graph Explorer Developer it's giving errors...

https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies
https://graph.microsoft.com/v1.0/deviceManagement/managedDeviceOverview


If /deviceManagement/deviceCompliancePolicies is working and /deviceManagement/managedDeviceOverview is not, my guess is that there are permissions missing on the enterprise application in AAD (application with the clientid which you pass to the -ClientId parameter in Get-AccessTokenWithRefreshToken).

Permissions for /deviceManagement/deviceCompliancePolicies

DeviceManagementConfiguration.Read.All, DeviceManagementConfiguration.ReadWrite.All

These permissions might already be set (because the api call is working).

Check this link (chapter prerequisites): https://learn.microsoft.com/en-us/graph/api/intune-deviceconfig-devicecompliancepolicy-get?view=graph-rest-1.0#prerequisites

Permissions for /deviceManagement/managedDeviceOverview

DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All

These permissions might not be set (because the api call is not working).

Check this link (chapter prerequisites): https://learn.microsoft.com/en-us/graph/api/intune-devices-manageddeviceoverview-get?view=graph-rest-1.0#prerequisites

Check the permissions in the Azure portal: Azure Active Directory --> Enterprise applications --> Your enterprise app (with the right clientid) --> Permissions
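Before comparing portal settings, it helps to look at what the token itself carries. The following PowerShell is an added example (not from the question or the answer above): it decodes the access token's JWT payload and reports whether the scopes the Intune docs list for managedDeviceOverview are present. The `$Required` defaults are the permission names cited above; the variable `$attributes.MSGraph` in the usage line is the one from the question.

```powershell
# Added example: decode a Graph access token's payload and check whether it
# carries the permissions /deviceManagement/managedDeviceOverview needs, so a
# 403 can be traced to a missing scope before retrying the API call.
function Get-GraphTokenPermissions {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        # Permissions required by the endpoint (names from the Intune docs linked above)
        [string[]] $Required = @('DeviceManagementManagedDevices.Read.All',
                                 'DeviceManagementManagedDevices.ReadWrite.All')
    )
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected three dot-separated segments.' }

    # JWT segments are base64url without padding; normalise before decoding.
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims = [System.Text.Encoding]::UTF8.GetString(
        [Convert]::FromBase64String($payload)) | ConvertFrom-Json

    # Delegated tokens list scopes in 'scp' (space-separated); app-only tokens use 'roles'.
    $granted = @()
    if ($claims.scp)   { $granted += $claims.scp -split ' ' }
    if ($claims.roles) { $granted += $claims.roles }

    [pscustomobject]@{
        Audience    = $claims.aud   # should be https://graph.microsoft.com (or Graph's app id)
        Expires     = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
        Granted     = $granted
        HasRequired = [bool]($granted | Where-Object { $Required -contains $_ })
    }
}

# Usage with the token variable from the question:
#   $info = Get-GraphTokenPermissions -AccessToken $attributes.MSGraph
#   $info.Granted; $info.HasRequired
```

A token with the Graph audience but without one of the required scopes is consistent with the 403 seen in the question, whereas a wrong audience or an expired token more commonly yields the 401.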