Authenticating to new Get-WindowsAutoPilotInfo

As you have probably noticed, the Get-WindowsAutoPilotInfo script and the associated WindowsAutoPilotIntune module have been updated. Whether you are using the official version or my forked one, the authentication method has changed to the Microsoft.Graph SDK.

In this post we will look at the two different authentication methods and the permissions required:

User Authentication

This uses the Connect-MgGraph command with the following scopes:

Group.ReadWrite.All
Device.ReadWrite.All
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementServiceConfig.ReadWrite.All
GroupMember.ReadWrite.All

These are required so you are covered if you also use the “-group” parameter to add devices to an Azure AD Group.

We then run this command to do a basic online enrollment:

get-windowsautopilotinfo.ps1 -online
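As an added example (not part of the original post or the script), the snippet below connects with the same delegated scopes the script asks for and then compares the scopes that actually came back in the token with the ones required. A scope that is missing from Get-MgContext is one the signed-in user could not consent to themselves, which is exactly the situation the consent screens below are about. It assumes Microsoft.Graph.Authentication 2.x (for -NoWelcome).

```powershell
# Added example: connect with the script's delegated scopes and report any the
# tenant did not grant. Not from the original post; assumes Microsoft.Graph SDK 2.x.
Import-Module Microsoft.Graph.Authentication

$requiredScopes = @(
    'Group.ReadWrite.All',
    'Device.ReadWrite.All',
    'DeviceManagementManagedDevices.ReadWrite.All',
    'DeviceManagementServiceConfig.ReadWrite.All',
    'GroupMember.ReadWrite.All'
)

# -Scopes takes a string array; -NoWelcome suppresses the SDK banner.
Connect-MgGraph -Scopes $requiredScopes -NoWelcome

$ctx = Get-MgContext
if (-not $ctx) { throw 'Connect-MgGraph did not establish a session.' }

"Signed in as {0} ({1}) to tenant {2}" -f $ctx.Account, $ctx.AuthType, $ctx.TenantId

# Scopes that were requested but are absent from the token: either the user
# could not consent to them, or an admin has not granted them tenant-wide.
$missing = $requiredScopes | Where-Object { $_ -notin $ctx.Scopes }
if ($missing) {
    Write-Warning ("Not granted: {0}. An admin needs to consent under Enterprise applications > Microsoft Graph Command Line Tools > Permissions." -f ($missing -join ', '))
} else {
    'All required scopes are present in the token.'
}
```

Running this before the enrollment script tells you up front whether the consent step has been completed for the account you are using, rather than finding out from a Forbidden or Unauthorized error halfway through Add-AutopilotImportedDevice.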

You’ll be prompted to login to your tenant:

M365 Sign-In

Microsoft Graph Command Line Tools (listed as Microsoft Graph PowerShell on some tenants), which the SDK uses to run commands, needs to set up an application within your Azure Active Directory with the permissions selected earlier:

MS Graph Permissions Approval

We will start by looking at what happens if the box is left unticked:

If we navigate to Azure AD and click on Enterprise Applications, we can see the app in there:

Microsoft Graph Enterprise App

Clicking on that and then Permissions, we can see that nothing has been given admin consent:

Admin Consent showing no permissions

But we can see those permissions under user consent with one user added:

User consent showing delegated access

In here we can click the big blue button to consent permissions to everyone in the tenant:

Grant admin consent button

Clicking this will prompt you to sign in with a global admin, but it only grants permission to view the current user (User.Read), which is no use to us:

Admin consent showing user.read and nothing else

So what happens if we tick the box?

Graph permissions with consent on behalf ticked

Now, in the enterprise app, the permissions are greyed out, so in theory anyone can run the script. That’s worth testing: after logging in with a different user, everything worked as expected, with no prompt to grant permissions.

Connecting to WindowsAutoPilotIntune Module

When using this module, you first need to connect to Graph. Use this command (-Scopes takes an array, so each scope is passed as its own string):

Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.ReadWrite.All", "DeviceManagementManagedDevices.ReadWrite.All", "DeviceManagementServiceConfig.ReadWrite.All", "GroupMember.ReadWrite.All"

Connecting with an App Reg

The other option for connecting is using an application registration, where an Application ID and Secret are supplied to the script to use instead of user credentials.

Let’s start by creating a new app reg:

Within Azure AD, click App Registrations and then New registration:

App Registrations Menu Item

New registration button

Single tenant is fine, and we’ll set the redirect URI in a minute.

App Reg Name and Single Tenant

Make a note of the client ID and click Add Redirect URI

App Reg details with Redirect URI selected

Click Add a platform

App reg add platform button

Select Mobile and Desktop Applications

Mobile and desktop applications button

Select the top URI

Redirect URI with:
https://login.microsoftonline.com/common/oauth2/nativeclient

Now click API permissions

API Permissions menu item

Add a permission

Add API permission

Select Microsoft Graph

Microsoft Graph API Permissions

We want to use Application Permissions so that no signed-in user is required.

Add the permissions mentioned earlier:

Group.ReadWrite.All
Device.ReadWrite.All
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementServiceConfig.ReadWrite.All
GroupMember.ReadWrite.All

You will notice they have been added but do not have admin consent:

Screenshot of API permissions showing "Not Granted for xxx" message

Click the Grant admin consent button

Grant admin consent button

The last thing we need is a secret (think of it as the app’s password).

Navigate to certificates and secrets

Certificates and secrets menu item

Click new client secret

New client secret button

Make a note of the secret value: you can’t view it again afterwards, so if you lose it you will need to create a new secret.

App secret details

Now to use this with the script (obviously replace 12345 with your values):

get-windowsautopilotinfo.ps1 -online -TenantID 12345 -appid 12345 -appsecret 12345
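Added example (not from the original post or either version of the script): the same app-only connection the script makes, written out so you can see what is happening and keep the secret out of the script file. The tenant and app IDs are placeholders, and the secret is read from an environment variable I have named AUTOPILOT_APP_SECRET for this example. It assumes Microsoft.Graph.Authentication 2.x, where Connect-MgGraph accepts -ClientSecretCredential and where -AccessToken must be a SecureString; that SecureString requirement matches the "cannot convert System.String to System.Security.SecureString" error one commenter reports below.

```powershell
# Added example: app-only Graph connection for the Autopilot cmdlets.
# Not from the original post; assumes Microsoft.Graph SDK 2.x.
Import-Module Microsoft.Graph.Authentication

$tenantId = 'PLACEHOLDER-TENANT-ID'   # replace with your tenant ID
$clientId = 'PLACEHOLDER-APP-ID'      # replace with the app reg's Application (client) ID

# The secret comes from an environment variable set for this session (name is
# my choice for the example), so it is never stored next to the script.
if (-not $env:AUTOPILOT_APP_SECRET) { throw 'Set AUTOPILOT_APP_SECRET before running.' }
$secret = ConvertTo-SecureString -String $env:AUTOPILOT_APP_SECRET -AsPlainText -Force

# Method 1: let the SDK do the client-credentials flow.
$credential = New-Object System.Management.Automation.PSCredential($clientId, $secret)
Connect-MgGraph -TenantId $tenantId -ClientSecretCredential $credential -NoWelcome

$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly') { throw "Expected AppOnly auth, got $($ctx.AuthType)" }
"Connected to tenant $($ctx.TenantId) as app $($ctx.ClientId)"

# Method 2: request the token yourself (this is what the module does internally)
# and hand it to Connect-MgGraph. In SDK 2.x -AccessToken is a SecureString,
# so a plain string must be converted first.
$body = @{
    grant_type    = 'client_credentials'
    client_id     = $clientId
    client_secret = $env:AUTOPILOT_APP_SECRET
    scope         = 'https://graph.microsoft.com/.default'
}
$tokenResponse = Invoke-RestMethod -Method Post -Body $body `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$secureToken = ConvertTo-SecureString -String $tokenResponse.access_token -AsPlainText -Force
Connect-MgGraph -AccessToken $secureToken -NoWelcome

# With either method the WindowsAutopilotIntune cmdlets now run app-only, e.g.:
# Get-AutopilotDevice | Select-Object serialNumber, model
```

Either method ends with an AppOnly context, which is what the Autopilot cmdlets need. Checking Get-MgContext.AuthType immediately after connecting is a cheap way to catch the case where the connect call silently fell back to a cached delegated session.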


Troubleshooting

A special thanks to Kenny Renström for help with these!

  • “The provided access token has expired” – Check the system date/time are correct
  • If using an app secret, make sure your redirect URIs are set correctly (the top option in Mobile and desktop applications will be sufficient)
  • “Invoke-autopilotsync: Microsoft.Graph.Powershell.Authentication.Helpers.httpresponseException: Response status code does not indicate success: Conflict” – The sync has been run too many times, wait 10 minutes and re-run the script (I am also fixing this in the code itself)
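Several of the things this post asks you to click through (the redirect URI, the five application permissions, admin consent, and a valid secret) can be verified in one pass. The script below is an added example, not from the post, and audits an app registration against those steps. Run it as an admin user with the delegated Application.Read.All scope, not with the app reg itself. The app ID is a placeholder; the only real identifier it relies on is the well-known application ID of Microsoft Graph (00000003-0000-0000-c000-000000000000).

```powershell
# Added example: audit an app registration against the setup steps in the post.
# Not from the original post; run as an admin user, not as the app.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

$appId            = 'PLACEHOLDER-APP-ID'   # the Application (client) ID noted earlier
$graphAppId       = '00000003-0000-0000-c000-000000000000'   # well-known app ID of Microsoft Graph
$expectedRedirect = 'https://login.microsoftonline.com/common/oauth2/nativeclient'
$requiredRoles    = @(
    'Group.ReadWrite.All',
    'Device.ReadWrite.All',
    'DeviceManagementManagedDevices.ReadWrite.All',
    'DeviceManagementServiceConfig.ReadWrite.All',
    'GroupMember.ReadWrite.All'
)

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$app = Get-MgApplication -Filter "appId eq '$appId'"
if (-not $app) { throw "No app registration found with appId $appId" }

# 1. Redirect URI under the "Mobile and desktop applications" platform.
$hasRedirect = $app.PublicClient.RedirectUris -contains $expectedRedirect
"Redirect URI configured: $hasRedirect"

# 2. Permissions requested on the app (Type 'Role' = application, 'Scope' = delegated).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$requestedIds = ($app.RequiredResourceAccess | Where-Object ResourceAppId -eq $graphAppId).ResourceAccess |
    Where-Object Type -eq 'Role' | Select-Object -ExpandProperty Id
$requestedNames = $graphSp.AppRoles | Where-Object { $_.Id -in $requestedIds } |
    Select-Object -ExpandProperty Value

# 3. Admin consent shows up as app role assignments on the app's own service principal.
$appSp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
$grantedIds = (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id |
    Where-Object ResourceId -eq $graphSp.Id).AppRoleId
$grantedNames = $graphSp.AppRoles | Where-Object { $_.Id -in $grantedIds } |
    Select-Object -ExpandProperty Value

foreach ($role in $requiredRoles) {
    [pscustomobject]@{
        Permission   = $role
        Requested    = $role -in $requestedNames
        AdminConsent = $role -in $grantedNames
    }
}

# 4. Secrets: an expired one produces the "access token has expired" symptom,
#    and anything far in the future is a rotation task worth noting.
foreach ($s in $app.PasswordCredentials) {
    $daysLeft = ($s.EndDateTime - (Get-Date)).Days
    "Secret '{0}' expires in {1} days" -f $s.DisplayName, $daysLeft
}
```

A row with Requested = True and AdminConsent = False is the "Not granted for ..." state shown in the screenshots above, and a missing redirect URI matches the second troubleshooting item. Because these are ReadWrite.All application permissions, the same output also documents exactly what the app credential can do, which is useful when deciding who may hold the secret.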

50 thoughts on “Authenticating to new Get-WindowsAutoPilotInfo”

  1. Andrew,

    Thanks for this guide – used it in the past with great success. I set up an App Registration and used this method to enroll hundreds of machines into our Autopilot.

    All of a sudden, I’m getting the connect-mggraph error that the access token has expired. First thought was that date/time was off on the device – but that was not the case. My client secret is not expired. I even went so far as to completely rebuild my App Registration from scratch – but still getting the same error.

    Any thoughts on this?

    Thanks!
    Matt

  2. I am getting this error:
    Add-AutopilotImportedDevice : System.Management.Automation.ValidationMetadataException: The cmdlet cannot run because Authentication is set to Default and Connect-MgGraph was not called. Invoke ‘Connect-MgGraph’ or specify Authentication to be ‘UserProvidedToken’ and Provide a Token then retry

      • Thanks for the reply, I’m connecting using an app-reg – I actually missed the first error which is probably the cause of the issue ‘unable to decode the header’. Have you seen this before?

        Get-WindowsAutoPilotInfo.ps1 -Online -TenantID xxx -AppId xxx -AppSecret xxx

        Connect-MgGraph : IDX12729: Unable to decode the header ‘[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.%5D‘ as Base64Url encoded string. jwtEncodedString: ‘[PII is hidden. For more details, see
        https://aka.ms/IdentityModel/PII.%5D‘.
        At C:\Program Files\WindowsPowerShell\Modules\WindowsAutopilotIntune\5.7\WindowsAutoPilotIntune.psm1:62 char:9
        + Connect-MgGraph -AccessToken $secureToken
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (:) [Connect-MgGraph], ArgumentException
        + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph

        Connected to Intune tenant xxx using app-based authentication (Azure AD authentication not supported)
        Gathered details for device with serial number: xxxxxx
        Add-AutopilotImportedDevice : System.Management.Automation.ValidationMetadataException: The cmdlet cannot run because Authentication is set to Default and Connect-MgGraph was not called. Invoke ‘Connect-MgGraph’ or specify
        Authentication to be ‘UserProvidedToken’ and Provide a Token then retry
        at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
        At C:\Program Files\WindowsPowerShell\Scripts\Get-WindowsAutoPilotInfo.ps1:346 char:17
        + … imported += Add-AutopilotImportedDevice -serialNumber $_.’Device Seri …
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
        + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Add-AutopilotImportedDevice

        Sorry for what might be a stupid question, but I’ve installed the community script using
        Install-Module -Name WindowsAutopilotIntuneCommunity -AllowClobber

        How do I actually connect using the community script?

        Thanks again

  3. Here is the output from the script:

    Add-AutopilotImportedDevice: C:\Program Files\WindowsPowerShell\Scripts\Get-WindowsAutoPilotInfo.ps1:346
    Line |
    346 | … imported += Add-AutopilotImportedDevice -serialNumber $_.’Device Seri …
    | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    | Response status code does not indicate success: Unauthorized (Unauthorized).

    • That should need: DeviceManagementServiceConfig.ReadWrite.All
      It might be worth trying the community version of the script as well in case there has been a change to the official one

  4. I followed the guide to set up the app and I am getting this error when running the script: Response status code does not indicate success: Unauthorized (Unauthorized)
    Do you have any idea what could be the issue?

  5. Quick question related to the module.

    I’m using version 5.6 and connect via app reg.

    I get the following error when using Set-AutopilotDevice :

    Response status code does not indicate success: NotFound (Not Found)

    App reg has the permissions mentioned in this article.

    Get-AutopilotDevice works fine.

    Any idea?

      • I found the problem and will work on an appropriate solution.

        Basically, my script creates a user in Entra and eventually assigns a device to said user, but he is not yet visible by Autopilot (?) so this is why Set-AutopilotDevice fails.

        Not sure if forcing a sync between Intune and Autopilot would work, but I’ll try a few different things.

  6. Hi Andrew,

    All is working with the script and we are able to add devices to an online environment. But with setting the permissions needed for the app registration to work we are also able to delete devices with that app registration. So if someone comes along, looks at the script and figures out how to login to Microsoft Graph using the app credentials they are able to delete stuff. Is there a way to deny the delete permissions and to only add to the environment?

    • Hi,
      As it’s a read/write all permission you can’t be any more specific with it unfortunately. Your only other option would be to use an automation with a web hook so they can’t access the script at all, but that would take a fair bit more coding.

  7. Hi, Andrew

    When running the script, I’m getting an error when running with the “-group” parameter. “New-MgGroupMember : Insufficient privileges to complete the operation.” The device does enroll in autopilot and show in AAD and is assigned to the right group. I have granted the permissions you have listed above to the app registration. Is there something I’m missing?

    Thanks

  8. Hi Andrew,

    I have a question you may be able to answer. Around 4 months ago, we provided admin consent for the user auth for entire tenant to MS Graph Command line tools. It has just re-requested the auth again, would you know why it’s asking to re-authenticate? As the IT admins that are enrolling the devices do not have GA, they have to request us to grant admin consent again.

    • Hi,
      Have you changed any permissions in the graph connection? Adding or removing a permission will prompt a full re-authentication.
      It might be worth checking your Enterprise apps within Entra as well in case it has created a new one

  9. No, I don’t get the login screen. The device shows in AAD portal as AAD joined and has the AutoPilot logo. The hostname is wrong and it’s the device SN as the hostname.
    When I run dsregcmd /status it doesn’t show it being AAD joined.

  10. Thanks for the great tutorial.

    I have an issue though. When I run the script, the device gets Azure AD joined, but not intune joined. I do it through the OOBE though. Do you happen to know why that is?

    Thank you so much!

  11. This works perfectly, thanks. Was going a bit crazy there for a while wondering why my original script wasn’t working, but this online method is so much easier. Thanks Andrew.

  12. Hi Andrew,

    Thank you for this post.

    Setting up App Reg work for me but still having issues with User Auth.

    I keep getting the following error:

    Add-AutopilotImportedDevice: Microsoft.Graph.PowerShell.Authentication.Helpers.HttpsResponseException: Response Status codes does not indicate success: Forbidden (Forbidden)

    GA role works, but want to give a role that is not GA and having trouble figuring that out.

  13. I certainly will! We have a good 1000+ devices to join this coming summer break so will be hammering AutoPilot daily! I’ve built your suggestion into a PowerShell script to completely automate the process with minimal touch from our guys on the ground. If you’d like a copy let me know also.

  14. A…..Maze…..Ing!

    I’ve been struggling with using credential auth; why bother just use your app-based method, and its even less for the guys on the ground to have to enter into the PC!

    You Rock!

  15. Should I use the Get-WindowsAutopilotInfoCommunity.ps1 latest version or version 1.0? I’m asking it because I installed the Install-Module -Name WindowsAutopilotIntuneCommunity today but when I tried to run the get-windowsautopilotcommunity -Online -TenantID xxxxxx -AppID yyyyy -Appsecret wwwww but I’m facing an error like this:
    Connect-ToGraph: cannot find a parameter that matches the name TenantID

    Thank you for your support

  16. Unfortunately when I use the get-windowsautopilotinfo -Online -TenantId xxxxxxx -AppId xxxxxx -AppSecret xxxxxx I get an error that it is not possible to convert System.String to System.Security.SecureString. Maybe there is some error in the module when connecting to the Graph app.

  17. I was in a world of pain. Could not figure out why the prompted logon failed. All I could see was this diamond logo and that I did not have sufficient credentials. Now everything works again. Thanks to this informative, spot-on advice post. Thanks for sharing.

    • It may be the Graph PowerShell one you need, I think it has been recently renamed. My new tenant is “Command Line Tools” but my old one is “Graph PowerShell”.

      I’ll update the post 🙂

  18. Hi,

    At the first step “We will start by looking at what happens if the box is left unticked:
    If we navigate to Azure AD and click on Enterprise Applications, we can see the app in there”
    I don’t have the `” Microsoft Graph Command Line Tools ” entry available within Enterprise apps. I’ve only the “Microsoft Graph Powershell” and “Graph Explorer” available.
    What am I doing wrong?

